Email OTP and Selfservice portal does not.

liush...@gmail.com
May 3, 2018, 12:43:48 AM
to LinOTP
I have two major issues with my LinOTP server. I hope someone can help me fix these issues.

1. Email OTP does not work; maybe there are some configuration issues.
2. The self-service portal does not work out of the box. It says login failed.

Server: CentOS 7
-------------------------------------
My Policy
[DetailsOnValidation]
realm = *
name = DetailsOnValidation
active = True
client = *
user = *
time = * * * * * *;
action = "detail_on_fail, "
scope = authorization

[sms_email]
realm = *
name = sms_email
action = "email_provider=sms2,"
client = *
user = admin
time = * * * * * *;
active = True
scope = authentication

[otppin]
realm = *
name = otppin
active = True
client = *
user = admin
time = * * * * * *;
action = otppin=1
scope = authentication

[email_provider1]
realm = *
name = email_provider1
action = email_provider=email
client = *
user = admin
time = * * * * * *;
active = True
scope = authentication

[autoenroll_email]
realm = *
name = autoenroll_email
active = False
client = *
user = admin
time = * * * * * *;
action = "autoenrollment=email,"
scope = enrollment

[challenge2]
realm = *
name = challenge2
action = challenge_response=HMAC TOTP PW
client = *
user = *
time = * * * * * *;
active = True
scope = authentication

[selfpol1]
realm = *
name = selfpol1
active = True
client = *
user = admin
time = * * * * * *;
action = "webprovisionGOOGLE, reset, resync, setOTPPIN, disable"
scope = selfservice
---------------------------------------
1. Data related to Email OTP

When I configure the Email Provider with the following data I get "SMTP AUTH extension not supported by server". Below are the error logs and the email provider config. How do I enable TLS?

Provider config:
{
"SMTP_SERVER":"smtp.office365.com",
"SMTP_USER":"em...@example.com",
"SMTP_PASSWORD":"PASSWORD",
"EMAIL_FROM":"em...@example.com",
"EMAIL_SUBJECT":"Your OTP"
}

When I do challenge response using /validate/check?user=myuser&pass=mypin
logs:
2018/05/03 - 09:30:31 ERROR [linotp.lib.challenges][create_challenge #219] Failed to create challenge: SMTPException('SMTP AUTH extension not supported by server.',)
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/linotp/lib/challenges.py", line 205, in create_challenge
token.createChallenge(transactionid, options=options)
File "/usr/lib/python2.7/site-packages/linotp/tokens/emailtoken.py", line 335, in createChallenge
success, status_message = self._sendEmail()
File "/usr/lib/python2.7/site-packages/linotp/tokens/emailtoken.py", line 426, in _sendEmail
message=message)
File "/usr/lib/python2.7/site-packages/linotp/provider/emailprovider/__init__.py", line 168, in submitMessage
smtp_connection.login(self.smtp_user, self.smtp_password)
File "/usr/lib64/python2.7/smtplib.py", line 584, in login

SMTPException: SMTP AUTH extension not supported by server.
2018/05/03 - 09:30:31 ERROR [linotp.lib.challenges][create_challenge #244] Failed to create or init challenge. Reason was "SMTPException('SMTP AUTH extension not supported by server.',)"
2018/05/03 - 09:30:31 ERROR [linotp.controllers.validate][check #262] [check] validate/check failed: SMTPException('SMTP AUTH extension not supported by server.',)
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/linotp/controllers/validate.py", line 233, in check
(ok, opt) = self._check(param)
File "/usr/lib/python2.7/site-packages/linotp/controllers/validate.py", line 161, in _check
(ok, opt) = vh.checkUserPass(user, passw, options=options)
File "/usr/lib/python2.7/site-packages/linotp/lib/auth/validate.py", line 577, in checkUserPass
tokenList, passw, user, options=options)
File "/usr/lib/python2.7/site-packages/linotp/lib/auth/validate.py", line 799, in checkTokenList
(res, reply) = fh.finish_checked_tokens()
File "/usr/lib/python2.7/site-packages/linotp/lib/auth/finishtokens.py", line 89, in finish_checked_tokens
(ret, reply, detail) = self.finish_challenge_token()
File "/usr/lib/python2.7/site-packages/linotp/lib/auth/finishtokens.py", line 273, in finish_challenge_token
id_postfix=id_postfix
File "/usr/lib/python2.7/site-packages/linotp/lib/challenges.py", line 245, in create_challenge
raise ReasonException
SMTPException: SMTP AUTH extension not supported by server.

---------------------
2. Data related to Selfservice portal
When I log in to the self-service portal using
username: myuser@realm
password: mypassword

logs:
2018/05/03 - 09:21:44 WARNI [linotp.useridresolver.SQLIdResolver][checkPass #601] [checkPass] user 3 failed to authenticate.

Note: I have tried with linotp-create-sqlidresolver-user.
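The SMTPException in the traceback above is raised by Python's smtplib itself, not by LinOTP: login() only sends AUTH when the most recent EHLO reply advertised an AUTH keyword. Submission servers that allow authentication only inside TLS (smtp.office365.com's published submission endpoint is port 587 with STARTTLS) omit AUTH from the plaintext EHLO reply and list it again after STARTTLS, so a login() issued before starttls() fails before any credentials are sent. The following is an added diagnostic, not LinOTP's code and not from the thread: it reproduces smtplib's decision on constructed EHLO replies and performs the STARTTLS, re-EHLO, AUTH sequence against a real server. The host, port and credentials in the usage note are placeholders, and which provider setting turns STARTTLS on in LinOTP's email provider is not stated in the thread, so this shows only what the SMTP side requires.

```python
"""Added example, not LinOTP's code: reproduce the 'SMTP AUTH extension not
supported by server' decision that smtplib makes, and do the STARTTLS -> EHLO
-> AUTH sequence that a TLS-only submission server expects.

smtplib.SMTP.login() looks at the features learned from the last EHLO reply and
raises SMTPException if "auth" is not among them. Servers that only allow AUTH
inside TLS omit AUTH from the plaintext EHLO reply and list it again after
STARTTLS, so login() before starttls() fails before a password is ever sent."""
import smtplib
import ssl

# Constructed EHLO replies modelled on a submission server that only offers
# AUTH inside TLS. They are not captured from the thread's server.
EHLO_PLAINTEXT = (
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 157286400\r\n"
    "250-PIPELINING\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_AFTER_TLS = (
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 157286400\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH LOGIN\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply):
    """Parse an EHLO reply (wire form with '250-' prefixes, or the prefix-less
    text smtplib hands back) into {keyword.lower(): params}, the same shape as
    smtplib's SMTP.esmtp_features. The first line (server name) is skipped."""
    features = {}
    for line in reply.splitlines()[1:]:
        line = line.strip()
        if len(line) > 4 and line[:3].isdigit() and line[3] in "- ":
            line = line[4:]                       # drop the '250-' / '250 ' prefix
        keyword, _, params = line.partition(" ")
        if keyword:
            features[keyword.lower()] = params
    return features


def auth_plan(features):
    """What a client must do next, given the features of the last EHLO reply:
    'login'       -> AUTH is advertised, login() will work
    'starttls'    -> no AUTH yet, but STARTTLS is offered; upgrade and re-EHLO
    'unsupported' -> neither; smtplib's login() raises SMTPException here"""
    if "auth" in features:
        return "login"
    if "starttls" in features:
        return "starttls"
    return "unsupported"


def connect_and_login(host, port, user, password, timeout=10):
    """Connect, upgrade to TLS when the server demands it, then authenticate.
    Returns the feature dicts seen before and after STARTTLS for inspection.
    Network call: host, port and credentials are the caller's placeholders."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        plan = auth_plan(before)
        if plan == "starttls":
            # create_default_context() verifies the server certificate; a bare
            # starttls() would still encrypt but not authenticate the peer.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()                           # capabilities change after TLS
            plan = auth_plan(smtp.esmtp_features)
        if plan != "login":
            raise smtplib.SMTPException(
                "%s:%d offers neither AUTH nor STARTTLS" % (host, port))
        smtp.login(user, password)
        return before, dict(smtp.esmtp_features)


if __name__ == "__main__":
    # Offline demonstration on the constructed replies.
    print("plaintext EHLO ->", auth_plan(parse_ehlo(EHLO_PLAINTEXT)))
    print("EHLO after TLS ->", auth_plan(parse_ehlo(EHLO_AFTER_TLS)))
```

To probe the real server from the LinOTP host, call `connect_and_login("smtp.office365.com", 587, "user@example.com", "PASSWORD")` with your own account (placeholders here); if the first returned dict has no "auth" key but the second does, the provider needs STARTTLS before AUTH and the thread's provider config, which names no port and no TLS option, cannot succeed as written.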


liush...@gmail.com
May 8, 2018, 12:18:15 AM
to LinOTP
Is there anyone who can help me with this?

Kay Winkler
May 8, 2018, 4:46:27 AM
to lin...@googlegroups.com
Hi Liushan,

sorry for the late reply.

I'd like to focus first on the selfservice login problem.

0. Please remove / disable all policies first.
1. Create a selfservice policy with user/realm=* and empty action

Next we have to take care of your userid resolver; could you tell
me which type (Flatfile/SQL/LDAP) you are using?

Best regards,

Kay Winkler


On 08.05.18 at 06:18, liush...@gmail.com wrote:
> Is there anyone who can help me with this?
>

--
Kay Winkler
Software Development

Phone: +49 6151 86086-262
Fax: +49 6151 86086-290
Mobile: +49 1751 874258
E-Mail: Kay.W...@keyidentity.com

www.keyidentity.com

KeyIdentity GmbH

Robert-Koch-Straße 9, 64331 Weiterstadt, DE

Registered office: Weiterstadt
District Court Darmstadt: HRB8649
Managing directors: Nils Manegold, Amir Alsbih

MAX 21 group of companies

liush...@gmail.com
May 8, 2018, 11:14:29 PM
to LinOTP
Hi Kay,
First of all, thanks a heap for replying.
_______________
Current Policy
[self1]
realm = *
name = self1
action = *
client = *
user = *
time = * * * * * *;
active = True
scope = selfservice
_________________

The userid resolver type is SQL.

Kay Winkler
May 9, 2018, 3:52:27 AM
to lin...@googlegroups.com
Hi Liushan,

If you are using an SQL resolver, we have to talk
about the way you created your passwords, as the selfservice
will try to use these. LinOTP supports several password formats.

How do you create these password entries? And how is this
addressed in your resolver configuration?

Or have you already verified the correct usage of the password
using a token with otppin=1 policy via /validate/check?

Best regards,

Kay

PS: are you using LinOTP on a RedHat variant? There is a known
problem with the selfservice.


On 09.05.18 at 05:14, liush...@gmail.com wrote:

liush...@gmail.com
May 9, 2018, 7:01:02 AM
to LinOTP
Hi Kay,
1. For your enquiry below

> If you are using an SQL resolver, we have to talk
> about the way you created your passwords, as the selfservice
> will try to use these. LinOTP supports several password formats.
>
> How do you create these password entries? And how is this
> addressed in your resolver configuration?

I'm not exactly sure what you meant above, but I will try my best to answer.
If you meant hashing, I am using a simple hashing algorithm in my UAT environment for my passwords: password_hash(). So my question is how LinOTP will use my hashing algorithm.

If you meant password formats as in the characters used in the password, I'm using very simple characters in the field for testing, but that's not an option.
----------------------------------------------------------------
2. For your enquiry below

>
> Or have you already verified the correct usage of the password
> using a token with otppin=1 policy via /validate/check?
>

I have checked with validate/check using the validation method below and it works.
https://LINOTPSERVER/validate/check?user=myuser&pass=PINOTP
----------------------------------------------------------------------
3. For your enquiry below


> PS: are you using LinOTP on a RedHat variant? There is a known
> problem with the selfservice.
>

Yes, I'm using CentOS 7. But I can change it to Ubuntu if you suggest.

-----------------------------------------------------------------------

Kay Winkler
May 13, 2018, 12:22:51 PM
to lin...@googlegroups.com
Hi Liushan,

With LinOTP there comes a tool called

linotp-create-sqlidresolver-user

which will help you to create the user/pw in the SQL
database.

2. And yes, for now I would suggest using the Ubuntu or, better,
Debian image for playing around.

Best regards,

Kay



On 09.05.18 at 13:01, liush...@gmail.com wrote:

liush...@gmail.com
Jun 5, 2018, 3:35:39 AM
to LinOTP

Hi Kay,

As you suggested, I'm using an Ubuntu server for LinOTP. I'm still facing the same error.

I even used the following methods to create the user/pw in the SQL
database:
linotp-create-sqlidresolver-user -u mliushan -i 3 -p Password -s SHA512 -o SQL

UPDATE "UserDB"
SET "password"= '{SSHA512}s27GrL3jvbWLUuumfpqNKrLePdc7S8zK11faIJw/T/f8QUy55SVl0e6zRBiW2lvBxiRddcHgglGHlpQVqOdXxTJocVRZeGtObGN1S0x2NmdjMmprRTR0VDlSZk5KSWtndFFoM2Y5REtMSXhwS2hxNXBnVEdtNUFyMEJoT2xQdjU='
WHERE "id" = '3';

LinOTP logs
2018/06/05 - 17:26:19 WARNI {None} [useridresolver.SQLIdResolver][checkPass #542] [checkPass] user 3 failed to authenticate.
2018/06/05 - 17:26:19 ERROR {None} [linotp.lib.user][get_authenticated_user #1401] Error while trying to verify the username: mliushan
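Two points in this thread come down to what is stored in the SQL password column: Kay's remark that LinOTP supports several password formats and the selfservice will use whatever is there, and the {SSHA512} value that linotp-create-sqlidresolver-user -s SHA512 wrote in the UPDATE above. That value is '{SSHA512}' followed by 172 base64 characters, which decode to 128 bytes: a 64-byte SHA-512 digest followed by a 64-character alphanumeric salt, the classic LDAP salted-hash layout base64(SHA512(password || salt) || salt). The block below is an added example, not LinOTP's code and not the resolver's verification routine, which the thread does not show; it assumes the resolver checks exactly that layout with the password-then-salt order the LDAP scheme uses. It builds and verifies such values, splits the thread's own value to show the layout, and tells a {SSHA512} entry apart from the $2y$ bcrypt string that PHP's password_hash() emits by default, which is what the earlier post says the UAT environment uses. Whether the resolver accepts bcrypt is not stated in the thread.

```python
"""Added example, not LinOTP's code: build and verify the {SSHA512} layout
that linotp-create-sqlidresolver-user -s SHA512 wrote in the thread, and
classify what is sitting in a password column.

Layout assumed (LDAP salted-hash convention; the resolver code is not shown in
the thread):  '{SSHA512}' + base64( SHA512(password || salt) || salt )
with a 64-byte digest and, in the thread's value, a 64-character salt."""
import base64
import hashlib
import hmac
import secrets
import string

SCHEME = "{SSHA512}"
DIGEST_LEN = 64            # SHA-512 output length in bytes
SALT_LEN = 64              # salt length observed in the thread's value

# The stored value copied from the thread's UPDATE "UserDB" statement.
THREAD_HASH = (
    "{SSHA512}"
    "s27GrL3jvbWLUuumfpqNKrLePdc7S8zK11faIJw/T/f8QUy55SVl0e6zRBiW2lvB"
    "xiRddcHgglGHlpQVqOdXxTJocVRZeGtObGN1S0x2NmdjMmprRTR0VDlSZk5KSWtndFFoM2Y5REtM"
    "SXhwS2hxNXBnVEdtNUFyMEJoT2xQdjU="
)


def make_ssha512(password, salt=None):
    """Return '{SSHA512}' + base64(sha512(password || salt) || salt).
    A fresh alphanumeric salt is drawn from the OS CSPRNG unless one is given."""
    if salt is None:
        alphabet = string.ascii_letters + string.digits
        salt = "".join(secrets.choice(alphabet) for _ in range(SALT_LEN)).encode("ascii")
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def split_ssha512(stored):
    """Split a stored {SSHA512} value into (digest, salt); None if malformed."""
    if not stored.startswith(SCHEME):
        return None
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return None
    if len(raw) <= DIGEST_LEN:
        return None
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha512(password, stored):
    """True when the password reproduces the stored digest under the assumed
    layout. Constant-time digest comparison avoids leaking matching prefixes."""
    parts = split_ssha512(stored)
    if parts is None:
        return False
    digest, salt = parts
    calc = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def describe_scheme(stored):
    """Name the hashing scheme a password column entry is in, so a failed
    checkPass can be traced to a scheme mismatch rather than a wrong password."""
    if stored.startswith(SCHEME):
        return "ssha512"
    if stored.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt (what PHP password_hash() emits by default)"
    if stored.startswith("$argon2"):
        return "argon2 (PHP password_hash() with PASSWORD_ARGON2*)"
    return "unknown"


if __name__ == "__main__":
    digest, salt = split_ssha512(THREAD_HASH)
    print("thread value: %d-byte digest, %d-byte salt %r" % (len(digest), len(salt), salt))
    print("scheme:", describe_scheme(THREAD_HASH))
    print("matches 'Password' under the assumed layout:",
          verify_ssha512("Password", THREAD_HASH))
```

Running the block prints whether the thread's stored value matches the password "Password" from the tool invocation under the assumed layout; the thread does not say what the outcome is, and a False there means either the password in the row differs or the resolver's byte order differs from the LDAP convention assumed here. Either way, comparing describe_scheme() of the row actually read by the resolver against what the resolver configuration expects is the first thing to check when checkPass reports "failed to authenticate" for a known-good password.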

