Yubico Forum

Hi

I'm trying to set up YRVA and I have successfully imported users from my LDAP but when I try to assign a yubikey to a user I get: Error in adding the key mapping : Unknown error

Not sure what log files you need for debugging this but from the webmin log I can see that it validates against yubicloud but when it tries to add the mapping it fails:

yubico-RoP adding mapping "urlhttp://127.0.0.1/wsapi/ user:kore@pwny.se yubikey_id:ccccccbhlvcf"
yubico-RoP ykmap_add_mapping: "http://127.0.0.1/wsapi/map-store?find=yubikey_prefix&record=ccccccbhlvcf&keyword=username&value=kore%40pwny.se"
yubico-RoP adding mapping "Error in adding the key mapping"

I'm confused about this URL, should there be some daemon running and listening on 127.0.0.1:80?

Regards

Hello,

Please send the following log files to "support@yubico.com".

1. Please configure the log files with the following settings from the webmin console:
1. Login to webmin
2. Go to "System" >> "System Logs"
3. Click on log file (ykropval.log ,etc. mentioned below)
4. Select "all" option in "priorities" field of "Message types to log" section
5. Please click on "save" button to save the changes.
6. Please repeat step 3, 4 and 5 for other log files mentioned below.
7. Please click on "Apply Changes" button on System Logs page
8. Go to "Servers" >> "YubiRADIUS Virtual Appliance"
9. Navigate 'Global Configuration' >> 'FreeRADIUS' menu, please enable FreeRADIUS Logging
10. Could you please ssh to the YRVA instance and restart the rsyslog process by executing the following command:
/etc/init.d/rsyslog restart
11. Please try to add the user and test the user with YubiKey credentials.

Please send us the following log files:
/var/log/syslog
/var/log/messages
/var/log/ykval.log
/var/log/ykropval.log
/var/log/ykmap.log
/var/log/freeradius/radius.log
/var/log/postgresql/postgresql-8.4-main.log
/var/log/apache2/error.log
/var/log/apache2/access.log
/var/log/debug

2. If you have already configure the webmin logs, please send "webmin.debug" file available at /var/webmin/webmin.debug

If not please configure the log file with the following settings from the webmin console:
1. Login to webmin
2. Go to "Webmin" >> "Webmin Configuration"
3. Please Click on "Debugging Log File"
4. Please Click on "yes" option of "Debug log enabled?"
5. Please click on "save" button to save the changes.
6. Please once again Import Users.

Please find the "webmin.debug" file at /var/webmin/webmin.debug

FYI,

To map the username with YubiKey please follow the steps:

"YubiRADIUS Virtual Appliance" webmin interface >> select domain under "Domain" tab >> select user under "Users/Groups" tab >> click on "Assign a new YubiKey" >> put "Login Name" (do not add domain name with your username, only "Login Name" eg. "user1") >> emit OTP to "Yubico OTP" field >> click on "Create".

Hope this helps!

Thanks and best regards,
Samir.

Done.

Any updates regarding this issue? I'm in the exact same situation.

When I add the login-uid: foob2
Error in adding the key mapping : Unknown error

If I'm adding the "login name": foo bar
Error in adding the key mapping : Failed to find the user with login name 'foo bar'

Hello,

You can assign YubiKey in two ways:
(1) Assign YubiKey to the user through "Users/Groups" tab:
1. Go to the YubiRADIUS VA webmin interface >> click on "YubiRADIUS Virtual Appliance" on the left side links
2. Click on "Domain" tab >> select domain
3. Under "Users/Groups" tab select user >> click on "Assign a new YubiKey"
4. Input the "User Details" as 'Login Name" (Do not add domain name with login name; eg. "user1") >> emit "YubiKey OTP" >> click on "Create" button.

(2) Assign YubiKey to the user through "List YubiKeys" tab:
1. Go to the YubiRADIUS VA webmin interface >> click on "YubiRADIUS Virtual Appliance" on the left side links
2. Click on "List YubiKeys" tab >> select the "YubiKey" >> click on "Assign a YubiKey to User"
3. Input the "User Details" as "Login Name@domain.com" (Please add domain name with login name; eg. "user1@domain.com") >> emit "YubiKey OTP" >> click on "Create" button.

Hope this helps! Please write to "support@yubico.com" if you have further questions.

Thanks and best regards,
Samir.

Sorry, but that gives the exact same result as before.

Error in adding the key mapping : Unknown error

Here's the steps I have gone through.

1, install YRVA

2, configure LDAP import
2.1 Verified imported user(s).
I can see the imported user in the list "
Username = Foo Bar
Login Name/ Group/OU = foob2

3, Assign Yubkey to user - I've tested with both the username and Login name the are getting two different errors, see above.

