Using privacyidea command with admin account in userstore

Hello !

I’d like to ask if there’s anyone else using the ‘privacyidea’ command for token enrollments, particularly with an administrator account saved in the userstore (not in the pi database)? The default ‘admin’ account in the pi database functions flawlessly, of course. But I get an error (see command output) using an admin account which is saved in the userstore, e.g. ‘itadmin01’. Is anyone else experiencing this?

~$ privacyidea --nosslcheck -U https://PI-2fa.domain.com/ -a itadmin01 -r admin token list
Please enter password for 'itadmin01':
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/connectionpool.py:821: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
Traceback (most recent call last):
  File "/usr/bin/privacyidea", line 1563, in <module>
    main()
  File "/usr/bin/privacyidea", line 1555, in main
    no_ssl_check=args.nosslcheck)
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 96, in __init__
    self.set_credentials(username, password)
  File "/usr/lib/python2.7/dist-packages/privacyideautils/clientutils.py", line 135, in set_credentials
    raise Exception("Invalid Credentials: %s" % r.status_code)
Exception: Invalid Credentials: 401

The command privacyidea -U {url} -a {admin} -r {admin-realm} seems to accept only the admin accounts in the pi database. If it’s only me, then maybe I’ll debug more and check my configurations.

Thanks and Regards,

Hello @foot3print,
Ok, here is the least beloved forum comment: “It works for me!” :wink:

Please check if you are providing the realm of this admin! Otherwise the admin user might not be found.
Take a look into the audit log.
Also check if you have any authentication policy in place which recommends auth against privacyIDEA (webui policy) or any otppin policy.

Kind regards
Cornelius

I see you are using -a itadmin01 -r admin.

Obviously the parameter “-r” does not work.
Please use:

-a itadmin@admin.

Kind regards
Cornelius

Hi @cornelinux !

Thanks for the response! :slight_smile: I think I found the problem. Does the command also do second authentication? My policy:auth is set to use the PW from the userstore as OTPPIN and another policy:webui is set to authenticate against the PrivacyID3A Server. It does well with the authentication plugins as well as the login through any browser.

You’re right. The parameter ‘-r’ somehow does not function. But I tested it with ‘-a itadmin@admin’ and it still failed. I think it’s because my admin ‘itadmin’ has a token. I tried creating an AUTH policy for ‘passthru:userstore’ only for the user ‘itadmin’, deleted his token and ran the command:

~$ privacyidea --nosslcheck -U https://PI-2fa.domain.com -a itadmin@admin token list

It returned successfully with the token list. So going back to my first assumption, is the tool ‘privacyidea’ also capable of doing the challenge/response part?

Just for reference: the system finds the user and token, as stated in the logs. This is from before I created the ‘passthru’ policy for ‘itadmin’:

[2017-06-19 10:15:19,277][7489][140033989637888][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:694] Added it-ldap-slave01.domain.com, 1389, False to server pool.
[2017-06-19 10:15:19,277][7489][140033989637888][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:234] Authtype: u'Simple'
[2017-06-19 10:15:19,277][7489][140033989637888][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:235] user    : u'uid=itadmin,ou=people,ou=it,o=domain,c=com'
[2017-06-19 10:15:19,475][7489][140033989637888][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:248] bind result: True
[2017-06-19 10:15:19,475][7489][140033989637888][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:251] bind seems successful.
[2017-06-19 10:15:19,475][7489][140033989637888][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:253] unbind successful.
[2017-06-19 10:15:19,475][7489][140033989637888][DEBUG][privacyidea.lib.user:357] Successfully authenticated user User(login=u'itadmin', realm=u'admin', resolver=u'ldap-2fa-admin').
[2017-06-19 10:15:19,475][7489][140033989637888][DEBUG][privacyidea.lib.user:197] Exiting check_password with result itadmin@admin
[2017-06-19 10:15:19,476][7489][140033989637888][DEBUG][privacyidea.lib.tokens.hotptoken:197] Exiting is_challenge_request with result True
[2017-06-19 10:15:19,478][7489][140033989637888][DEBUG][privacyidea.lib.config:185] Entering get_from_config with arguments ('DefaultChallengeValidityTime', 120) and keywords {}
[2017-06-19 10:15:19,479][7489][140033989637888][DEBUG][privacyidea.lib.config:72] The singleton <class 'privacyidea.lib.config.ConfigClass'> already exists.
[2017-06-19 10:15:19,481][7489][140033989637888][DEBUG][privacyidea.lib.config:197] Exiting get_from_config with result 120
[2017-06-19 10:15:19,481][7489][140033989637888][DEBUG][privacyidea.lib.config:185] Entering get_from_config with arguments (u'HotpChallengeValidityTime', 120) and keywords {}
[2017-06-19 10:15:19,481][7489][140033989637888][DEBUG][privacyidea.lib.config:72] The singleton <class 'privacyidea.lib.config.ConfigClass'> already exists.
[2017-06-19 10:15:19,483][7489][140033989637888][DEBUG][privacyidea.lib.config:197] Exiting get_from_config with result 120
[2017-06-19 10:15:19,483][7489][140033989637888][DEBUG][privacyidea.models:185] Entering __init__ with arguments (<privacyidea.models.Challenge object at 0x7f5c07014e90>, u'OATH00064CA0') and keywords {'challenge': None, 'session': None, 'data': None, 'validitytime': 120, 'transaction_id': None}
[2017-06-19 10:15:19,484][7489][140033989637888][DEBUG][privacyidea.models:197] Exiting __init__ with result None
[2017-06-19 10:15:19,568][7489][140033989637888][DEBUG][privacyidea.lib.token:197] Exiting check_token_list with result (False, {'attributes': None, 'multi_challenge': [{'attributes': None, 'serial': u'OATH00064CA0', 'transaction_id': u'04426701574343944316'}], 'transaction_id': u'04426701574343944316', 'message': 'please enter otp:  ', 'serial': u'OATH00064CA0'})
[2017-06-19 10:15:19,568][7489][140033989637888][DEBUG][privacyidea.lib.token:197] Exiting check_user_pass with result (False, {'attributes': None, 'multi_challenge': [{'attributes': None, 'serial': u'OATH00064CA0', 'transaction_id': u'04426701574343944316'}], 'transaction_id': u'04426701574343944316', 'message': 'please enter otp: ', 'serial': u'OATH00064CA0'})

Regards,
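The debug excerpt above shows the real reason for the CLI’s 401: the userstore password check succeeded, but check_user_pass then returned a challenge (transaction_id plus “please enter otp”) that the single-step ‘privacyidea’ client never answers. The following log triage script is an added example, not code from privacyIDEA or from anyone in this thread; it parses lines in the log layout shown above and reports whether the server rejected the credentials, authenticated the user, or is waiting for the second factor. The sample lines are constructed copies of the two decisive entries from the excerpt.

```python
import ast
import re
# privacyIDEA debug-log line layout as shown in the thread:
# [timestamp][pid][thread][LEVEL][module:lineno] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<pid>\d+)\]\[(?P<tid>\d+)\]\[(?P<level>\w+)\]"
    r"\[(?P<module>[\w.]+):(?P<lineno>\d+)\] (?P<msg>.*)$"
)
RESULT_RE = re.compile(r"^Exiting (?P<func>\w+) with result (?P<result>.*)$")
USER_RE = re.compile(r"login=u?'(?P<login>[^']*)', realm=u?'(?P<realm>[^']*)'")
def parse_line(line):
    """Split one log line into its fields; None if it is not in that layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def triage_auth(lines):
    """Classify one authentication attempt from its debug lines: 'user' is the
    login@realm that passed the userstore password check, 'challenge' the
    serial/transaction_id if a challenge was started, 'verdict' one of
    'authenticated', 'challenge_pending', 'rejected'."""
    out = {"user": None, "challenge": None, "verdict": "rejected"}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["module"] == "privacyidea.lib.user" and msg.startswith("Successfully authenticated user"):
            u = USER_RE.search(msg)
            if u:
                out["user"] = "%s@%s" % (u.group("login"), u.group("realm"))
        r = RESULT_RE.match(msg)
        if r and r.group("func") == "check_user_pass":
            # The logged result is the repr of (bool, dict); literal_eval parses it without exec
            ok, detail = ast.literal_eval(r.group("result"))
            if ok:
                out["verdict"] = "authenticated"
            elif detail.get("multi_challenge"):
                out["challenge"] = {"serial": detail.get("serial"),
                                    "transaction_id": detail.get("transaction_id")}
                out["verdict"] = "challenge_pending"
    return out
# Constructed sample: the two decisive lines of the log excerpt in the thread
SAMPLE_LOG = [
    "[2017-06-19 10:15:19,475][7489][140033989637888][DEBUG][privacyidea.lib.user:357] Successfully authenticated user User(login=u'itadmin', realm=u'admin', resolver=u'ldap-2fa-admin').",
    "[2017-06-19 10:15:19,568][7489][140033989637888][DEBUG][privacyidea.lib.token:197] Exiting check_user_pass with result (False, {'attributes': None, 'multi_challenge': [{'attributes': None, 'serial': u'OATH00064CA0', 'transaction_id': u'04426701574343944316'}], 'transaction_id': u'04426701574343944316', 'message': 'please enter otp: ', 'serial': u'OATH00064CA0'})",
]

if __name__ == "__main__":
    print(triage_auth(SAMPLE_LOG))
```

On the excerpt above this yields verdict ‘challenge_pending’ for itadmin@admin with serial OATH00064CA0, which is why a passthru policy (or a client that completes the challenge) makes the command succeed.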