Error in WebUI after Upgrade from 2.13 to 2.17

[Aaron Smith]

I have privacyIDEA version 2.13 running on Ubuntu 14.04.  It was installed via apt-get from the repository in the documentation.  It's been running like a champ, but then a while ago we went to do Ubuntu upgrades on the system and, as a result, privacyIDEA was upgraded to version 2.17.  Afterward, when users logged in to the WebUI and clicked "Enroll Token", they received an error: "'NoneType' object has no attribute 'split'".  The token enrollment page would still come up, but the fields for setting the PIN would not display. We ended up rolling back the virtual machine to a snapshot and leaving it.  I've since created a clone of the system in order to recreate the issue.  If I apply all of the system updates EXCEPT privacyidea-apache2, privacyidea-radius, and python-privacyidea, everythign continues to work just fine.  but as soon as I upgrade the actual privacyidea packages, it breaks.  Interestingly, if I stand up a brand NEW UBuntu 14.04 system, perform all ubuntu updates, and then install a brand NEW install of privacyIDEA 2.17 it works just fine.  Something about the apt-get upgrade process, though, fubar's it....

[Jochen Hein]

Aaron Smith <ministe...@gmail.com> writes:

> I have privacyIDEA version 2.13 running on Ubuntu 14.04. It was installed
> via apt-get from the repository in the documentation. It's been running
> like a champ, but then a while ago we went to do Ubuntu upgrades on the
> system and, as a result, privacyIDEA was upgraded to version 2.17.
> Afterward, when users logged in to the WebUI and clicked "Enroll Token",
> they received an error: "'NoneType' object has no attribute 'split'".

Can you get the backtrace from /var/log/privacyidea/privacyidea.log? I
had similar messages, which were caused by database inconsistencies, I
think between the token and tokeninfo table. I had to clean that up
manually.

Jochen

[Cornelius Kölbel]

As for the missing OTP PIN:

A policy for setting OTP PIN was added lately. So you need to update either the user-policy or the admin-policy and the OTP PIN field will be available again.

As for the NoneType: Check what Jochen pointed out and review the log file.

It could also be a problematic user in your user directory.

Kind regards

Cornelius

[Aaron Smith]

I'll post the backtrace from the privacyidea.log below.  However, as far as I can tell, correcting the OTP Pin in the WebUI policy (changing SetPIN to EnrollPIN basically) seems to have caused the error to go away.  I found that the error could sometimes just not show up, but if you kept clicked back and forth between Enroll token and All Tokens (as a user) it would eventually pop up.  After correcting the WebUI policy, though, even doing that wouldn't cause the error to crop up so I'm thinking it's probably fixed. So thanks for the help gents!  Like I said, here is the backtrace from the log file, though, for posterity (and the off chance that it rings a bell with someone about some OTHER issue that isn't readily apparent):

[2017-03-03 09:42:36,343][1408][-1357743296][ERROR][privacyidea.app:1423] Exception on /caconnector/ [GET]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1473, in full_dispatch_request
    rv = self.preprocess_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1666, in preprocess_request
    rv = func()
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/auth.py", line 324, in decorated_function
    return f(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 76, in before_user_request
    before_request()
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 157, in before_request
    "realm")})
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 187, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 560, in get_user_from_param
    user_object.get_resolvers()
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 189, in get_resolvers
    uid = y.getUserId(self.login)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 154, in cache_wrapper
    f_result = func(self, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 443, in getUserId
    self._bind()
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 343, in _bind
    server_pool = self.get_serverpool(self.uri, self.timeout)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 651, in get_serverpool
    for uri in urilist.split(","):
AttributeError: 'NoneType' object has no attribute 'split'

[Jochen Hein]

Aaron Smith <ministe...@gmail.com> writes:

> that the error could sometimes just not show up, but if you kept clicked
> back and forth between Enroll token and All Tokens (as a user) it would
> eventually pop up.

Yes, that's what I saw too.

> [2017-03-03 09:42:36,343][1408][-1357743296][ERROR][privacyidea.app:1423]
> Exception on /caconnector/ [GET]

That's not what I expected...

> File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line
> 560, in get_user_from_param
> user_object.get_resolvers()
> File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line
> 189, in get_resolvers
> uid = y.getUserId(self.login)
> File
> "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolvers/LDAPIdResolver.py",
> line 154, in cache_wrapper
> f_result = func(self, *args, **kwds)
> File
> "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolvers/LDAPIdResolver.py",
> line 443, in getUserId
> self._bind()
> File
> "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolvers/LDAPIdResolver.py",
> line 343, in _bind
> server_pool = self.get_serverpool(self.uri, self.timeout)
> File
> "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolvers/LDAPIdResolver.py",
> line 651, in get_serverpool
> for uri in urilist.split(","):
> AttributeError: 'NoneType' object has no attribute 'split'

My guess would something wrong in table resolverid and resolverconfig.
I guess my system has a problem too:

mysql> select * from resolver;
+----+--------------------+--------------+
| id | name | rtype |
+----+--------------------+--------------+
| 3 | ldap-special-users | ldapresolver |
| 5 | kolab | ldapresolver |
| 6 | IPA | ldapresolver |
| 7 | IPA-admins | ldapresolver |
+----+--------------------+--------------+
4 rows in set (0,00 sec)
mysql> select resolver_id from resolverconfig;
+-------------+
| resolver_id |
+-------------+
| NULL |
| NULL |
...

I guess I'll remove the rows with resolver_id == NULL;

Jochen

[Cornelius Kölbel]

Hi Aaron,

Am Freitag, 3. März 2017 15:51:45 UTC+1 schrieb Aaron Smith:

  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 443, in getUserId
    self._bind()
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 343, in _bind
    server_pool = self.get_serverpool(self.uri, self.timeout)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolvers/LDAPIdResolver.py", line 651, in get_serverpool
    for uri in urilist.split(","):
AttributeError: 'NoneType' object has no attribute 'split'

Please check the definition of your LDAP Resolver.

The error occurs, because it does not get a configured URI list for your LDAP URIs!

Kind regards

COrnelius