Update to 2.16 broke MSAD LDAP connector

Hi, thank you for the recent update. I am running a fresh privacyIDEA
installation on CentOS 7 since last week in test and updated it yesterday to
continue tests with the latest software version.

Since the update my active directory connector is broken:
[2016-11-11 13:49:36,416][1751][140051689187072][ERROR][privacyidea.lib.resolvers.LDAPIdResolver:479] Error during fetching LDAP objects: IndexError('list index out of range',)
The connector still binds to LDAP.

The connector still binds, but the GUI tells me it found 0 user objects.
The logs show only the above message and I do not know what next to try.
Filter settings etc are default as provided by privacyidea and when running
tcpdump I can see that the user objects are in fact received by the
privacyidea host.

As this is a new version, perhaps I’m running into something unforeseen.

I guess this is your interesting part:

[2016-11-11 13:31:36,895][1394][139784036828928][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:715] Error during fetching LDAP objects: ValueError('bytes_le is not a 16-char string',)

You should check which way you installed it. Obviously via pip?
Set up the debug level. This will output a traceback, which might give you a
clue.

Kind regards
Cornelius

I’ve added the debug log (Level 10) Perhaps someone else can see more than
I do.

PI.log (37.4 KB)

Because you asked for some more information about the installation:
I had originally used the following guide to install privacyIDEA:
https://www.privacyidea.org/two-factor-authentication-with-otp-on-centos-7/

I ran:
cd /opt/privacyIDEA
source bin/activate
pip install --upgrade cffi
pip install --upgrade bcrypt
pip install --upgrade privacyidea

to update the installation.
and followed :
http://privacyidea.readthedocs.io/en/latest/installation/upgrade.html to
update the database.

I’ve added " log.debug("{0!s}".format(entry)) " to
/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py
because I wanted to see if the ldap data received was ok.
So the code now looks like:

        # returns a generator of dictionaries
        count = 0
        uidtype_count = 0
        for entry in g:
            try:
                userid = cls._get_uid(entry, uidtype)
                count += 1
                if userid:
                    uidtype_count += 1
            except Exception as exx:  # pragma: no cover
                log.warning("Error during fetching LDAP objects:"
                            " {0!r}".format(exx))
                log.debug("{0!s}".format(traceback.format_exc()))
                log.debug("{0!s}".format(entry))
        if uidtype_count < count:  # pragma: no cover
            desc = _("Your LDAP config found %i user objects, but only %i "
                     "with the specified uidtype" % (count,
                                                      uidtype_count))
        else:

The output:

[2016-11-13 22:36:40,923][4742][139969427994368][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:719] {'dn': u'CN=test test5,OU=Users,DC=TESTDOMAIN,DC=LOCAL', 'attributes': {'telephoneNumber': [], u'sAMAccountName': u'test5', 'mobile': [], u'objectGUID': '64c79f1a-881c-4854-a5f2-68278f0d7aa6', u'sn': u'test5', 'mail': [], u'givenName': u'test'}, 'raw_attributes': {'telephoneNumber': [], u'sAMAccountName': ['test5'], 'mobile': [], u'objectGUID': ["\x1a\x9f\xc7d\x1c\x88TH\xa5\xf2h'\x8f\rz\xa6"], u'sn': ['test5'], 'mail': [], u'givenName': ['test']}, 'type': 'searchResEntry'}
[2016-11-13 22:36:40,924][4742][139969427994368][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:715] Error during fetching LDAP objects: ValueError('bytes_le is not a 16-char string',)
[2016-11-13 22:36:40,924][4742][139969427994368][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:716] Traceback (most recent call last):
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 709, in testconnection
    userid = cls._get_uid(entry, uidtype)
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 272, in _get_uid
    uid = str(uuid.UUID(bytes_le=uid))
  File "/usr/lib64/python2.7/uuid.py", line 138, in __init__
    raise ValueError('bytes_le is not a 16-char string')
ValueError: bytes_le is not a 16-char string

So the code does seem to receive a user object. I’m not sure if the above
information shows you where the problem lies.
If I can provide you with extra information, do ask :slight_smile:

Indeed, I did not use the correct debug level. More information:

[2016-11-13 19:24:02,778][3004][139784912459520][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:715] Error during fetching LDAP objects: ValueError('bytes_le is not a 16-char string',)

[2016-11-13 19:24:02,779][3004][139784912459520][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:716] Traceback (most recent call last):
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 709, in testconnection
    userid = cls._get_uid(entry, uidtype)
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 272, in _get_uid
    uid = str(uuid.UUID(bytes_le=uid))
  File "/usr/lib64/python2.7/uuid.py", line 138, in __init__
    raise ValueError('bytes_le is not a 16-char string')
ValueError: bytes_le is not a 16-char string

[2016-11-13 19:24:02,780][3004][139784912459520][DEBUG][privacyidea.lib.resolver:191] Exiting pretestresolver with result (True, 'Your LDAP config seems to be OK, 0 user objects found.')

[2016-11-13 19:24:02,782][3004][139784912459520][DEBUG][privacyidea.api.resolver:191] Exiting test_resolver with result <Response 316 bytes [200 OK]>

I’m trying to add some more logging to
"/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py"
at line 708 to perhaps see the values passed to the function and see what
the entry or uidtype variable holds.
I noticed that after changing the code I need to restart the webserver, but
so far I was not able to add anything useful (I don’t know Python myself
so it is trial and error for me at the moment).

Hi Jochen,

it gets there, but it bails out exactly at this position!

Several years ago I also had to get used to reading the traceback log
of python.

(see below)

Hi Cornelux, My name is Jochen and I am currently evaluating the
product because it seems very versatile :). This is (not yet a
production system)

Any help you give is much appreciated.

I tried your example with the exact same result (the GUID in the
example is also valid on my system). making me think that
str(uuid.UUID(bytes_le=uid)) does not even
get “\x1a\x9f\xc7d\x1c\x88TH\xa5\xf2h’\x8f\rz\xa6”.
And I think I’m right.

I added some extra debugging:

@staticmethod
def _get_uid(entry, uidtype):
    uid = None
    #log.debug("{0!s}".format(entry))
    if uidtype.lower() == "dn":
       uid = entry.get("dn")
    else:
        attributes = entry.get("attributes")
        if type(attributes.get(uidtype)) == list:
            uid = attributes.get(uidtype)[0]
            log.debug("FBTEST {0!s}".format(uid))
        else:
            uid = attributes.get(uidtype)
            log.debug("FBTEST2 {0!s}".format(uid))
        # in case: fix the objectGUID
        if uidtype == "objectGUID":
            uid = str(uuid.UUID(bytes_le=uid))
    return uid

And an example result is:
[2016-11-14 10:18:12,608][5947][140300436125440][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:272] FBTEST2 79fbf2a1-dabf-44cb-a45a-34e891ce10ee
[2016-11-14 10:18:12,609][5947][140300436125440][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:718] Error during fetching LDAP objects: ValueError('bytes_le is not a 16-char string',)
[2016-11-14 10:18:12,609][5947][140300436125440][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:719] Traceback (most recent call last):
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 712, in testconnection
    userid = cls._get_uid(entry, uidtype)
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 275, in _get_uid
    uid = str(uuid.UUID(bytes_le=uid))
  File "/usr/lib64/python2.7/uuid.py", line 138, in __init__
    raise ValueError('bytes_le is not a 16-char string')
ValueError: bytes_le is not a 16-char string

The real error occurs in the last list,
in

File “/usr/lib64/python2.7/uuid.py” in line 138.

This is called by the privacyIDEA code, which is the line above in the
traceback:

File “/opt/privacyIDEA/…/LDAPIdResolver.py” in line 275

In the method _get_uid. In exactly the line, you identified which is
not reached.

uid = str(uuid.UUID(bytes_le=uid))

So this is the line in privacyIDEA code, where things break. But after
all, it breaks in the python own code uuid. This is why I asked for
versions.

You may also try to add a debug log

log.debug("FBTEST2 {0!r}".format(uid))
log.debug("FBTEST2 {0}".format(len(uid)))

This will output the representation and the length of the string. Which
is indeed 16.

The thing is, the privacyidea code at this point did not change.
So either

  1. the underlying python code changed or
  2. your directory changed.

Kind regards
Cornelius

On Monday, 14.11.2016, 01:26 -0800, finalbeta@gmail.com wrote:

So the string we are sending to the function is not of the correct
format and actually is the format we need already.

At this point I’m going to just install a server next to it from
scratch and see what the end result is.

Please read the blog post about getting help
Getting help – privacyID3A.

For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level

You received this message because you are subscribed to a topic in
the Google Groups “privacyidea” group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/privacyidea/HeeP9qWiiT0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/02611775-8a46-41ab-81c0-09c9efbde594%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (819 Bytes)

First of all, updating privacyIDEA is not necessary, as you just
installed it in the latest version.

I guess you are somehow breaking your virtual environment.
– although this should not happen.

It might also be something with your apache server pointing to a wrong
virtualenv.
Or SELinux.
Or AD.

In your virtualenv run a

pip freeze

to check, which versions are installed.

Also you can run the integrated server, to check whether it is an
apache issue:

pi-manage runserver -t 0.0.0.0

then you can connect to http://…:5000

See if it still breaks the ldap. If not, your apache setting is wrong.
Have you restarted apache after running the upgrade?

Kind regards
Cornelius

Hello Nameless Ninja,

this is obviously due to your uuid version, which is part of python.

Python 2.7.12 (default, Jul 1 2016, 15:12:24)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> "\x1a\x9f\xc7d\x1c\x88TH\xa5\xf2h'\x8f\rz\xa6"
"\x1a\x9f\xc7d\x1c\x88TH\xa5\xf2h'\x8f\rz\xa6"
>>> uid = "\x1a\x9f\xc7d\x1c\x88TH\xa5\xf2h'\x8f\rz\xa6"
>>> import uuid
>>> uuid.UUID(bytes_le=uid)
UUID('64c79f1a-881c-4854-a5f2-68278f0d7aa6')
>>> str(uuid.UUID(bytes_le=uid))
'64c79f1a-881c-4854-a5f2-68278f0d7aa6'
>>> len(uid)
16

This is not reproducible on my side. Not even on an up-to-date CentOS
env. So the 1M$ Question is, which special versions of python you are
running here.
There are several options:

  1. dig into it
  2. switch to ubuntu packages
  3. switch your resolver to DN
  4. get professional help in a remote session.

For everyone who wants to receive some personal help by individual
humans, it would be great to state his name, to be more personal
here.

Kind regards
Cornelius

Hi Cornelius,

I installed a fresh centos7, I installed privacyIdea using the guide found
on: https://www.privacyidea.org/two-factor-authentication-with-otp-on-centos-7/
After installation I’m running Privacyidea 2.16. and I add the LDAP
connector, connecting to the same Active directory. It is able to read out
the users. So far, so good.

Then I follow the last part of the guide:

cd /opt/privacyIDEA
source bin/activate
pip install --upgrade cffi
pip install --upgrade bcrypt
pip install --upgrade privacyidea

When I run pip install --upgrade privacyidea, the ldap link is broken again
with the previously discussed results.
I’ve attached the on screen output from the command, perhaps something can
be seen in that.

(It is still possible something strange is going on inside my active
directory, a previous vasco Identikey installation (part of the test setup)
has been installed. As far as I know, no active directory schema changes
were made in that process.
But it is still strange that the installation only breaks when running the
update, not after the default install)

Best regards,
Jochen

pipinstallupdate.txt (228 KB)

Hi Cornelux, My name is Jochen and I am currently evaluating the product
because it seems very versatile :). This is (not yet a production system)

Any help you give is much appreciated.

I tried your example with the exact same result (the GUID in the example is
also valid on my system). making me think that
str(uuid.UUID(bytes_le=uid)) does not even
get “\x1a\x9f\xc7d\x1c\x88TH\xa5\xf2h’\x8f\rz\xa6”.
And I think I’m right.

I added some extra debugging:

@staticmethod
def _get_uid(entry, uidtype):
    uid = None
    #log.debug("{0!s}".format(entry))
    if uidtype.lower() == "dn":
        uid = entry.get("dn")
    else:
        attributes = entry.get("attributes")
        if type(attributes.get(uidtype)) == list:
            uid = attributes.get(uidtype)[0]
            log.debug("FBTEST {0!s}".format(uid))
        else:
            uid = attributes.get(uidtype)
            log.debug("FBTEST2 {0!s}".format(uid))
        # in case: fix the objectGUID
        if uidtype == "objectGUID":
            uid = str(uuid.UUID(bytes_le=uid))
    return uid

And an example result is:
[2016-11-14 10:18:12,608][5947][140300436125440][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:272] FBTEST2 79fbf2a1-dabf-44cb-a45a-34e891ce10ee
[2016-11-14 10:18:12,609][5947][140300436125440][WARNING][privacyidea.lib.resolvers.LDAPIdResolver:718] Error during fetching LDAP objects: ValueError('bytes_le is not a 16-char string',)
[2016-11-14 10:18:12,609][5947][140300436125440][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:719] Traceback (most recent call last):
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 712, in testconnection
    userid = cls._get_uid(entry, uidtype)
  File "/opt/privacyIDEA/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 275, in _get_uid
    uid = str(uuid.UUID(bytes_le=uid))
  File "/usr/lib64/python2.7/uuid.py", line 138, in __init__
    raise ValueError('bytes_le is not a 16-char string')
ValueError: bytes_le is not a 16-char string

So the string we are sending to the function is not of the correct format
and actually is the format we need already.

At this point I’m going to just install a server next to it from scratch
and see what the end result is.
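
The mismatch described in the post above, as an added example that is not part of the thread or of privacyIDEA's code: the entry logged earlier carries objectGUID as formatted text in "attributes" and as 16 raw bytes in "raw_attributes", and a converter that accepts both forms maps them to the same id. It is written for Python 3 (the thread runs Python 2.7); `original_conversion`, `normalize_object_guid`, `get_uid` and `try_convert` are hypothetical names, and the sample entry is constructed from the log line quoted in the thread.

```python
import uuid

# Constructed sample: values copied from the entry logged in the thread.
# "attributes" holds the GUID already rendered as text, "raw_attributes"
# still holds the 16 raw bytes sent by Active Directory.
SAMPLE_ENTRY = {
    "dn": "CN=test test5,OU=Users,DC=TESTDOMAIN,DC=LOCAL",
    "attributes": {
        "sAMAccountName": "test5",
        "objectGUID": "64c79f1a-881c-4854-a5f2-68278f0d7aa6",
    },
    "raw_attributes": {
        "sAMAccountName": [b"test5"],
        "objectGUID": [b"\x1a\x9f\xc7d\x1c\x88TH\xa5\xf2h'\x8f\rz\xa6"],
    },
    "type": "searchResEntry",
}


def original_conversion(value):
    """The conversion used in the thread's _get_uid: assumes 16 raw bytes."""
    return str(uuid.UUID(bytes_le=value))


def normalize_object_guid(value):
    """Return the canonical lower-case GUID string for either representation.

    Accepts the 16-byte little-endian value or a GUID already rendered as
    text. Anything else raises ValueError, so a malformed value never turns
    into a user id that silently fails to match stored ones.
    """
    if isinstance(value, (list, tuple)):
        if len(value) != 1:
            raise ValueError("expected one objectGUID value, got %d" % len(value))
        value = value[0]
    if isinstance(value, (bytes, bytearray)):
        if len(value) == 16:
            return str(uuid.UUID(bytes_le=bytes(value)))
        # Text GUID delivered as bytes: decode strictly, then parse below.
        # UnicodeDecodeError is a subclass of ValueError.
        value = bytes(value).decode("ascii")
    if isinstance(value, str):
        return str(uuid.UUID(value))  # ValueError on malformed text
    raise ValueError("unsupported objectGUID type: %r" % type(value))


def get_uid(entry, uidtype):
    """Variant of the thread's _get_uid that tolerates both GUID forms."""
    if uidtype.lower() == "dn":
        return entry.get("dn")
    value = entry.get("attributes", {}).get(uidtype)
    if uidtype == "objectGUID":
        return normalize_object_guid(value)
    if isinstance(value, list):
        # An empty list means "attribute not set"; do not index into it.
        return value[0] if value else None
    return value


def try_convert(convert, value):
    """Return (True, uid) on success or (False, error text) on ValueError."""
    try:
        return True, convert(value)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    text = SAMPLE_ENTRY["attributes"]["objectGUID"]
    raw = SAMPLE_ENTRY["raw_attributes"]["objectGUID"][0]
    for label, value in (("raw bytes", raw), ("formatted text", text)):
        print(label, "original:  ", try_convert(original_conversion, value))
        print(label, "normalized:", try_convert(normalize_object_guid, value))
    print("get_uid:", get_uid(SAMPLE_ENTRY, "objectGUID"))
```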

Just want to let you know that we are also seeing this issue with our stack.
We use objectGUID as id. Nothing has been changed on the AD side, but we
received the same error message with the new 2.16 version. So, we change to
use userPrincipalName as id as a quick work around at the moment.

Hello Quynh, hello Jochen,

thanks for reporting this.

I can not reproduce this on my machines. There are also extra tests to
check this, which do not fail :wink:
https://github.com/privacyidea/privacyidea/blob/master/tests/test_lib_resolver.py#L878

So it would be great to narrow this problem down and I could need your
help here.

The problem occurs in the method _get_uid, which looks like this:

@staticmethod
def _get_uid(entry, uidtype):
    uid = None
    if uidtype.lower() == "dn":
       uid = entry.get("dn")
    else:
        attributes = entry.get("attributes")
        if type(attributes.get(uidtype)) == list:
            uid = attributes.get(uidtype)[0]
        else:
            uid = attributes.get(uidtype)
        # in case: fix the objectGUID
        if uidtype == "objectGUID":
            uid = str(uuid.UUID(bytes_le=uid))
    return uid

From Jochens Log I saw, that his objectGUID is a list. So the line

        if type(attributes.get(uidtype)) == list:
            uid = attributes.get(uidtype)[0]

should get the first entry from the list.
My suspicion is, that there might be something wrong with the list thing.
I would like to know, how the attribute objectGUID looks before and after. Can you please adapt the code as follows:

@staticmethod
def _get_uid(entry, uidtype):
    uid = None
    if uidtype.lower() == "dn":
       uid = entry.get("dn")
    else:
        attributes = entry.get("attributes")
        log.error("GUID: {0!r}".format(attributes.get(uidtype)))
        if type(attributes.get(uidtype)) == list:
            uid = attributes.get(uidtype)[0]
        else:
            uid = attributes.get(uidtype)
        log.error("GUID: {0!r}".format(uid))
        # in case: fix the objectGUID
        if uidtype == "objectGUID":
            uid = str(uuid.UUID(bytes_le=uid))
    return uid

Thanks a lot
CorneliusAm Dienstag, den 15.11.2016, 15:50 -0800 schrieb Quynh .Nhat:

Just want to let you know that we are also seeing this issue with our
stack.
We use objectGUID as id. Nothing has been changed on the AD side, but
we received the same error message with the new 2.16 version. So, we
change to use userPrincipalName as id as a quick work around at the
moment.

First of all, updating privacyIDEA is not necessary, as you just
installed it in the latest version.

I guess you are somehow breaking your virtual environment.
– although this should not happen.

I might also be something with your apache server pointing to a
wrong
virutalenv.
Or SeLinux.
Or AD.

In your virtualenv run a

pip freeze

to check, which versions are installed.

Also you can run the integrated server, to check whether it is an
apache issue:

pi-manage runserver -t 0.0.0.0

then you can connect to http://…:5000

See if it still breaks the ldap. If not, your apache setting is
wrong.
Have you restarted apache after running the upgrade?

Kind regards
Cornelius

Am Montag, den 14.11.2016, 05:01 -0800 schrieb fina...@gmail.com:

Hi Cornelius,

I installed a fresh centos7, I installed privacyIdea using the
guide
found on: Two-Factor-Authentication with OTP on CentOS 7 – privacyID3A
ith-
otp-on-centos-7/
After installation I’m running Privacyidea 2.16. and I add the
LDAP
connector, connecting to the same Active directory. It is able
to
read out the users. So far, so good.

Then I follow the last part of the guide:

cd /opt/privacyIDEA
source bin/activate
pip install --upgrade cffi
pip install --upgrade bcrypt
pip install --upgrade privacyidea

When I run pip install --upgrade privacyidea, the ldap link is
broken
again with the previously discussed results.
I’ve attached the on screen output from the command, perhaps
something can be seen in that.

(It is still possible something strange is going on inside my
active
directory, a previous vasco Identikey installation (part of the
test
setup) has been installed. As far as I know, no active directory
schema changed where made in that proccess.
But it is still strange that the installation only breaks when
running the update, not after the default install)

Best regards,
Jochen

Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Hi Quynh,

thanks again.

The ldap3 >= 2.0.7 does not only fix the timeout problem but also
handles some attributes of responses in different ways. Especially the
objectGUID.

So either you can force to use ldap3==1.4.0, then all your resolvers
will work fine, but you will get the timeout issues, if your server is
down.

Or you use ldap3>=2.0.7, but then you will not see the users with the
current code 2.16 (if uidtype=objectGUID).

So to use 2.0.7/2.1.0 AND objectGUID I created a new branch-2.16, where
I cherry-picked the LDAP changes of the master branch:

https://github.com/privacyidea/privacyidea/archive/branch-2.16.zip

Can you check out, if this works out for you?

Kind regards
Cornelius

On Thursday, 17.11.2016, 16:57 -0800, Quynh .Nhat wrote:

Hi Cornelius,

Following is the example output of the log.error:
2016/11/17 - 16:53:42 ERROR LDAPIdResolver
[privacyidea.lib.resolvers.LDAPIdResolver][_get_uid #268] GUID:
‘b406a716-973c-3610-97ce-49bf9f10b2d9’
2016/11/17 - 16:53:42 ERROR LDAPIdResolver
[privacyidea.lib.resolvers.LDAPIdResolver][_get_uid #273] GUID:
‘b406a716-973c-3610-97ce-49bf9f10b2d9’

I was able to get it to work as normal with this modification in
_get_uid:

        if uidtype == "objectGUID":
            uid = str(uuid.UUID('{%s}' %uid))

Seems like the format has changed somehow.

Hi Cornelius,

Following is the example output of the log.error:
2016/11/17 - 16:53:42 ERROR LDAPIdResolver
[privacyidea.lib.resolvers.LDAPIdResolver][_get_uid #268] GUID:
‘b406a716-973c-3610-97ce-49bf9f10b2d9’
2016/11/17 - 16:53:42 ERROR LDAPIdResolver
[privacyidea.lib.resolvers.LDAPIdResolver][_get_uid #273] GUID:
‘b406a716-973c-3610-97ce-49bf9f10b2d9’

I was able to get it to work as normal with this modification in _get_uid:

        if uidtype == "objectGUID":
            uid = str(uuid.UUID('{%s}' %uid))

Seems like the format has changed somehow.

On Tuesday, November 15, 2016 at 10:01:33 PM UTC-8, Cornelius Kölbel wrote:

Hello Quynh, hello Jochen,

thanks for reporting this.

I can not reproduce this on my machines. There are also extra tests to
check this, which do not fail :wink:
https://github.com/privacyidea/privacyidea/blob/master/tests/test_lib_resolver.py#L878

So it would be great to narrow this problem down and I could need your
help here.

The problem occurs in the method _get_uid, which looks like this:

@staticmethod
def _get_uid(entry, uidtype):
    uid = None
    if uidtype.lower() == "dn":
        uid = entry.get("dn")
    else:
        attributes = entry.get("attributes")
        if type(attributes.get(uidtype)) == list:
            uid = attributes.get(uidtype)[0]
        else:
            uid = attributes.get(uidtype)
        # in case: fix the objectGUID
        if uidtype == "objectGUID":
            uid = str(uuid.UUID(bytes_le=uid))
    return uid

From Jochen’s log I saw that his objectGUID is a list. So the line

        if type(attributes.get(uidtype)) == list:
            uid = attributes.get(uidtype)[0]

should get the first entry from the list.
My suspicion is that there might be something wrong with the list thing.
I would like to know how the attribute objectGUID looks before and after.
Can you please adapt the code as follows:

@staticmethod
def _get_uid(entry, uidtype):
    uid = None
    if uidtype.lower() == "dn":
        uid = entry.get("dn")
    else:
        attributes = entry.get("attributes")
        log.error("GUID: {0!r}".format(attributes.get(uidtype)))
        if type(attributes.get(uidtype)) == list:
            uid = attributes.get(uidtype)[0]
        else:
            uid = attributes.get(uidtype)
        log.error("GUID: {0!r}".format(uid))
        # in case: fix the objectGUID
        if uidtype == "objectGUID":
            uid = str(uuid.UUID(bytes_le=uid))
    return uid

Thanks a lot
Cornelius

On Tuesday, 15.11.2016, 15:50 -0800, Quynh .Nhat wrote:

Just want to let you know that we are also seeing this issue with our
stack.
We use objectGUID as id. Nothing has been changed on the AD side, but
we received the same error message with the new 2.16 version. So, we
change to use userPrincipalName as id as a quick workaround at the
moment.

First of all, updating privacyIDEA is not necessary, as you just
installed it in the latest version.

I guess you are somehow breaking your virtual environment.
– although this should not happen.

It might also be something with your apache server pointing to a
wrong virtualenv.
Or SELinux.
Or AD.

In your virtualenv run a

pip freeze

to check, which versions are installed.

Also you can run the integrated server, to check whether it is an
apache issue:

pi-manage runserver -t 0.0.0.0

then you can connect to http://…:5000

See if it still breaks the ldap. If not, your apache setting is
wrong.
Have you restarted apache after running the upgrade?

Kind regards
Cornelius

Hi Cornelius,

Thank you for your response.
We are actually going to use the userPrincipalName as the id.
But I am glad that you found the issue cause and resolved it.

Best regards,

On Friday, November 18, 2016 at 1:12:56 AM UTC-8, Cornelius Kölbel wrote:

Hi Quynh,

thanks again.

The ldap3 >= 2.0.7 does not only fix the timeout problem but also
handles some attributes of responses in different ways. Especially the
objectGUID.

So either you can force to use ldap3==1.4.0, then all your resolvers
will work fine, but you will get the timeout issues, if your server is
down.

Or you use ldap3>=2.0.7, but then you will not see the users with the
current code 2.16 (if uidtype=objectGUID).

So to use 2.0.7/2.1.0 AND objectGUID I created a new branch-2.16, where
I cherry-picked the LDAP changes of the master branch:

https://github.com/privacyidea/privacyidea/archive/branch-2.16.zip

Can you check out, if this works out for you?

Kind regards
Cornelius

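
The mismatch discussed in this thread, as an added example (not privacyIDEA's code and not the fix from branch-2.16): the logged objectGUID arrives as an already formatted string, which `uuid.UUID(bytes_le=...)` rejects because it expects 16 raw bytes. The names `legacy_guid`, `normalize_object_guid` and `get_uid` are hypothetical, `GUID_RAW` is a constructed sample, and Python 3 is assumed.

```python
import uuid

# GUID string exactly as it appears in the log output quoted in the thread.
GUID_TEXT = "b406a716-973c-3610-97ce-49bf9f10b2d9"
# Constructed sample: the same GUID in the 16-byte little-endian layout
# that uuid.UUID(bytes_le=...) expects.
GUID_RAW = bytes.fromhex("16a706b43c97103697ce49bf9f10b2d9")


def legacy_guid(value):
    """Conversion used in the quoted _get_uid: valid only for 16 raw bytes."""
    return str(uuid.UUID(bytes_le=value))


def normalize_object_guid(value):
    """Return the canonical GUID string for any objectGUID shape.

    Handles a list-wrapped value, 16 raw little-endian bytes, and an
    already formatted GUID (str or ASCII bytes, with or without braces).
    Raises ValueError for anything else, so a malformed uid is rejected
    instead of being stored.
    """
    if isinstance(value, (list, tuple)):
        if not value:
            raise ValueError("objectGUID attribute is empty")
        value = value[0]
    if isinstance(value, (bytes, bytearray)):
        raw = bytes(value)
        if len(raw) == 16:
            return str(uuid.UUID(bytes_le=raw))
        # A textual GUID has at least 32 characters, never 16, so any
        # other length can only be text delivered as bytes.
        value = raw.decode("ascii")
    if isinstance(value, str):
        return str(uuid.UUID(value.strip()))
    raise ValueError("unsupported objectGUID type: %s" % type(value).__name__)


def get_uid(entry, uidtype):
    """Stand-alone variant of the thread's _get_uid that accepts both shapes."""
    if uidtype.lower() == "dn":
        return entry.get("dn")
    value = entry.get("attributes", {}).get(uidtype)
    if uidtype == "objectGUID":
        return normalize_object_guid(value)
    if isinstance(value, list):
        return value[0] if value else None
    return value


if __name__ == "__main__":
    for shape in (GUID_RAW, [GUID_RAW], GUID_TEXT, "{%s}" % GUID_TEXT):
        print("%r -> %s" % (shape, normalize_object_guid(shape)))
    try:
        legacy_guid(GUID_TEXT)
    except ValueError as exc:
        print("legacy conversion on text input fails:", exc)
```

Both representations map to the same uid string, so the resolver returns an identical identifier whichever shape the LDAP library delivers.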