Yubico Forum
https://forum.yubico.com/

Key assignment not listed in user list, unable to unassign
https://forum.yubico.com/viewtopic.php?f=29&t=1276
Page 1 of 1

Author:  Neonsun [ Tue Jan 07, 2014 5:05 pm ]
Post subject:  Key assignment not listed in user list, unable to unassign

YR 3.6.1, linked to 2012 Active Directory. Users are imported without issue.

Autoprovisioning YK seems to work fine and tests OK after assignment, but list of users in GUI doesn't show any YK assignments, nor can keys be disabled or unassigned (as no keys are found, presumably). Trying to assign same key manually gives error that the key with that ID already has been assigned. Queries against ykmap..[ykmaps] show keys have been assigned to accounts. ykmap.log only lists errors for accounts that have no keys assigned yet (one line for each account).

This is happening on two separate installs. Same users import setting for the domain, both servers configured to use YubiCloud for validation.

Any idea what could cause the key assignment not to show up in the GUI?

Author:  Neal [ Tue Jan 14, 2014 4:59 pm ]
Post subject:  Re: Key assignment not listed in user list, unable to unassi

Hi Neonsun,

That sounds a lot like an issue I had a while ago with case-sensitive usernames - but I thought that was fixed in version 3.6.1. Just to check though: are these usernames all lowercase in AD, in the YubiRadius and in the client when the user tries to log on? If not, it might be worth creating a test account with all lowercase, importing, then auto-assigning the YubiKey to test if it then shows in the GUI. I manually fixed my accounts by setting the case of the username in AD to match YubiRadius, then re-importing the accounts. The YubiKeys then appeared for the relevant accounts.

Regards,
Neal.

Author:  Neonsun [ Tue Jan 14, 2014 5:54 pm ]
Post subject:  Re: Key assignment not listed in user list, unable to unassi

Hi Neal,

Good tip, decided to check it out. Looks like users are imported with the right casing (we have a bit of both in AD apparently, but all are imported with their original casing to the YR user db), but I see a small discrepancy in the ykmaps table; the 'value' column stores users in the format of 'user@DOMAIN.com' (the domain name is in caps), however this is also how the domain entry is listed in the YR virtual appliance setting, so it could be unrelated. In the user list, the 'User DN' lists the DC in lower case though, even though it is specified in caps everywhere else that I can see.

When troubleshooting, authentication succeeds regardless of username casing. Not quite sure where to go next. The only 'problem' I see with the current situation is that I am unable to unassign YubiKeys from users, as the user list page doesn't read the config properly. The auto-provisioning works and I am able to authenticate, I just can't see that provisioning has been completed without querying the Postgres DB directly. (I assume I'd be able to remove mappings from here as well, but I'd prefer not to have to do that.) I'll post a support ticket and see if Yubico have any suggestions.

Author:  Neonsun [ Wed Jan 29, 2014 4:55 pm ]
Post subject:  Re: Key assignment not listed in user list, unable to unassi

So, that was pointless. Support for YubiRadius has been discontinued altogether, apparently. So we're on our own here, it seems. Auth and key assignment are working for us, though, so it's just the user list page that is not getting the correct data somehow. I suppose we can live with that.

http://www.yubico.com/products/services ... ubiradius/

Author:  Neal [ Wed Jan 29, 2014 5:39 pm ]
Post subject:  Re: Key assignment not listed in user list, unable to unassi

Arg! So Yubico replaced a working Radius implementation including Active Directory integration with a reference implementation that is not intended as a product? I missed that when they announced YubiX! I guess I can appreciate why they did this though. I'll start a new thread to see if anyone knows of any good open source alternatives out there.

Author:  Ibeme [ Sun Apr 27, 2014 7:52 pm ]
Post subject:  Re: Key assignment not listed in user list, unable to unassi

Hi there,

I got the same problem that you reported (the changelog says that this was fixed with version 3.6.1, btw).
I got only one solution for that problem:

My usernames in AD were with upper and lower case characters.
For example: User

If I imported those users and assigned a YubiKey to them, the assigned YubiKey was not shown and I couldn't unassign it.
After changing all usernames to lowercase characters, for example "user", I can see the YubiKeys correctly and also unassign them.

That's the only solution I can see atm.
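
Added example, not part of the thread and not YubiRADIUS code: a Python check that compares imported usernames against the 'value' column of ykmaps and flags key mappings that match a user only when case is ignored, naming whether the username or the domain part differs. It assumes the user list looks keys up by exact string match, which the thread does not confirm; all usernames and key ids are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data. Only the 'ykmaps' table and its 'value' column
# (format 'user@DOMAIN.com') come from the thread; everything else is assumed.
IMPORTED_USERS = ["User@domain.com", "alice@domain.com",
                  "carol@domain.com", "Erin@domain.com"]
YKMAPS_ROWS = [  # (placeholder key id, 'value' column)
    ("KEYID-0001", "user@DOMAIN.com"),
    ("KEYID-0002", "alice@domain.com"),
    ("KEYID-0003", "carol@DOMAIN.com"),
    ("KEYID-0004", "erin@domain.com"),
    ("KEYID-0005", "dave@DOMAIN.com"),
]

def differing_parts(value, user):
    """Name the parts of two user@domain strings that are not identical."""
    v_local, _, v_domain = value.partition("@")
    u_local, _, u_domain = user.partition("@")
    parts = []
    if v_local != u_local:
        parts.append("username")
    if v_domain != u_domain:
        parts.append("domain")
    return tuple(parts)

def audit_mappings(users, rows):
    """Sort key mappings into exact matches, case-only matches and orphans."""
    exact = set(users)
    folded = defaultdict(list)
    for user in users:
        folded[user.casefold()].append(user)
    report = {"exact": [], "case_only": [], "orphan": []}
    for key_id, value in rows:
        if value in exact:
            report["exact"].append((key_id, value))
            continue
        candidates = folded.get(value.casefold(), [])
        if not candidates:
            report["orphan"].append((key_id, value))
        for user in candidates:
            report["case_only"].append(
                (key_id, value, user, differing_parts(value, user)))
    return report

if __name__ == "__main__":
    for bucket, entries in audit_mappings(IMPORTED_USERS, YKMAPS_ROWS).items():
        for entry in entries:
            print(bucket, *entry)
```

Entries under case_only are the keys that would still authenticate but could not be seen or unassigned through an exact-match user list; orphan entries map to no imported account at all.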

All times are UTC + 1 hour