4, Logfiles says that it cannot find "foob2" but it's still in the list of users, and I can re-import the user from ldap.

Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_INFO:ykmap-query:[127.0.0.1] Request: find=username&record=foob2%40ldapdomain.local&keyword=yubikey_prefix
Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_INFO:ykmap-query:[127.0.0.1] found protocol version 1
Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_INFO:ykmap-query:dsi:searching for keyword : username in db
Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_DEBUG:ykmap-query:dsi:db:DB query is: SELECT * FROM ykmaps WHERE keyword = 'username' and value = 'foob2@ldapdomain.local'
Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_NOTICE:ykmap-query:dsi:no recors for keyword : username
Mar 7 06:05:28 yrva36 ykmap[11199]: LOG_CRIT:ykmap-query:[127.0.0.1] No records exists!

When I'm importing the users I'm using this a a filter;
(memberOf=CN=VPN_Users,ou=Groups,ou=ldapdomain,DC=ldapdomain,DC=local)

And Login Name Identifier = samAccountName

Could there be a mismatch between the import usernames and what username is in the local YRVA-db?

Hello,

Please perform the following steps:

1. Go to YubiRADIUS webmin interface >> click on "Troubleshoot" tab >> go to "Validate OTP" section >> emit OTP from your YubiKey to "YubiKey OTP" >> click on "Validate"

If you YubiKey OTP is authenticated successfully you can proceed further to step 2. If the OTP is not authenticated successfully please import the YubiKey to YubiRADIUS please refer step 3

2. You can assign YubiKey in two ways:
(1) Assign YubiKey to the user through "Users/Groups" tab:
1. Go to the YubiRADIUS VA webmin interface >> click on "YubiRADIUS Virtual Appliance" on the left side links
2. Click on "Domain" tab >> select domain
3. Under "Users/Groups" tab select user >> click on "Assign a new YubiKey"
4. Input the "User Details" as 'Login Name" (Do not add domain name with login name eg. user@domain.com) >> emit "YubiKey OTP" >> click on "Create" button.

(2) Assign YubiKey to the user through "List YubiKeys" tab:
1. Go to the YubiRADIUS VA webmin interface >> click on "YubiRADIUS Virtual Appliance" on the left side links
2. Click on "List YubiKeys" tab >> select the "YubiKey" >> click on "Assign a YubiKey to User"
3. Input the "User Details" as "Login Name@domain.com" (Please add domain name with login name eg. user@domain.com) >> emit "YubiKey OTP" >> click on "Create" button.

3. YubiKey is a write-only device so there is no way one can read the configuration from programmed YubiKeys. If you have the log file created by the personalization tool, you can find these parameters in the log file.

Please refer section 5.2.5 of "YubiRADIUS configuration Guide" available at http://www.yubico.com/wp-content/upload ... _3_6_0.pdf

As per this section you need to configure your YubiKey with with the help of "Cross Platform Personalization tool" by keeping log file enable. Please follow the steps to use Cross Platform Personalization tool with logfile.

For your convenience, please find the step-by-step instructions below on how to reprogram a YubiKey in OTP mode and upload the AES key to YubiCloud servers so you can validate the OTPs from your reprogrammed YubiKey against the YubiCloud service (if you choose your Validation Server as "Online Validation Server").

1) Download and install the latest Cross Platform Personalization Tool for Windows from the link below:

http://www.yubico.com/products/services ... tools/use/ and look for section "Cross platform personalization tools"

2) Start the YubiKey Personalization Tool

3) Insert your YubiKey in to the USB port

4) Click on "Settings" tab >> "Logging Settings" >> check (enable) "Log configuration output" >> set path for the "Log output file". It will automatically save settings.

5) From the "Yubico OTP" tab, click on "Quick" button

6) In the "Quick" mode, select the configuration slot which you want to program

7) All other parameters will be randomly generated. Generate the parameters again if you want by clicking on "Regenerate" button

8) Click on the "Write Configuration" button, and leave the YubiKey Personalization tool running

If you want to use "Local Validation Server", please go to "Import YubiKeys" >> select "Log File Source" as "Cross-Platform Personalization tool" >> click on "Choose file" button >> locate the "Log output file" created by personalization tool while programming YubiKey >> click on "Upload" button.

You will find the YubiKeys imported under "List YubiKeys" and try testing YubiRADIUS with the help of "troubleshoot" tab.

Please note - if you select "online validation server" there will be no "YubiKey import" option, you have to upload AES key of YubiKey to YubiCloud then you can use YubiKey with YubiRADIUS for authentication.

Please contact "support@yubico.com" if you have further questions.

Thanks and best regards,
Samir.