Failing to retrieve user list from Active Directory server

John Moore

Dec 24, 2014, 12:30:48 PM
to priva...@googlegroups.com
We're trying out PrivacyIDEA. Installed Version 1.4.1 from Ubuntu repositories. We set up a default realm and a userid from the local passwd file. That worked well enough, but when setting up an LDAP connection to our AD controllers we can't get any user accounts to show up. We're using the default setting for AD in the LDAP UserIDResolvers. When testing the connection it returns with the correct number of users. Checking the log file shows up the following error:

2014/12/24 - 12:08:57 ERROR {140040261662656} [privacyidea.lib.user][getUserList #637] Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 622, in getUserList
    ulist = y.getUserList(searchDict)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 232, in getUserList
    uid = entry.get(self.uidtype)[0]
TypeError: 'NoneType' object has no attribute '__getitem__'


Any idea on what we should check?

Cornelius Kölbel

Dec 24, 2014, 5:21:11 PM
to priva...@googlegroups.com
Hello,

Something happened that should not, so obviously you found a bug.

So you kept the default settings of the AD setting.
Is the UID type set to "DN"?
Can you please try to set the type to "dn"? (lower case?)


Kind regards
Cornelius
--
You received this message because you are subscribed to the Google Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/bccfbae6-d737-4036-8575-c5076e3f2f6e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

-- 
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Cornelius Kölbel

Dec 24, 2014, 5:30:55 PM
to priva...@googlegroups.com
After checking it on my site, I very much guess this is the issue and I opened an issue for this.

https://github.com/privacyidea/privacyidea/issues/63


Kind regards
Cornelius


John Moore

Dec 24, 2014, 10:51:48 PM
to priva...@googlegroups.com
Thanks for the quick reply. The default value for UID is set to DN. However, changing it to lower case dn didn't correct the issue.

Cornelius Kölbel

Dec 25, 2014, 4:29:25 AM
to priva...@googlegroups.com
What output do you get in the log file, when changing to lower case?

I assume you did add the LDAP resolver to the default realm?

Kind regards
Cornelius


Cornelius Kölbel

Dec 25, 2014, 7:00:44 AM
to priva...@googlegroups.com
Try the following setting:

    BASE DN: cn=users,dc=domaincomponent1,dc=domaincomponent2

Using top level: dc=...,dc=.. can cause an unhandled error.

Then use the searchfilter:

    (sAMAccountName=*)(objectClass=user)(objectClass=person)

to avoid getting objects other than users.

Finally use

    uid type:  objectGUID


I will release a new version with better error handling shortly.


Kind regards
Cornelius




Cornelius Kölbel

Dec 25, 2014, 9:29:07 AM
to priva...@googlegroups.com
Hello again,

What version of Windows is your domain controller running? 2012?

I uploaded a new release candidate on the privacyidea-dev candidate, which will work with the uid type = DN.
It will not work with the UID type=objectGUID on Windows 2012.

See here: https://launchpad.net/~privacyidea/+archive/ubuntu/privacyidea-dev/+packages

Please respond if 1.5-dev9 fixes your problem. I tested it successfully on my side.

Kind regards
Cornelius


John Moore

Dec 25, 2014, 9:50:46 AM
to priva...@googlegroups.com
Hmm, interesting results:

I'm using Windows 2008 R2 Domain controllers. I was binding the connection at the top of Active Directory tree.
Using UID Type: objectGUID I get the following error on screen: 'utf8' codec can't decode byte 0xb4 in position 0: invalid start byte
Changing the search filter to (sAMAccountName=*)(objectClass=user)(objectClass=person) and the BaseDN to a different OU I was able to retrieve my user list.

Thank you for your help!
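
Added example, not part of the original posts and not privacyIDEA's code: a defensive version of the UID lookup that raised the TypeError in the traceback, which also treats objectGUID as 16 raw bytes instead of UTF-8 text (the 0xb4 decode error). It assumes search results in python-ldap's (dn, attrs) tuple shape; the sample data is constructed and the names extract_uid and list_users are hypothetical.

```python
import uuid

# Constructed sample in the (dn, attrs) shape python-ldap returns for a search.
# A subtree search from the AD domain root can also yield referral rows whose
# DN is None and whose second element is a list of URLs, not an attribute dict.
SAMPLE_RESULTS = [
    ("CN=Alice,CN=Users,DC=example,DC=test", {
        "sAMAccountName": [b"alice"],
        "objectGUID": [bytes.fromhex("b4a1c3d2e5f6a7481122334455667788")],
    }),
    ("CN=Printer01,OU=Devices,DC=example,DC=test", {"cn": [b"Printer01"]}),
    (None, ["ldap://DomainDnsZones.example.test/DC=DomainDnsZones,DC=example,DC=test"]),
]


def extract_uid(dn, attrs, uidtype):
    """Return the UID as text, or None if this row cannot supply one."""
    if dn is None or not isinstance(attrs, dict):
        return None  # referral row, not a directory entry
    if uidtype.lower() == "dn":
        return dn  # the DN is the tuple's first element, not an attribute
    values = attrs.get(uidtype)
    if not values:
        return None  # attribute missing: skip the row instead of indexing None
    raw = values[0]
    if uidtype.lower() == "objectguid":
        # AD stores the GUID as 16 bytes in little-endian field order
        return str(uuid.UUID(bytes_le=raw))
    return raw.decode("utf-8")


def list_users(results, uidtype):
    """Return (users, skipped): usable entries and the count of rows dropped."""
    users, skipped = [], 0
    for dn, attrs in results:
        uid = extract_uid(dn, attrs, uidtype)
        if uid is None:
            skipped += 1
            continue
        users.append({"uid": uid, "dn": dn})
    return users, skipped
```

A non-zero skipped count is worth logging: it shows that the base DN or search filter is returning objects that are not user accounts.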

Cornelius Kölbel

Dec 25, 2014, 10:15:59 AM
to priva...@googlegroups.com
You are welcome.
Thanks a lot for your patience.

So you are running UID-Type=DN and a sub BaseDN, now.

Kind regards
Cornelius