Page 1 of 1
Since version 2.6, there has been a problem with self-service filtering and AD groups
Published: January 20, 2025 - 09:21
by tux
Hello,
since upgrading to version 2.6, we've been experiencing a packet filtering issue in the self-service interface.
We have a self-service configuration package that defines filters based on the user's Active Directory (AD) group membership.
For some groups, the applications no longer appear in the self-service interface.
I've checked, and the setting is the same in both the AD configuration and the configuration package.
Server: Debian 12, Wapt Enterprise 2.6.0.16795.
Client: Windows 10
Re: Since version 2.6, self-service filtering and AD group issues
Published: January 20, 2025 - 10:11 AM
by sfonteneau
Hello,
could you please specify your authentication method for the self-service portal?
Do you have an Active Directory forest? Could you please specify your "service_auth_type" in wapt-get.ini?
Re: Since version 2.6, self-service filtering and AD group issues
Published: January 20, 2025 - 11:43 AM
by tux
Hello,
WAPT is linked to our Active Directory domain and performs SSO at the self-service level.
Kerberos is configured on the server.
Clients are configured with the following parameter:
`service_auth_type=waptserver-ldap`
Re: Since version 2.6, self-service filtering and AD group issues
Published: January 20, 2025 - 12:01
by sfonteneau
If I understand correctly, the problem is not systematic but only affects certain groups?
Re: Since version 2.6, self-service filtering and AD group issues
Published: January 20, 2025 - 1:04 PM
by tux
That's right.
I put some software in the "Domain Users" group => everyone can see it.
Software put in other groups isn't visible.
For example, I have a "Systems_information" group, and the software isn't displayed to users who are part of that group.
Re: Since version 2.6, self-service filtering and AD group issues
Published: January 20, 2025 - 1:42 PM
by sfonteneau
Do you have commas in your users' DNS records?
We recently released a patch for this, but it's not yet live.
On the server, you can run:
/opt/wapt/waptserver/scripts/testing-ldap-connectivity.sh
to check the result.
Re: Since version 2.6, self-service filtering and AD group issues
Published: January 20, 2025 - 4:00 PM
by tux
I ran the script, it tells me that the user is not part of the group even though they are.
{'success': True, 'groups' : [], 'error': False, 'msg': ''}
Yes, there are commas in the Distinguished Name (DN).
Re: Since version 2.6, self-service filtering and AD group issues
Published: January 20, 2025 - 4:27 PM
by sfonteneau
Okay, this is a problem identified last week in the current version.
If there's a comma in the user's DN, it doesn't work...
We need to release a new version with the fix. I'll write here when it's done.
Re: Since version 2.6, self-service filtering and AD group issues
Published: February 5, 2025 - 10:18 AM
by tux
Hello,
I see that a new version has been released: 2.6.0.16881.
Does it include the fix?
Re: Since version 2.6, self-service filtering and AD group issues
Published: February 5, 2025 - 12:30 PM
by dcardon
Hi Sébastien,
yes, it's in this release. However, I advise you to wait until tomorrow; we should have a new release today or tomorrow with several fixes, including a problem with the registration loop if the local machine name is different from its AD samAccountName, which is quite common under Linux (shortnames in /etc/hostname are longer than 15 characters, with samAccountName being the truncated 15-character version...).
Best regards,
Denis