Hi @cornelinux !
Thanks for the response! I think I found the problem. Does the command also do second authentication? My policy:auth is set to use the PW from the userstore as OTPPIN and another policy:webui is set to authenticate against the privacyIDEA server. It does well with the authentication plugins as well as the login through any browser.
You’re right. The parameter ‘-r’ somehow does not function. But I tested it with ‘-a itadmin@admin’ and it still failed. I think it’s because my admin ‘itadmin’ has a token. I tried creating an AUTH policy for ‘passthru:userstore’ only for the user ‘itadmin’, deleted his token and ran the command:
~$ privacyidea --nosslcheck -U https://PI-2fa.domain.com -a itadmin@admin token list
It returned successfully with the token list. So going back to my first assumption, is the tool ‘privacyidea’ also capable of doing the challenge/response part?
Just for reference, the system finds the user and token as stated in the logs. This is before I created the ‘passthru’ for ‘itadmin’:
[2017-06-19 10:15:19,277][7489][140033989637888][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:694] Added it-ldap-slave01.domain.com, 1389, False to server pool.
[2017-06-19 10:15:19,277][7489][140033989637888][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:234] Authtype: u'Simple'
[2017-06-19 10:15:19,277][7489][140033989637888][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:235] user : u'uid=itadmin,ou=people,ou=it,o=domain,c=com'
[2017-06-19 10:15:19,475][7489][140033989637888][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:248] bind result: True
[2017-06-19 10:15:19,475][7489][140033989637888][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:251] bind seems successful.
[2017-06-19 10:15:19,475][7489][140033989637888][DEBUG][privacyidea.lib.resolvers.LDAPIdResolver:253] unbind successful.
[2017-06-19 10:15:19,475][7489][140033989637888][DEBUG][privacyidea.lib.user:357] Successfully authenticated user User(login=u'itadmin', realm=u'admin', resolver=u'ldap-2fa-admin').
[2017-06-19 10:15:19,475][7489][140033989637888][DEBUG][privacyidea.lib.user:197] Exiting check_password with result itadmin@admin
[2017-06-19 10:15:19,476][7489][140033989637888][DEBUG][privacyidea.lib.tokens.hotptoken:197] Exiting is_challenge_request with result True
[2017-06-19 10:15:19,478][7489][140033989637888][DEBUG][privacyidea.lib.config:185] Entering get_from_config with arguments ('DefaultChallengeValidityTime', 120) and keywords {}
[2017-06-19 10:15:19,479][7489][140033989637888][DEBUG][privacyidea.lib.config:72] The singleton <class 'privacyidea.lib.config.ConfigClass'> already exists.
[2017-06-19 10:15:19,481][7489][140033989637888][DEBUG][privacyidea.lib.config:197] Exiting get_from_config with result 120
[2017-06-19 10:15:19,481][7489][140033989637888][DEBUG][privacyidea.lib.config:185] Entering get_from_config with arguments (u'HotpChallengeValidityTime', 120) and keywords {}
[2017-06-19 10:15:19,481][7489][140033989637888][DEBUG][privacyidea.lib.config:72] The singleton <class 'privacyidea.lib.config.ConfigClass'> already exists.
[2017-06-19 10:15:19,483][7489][140033989637888][DEBUG][privacyidea.lib.config:197] Exiting get_from_config with result 120
[2017-06-19 10:15:19,483][7489][140033989637888][DEBUG][privacyidea.models:185] Entering __init__ with arguments (<privacyidea.models.Challenge object at 0x7f5c07014e90>, u'OATH00064CA0') and keywords {'challenge': None, 'session': None, 'data': None, 'validitytime': 120, 'transaction_id': None}
[2017-06-19 10:15:19,484][7489][140033989637888][DEBUG][privacyidea.models:197] Exiting __init__ with result None
[2017-06-19 10:15:19,568][7489][140033989637888][DEBUG][privacyidea.lib.token:197] Exiting check_token_list with result (False, {'attributes': None, 'multi_challenge': [{'attributes': None, 'serial': u'OATH00064CA0', 'transaction_id': u'04426701574343944316'}], 'transaction_id': u'04426701574343944316', 'message': 'please enter otp: ', 'serial': u'OATH00064CA0'})
[2017-06-19 10:15:19,568][7489][140033989637888][DEBUG][privacyidea.lib.token:197] Exiting check_user_pass with result (False, {'attributes': None, 'multi_challenge': [{'attributes': None, 'serial': u'OATH00064CA0', 'transaction_id': u'04426701574343944316'}], 'transaction_id': u'04426701574343944316', 'message': 'please enter otp: ', 'serial': u'OATH00064CA0'})
Regards,
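As an added example (not code from this thread or from the privacyIDEA project), here is the two-step /validate/check exchange that the log above stops halfway through: the first request carries only the OTP PIN (the userstore password with otppin=userstore) and opens a HOTP challenge with a transaction_id, the second sends the OTP together with that transaction_id. It assumes the usual /validate/check JSON shape (result.status, result.value, detail.transaction_id, detail.multi_challenge); the server is replaced by the constructed stand-in fake_privacyidea so the flow runs offline, and http_post_json is the real-transport variant to inject instead.

```python
import json
import ssl
import urllib.parse
import urllib.request

def http_post_json(url, data, verify_ssl=True):
    """POST form fields to privacyIDEA and return the parsed JSON body (verify_ssl=False ~ --nosslcheck)."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode())
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def classify_validate_response(body):
    """(state, transaction_id) for a /validate/check body; state is ok, challenge, fail or error.
    A challenge is result.value False plus a transaction_id/multi_challenge in detail, the log's case."""
    result, detail = body.get("result") or {}, body.get("detail") or {}
    if not result.get("status"):
        return "error", None
    if result.get("value"):
        return "ok", None
    tid = detail.get("transaction_id") or (detail.get("multi_challenge") or [{}])[0].get("transaction_id")
    return ("challenge", tid) if tid else ("fail", None)

def challenge_response_login(post, base_url, user, realm, pin, otp_provider):
    """Step 1: send only the OTP PIN (the userstore password with otppin=userstore) and expect a
    challenge. Step 2: send the OTP together with the transaction_id. 'post' is injected for testing."""
    url = base_url.rstrip("/") + "/validate/check"
    state, tid = classify_validate_response(post(url, {"user": user, "realm": realm, "pass": pin}))
    if state != "challenge":   # 'ok' means passthru or a token needing no challenge; anything else fails
        return state == "ok"
    state, _ = classify_validate_response(post(url, {"user": user, "realm": realm,
                                                     "pass": otp_provider(tid), "transaction_id": tid}))
    return state == "ok"

def fake_privacyidea(url, data):
    """Constructed stand-in for the server (not real output): PIN 'ldap-secret' opens the HOTP
    challenge seen in the log, OTP '123456' with the matching transaction_id completes it."""
    tid = "04426701574343944316"
    if "transaction_id" in data:           # step 2: OTP against an open challenge
        ok = data["transaction_id"] == tid and data["pass"] == "123456"
        return {"result": {"status": True, "value": ok}, "detail": {}}
    if data["pass"] != "ldap-secret":      # step 1 with a wrong PIN: no challenge is opened
        return {"result": {"status": True, "value": False}, "detail": {"message": "wrong otp pin"}}
    return {"result": {"status": True, "value": False},
            "detail": {"message": "please enter otp: ", "serial": "OATH00064CA0", "transaction_id": tid,
                       "multi_challenge": [{"serial": "OATH00064CA0", "transaction_id": tid}]}}
```

Against a live server, pass `http_post_json` (or a wrapper that binds verify_ssl) as `post`; the second request must reuse the transaction_id from the first, otherwise the OTP is checked without the open challenge and fails.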