Problem with PrivacyIDEA and Drupal for add two-step authentication feature


Mohsen Dehghani

Oct 18, 2015, 3:54:56 AM
to privacyidea
Hello guys
I want to add 2-step authentication by using PrivacyIDEA v2.6 and write a dedicated module for Drupal 7, by myself.
I have gone through these steps to set up and create connectivity between the Drupal DB and PrivacyIDEA:
1. Created a new sqlresolver in PrivacyIDEA and gave it the name "drupal". Also, inserted the connection information for Drupal in PrivacyIDEA and set up a database mapping. (Connection to the DB and table is working correctly.)
2. Created a new Realm named "drupal"; after that, added the drupal resolver to it (to the Realm) and set it as the default Realm.
3. Making a Token with these default values:
4. QRCode scanning by Google authenticator and generate Auth code
5. Entering user information like http://mydomain.com/validate/check?user=MYUSER&pass=MYPASSauthcode for authentication

Unfortunately, the following values are returned and the authentication fails: 

{
  "detail": {
    "message": "wrong otp pin"
  },
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "status": true,
    "value": false
  },
  "version": "privacyIDEA 2.6.dev1",
  "versionnumber": "2.6.dev1"
}

All these steps work correctly and return a true value in WordPress, but do not work for Drupal.

I think, password hashing of drupal 7 might cause the problem or it could be something else!
Please help me to fix this problem.

Cornelius Kölbel

Oct 18, 2015, 4:12:45 AM
to priva...@googlegroups.com
Hi Mohsen,

You did not mention, that you created an authentication policy.

The default behaviour is, that you need to enter the privacyIDEA token
specific OTP PIN, which you can set within privacyIDEA per token.

The default behaviour is not, to use the password from the userstore (in
your case the drupal password)

If you want to use the drupal password as OTP pin, you need to set an
authentication policy

scope:authentication
action:otppin=userstore

Please comment, if this helps.

Otherwise we might need to check for the password handling (hashing) in
drupal.

I would also like to add a presetting to the SQL Resolver for Drupal.
It would be great, if you would share your mapping with us, so that I
can add a button "Preset for Drupal".

Thanks a lot and kind regards
Cornelius

PS: You might also want to use latest privacyIDEA 2.7

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



Mohsen Dehghani

Oct 18, 2015, 9:54:47 AM
to privacyidea
Special thanks for your great support...

Regarding your answer, I have created an authentication policy with the following values:

Policy Name: drupal_policy
scope: authntication
action: otppin=userstore
user-realm: drupal
user-resolver: drupal

but still the authentication returns fail.

Cornelius Kölbel

Oct 19, 2015, 2:40:07 AM
to privacyidea
Obviously Drupal handles passwords a bit differently. If you would like to see Drupal support in privacyidea, we can use your help. You can provide as much information as possible.

1. Can you please send your mapping from the SQL resolver?

2. Please send an example database entry of a Drupal user. We need the contents of the password field from the DB users table.

Thanks a lot 
Cornelius



Mohsen Dehghani

Oct 19, 2015, 1:03:30 PM
to privacyidea
Yeah! It's true.

I'll give any help that I can!

To start, I have to say the Drupal users table structure is something like this:


Table name: users


Fields:

1) uid: int(10) [Auto Increment]
Primary Key: Unique user ID.

2) name: varchar(60)
Unique user name.

3) pass: varchar(128)
User’s password (hashed).

4) mail: varchar(254)
User’s e-mail address.

5) theme: varchar(255)
User’s default theme.

6) signature: varchar(255)
User’s signature.

7) signature_format: varchar(255)
The filter_format.format of the signature.

8) created: int(11)
Timestamp for when user was created.

9) access: int(11)
Timestamp for previous time user accessed the site.

10) login: int(11)
Timestamp for user’s last login.

11) status: tinyint(4)
Whether the user is active(1) or blocked(0).

12) timezone: varchar(32)
User’s time zone.

13) language: varchar(12)
User’s default language.

14) picture: int(11)
Foreign key: file_managed.fid of user’s picture.

15) init: varchar(254)
E-mail address used for initial account creation.

16) data: longblob [binary]
serialized array of name value pairs that are related to the user. Any form values posted during user edit are stored and are loaded into the $user object during user_load(). Use of this field is discouraged and it will likely disappear in a future...




1. Entered mapping in sql resolver:

table: usres
my entered test mapping: { "userid" : "uid", "username": "name", "email" : "mail", "password" : "pass" }




2. Some example entry from users table:
1. name: mohsen, pass: $S$D98Bg3ANTUrjVwx073djifdH1KxbyzXQaPrmbpxGOu4VXFyMClRz, original password: mohsen123
2. name: privacy, pass: $S$Dp8.YLUG.rtPOg0gEDLdj5BtALBXmWGTdKG73m9VxPK/60yezZjO, original password: privacy987
3. name: test, pass: $S$Dp8.YLUG.rtPOg0gEDLdj5BtALBXmWGTdKG73m9VxPK/60yezZjO, original password: test456
 

I will explain more about Drupal password hashing in the next posts...

Thanks a lot!

Mohsen Dehghani

Oct 20, 2015, 2:34:08 AM
to privacyidea
Sorry, a mistake has occurred !!!
The password of test user is: $S$DrU4ohs1VK19eJbYRiBU/kVcppVVHKGUvLcCFkrVXz8m3kDT/FV5
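
Added example (not part of the thread, and not privacyIDEA's code): a sketch of how a `$S$` value like the ones posted above is checked, following Drupal 7's phpass-style scheme of salted, iterated SHA-512 with a cost character and an 8-character salt in the prefix. The function names are hypothetical.

```python
import hashlib
import hmac

# Alphabet shared by phpass and Drupal 7; a char's index is its 6-bit value.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # Drupal 7 truncates the stored string to 55 chars
MIN_LOG2, MAX_LOG2 = 7, 30  # cost bounds Drupal 7 enforces


def _b64(data):
    """phpass-style encoding: little-endian 24-bit groups, 6 bits per char."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):  # n bytes give n + 1 characters
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return "".join(out)


def parse_setting(stored):
    """Return (count_log2, salt) from '$S$' + cost char + 8-char salt."""
    if (len(stored) != HASH_LENGTH or not stored.isascii()
            or not stored.startswith("$S$")):
        raise ValueError("not a Drupal 7 SHA-512 hash")
    count_log2 = ITOA64.index(stored[3])  # ValueError on a bad cost char
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError("iteration count out of range")  # bounds CPU cost
    return count_log2, stored[4:12]


def drupal7_hash(password, count_log2, salt):
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    setting = "$S$" + ITOA64[count_log2] + salt
    return (setting + _b64(digest))[:HASH_LENGTH]


def drupal7_verify(password, stored):
    try:
        count_log2, salt = parse_setting(stored)
    except ValueError:
        return False
    candidate = drupal7_hash(password, count_log2, salt)
    return hmac.compare_digest(candidate.encode(), stored.encode())
```

For the values posted in the thread, `parse_setting` reads the cost character `D` as 15 (2^15 rounds) and takes the next 8 characters as the salt.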

Cornelius Kölbel

Oct 20, 2015, 8:03:24 AM
to priva...@googlegroups.com
Hi,

the code was easy to extend for use with this hashing scheme.
I need to do some streamlining and add the UI button.

But after all, it will be part of 2.8.

I will tell you when the development version is online - so maybe you
want to test it then.

Thanks a lot and kind regards
Cornelius

Cornelius Kölbel

Oct 21, 2015, 2:09:02 AM
to priva...@googlegroups.com
Hi,
please check out the 2.8dev3 version, which should be able to verify
drupal passwords.

You can install it from the devel ppa repo.

Kind regards
Cornelius
On Monday, 19.10.2015, at 23:34 -0700, Mohsen Dehghani wrote:
> Sorry, a mistake has occurred !!!

Mohsen Dehghani

Oct 21, 2015, 4:10:56 AM
to privacyidea
Hi,

I'll test v2.8Dev3 and then report back to you.

Thank you so much...

Mohsen Dehghani

Nov 3, 2015, 2:49:04 AM
to privacyidea
Hi Cornelius,

Does privacyidea-dev support Ubuntu v15.04?
.
.
.
I have installed Ubuntu 15.04 and a LAMP stack on it.
Apache2, MySQL-Server and PHP5 work well.

To install Privacy2.8-dev3 on my Ubuntu, I did some steps according to this tutorial.

- All the privacyidea dependency packages were added successfully by entering:
sudo apt-get install packages-name

- Adding the devel repo is OK and during all operations there are no errors:
sudo add-apt-repository ppa:privacyidea/privacyidea-dev

- The update has no error and reads all package lists:
sudo apt-get update

But when I run
sudo apt-get install privacyidea

the terminal shows me:

building dependency tree
Reading state information... Done
E: Unable to locate package privacyidea


Help me plz to install PrivacyIDEA2.8-Dev3.
Tnx a lot.

Cornelius Kölbel

Nov 3, 2015, 3:17:46 AM
to priva...@googlegroups.com
Hello Mohsen,

the package "privacyidea" is deprecated.

Please install

"privacyidea-apache2", which will also install python-privacyidea.

You can also read the install manual:

http://privacyidea.readthedocs.org/en/latest/installation/ubuntu.html

Kind regards
Cornelius

Mohsen Dehghani

Nov 7, 2015, 2:33:26 PM
to privacyidea
Hello,

Another problem!
In the installation steps, when I run these commands, Ubuntu cannot get some packages:

sudo add-apt-repository ppa:privacyidea/privacyidea-dev
Adding the privacy development repository succeeds.

But,
sudo apt-get update

has an error:

Err http://ppa.launchpad.net wily/main amd64 Packages
  404  Not Found
Err http://ppa.launchpad.net wily/main i386 Packages
  404  Not Found

W: Failed to fetch http://ppa.launchpad.net/privacyidea/privacyidea-dev/ubuntu/dists/wily/main/binary-amd64/Packages  404  Not Found

W: Failed to fetch http://ppa.launchpad.net/privacyidea/privacyidea-dev/ubuntu/dists/wily/main/binary-i386/Packages  404  Not Found

E: Some index files failed to download. They have been ignored, or old ones used instead.


Cornelius Kölbel

Nov 7, 2015, 4:12:46 PM
to priva...@googlegroups.com
Hi,

the ppa repository is only available for 14.04lts trusty as suggested by
the installation guide.

http://privacyidea.readthedocs.org/en/latest/installation/ubuntu.html

It "might be" that those packages could run on wily, but I would not
recommend it.
On wily rather try installation via pip
http://privacyidea.readthedocs.org/en/latest/installation/pip.html

Kind regards
Cornelius


Houmanic

Nov 16, 2015, 5:33:46 AM
to privacyidea
Dear Cornelius

There is no such version (2.8 dev3 or other sub) in ppa repository for Ubuntu trusty or wily. In Launchpad ppa, the latest version is "2.7-1trusty".

Should I just rely on this latest Debian package?
privacyidea-venv_2.8~dev1-1_amd64.deb 


Cornelius Kölbel

Nov 16, 2015, 5:37:55 AM
to priva...@googlegroups.com
Dear Houmanic,

all "dev?"-Versions are development versions. Snapshots between the
releases.

The dev-Versions are located in an extra repository, in

ppa:privacyidea/privacyidea-dev

"Stable" versions are located in

ppa:privacyidea/privacyidea

The latest stable is 2.7.
The latest dev is 2.8~dev?

So if you want to use 2.8~dev you need to add the "privacyidea-dev" repo.
On Ubuntu I would use the repos.

Kind regards
Cornelius

Houmanic

Nov 16, 2015, 6:49:50 AM
to privacyidea
Thanks a lot for your quick response.