Debian + Error during installation


Stefan Steuer

Feb 17, 2015, 11:52:22 AM
to priva...@googlegroups.com
Hi,
I tried to install privacyidea on our Debian server, but I get the following error:

(privacyidea)root@mfaotrs:/etc/apache2/sites-available# cp etc/apache2/sites-available/privacyidea /etc/apache2/sites-available/
cp: Aufruf von stat für „etc/apache2/sites-available/privacyidea“ nicht möglich: Datei oder Verzeichnis nicht gefunden



So there are no other sub-folders in "sites-available" :(


Cornelius Kölbel

Feb 17, 2015, 11:56:33 AM
to priva...@googlegroups.com
This howto refers to privacyidea 1.5.

2.0 was a total rewrite. The apache-configs etc. are not contained in the python package at the moment.

Kind regards
Cornelius
--
You received this message because you are subscribed to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/d608c097-e1a8-4f9a-8d4a-06532156e79e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Stefan Steuer

Feb 17, 2015, 12:13:24 PM
to priva...@googlegroups.com
Hi Cornelius,
you're very fast ;)

I tried to install 1.5.

Are there any debian packages for 2.0 available?

Stefan Steuer

Feb 17, 2015, 12:23:47 PM
to priva...@googlegroups.com
btw - is it possible to authenticate against username, password and the PIN code from Google Authenticator?

Cornelius Kölbel

Feb 17, 2015, 12:34:37 PM
to priva...@googlegroups.com
I am planning to build packages for wheezy.
If you tell me you are running wheezy, I will take a look into it and re-prioritize it ;-)

Yes, you can authenticate against the password from your userstore and the OTP value from GoogleAuth.
You need to define a policy, which looks like this in v2:



Kind regards
Cornelius

Stefan Steuer

Feb 17, 2015, 1:00:41 PM
to priva...@googlegroups.com
Oh great :)
My otrs-instance is running on:

Description:    Debian GNU/Linux 7.8 (wheezy)
Release:        7.8


Whether yes or no ;-) what is the process for the user?

- Open the otrs url
- type in the username and password (LDAP) and submit
- a barcode will be displayed
- scan the barcode/qr with google auth.
- type in the onetime-token
- login successful

Cornelius Kölbel

Feb 17, 2015, 1:19:17 PM
to priva...@googlegroups.com
:-)

The OTRS module is the same for 2.0 as for 1.5. Nothing has changed.
https://github.com/privacyidea/privacyidea/tree/master/authmodules/OTRS

The user sees the same login mask, but in the password field he needs to enter the
OTRS static password (coming from the OTRS SQL userstore or from the LDAP userstore) concatenated with the OTP value.

The enrollment for the user is another topic.
You could have the user enter the selfservice portal to self-enroll a google authenticator.
It is similar to the administrative enrollment.
See: https://www.youtube.com/watch?v=Cwzz5PCjHQI&t=3m20s

You could as well - depending on the IT affinity of your users - enroll the device for the users yourself.
You might also use any hardware devices or - which I like a lot - the Yubikey.

Kind regards
Cornelius

Stefan Steuer

Feb 17, 2015, 1:27:47 PM
to priva...@googlegroups.com
Does the user have to scan another QR code on each login, or is it time-based?

Cornelius Kölbel

Feb 17, 2015, 1:33:54 PM
to priva...@googlegroups.com
The QR Code contains the secret key (unencrypted!!!) that is shared
between the server and the smartphone.
The user only needs to scan once during enrollment.
After that, the smartphone generates the OTP value on its own, i.e. on a
button press.

Stefan Steuer

Feb 17, 2015, 1:39:56 PM
to priva...@googlegroups.com
Okay.

I'm curious about the new version :-)

Stefan Steuer

Feb 19, 2015, 12:45:01 PM
to priva...@googlegroups.com
Hi Cornelius,
is the v1.5 still available for debian? :)

Cornelius Kölbel

Feb 19, 2015, 12:54:59 PM
to priva...@googlegroups.com
Hi Stefan,
you can run privacyidea in a virtualenv on debian.

To install privacyidea 1.5 in a virtualenv you can specify the version.

    pip install privacyidea==1.5.1

Looking at your original post, you simply were in the wrong directory to get the apache-config file.

In your virtualenv top level folder search at etc/apache2/sites-available/pidea...

This file you can copy to the apache folder.

I just finished the packages for Ubuntu 14.04 LTS, which you can find here:
    https://launchpad.net/~privacyidea/+archive/ubuntu/privacyidea-dev?field.series_filter=trusty

Yesterday I spent a lot of time looking at debian wheezy. Problem is, that maaaaany python modules are not packed for debian.
So I started to pack. I ended up with about 13 new packages and came to a point where I also had to repack existing modules, since the existing modules in wheezy are soooooo old.
So at the moment I think I would create a debian package for wheezy that just contains a complete running virtualenv.
I.e. the 60MB deb-file would hold all its software in a directory /opt/privacyidea.
I would create a second package that can be installed to run privacyidea with apache and another package to run PI with nginx. (I already did so on ubuntu)

Then everyone can choose to
a) only install the base package and roll PI as he wishes to
b) easily roll privacyIDEA with apache
c) easily roll privacyIDEA with nginx...

There is no sense in providing my own 15 packages replacing older versions and install them to the main system which might lead to version problems and breaking other software.
What do you think?

Kind regards
Cornelius

Stefan Steuer

Feb 21, 2015, 4:50:12 AM
to priva...@googlegroups.com
Dear Cornelius,
that sounds very good - so everyone can choose their own way to install pi :)

For myself I'll use a), because I have apache and mysql already installed.

Cornelius Kölbel

Feb 21, 2015, 5:18:22 PM
to priva...@googlegroups.com
Hi Stefan,

you may find a first shot of a wheezy package here:
https://www.privacyidea.org/wp-content/uploads/2015/privacyidea-venv_2.1~dev0_amd64.deb

I added a first quickly hacked howto:
http://privacyidea.readthedocs.org/en/latest/installation/index.html#debian-packages

I'd like to have an additional meta package that at least installs the necessary config files and creates the available-sites/privacyidea.conf.
If you are willing to take a look at this prebeta package I am happy about any feedback.

Kind regards
Cornelius

Stefan Steuer

Feb 22, 2015, 5:49:38 AM
to priva...@googlegroups.com
Hi,
you should add to the manual that the user has to create the directory /var/log/privacyidea/ manually.

What is the URL for the admin control panel after I installed the package successfully?

Cornelius Kölbel

Feb 22, 2015, 7:09:22 AM
to priva...@googlegroups.com
Hi Stefan,

it depends on how you configured the apache vhost.
The URL is determined by the WSGIScriptAlias in your config.
I.e. by default it is /, but you could set it to any other path.

Kind regards
Cornelius

Cornelius Kölbel

Feb 22, 2015, 7:11:33 AM
to priva...@googlegroups.com
Thanks, done.
Kind regards
Cornelius


On 22.02.2015 at 11:41, Stefan Steuer wrote:
Hi,
I received the following error code while running the command

pi-manage.py createdb


(privacyidea-venv)root@mfaotrs:/# pi-manage.py createdb
The configuration name is: production
Additional configuration can be read from the file /etc/privacyidea/pi.cfg
Traceback (most recent call last):
  File "/opt/privacyidea/privacyidea-venv/bin/pi-manage.py", line 44, in <module>
    app = create_app(config_name='production')
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/privacyidea/app.py", line 109, in create_app
    maxBytes=10000000)
  File "/usr/lib/python2.7/logging/handlers.py", line 117, in __init__
    BaseRotatingHandler.__init__(self, filename, mode, encoding, delay)
  File "/usr/lib/python2.7/logging/handlers.py", line 64, in __init__
    logging.FileHandler.__init__(self, filename, mode, encoding, delay)
  File "/usr/lib/python2.7/logging/__init__.py", line 901, in __init__
    StreamHandler.__init__(self, self._open())
  File "/usr/lib/python2.7/logging/__init__.py", line 924, in _open
    stream = open(self.baseFilename, self.mode)
IOError: [Errno 2] No such file or directory: '/var/log/privacyidea/privacyidea.log'



Stefan Steuer

Feb 22, 2015, 7:25:27 AM
to priva...@googlegroups.com
oh you're right :)
So I enabled the site and tried to reload apache2... failed.

apache2 errorlog:

[Sun Feb 22 11:47:51 2015] [error] [client ] File does not exist: /var/www/privacyidea
[Sun Feb 22 11:47:52 2015] [error] [client ] File does not exist: /var/www/favicon.ico
[Sun Feb 22 11:53:23 2015] [error] [client ] File does not exist: /var/www/privacyidea
[Sun Feb 22 11:53:27 2015] [error] [client ] File does not exist: /var/www/pi
[Sun Feb 22 11:54:40 2015] [error] [client ] File does not exist: /var/www/privacyidea-venv
[Sun Feb 22 13:14:15 2015] [error] [client ] File does not exist: /var/www/production

Stefan Steuer

Feb 22, 2015, 7:28:33 AM
to priva...@googlegroups.com
This is the correct error log

Syntax error on line 1 of /etc/apache2/sites-enabled/privacyidea.conf:
Invalid command 'WSGIPythonHome', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.
 failed!



Line 1: 

WSGIPythonHome /opt/privacyidea/privacyidea-venv

Stefan Steuer

Feb 22, 2015, 7:33:20 AM
to priva...@googlegroups.com
so ok....
Last post ;)

You should add that the following mods have to be installed :)

sudo apt-get install libapache2-mod-wsgi
sudo a2enmod wsgi
a2enmod ssl

Stefan Steuer

Feb 22, 2015, 7:47:26 AM
to priva...@googlegroups.com
In the privacyidea.conf you have the line with the DocumentRoot

     DocumentRoot /var/www

But there are no files - so the result is, when I try to open the website with the path which I defined in the WSGIScriptAlias, I get the following error code in the apache log

Cornelius Kölbel

Feb 22, 2015, 8:11:09 AM
to priva...@googlegroups.com
Hi,

this is weird.
It should not bother about the DocumentRoot.
Which URL are you calling?

Kind regards
Cornelius

Cornelius Kölbel

Feb 22, 2015, 8:23:21 AM
to priva...@googlegroups.com
I just checked.

You must not use

"require all granted", since probably you are running apache 2.2

The other stuff should work, so we need to check your apache config.

Kind regards
Cornelius

On 22.02.2015 at 13:47, Stefan Steuer wrote:

Stefan Steuer

Feb 22, 2015, 8:34:02 AM
to priva...@googlegroups.com
This is my privacyidea.conf - site is enabled.


WSGIPythonHome /opt/privacyidea/privacyidea-venv/
<VirtualHost _default_:80>
     ServerAdmin webmaster@localhost
     # You might want to change this
     ServerName localhost

     DocumentRoot /var/www
     <Directory />
             # For Apache 2.4 you need to set this:
             # Require all granted
             Options FollowSymLinks
             AllowOverride None
     </Directory>

     # We can run several instances on different paths with different configurations
     WSGIScriptAlias /pi/      /etc/privacyidea/piapp.wsgi
     #
     # The daemon is running as user 'privacyidea'
     # This user should have access to the encKey database encryption file
     WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
     WSGIProcessGroup privacyidea
     WSGIPassAuthorization On

     ErrorLog /var/log/apache2/error.log

     LogLevel warn
     LogFormat "%h %l %u %t %>s \"%m %U %H\"  %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
     CustomLog /var/log/apache2/ssl_access.log privacyIDEA

     #   SSL Engine Switch:
     #   Enable/Disable SSL for this virtual host.
     SSLEngine off

     #   If both key and certificate are stored in the same file, only the
     #   SSLCertificateFile directive is needed.
#     SSLCertificateFile    /etc/ssl/certs/privacyideaserver.pem
#     SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key

     <FilesMatch "\.(cgi|shtml|phtml|php)$">
             SSLOptions +StdEnvVars
     </FilesMatch>
     <Directory /usr/lib/cgi-bin>
             SSLOptions +StdEnvVars
     </Directory>
     BrowserMatch ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

</VirtualHost>

Cornelius Kölbel

Feb 22, 2015, 8:42:54 AM
to priva...@googlegroups.com
You should specify

WSGIScriptAlias /pi   /etc...

(without a trailing slash - otherwise you need to call explicitly https://yourmachine/pi/)

But on top of this it looks like that little error found its way back in when specifying a path at the WSGIScriptAlias.

I need to look into it.

Kind regards
Cornelius

Stefan Steuer

Feb 22, 2015, 8:50:24 AM
to priva...@googlegroups.com
If you need access to my test environment, I can send you the credentials via PM.

Stefan Steuer

Feb 22, 2015, 9:17:58 AM
to priva...@googlegroups.com
So I created an SSL certificate and activated SSL.

Now I'm able to see:

Stefan Steuer

Feb 22, 2015, 10:35:03 AM
to priva...@googlegroups.com
Issue solved!!! :)

WSGIScriptAlias /      /etc/privacyidea/piapp.wsgi


I can't define another ScriptAlias than the root directory... :)

Stefan Steuer

Feb 22, 2015, 11:14:46 AM
to priva...@googlegroups.com
The last problem is that I get a blank page while opening the otrs login screen.

Apache error log:
ERROR: OTRS-CGI-98 Perl: 5.14.2 OS: linux Time: Sun Feb 22 17:10:33 2015
 Message: Can't load backend module Kernel::System::Auth::privacyIDEA!
 RemoteAddress: xxx
 RequestURI: /otrs/index.pl
 Traceback (5256):
   Module: Kernel::System::Auth::new Line: 69
   Module: Kernel::System::ObjectManager::_ObjectBuild Line: 222
   Module: Kernel::System::ObjectManager::Get Line: 176
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 721
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler Line: 41
   Module: (eval) (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 170
   Module: ModPerl::Registry::handler (v1.99) Line: 31


Config.pm
 $Self->{'AuthModule'} = 'Kernel::System::Auth::privacyIDEA';
 $Self->{'AuthModule::privacyIDEA::URL'} = "http://localhost:5001/validate/simplecheck";

Cornelius Kölbel

Feb 22, 2015, 11:26:16 AM
to priva...@googlegroups.com
If you are running otrs on the same system, this will not work!

You need to change the scriptalias.
Nevertheless I found the problem and will send the link for a patched version - immediately...

Kind regards
Cornelius

Cornelius Kölbel

Feb 22, 2015, 11:35:57 AM
to priva...@googlegroups.com

Stefan Steuer

Feb 22, 2015, 12:03:30 PM
to priva...@googlegroups.com
any idea regarding the blank otrs login screen?

Cornelius Kölbel

Feb 22, 2015, 12:09:41 PM
to priva...@googlegroups.com
Obviously your apache configuration is interfering.

As mentioned, I assume that you are running OTRS in the same Apache host?
How does your apache config look like?

Then you need to run privacyIDEA with the WSGIScriptAlias. Otherwise the path /otrs/index.pl would be grabbed by the WSGI script.

Kind regards
Cornelius



On 22.02.2015 at 18:03, Stefan Steuer wrote:
any idea regarding the blank otrs login screen?

Stefan Steuer

Feb 22, 2015, 12:27:30 PM
to priva...@googlegroups.com
Yes - OTRS and privacyIDEA are on the same host.

apache.conf: default config.

privacyidea.conf as posted.

conf.d/otrs.conf

# --
# added for OTRS (http://otrs.org/)
# --

ScriptAlias /otrs/ "/opt/otrs/bin/cgi-bin/"
Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"

<IfModule mod_perl.c>

    # Setup environment and preload modules
    Perlrequire /opt/otrs/scripts/apache2-perl-startup.pl

    # Reload Perl modules when changed on disk
    PerlModule Apache2::Reload
    PerlInitHandler Apache2::Reload

    # general mod_perl2 options
    <Location /otrs>
#        ErrorDocument 403 /otrs/customer.pl
        ErrorDocument 403 /otrs/index.pl
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv

        <IfModule mod_version.c>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
        </IfModule>
        <IfModule !mod_version.c>
            Order allow,deny
            Allow from all
        </IfModule>

        <IfModule mod_deflate.c>
            AddOutputFilterByType DEFLATE text/html text/javascript text/css text/xml application/json text/json
        </IfModule>
    </Location>

<Directory "/opt/otrs/var/httpd/htdocs/">
    AllowOverride None

    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/javascript text/css text/xml application/json text/json
    </IfModule>

    # Make sure CSS and JS files are read as UTF8 by the browsers.
    AddCharset UTF-8 .css
    AddCharset UTF-8 .js

    # Set explicit mime type for woff fonts since it is relatively new and apache may not know about it.
    AddType application/font-woff .woff

</Directory>

<IfModule mod_headers.c>
    # Cache css-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css-cache">
        <FilesMatch "\.(css|CSS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache css thirdparty for 4 hours, including icon fonts
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css/thirdparty">
        <FilesMatch "\.(css|CSS|woff|svg)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache js-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/js/js-cache">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache js thirdparty for 4 hours
    <Directory "/opt/otrs/var/httpd/htdocs/js/thirdparty/">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>
</IfModule>

# Limit the number of requests per child to avoid excessive memory usage
MaxRequestsPerChild 4000

Cornelius Kölbel

Feb 22, 2015, 12:31:30 PM
to priva...@googlegroups.com
Obviously this is an Apache issue.

You are writing "conf.d/otrs.conf" but it looks like a "sites-available"?

If you want to run both applications on one port on one server you must only have one VirtualHost definition.
I.e. you need to have one link in

    /etc/apache2/sites-available/

listening on port 443 with ONE certificate.

In this VirtualHost definition you might have

    WSGIScriptAlias /pi  /pathto/wsgi/script
    ScriptAlias /otrs/ ....
    Alias /otrs-web/....

Kind regards
Cornelius

Stefan Steuer

Feb 23, 2015, 7:59:31 AM
to priva...@googlegroups.com
Hi Cornelius,
so I tried to extract the parameter, but every time with the same result.

Blank page and the following apache error code:

ERROR: OTRS-CGI-98 Perl: 5.14.2 OS: linux Time: Mon Feb 23 12:55:48 2015

 Message: Can't load backend module Kernel::System::Auth::privacyIDEA!

 RemoteAddress: xxxxx
 RequestURI: /otrs/index.pl

 Traceback (4946):
   Module: Kernel::System::Auth::new Line: 69
   Module: Kernel::System::ObjectManager::_ObjectBuild Line: 222
   Module: Kernel::System::ObjectManager::Get Line: 176
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 721
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler Line: 41
   Module: (eval) (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 170
   Module: ModPerl::Registry::handler (v1.99) Line: 31

privacyidea.conf

WSGIPythonHome /opt/privacyidea/privacyidea-venv
<VirtualHost _default_:443>
     ServerAdmin webmaster@localhost
     # You might want to change this
     ServerName localhost

     DocumentRoot /var/www
     <Directory />
             # For Apache 2.4 you need to set this:
             # Require all granted
             Options FollowSymLinks
             AllowOverride None
     </Directory>

     # We can run several instances on different paths with different configurations
     WSGIScriptAlias /      /etc/privacyidea/piapp.wsgi
     #
     # The daemon is running as user 'privacyidea'
     # This user should have access to the encKey database encryption file
     WSGIDaemonProcess privacyidea processes=1 threads=15 display-name=%{GROUP} user=privacyidea
     WSGIProcessGroup privacyidea
     WSGIPassAuthorization On

     ErrorLog /var/log/apache2/error.log

     LogLevel warn
     LogFormat "%h %l %u %t %>s \"%m %U %H\"  %b \"%{Referer}i\" \"%{User-agent}i\"" privacyIDEA
     CustomLog /var/log/apache2/ssl_access.log privacyIDEA

     #   SSL Engine Switch:
     #   Enable/Disable SSL for this virtual host.
     SSLEngine on

     #   If both key and certificate are stored in the same file, only the
     #   SSLCertificateFile directive is needed.
     SSLCertificateFile    /etc/ssl/certs/apache.pem
#     SSLCertificateKeyFile /etc/ssl/private/privacyideaserver.key

     <FilesMatch "\.(cgi|shtml|phtml|php)$">
             SSLOptions +StdEnvVars
     </FilesMatch>
     <Directory /usr/lib/cgi-bin>
             SSLOptions +StdEnvVars
     </Directory>
     BrowserMatch ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

# --
# added for OTRS (http://otrs.org/)
# --

ScriptAlias /otrs/ "/opt/otrs/bin/cgi-bin/"
Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"
</VirtualHost>



conf.d/otrs.conf
</Location>

Stefan Steuer

Feb 23, 2015, 8:00:21 AM
to priva...@googlegroups.com
Sorry, wrong otrs.conf.

Cornelius Kölbel

Feb 23, 2015, 8:02:49 AM
to priva...@googlegroups.com
Hi Stefan,
I did not get the error. You said a white page?

Obviously your configuration did not use VirtualHosts before.

Just disable privacyidea-site and enable your old site.
How did your old site look like?

Kind regards
Cornelius

Stefan Steuer

Feb 23, 2015, 8:11:28 AM
to priva...@googlegroups.com
When I disable the site I also get a blank page.
But I found the issue...

/opt/otrs/Kernel/Config.pm
 $Self->{'AuthModule'} = 'Kernel::System::Auth::privacyIDEA';
 $Self->{'AuthModule::privacyIDEA::URL'} = "localhost:5001/validate/simplecheck";


When I insert these two lines into the Config.pm I get the blank page. When I delete them I get the login screen.



Cornelius Kölbel

Feb 23, 2015, 8:28:02 AM
to priva...@googlegroups.com
OK, I was not aware that you already activated the privacyIDEA module in OTRS.

So you need to change this to the correct URL - I think in your case it might be:

    https://localhost/pi/validate/simplecheck

Kind regards
Cornelius

Stefan Steuer

Feb 23, 2015, 8:52:55 AM
to priva...@googlegroups.com
Same result.
I think that the auth/privacyidea.pm is not compatible with OTRS4

Cornelius Kölbel

Feb 23, 2015, 8:54:44 AM
to priva...@googlegroups.com
What does the OTRS error log say?

And I think otrs writes to the apache error log, can you see anything there?

Kind regards
Cornelius

Stefan Steuer

Feb 23, 2015, 9:04:44 AM
to priva...@googlegroups.com
The OTRS error log is empty.
There are only entries in the apache log.

Stefan Steuer

Feb 23, 2015, 9:21:23 AM
to priva...@googlegroups.com
Now I put the two lines into /opt/otrs/Kernel/Config/Default.pm.

result: blank page

Apache Error log:

[Mon Feb 23 15:18:50 2015] privacyIDEA.pm: Bareword found where operator expected at /opt/otrs//Kernel/System/Auth/privacyIDEA.pm line 5, near ""en" class"
[Mon Feb 23 15:18:50 2015] privacyIDEA.pm:      (Missing operator before class?)
[Mon Feb 23 15:18:50 2015] privacyIDEA.pm: Bareword found where operator expected at /opt/otrs//Kernel/System/Auth/privacyIDEA.pm line 12, near "<title>privacyidea"
[Mon Feb 23 15:18:50 2015] privacyIDEA.pm:      (Missing operator before privacyidea?)
ERROR: OTRS-CGI-98 Perl: 5.14.2 OS: linux Time: Mon Feb 23 15:18:50 2015


 Message: Unrecognized character \xC2; marked by <-- HERE after at master <-- HERE near column 49 at /opt/otrs//Kernel/System/Auth/privacyIDEA.pm line 12.


 RemoteAddress: xxxxxx
 RequestURI: /otrs/index.pl

 Traceback (5403):
   Module: Kernel::System::Auth::new Line: 69
   Module: Kernel::System::ObjectManager::_ObjectBuild Line: 222
   Module: Kernel::System::ObjectManager::Get Line: 176
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 721
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler Line: 41
   Module: (eval) (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 170
   Module: ModPerl::Registry::handler (v1.99) Line: 31

ERROR: OTRS-CGI-98 Perl: 5.14.2 OS: linux Time: Mon Feb 23 15:18:50 2015

 Message: Can't load backend module Kernel::System::Auth::privacyIDEA!

 RemoteAddress: xxxx
 RequestURI: /otrs/index.pl

 Traceback (5403):
   Module: Kernel::System::Auth::new Line: 69
   Module: Kernel::System::ObjectManager::_ObjectBuild Line: 222
   Module: Kernel::System::ObjectManager::Get Line: 176
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 721
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler Line: 41
   Module: (eval) (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 204
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 170
   Module: ModPerl::Registry::handler (v1.99) Line: 31

Stefan Steuer

Feb 23, 2015, 9:40:45 AM
to priva...@googlegroups.com
Okay... I just found the issue...
When I downloaded the file with wget it added some curious Google content....

Now I get an error 500 (apache error) which I can fix - hopefully ;)

Stefan Steuer

Feb 23, 2015, 9:42:44 AM
to priva...@googlegroups.com
[Mon Feb 23 15:39:03 2015] [error] [Mon Feb 23 15:39:03 2015] -e: No LogObject! at /opt/otrs//Kernel/System/Auth/privacyIDEA.pm line 24.\n
[Mon Feb 23 15:39:05 2015] [error] [Mon Feb 23 15:39:05 2015] -e: No LogObject! at /opt/otrs//Kernel/System/Auth/privacyIDEA.pm line 24.\n
[Mon Feb 23 15:41:37 2015] [error] [Mon Feb 23 15:41:37 2015] -e: No LogObject! at /opt/otrs//Kernel/System/Auth/privacyIDEA.pm line 24.\n

Cornelius Kölbel

Feb 23, 2015, 9:57:01 AM
to priva...@googlegroups.com

Stefan Steuer

unread,
Feb 23, 2015, 10:10:10 AM2/23/15
to priva...@googlegroups.com
mhm... any idea?

Cornelius Kölbel

unread,
Feb 23, 2015, 10:28:16 AM2/23/15
to priva...@googlegroups.com
Just looking into it.

Cornelius Kölbel

unread,
Feb 23, 2015, 11:41:39 AM2/23/15
to priva...@googlegroups.com
Good news!
I was able to reproduce the problem.
So half the way is done now ;-)

Running a vanilla OTRS 4.0.5.

Kind regards
Cornelius

Cornelius Kölbel

unread,
Feb 23, 2015, 12:06:57 PM2/23/15
to priva...@googlegroups.com
I can say as much as this:
otrs 4.0 has changed a lot compared to 3.
This will be a new privacyidea otrs module!

Kind regards
Cornelius

Stefan Steuer

unread,
Feb 23, 2015, 1:48:27 PM2/23/15
to priva...@googlegroups.com
oh okay :(

Cornelius Kölbel

unread,
Feb 23, 2015, 5:04:12 PM2/23/15
to priva...@googlegroups.com
Hi Stefan,

...here we go.

I checked this module on my site. Please take a look to see if it works for you, too.
https://github.com/privacyidea/privacyidea/blob/master/authmodules/OTRS/privacyIDEA-4_0.pm

In the header of the module you can see how it should be configured in Kernel/Config.pm:

    # $Self->{'AuthModule'} = 'Kernel::System::Auth::privacyIDEA';
    # $Self->{'AuthModule::privacyIDEA::URL'} = "https://localhost/validate/check";
    # $Self->{'AuthModule::privacyIDEA::disableSSLCheck'} = "yes";

Note that you need to call /validate/check now, not simplecheck.
If you have no valid certificate, you need to set disableSSLCheck to any value, like "yes" ;-)

Kind regards
Cornelius

Stefan Steuer

unread,
Feb 24, 2015, 2:09:41 AM2/24/15
to priva...@googlegroups.com
Hi Cornelius,
I think that there is a big bug or a wrong config on my site :(

Now I'll get the login screen but....

e.g. my credentials are M.Mustermann and the pw testpassword123!

But now I'm able to log in with any password, e.g. M.Mustermann kfgafasdasd or M.Mustermann and twfnaedsf

Cornelius Kölbel

unread,
Feb 24, 2015, 3:29:52 AM2/24/15
to priva...@googlegroups.com
Hi Stefan,

I assume there is a difference between perl on ubuntu 14.04 and debian wheezy as far as the interpretation of true and false is concerned.

Could you please try the attached module (rename it) and then take a look at the apache error log:

Mine looks like this:

 Message: {
  "detail": {
    "message": "wrong otp value",
    "serial": "OATH0000FB1E",
    "type": "hotp"
  },
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "status": true,
    "value": false
  },
  "version": "privacyIDEA 2.1dev0"
}

 RemoteAddress: 127.0.0.1
 RequestURI: /otrs/index.pl

 Traceback (18793):
   Module: Kernel::System::Auth::privacyIDEA::Auth Line: 128
   Module: Kernel::System::Auth::Auth Line: 142
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 242

   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler Line: 41
   Module: (eval) (v1.99) Line: 206
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 206
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 172

   Module: ModPerl::Registry::handler (v1.99) Line: 31

ERROR: OTRS-CGI-56 Perl: 5.18.2 OS: linux Time: Tue Feb 24 09:26:18 2015

 Message: result is: 0


The API result contains "value": false if the authentication failed.
If your perl thinks of "false" as a string, it will let the user in.

My Perl interprets "false" as False and this is why the
Message: result is: 0

So the question is what your Message: result looks like.

Kind regards
Cornelius
privacyIDEA-4_0.pm
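The fail-open behaviour Cornelius describes (a JSON `false` that ends up handled as a non-empty string) next to the fail-closed check an auth module needs, as an added Python example that is not part of the thread or of the privacyIDEA OTRS module; both response bodies are constructed to match the shape quoted above, and the function names are mine.

```python
import json

# Constructed sample, matching the /validate/check response shape quoted in
# the thread: the token rejected the OTP value, so result.value is false.
WRONG_OTP_RESPONSE = """{
  "detail": {"message": "wrong otp value", "serial": "OATH0000FB1E", "type": "hotp"},
  "id": 1,
  "jsonrpc": "2.0",
  "result": {"status": true, "value": false},
  "version": "privacyIDEA 2.1dev0"
}"""

# Constructed sample of a successful check (same shape, value true).
OK_RESPONSE = """{
  "detail": {"message": "matching 1 tokens", "serial": "OATH0000FB1E", "type": "hotp"},
  "id": 1,
  "jsonrpc": "2.0",
  "result": {"status": true, "value": true},
  "version": "privacyIDEA 2.1dev0"
}"""


def naive_allows(body):
    """The failure mode from the thread, reproduced on purpose: the decoded
    value is stringified and tested for truthiness, so the non-empty string
    "false" counts as success and the user with the wrong OTP is let in."""
    data = json.loads(body)
    value = str(data["result"]["value"]).lower()  # False -> "false"
    return bool(value)                             # "false" is truthy


def validate_check_allows(body):
    """Fail-closed interpretation of a /validate/check response.

    Access is granted only when result.status and result.value are both the
    JSON boolean true. Malformed JSON, a missing key, the string "true" or
    any other truthy non-boolean is treated as a denial.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return False
    result = data.get("result") if isinstance(data, dict) else None
    if not isinstance(result, dict):
        return False
    # `is True` rejects 1, "true", "false" and other truthy non-booleans.
    return result.get("status") is True and result.get("value") is True
```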

Cornelius Kölbel

unread,
Feb 24, 2015, 5:09:23 AM2/24/15
to priva...@googlegroups.com
I am a bit concerned: what was it that you were able to authenticate to OTRS with the wrong password?

You may want to check your OTP at the privacyIDEA UI first.
I recommend starting with event-based OTP, since there are fewer things to go wrong ;-)

If you go to the token details you can:

* reset the OTP PIN and
* use the action "Test token": you can enter the OTP PIN and the OTP value there and click "test token".

Kind regards
Cornelius

On 24.02.2015 at 10:40, Stefan Steuer wrote:
> I'm sorry but now I'm not able to log in (with the old and new file) .....arghhhhh...
> Attached you'll find the screenshots of my configuration.
>
> Apache error code is:
>
> can not authenticate: wrong otp pin

 

Stefan Steuer

unread,
Feb 24, 2015, 5:18:13 AM2/24/15
to priva...@googlegroups.com
So I created a HOTP.

Set PIN to "123456"
Scan the barcode.
Go to the "Test token" line

Enter 123456 and the token out of the google auth.

Wrong OTP.

Cornelius Kölbel

unread,
Feb 24, 2015, 6:10:18 AM2/24/15
to priva...@googlegroups.com
It seems to me that the wheezy package is not playing that well. I cannot see these issues on another distribution.

Can you please:

1. install python-virtualenv
   apt-get install python-virtualenv
   and restart the webserver

2. create a useridresolver of /etc/passwd and create a realm with this resolver.
    enroll a new token to a user from passwd, to see if this is somehow linked to the sqlusers...

Kind regards
Cornelius

Cornelius Kölbel

unread,
Feb 24, 2015, 6:24:57 AM2/24/15
to priva...@googlegroups.com
Please also take a look at /var/log/privacyidea/privacyidea.log

Stefan Steuer

unread,
Feb 24, 2015, 6:27:42 AM2/24/15
to priva...@googlegroups.com
Can you please explain step 2?


Stefan Steuer

unread,
Feb 24, 2015, 6:28:19 AM2/24/15
to priva...@googlegroups.com
privacyidea.log

[2015-02-24 11:18:51,138][6222][140443699234560][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-24 11:18:51,179][6222][140443699234560][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-24 11:19:08,958][6222][140443682449152][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-24 11:19:09,002][6222][140443682449152][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-24 11:19:09,040][6222][140443682449152][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-24 11:19:09,078][6222][140443682449152][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-24 11:19:09,120][6222][140443682449152][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-24 11:19:09,161][6222][140443682449152][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-24 12:20:56,234][22034][140178216625920][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-24 12:20:56,398][22034][140178216625920][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-24 12:20:56,541][22034][140178115913472][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-24 12:20:56,588][22034][140178115913472][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-24 12:21:02,008][22034][140178115913472][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-24 12:21:20,223][22034][140178107520768][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-24 12:21:20,281][22034][140178107520768][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-24 12:21:20,446][22034][140178115913472][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))

Cornelius Kölbel

unread,
Feb 24, 2015, 6:39:38 AM2/24/15
to priva...@googlegroups.com
Your logfile really shows...

...nothing.

Step 2:
I cannot see this behaviour on a debian machine I have.
But I have no resolver to an OTRS on this debian at the moment.
So I want to rule out that it is something with the resolvers.

I know that using a password resolver should work. The resolver might introduce some strange behaviour due to the policy checks.

So you need to create a new user resolver pointing to /etc/passwd and create a new realm with this resolver.
Then enroll a new token with a user from this resolver.
A token without a user assigned will not check. This is a bug I just fixed.

Kind regards
Cornelius

Stefan Steuer

unread,
Feb 24, 2015, 6:59:27 AM2/24/15
to priva...@googlegroups.com
same error.

Cornelius Kölbel

unread,
Feb 24, 2015, 7:35:53 AM2/24/15
to priva...@googlegroups.com
I remember you had a strange policy with no meaning.
Please delete the policy.
(Delete all policies!)

Obviously the wheezy package is not stable in your case.
Is it a 32bit or 64bit system?

As a last resort, you should remove the package and install via pip.

Kind regards
Cornelius


-- 
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Stefan Steuer

unread,
Feb 24, 2015, 7:39:02 AM2/24/15
to priva...@googlegroups.com
So I deleted all policies: same result with both.

64bit wheezy

Cornelius Kölbel

unread,
Feb 24, 2015, 8:52:35 AM2/24/15
to priva...@googlegroups.com
For what it's worth:

You can increase the log level
 PI_LOGLEVEL = 10
and see if something useful comes up in the log.

If nothing comes up, I would use pip install and my homework is to create a stable wheezy package.

Kind regards
Cornelius

Stefan Steuer

unread,
Feb 24, 2015, 9:17:17 AM2/24/15
to priva...@googlegroups.com
I'll reset my VM and reinstall otrs and privacyidea ;)

Stefan Steuer

unread,
Feb 24, 2015, 10:04:15 AM2/24/15
to priva...@googlegroups.com
After I reinstalled privacyidea ... it works..... :)
Thank you for the great support!

I'll install PI on saturday/sunday in my production environment and give you feedback!

Stefan Steuer

unread,
Feb 24, 2015, 10:09:17 AM2/24/15
to priva...@googlegroups.com
One last question ;)

Is it possible to log in with the OTP/google auth code without the PIN?

Cornelius Kölbel

unread,
Feb 24, 2015, 10:32:40 AM2/24/15
to priva...@googlegroups.com
Hi Stefan,

I wonder what got mixed up there.

You can log in with only what I call the OTP value by
1. either setting the OTP PIN = "" (oops, I think you cannot do this via the web UI)
2. or defining a policy like this...



Kind regards
Cornelius

Stefan Steuer

unread,
Feb 24, 2015, 10:40:13 AM2/24/15
to priva...@googlegroups.com
ok great.

Stefan Steuer

unread,
Feb 24, 2015, 11:01:20 AM2/24/15
to priva...@googlegroups.com
Is it possible to deliver some more information with the QR code?
e.g. the username instead of the ID, and the system name?

screenshot attached
screen.png

Cornelius Kölbel

unread,
Feb 24, 2015, 11:05:32 AM2/24/15
to priva...@googlegroups.com

Stefan Steuer

unread,
Feb 28, 2015, 2:17:03 PM2/28/15
to priva...@googlegroups.com
Dear Cornelius,
now I installed privacyidea without any errors in my "live environment" :)
ldap works fine

But ;)

When I try to get the user list with the mysql-resolver I'll get the following error code.
OTRS 4 uses another codec in the MySQL DB.

'utf8' codec can't decode byte 0xfc in position 1: invalid start byte 

Stefan Steuer

unread,
Feb 28, 2015, 3:01:41 PM2/28/15
to priva...@googlegroups.com
The next bug is that when I want to use the ldap-resolver and enroll a token, I'll get the following error:
Found more than one object for Loginname u's.steuer'

privacyidea.log:

[2015-02-28 21:00:03,142][25486][140692787885824][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-02-28 21:00:03,263][25486][140692787885824][ERROR][privacyidea.app:1423] Exception on /token/init [POST]
Traceback (most recent call last):
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/privacyidea/api/lib/prepolicy.py", line 79, in policy_wrapper
    action=self.action)
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/privacyidea/api/lib/prepolicy.py", line 167, in check_max_token_realm
    user_object = get_user_from_param(params)
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/privacyidea/lib/user.py", line 403, in get_user_from_param
    user_object = User(login=username, realm=realm)
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/privacyidea/lib/log.py", line 101, in log_wrapper
    f_result = func(*args, **kwds)
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/privacyidea/lib/user.py", line 87, in __init__
    self.get_resolvers()
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/privacyidea/lib/user.py", line 172, in get_resolvers
    uid = y.getUserId(self.login)
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 241, in getUserId
    LoginName)
Exception: Found more than one object for Loginname u's.steuer'
 

Cornelius Kölbel

unread,
Feb 28, 2015, 6:10:35 PM2/28/15
to priva...@googlegroups.com
This probably is a misconfiguration in your LDAP resolver.

What do your LDAP Resolver settings look like?

What is your login attribute?
Your Search Filter and User Filter?

This part of the code takes your search filter and constructs an ldap filter like this:

    (&(......)(<LoginAttribute>=s.steuer))

You might want to check with ldap-utils (ldapsearch) which conflicting objects are found.

Kind regards
Cornelius
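How the filter above is composed, and why a root base DN trips the "more than one object" check, as an added Python example that is not the privacyIDEA resolver's code; the search result is constructed, and the example assumes python-ldap's convention of returning search continuation references as `(None, [url])` tuples. It goes one step beyond the base-DN workaround given later in the thread by skipping those references explicitly and by escaping the login name before it goes into the filter.

```python
class AmbiguousLoginError(Exception):
    """The login name does not map to exactly one directory object."""


# RFC 4515 escaping of assertion values: the login name comes from the user,
# so it must not be able to change the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(search_filter, login_attribute, login):
    """Compose (&(<search filter>)(<login attribute>=<login>))."""
    if not (search_filter.startswith("(") and search_filter.endswith(")")):
        search_filter = "(%s)" % search_filter
    return "(&%s(%s=%s))" % (search_filter, login_attribute,
                             escape_filter_value(login))


# Constructed search result for a root base DN (dc=yourdomain,dc=tld) on an
# Active Directory: one real user plus two search continuation references
# (the Configuration partition among them). Assumption: python-ldap hands
# those back as (None, [url]) tuples when the client does not chase referrals.
ROOT_BASE_RESULT = [
    ("CN=Stefan Steuer,CN=Users,DC=yourdomain,DC=tld",
     {"sAMAccountName": [b"s.steuer"]}),
    (None, ["ldap://ForestDnsZones.yourdomain.tld/DC=ForestDnsZones,DC=yourdomain,DC=tld"]),
    (None, ["ldap://yourdomain.tld/CN=Configuration,DC=yourdomain,DC=tld"]),
]


def _require_one(dns, login):
    if len(dns) > 1:
        raise AmbiguousLoginError("Found more than one object for Loginname %r" % login)
    if not dns:
        raise AmbiguousLoginError("No object found for Loginname %r" % login)
    return dns[0]


def resolve_user_dn_naive(entries, login):
    """Count every returned tuple as a matching object: with a root base DN
    the continuation references inflate the count, which is how the error
    from the thread appears although only one user matched."""
    return _require_one([dn for dn, _attrs in entries], login)


def resolve_user_dn(entries, login):
    """Skip continuation references (dn is None) before enforcing uniqueness,
    so only real user objects can make a login ambiguous."""
    return _require_one([dn for dn, _attrs in entries if dn is not None], login)
```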

Stefan Steuer

unread,
Mar 1, 2015, 4:44:38 AM3/1/15
to priva...@googlegroups.com
Okay, I will try it.
What about my other error message? :-)

Cornelius Kölbel

unread,
Mar 1, 2015, 4:51:45 AM3/1/15
to priva...@googlegroups.com
Hi Stefan,

encodings.

I promise to buy this T-Shirt

     "Schei[] Encoding"

at the next opportunity!

Do you have the privacyidea.log file? It will give me a clue where it bailed out.

Thanks a lot and kind regards
Cornelius

Stefan Steuer

unread,
Mar 1, 2015, 5:47:35 AM3/1/15
to priva...@googlegroups.com
I used the default ldap-filter from your example (active directory)

Cornelius Kölbel

unread,
Mar 1, 2015, 6:30:35 AM3/1/15
to priva...@googlegroups.com
Good news, everybody.

I can reproduce the problem...

Looking into it.

Kind regards
Cornelius

Cornelius Kölbel

unread,
Mar 1, 2015, 6:35:54 AM3/1/15
to priva...@googlegroups.com
Hi Stefan,

there might be a problem with the referral chasing.
The search for the user also returns the Config partition etc...

You can work around it like this:
Please do not use the top-level base DN like "dc=yourdomain,dc=tld", but rather a subdir like:

    cn=users,dc=yourdomain,dc=tld

Then it works out fine.

Kind regards
Cornelius

Cornelius Kölbel

unread,
Mar 1, 2015, 6:42:10 AM3/1/15
to priva...@googlegroups.com

Stefan Steuer

unread,
Mar 1, 2015, 6:57:05 AM3/1/15
to priva...@googlegroups.com
The workaround for ldap works fine! :) Thx for that.

At least I need your support for the encoding ;)

Cornelius Kölbel

unread,
Mar 1, 2015, 7:04:24 AM3/1/15
to priva...@googlegroups.com
Please send the log file during the utf8 issue.

Thanks a lot
Cornelius

Stefan Steuer

unread,
Mar 1, 2015, 7:16:38 AM3/1/15
to priva...@googlegroups.com
Following you'll find the logfile


[2015-03-01 13:15:00,870][2707][140016716265216][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-01 13:15:01,707][2707][140016699479808][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-01 13:15:10,736][2707][140016716265216][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-01 13:15:14,389][2707][140016607160064][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-01 13:15:14,394][2707][140016607160064][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-01 13:15:14,395][2707][140016607160064][WARNING][privacyidea.lib.resolver:128] the passed key u'Map' is not a parameter for the resolver u'sqlresolver'
[2015-03-01 13:15:14,395][2707][140016607160064][WARNING][privacyidea.lib.resolver:128] the passed key u'Database' is not a parameter for the resolver u'sqlresolver'
[2015-03-01 13:15:14,395][2707][140016607160064][WARNING][privacyidea.lib.resolver:128] the passed key u'Driver' is not a parameter for the resolver u'sqlresolver'
[2015-03-01 13:15:14,395][2707][140016607160064][WARNING][privacyidea.lib.resolver:128] the passed key u'Server' is not a parameter for the resolver u'sqlresolver'
[2015-03-01 13:15:14,396][2707][140016607160064][WARNING][privacyidea.lib.resolver:128] the passed key u'Limit' is not a parameter for the resolver u'sqlresolver'
[2015-03-01 13:15:14,396][2707][140016607160064][WARNING][privacyidea.lib.resolver:128] the passed key u'User' is not a parameter for the resolver u'sqlresolver'
[2015-03-01 13:15:14,396][2707][140016607160064][WARNING][privacyidea.lib.resolver:128] the passed key u'Table' is not a parameter for the resolver u'sqlresolver'
[2015-03-01 13:15:14,396][2707][140016607160064][WARNING][privacyidea.lib.resolver:128] the passed key u'Password' is not a parameter for the resolver u'sqlresolver'
[2015-03-01 13:15:14,396][2707][140016607160064][WARNING][privacyidea.lib.resolver:128] the passed key u'Port' is not a parameter for the resolver u'sqlresolver'
[2015-03-01 13:15:21,979][2707][140016716265216][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-01 13:15:22,016][2707][140016716265216][ERROR][privacyidea.app:1423] Exception on /user/ [GET]
Traceback (most recent call last):
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/privacyidea/api/lib/prepolicy.py", line 80, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/privacyidea/api/user.py", line 97, in get_users
    return send_result(users)
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/privacyidea/api/lib/utils.py", line 124, in send_result
    return jsonify(res)
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/flask/json.py", line 238, in jsonify
    indent=indent),
  File "/opt/privacyidea/privacyidea-venv/local/lib/python2.7/site-packages/flask/json.py", line 126, in dumps
    rv = _json.dumps(obj, **kwargs)
  File "/usr/lib/python2.7/json/__init__.py", line 238, in dumps
    **kw).encode(obj)
  File "/usr/lib/python2.7/json/encoder.py", line 202, in encode
    chunks = list(chunks)
  File "/usr/lib/python2.7/json/encoder.py", line 427, in _iterencode
    for chunk in _iterencode_dict(o, _current_indent_level):
  File "/usr/lib/python2.7/json/encoder.py", line 401, in _iterencode_dict
    for chunk in chunks:
  File "/usr/lib/python2.7/json/encoder.py", line 401, in _iterencode_dict
    for chunk in chunks:
  File "/usr/lib/python2.7/json/encoder.py", line 325, in _iterencode_list
    for chunk in chunks:
  File "/usr/lib/python2.7/json/encoder.py", line 383, in _iterencode_dict
    yield _encoder(value)
UnicodeDecodeError: 'utf8' codec can't decode byte 0xfc in position 1: invalid start byte

Stefan Steuer

unread,
Mar 1, 2015, 1:00:47 PM3/1/15
to priva...@googlegroups.com
Do you need any other information?

Cornelius Kölbel

unread,
Mar 1, 2015, 2:31:14 PM3/1/15
to priva...@googlegroups.com
Hi,
No, I just need some time to look into it ;-)

Kind regards
Cornelius


On 01.03.2015 at 19:00, Stefan Steuer wrote:
> Do you need any other information?

Cornelius Kölbel

unread,
Mar 2, 2015, 3:42:36 AM3/2/15
to priva...@googlegroups.com
Hi Stefan,

the exception occurs after privacyIDEA has handled the request and the
result is about to be sent to the browser.
The "return jsonify(res)" is the last statement in the request handling.
Jsonify is a third party module.
So there is something strange with the input "res" to it.
Something is starting with the letter "ü".

A) Can you give me some more information about:
What database field contains the "ü" and what are you doing at the moment? Just listing the users?
The more information you can provide about your installation, the better.

B) Can you turn on debug level and try again?
In /etc/privacyidea/pi.cfg you can set:

PI_LOGLEVEL = 10

C) I could send you a development/debug-package, that creates more log
output, i.e. the "res" before it enters the jsonify, if you would be
happy with that.

Kind regards
Cornelius




On 01.03.2015 at 13:16, Stefan Steuer wrote:
> return jsonify(res)

Stefan Steuer

unread,
Mar 2, 2015, 4:22:01 AM3/2/15
to priva...@googlegroups.com
Dear Cornelius,
I found some "ü" in the name of the otrs-agents column. But nothing starts with a "ü".

I think the problem is that otrs is utf8_general_ci (Storage-Engine (InnoDB))


Error log with PI_LOGLEVEL 10

[2015-03-02 10:21:10,139][22040][140451446462208][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-02 10:21:10,506][22040][140451446462208][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-02 10:21:10,806][22040][140451555567360][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-02 10:21:10,958][22040][140451555567360][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-02 10:21:19,127][22040][140451446462208][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-02 10:21:20,111][22040][140451454854912][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-02 10:21:20,117][22040][140451454854912][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-02 10:21:20,118][22040][140451454854912][WARNING][privacyidea.lib.resolver:128] the passed key u'Map' is not a parameter for the resolver u'sqlresolver'
[2015-03-02 10:21:20,119][22040][140451454854912][WARNING][privacyidea.lib.resolver:128] the passed key u'Database' is not a parameter for the resolver u'sqlresolver'
[2015-03-02 10:21:20,119][22040][140451454854912][WARNING][privacyidea.lib.resolver:128] the passed key u'Driver' is not a parameter for the resolver u'sqlresolver'
[2015-03-02 10:21:20,119][22040][140451454854912][WARNING][privacyidea.lib.resolver:128] the passed key u'Server' is not a parameter for the resolver u'sqlresolver'
[2015-03-02 10:21:20,120][22040][140451454854912][WARNING][privacyidea.lib.resolver:128] the passed key u'Limit' is not a parameter for the resolver u'sqlresolver'
[2015-03-02 10:21:20,120][22040][140451454854912][WARNING][privacyidea.lib.resolver:128] the passed key u'User' is not a parameter for the resolver u'sqlresolver'
[2015-03-02 10:21:20,120][22040][140451454854912][WARNING][privacyidea.lib.resolver:128] the passed key u'Table' is not a parameter for the resolver u'sqlresolver'
[2015-03-02 10:21:20,120][22040][140451454854912][WARNING][privacyidea.lib.resolver:128] the passed key u'Password' is not a parameter for the resolver u'sqlresolver'
[2015-03-02 10:21:20,121][22040][140451454854912][WARNING][privacyidea.lib.resolver:128] the passed key u'Port' is not a parameter for the resolver u'sqlresolver'
[2015-03-02 10:21:23,233][22040][140451555567360][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-02 10:21:24,848][22040][140451555567360][WARNING][privacyidea.lib.config:451] unable to load resolver module : 'resolvers.SCIMIdResolver' (ImportError('cannot import name getResolverClass',))
[2015-03-02 10:21:24,875][22040][140451555567360][ERROR][privacyidea.app:1423] Exception on /user/ [GET]

Cornelius Kölbel

unread,
Mar 2, 2015, 8:43:33 AM3/2/15
to priva...@googlegroups.com
Hi Stefan,

thanks a lot for your patience.

I had to do some minor fixes. If a decoding error occurs, the whole user list is no longer missing, but only the value that could not be decoded. Interestingly enough, I need to set

Database Encoding  to "latin1"

in the sql resolver. Although the database is utf8_general_ci...

I will upload a version 2.1dev2 shortly. (As the deb-package is not based on 2.0)

Kind regards
Cornelius
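The per-value decoding fallback Cornelius describes, together with why the 0xfc byte from the error message decodes under latin1 but not under utf8, as an added Python example that is not the privacyIDEA SQL resolver's code; the row, its field names and the placeholder are constructed.

```python
import logging

log = logging.getLogger("sqlresolver.decode")

PLACEHOLDER = "<undecodable>"


def decode_user_row(row, db_encoding):
    """Decode the byte values of one SQL user row with the configured encoding.

    Mirrors the fix from the thread: a value that cannot be decoded is replaced
    by a placeholder and logged, instead of the whole user list failing later
    when the response is serialised to JSON.
    Returns (decoded_row, names of the fields that could not be decoded).
    """
    decoded, failed = {}, []
    for field, raw in row.items():
        if not isinstance(raw, (bytes, bytearray)):
            decoded[field] = raw  # already text, None or a number
            continue
        try:
            decoded[field] = bytes(raw).decode(db_encoding)
        except UnicodeDecodeError as err:
            log.warning("user field %s could not be decoded: %s", field, err)
            decoded[field] = PLACEHOLDER
            failed.append(field)
    return decoded, failed


# Constructed sample row: the OTRS agent table handed the resolver latin1
# bytes, so the umlaut in the last name is the single byte 0xfc, which is an
# invalid start byte in UTF-8 (the error quoted in the thread).
OTRS_ROW = {"id": 7, "login": b"s.steuer", "last_name": b"M\xfcller"}
```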

Stefan Steuer

unread,
Mar 2, 2015, 9:34:41 AM3/2/15
to priva...@googlegroups.com
OK great, so could you please create a manual on how I can update the files?


btw:
What do you think is safer?
LDAPS query with privacyIDEA or MySQL DB with privacyIDEA? Or LDAP-S (password policy at the domain controller) while auth. with OTRS (without privacyIDEA)?

Cornelius Kölbel

unread,
Mar 2, 2015, 10:08:17 AM3/2/15
to priva...@googlegroups.com

Am 02.03.2015 um 15:34 schrieb Stefan Steuer:
OK great - so please can create a manual how I can update the files?
dpkg -i new_deb_package
;-)

I will send you the link with the new package, when it is built.



btw: 
What do you think is safer?
LDAPS query with privacyIDEA or mySQL DB with privacyIDEA? Or LDAP-S (password policy at the domain controller) while auth. with OTRS (without privacyIDEA)
Of course not using privacyIDEA is UNsafer! :-)

THat is the idea with one time passwords, to avoid password sniffing by trojans or should surfers. So just using LDAP/OTRS is of course unsafer.

In one point using the users from the OTRS SQL database is safer:
An LDAP request sends an LDAP bind. At the moment a simple bind. A simple bind sends the ldap password over the wire. Although it is in the TLS tunnel.

Moreover, an ldap administrator could change the users password in ldap or modify the user data.

If you keep everything on one machine, you do not have these attack vectors.

...but there might be other points...

Kind regards
Cornelius



Cornelius Kölbel

Mar 2, 2015, 11:27:35 AM3/2/15
to priva...@googlegroups.com
Hi Stefan,

you'll find the package here:
https://www.privacyidea.org/wp-content/uploads/2015/privacyidea-venv_2.1~dev2_amd64.deb

And as I told you, I had to set

   database encoding = latin1

in my resolver, so I saw the OTRS user with the umlaut.

Kind regards
Cornelius

Stefan Steuer

Mar 2, 2015, 2:18:32 PM3/2/15
to priva...@googlegroups.com
root@support:/home/# dpkg -i privacyidea-venv_2.1~dev2_amd64.deb
(Lese Datenbank ... 33805 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Ersetzen von privacyidea-venv 2.1~dev1 (durch privacyidea-venv_2.1~dev2_amd64.deb) ...
Ersatz für privacyidea-venv wird entpackt ...
dpkg: Abhängigkeitsprobleme verhindern Konfiguration von privacyidea-venv:
 privacyidea-venv hängt ab von python-virtualenv; aber:
  Paket python-virtualenv ist nicht installiert.

dpkg: Fehler beim Bearbeiten von privacyidea-venv (--install):
 Abhängigkeitsprobleme - verbleibt unkonfiguriert
Fehler traten auf beim Bearbeiten von:
 privacyidea-venv


Stefan Steuer

Mar 2, 2015, 2:54:46 PM3/2/15
to priva...@googlegroups.com
installation fixed - but when I add the SQLresolver, create the realm there are no users displayed.

Cornelius Kölbel

Mar 2, 2015, 3:02:55 PM3/2/15
to priva...@googlegroups.com
apt-get install -f



Cornelius Kölbel

Mar 2, 2015, 3:04:04 PM3/2/15
to priva...@googlegroups.com
Did you restart the apache webserver?

Otherwise the new code will not be used.

How does your configuration look like, now?
And what does the privacyidea.log say?

Kind regards
Cornelius