[RESOLVED] Self-Service Malfunction

TomTom · January 14, 2025 - 10:14

/opt/wapt/waptserver/scripts/testing-ldap-connectivity.sh
----------------------------------------------------------------
Test SSO SELFSERVICE LDAP with ldap_account_service_login
----------------------------------------------------------------
Username : mullert
Group test member : Domain Users
----------------------------------------------------------------
[OK] Test SSO SELFSERVICE LDAP with ldap_account_service_login
----------------------------------------------------------------
Test ldap with direct Login
----------------------------------------------------------------
Username ldap: mullert
Password ldap:
Group test member : Domain Users
--------
ALL GOOD
--------

TomTom · January 14, 2025 - 10:15

However, with another group of which I am a member:

Code: Select all

/opt/wapt/waptserver/scripts/testing-ldap-connectivity.sh
----------------------------------------------------------------
Test SSO SELFSERVICE LDAP with ldap_account_service_login
----------------------------------------------------------------
Username : mullert
Group test member : caduser
----------------------------------------------------------------
[FAIL] username mullert not in group caduser
----------------------------------------------------------------
{'success': True, 'groups': [], 'error': False, 'msg': ''}

January 14, 2025 - 10:22

I'm unsure about the uppercase/lowercase settings;

are the groups entirely lowercase everywhere?

Is there a specific DN base in the WAPT configuration?

clafon · January 14, 2025 - 10:26

@tomtom: Just wondering if you're experiencing the same issue as me: if you change the authentication method in the self-service configuration package to "system", does the self-service feature appear? (You'll need to enter a login/password)

TomTom · January 14, 2025 - 10:27

Here is my waptserver.ini:

Code: Select all

[options]
wapt_user = adminwapt
wapt_password = password
wapt_folder = /var/www/wapt
server_uuid = 67837244-907c-11e6-86b1-005056add68a
secret_key = secret
use_kerberos = True
allow_unauthenticated_registration = False
waptwua_folder = /var/www/waptwua
allow_unauthenticated_connect = False
signature_clockskew = 72000
clients_signing_key = /opt/wapt/conf/ca-waptserver.fr.hydac.int.pem
clients_signing_certificate = /opt/wapt/conf/ca-waptserver.fr.hydac.int.crt
remote_repo_support = True
wapt_admin_group = FR-WAPTADMINS
ldap_auth_ssl_enabled = False
ldap_account_service_login = FR-SVC-LDAP@fr.hydac.int
ldap_account_service_password = password
wapt_huey_db = /opt/wapt/db/waptservertasks.sqlite
loglevel_waptserver = info
loglevel_waptcore = info
glpi_server_endpoint = https://fr-for-glpi/glpi/plugins/fusioninventory/index.php
glpi_server_user = fr-svc-glpi
glpi_server_pass = password
glpi_inventory_update_delay = 4
glpi_inventory_update_range = 20
glpi_server_pause_timeout = 20,15
wads_enable = True
token_secret_key = secret
clients_signing_crl = /var/www/ssl/ca-waptserver.fr.hydac.int.crl
clients_signing_crl_url = http://waptserver.fr.hydac.int/wapt/ssl/ca-waptserver.fr.hydac.int.crl
ssl_additional_crls = /var/www/ssl
ad_domain_name = fr.hydac.int

The groups are exactly as written in the "Domain Users" script, with uppercase letters and "caduser" in lowercase

TomTom · January 14, 2025 - 10:29

clafon wrote: ↑Jan 14, 2025 - 10:26 AM @tomtom: just to know if you're in the same situation as me: if you change the authentication method in the self-service configuration package to "system", does the self-service appear? (you'll need to enter a login/password)

I tested it and indeed, with service_auth_type=waptserver-ldap -> not working (empty Self Service) and service_auth_type=system -> OK after entering credentials

However, no selectable categories...

January 14, 2025 - 11:31

TomTom wrote: ↑January 14, 2025 - 10:15 However, with another group of which I am a member:

Code: Select all

/opt/wapt/waptserver/scripts/testing-ldap-connectivity.sh
----------------------------------------------------------------
Test SSO SELFSERVICE LDAP with ldap_account_service_login
----------------------------------------------------------------
Username : mullert
Group test member : caduser
----------------------------------------------------------------
[FAIL] username mullert not in group caduser
----------------------------------------------------------------
{'success': True, 'groups': [], 'error': False, 'msg': ''}

This specific case, as shown in testing-ldap-connectivity.sh, interests me
Can you contact our support team so I can see it live?

January 14, 2025 - 11:55

The problem has been reproduced internally.

It's clearly a capitalization issue.

I've put a 'tis' group into testing

within the 'Tis' self-service rule package,

in the 'ad tiS' group

. A temporary solution would be to convert all groups to lowercase.

We'll therefore perform the comparisons ignoring case sensitivity.

TomTom · January 14, 2025 - 5:17 PM

So it's strange because the test fails with the group "caduser" which is in lowercase, though.

January 14, 2025 - 5:56 PM

TomTom wrote: ↑Jan 14, 2025 - 5:17 PM So it's strange because the test fails with the group "caduser" which is in lowercase though.

Yes, in that case there is still a problem for you.

Can you contact us by phone to look into this, mentioning that it was Simon who asked us to call?