Yubico Forum

All times are UTC + 1 hour




Posted: Tue Jan 07, 2014 5:05 pm
YR 3.6.1, linked to 2012 Active Directory. Users are imported without issue.

Autoprovisioning YK seems to work fine and tests OK after assignment, but list of users in GUI doesn't show any YK assignments, nor can keys be disabled or unassigned (as no keys are found, presumably). Trying to assign same key manually gives error that the key with that ID already has been assigned. Queries against ykmap..[ykmaps] show keys have been assigned to accounts. ykmap.log only lists errors for accounts that have no keys assigned yet (one line for each account).

This is happening on two separate installs. Same users import setting for the domain, both servers configured to use YubiCloud for validation.

Any idea what could cause the key assignment not to show up in the GUI?


Posted: Tue Jan 14, 2014 4:59 pm
Hi Neonsun,

That sounds a lot like an issue I had a while ago with case-sensitive usernames - but I thought that was fixed in version 3.6.1. Just to check though: are these usernames all lowercase in AD, in the YubiRadius and in the client when the user tries to log on? If not, it might be worth creating a test account with all lowercase, importing, then auto-assigning the Yubikey to test if it then shows in the GUI. I manually fixed my accounts by setting the case of the username in AD to match Yubiradius, then re-importing the accounts. The Yubikeys then appeared for the relevant accounts.

Regards,
Neal.


Posted: Tue Jan 14, 2014 5:54 pm
Hi Neal,

Good tip, decided to check it out. Looks like users are imported with the right casing (we have a bit of both in AD apparently, but all are imported with their original casing to the YR user db), but I see a small discrepancy in the ykmaps table; the 'value' column stores users in the format of 'user@DOMAIN.com' (the domain name is in caps), however this is also how the domain entry is listed in the YR virtual appliance setting, so it could be unrelated. In the user list, the 'User DN' lists the DC in lower case though, even though it is specified in caps everywhere else that I can see.

When troubleshooting, authentication succeeds regardless of username casing. Not quite sure where to go next. The only 'problem' I see with the current situation is that I am unable to unassign Yubikeys from users, as the user list page doesn't read the config properly. The auto-provisioning works and I am able to authenticate, I just can't see that provisioning has been completed without querying the Postgre DB directly. (I assume I'd be able to remove mappings from here as well, but I'd prefer not to have to do that). I'll post a support ticket and see if Yubico have any suggestions.


Posted: Wed Jan 29, 2014 4:55 pm
So, that was pointless. Support for YubiRadius has been discontinued altogether, apparently. So we're on our own here it seems. Auth and key assignment is working for us, though, so it's just the user list page that is not getting the correct data somehow. I suppose we can live with that.

http://www.yubico.com/products/services ... ubiradius/


Posted: Wed Jan 29, 2014 5:39 pm
Arg! So Yubico replaced a working Radius implementation including Active Directory integration with a reference implementation that is not intended as a product? I missed that when they announced YubiX! I guess I can appreciate why they did this though. I'll start a new thread to see if anyone knows of any good open source alternatives out there.


Posted: Sun Apr 27, 2014 7:52 pm
Hi there,

I got the same problem which you reported (the changelog says that this was fixed with version 3.6.1, btw).
I got only one solution for that problem:

My usernames in AD were with upper and lower case characters.
For example: User

If I imported those users and assigned a Yubikey to them, the assigned Yubikey was not shown and I couldn't unassign it.
After changing all usernames to lowercase characters, for example "user", I can see the Yubikeys correctly and also unassign them.

That's the only solution I can see atm.


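The symptom discussed in this thread is a token mapping stored under one casing while the user list is looked up under another. As an added example (not code from any poster or from Yubico), the Python below audits exported mapping rows against the imported usernames and flags tokens that match a user only case-insensitively, which are the ones that would not show up, or be unassignable, in an exact-match user list. The token IDs, usernames and function names are constructed for illustration; only the 'user@DOMAIN.com' value format comes from the thread.

```python
# Added example: constructed data, hypothetical helper names.
from collections import defaultdict


def differing_part(stored, imported):
    """Report whether two principals differ in the user part, the domain part, or both."""
    s_user, _, s_dom = stored.partition("@")
    i_user, _, i_dom = imported.partition("@")
    parts = []
    if s_user != i_user:
        parts.append("user")
    if s_dom != i_dom:
        parts.append("domain")
    return "+".join(parts)


def audit_mappings(imported_users, mapping_rows):
    """Classify each (token_id, value) row as exact, case_only or orphan."""
    by_fold = defaultdict(list)
    for name in imported_users:
        by_fold[name.casefold()].append(name)
    exact = set(imported_users)
    report = {"exact": [], "case_only": [], "orphan": []}
    for token_id, value in mapping_rows:
        if value in exact:
            report["exact"].append(token_id)
        elif value.casefold() in by_fold:
            # Token still authenticates if login is case-insensitive,
            # but an exact-match listing will not find it.
            match = by_fold[value.casefold()][0]
            report["case_only"].append(
                (token_id, value, match, differing_part(value, match)))
        else:
            report["orphan"].append(token_id)
    return report


# Constructed sample data (not taken from any real deployment).
IMPORTED_USERS = ["alice@DOMAIN.com", "Bob@DOMAIN.com", "Carol@DOMAIN.com"]
MAPPING_ROWS = [
    ("tok-0001", "alice@DOMAIN.com"),
    ("tok-0002", "bob@DOMAIN.com"),
    ("tok-0003", "carol@domain.com"),
    ("tok-0004", "dave@DOMAIN.com"),
]

if __name__ == "__main__":
    for kind, rows in audit_mappings(IMPORTED_USERS, MAPPING_ROWS).items():
        print(kind, rows)
```

Rows reported as `case_only` or `orphan` are tokens that remain assigned but cannot be revoked through an exact-match listing, so they are the ones to review first.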