
service-desk's Introduction

Service Desk


Application for support teams who need to check, lock, unlock and reset user passwords.

See list of features.


❗ With great power comes great responsibility: this application allows resetting the password of any user, so you must protect it and allow access only to trusted users.

service-desk's People

Contributors

alexandre-karim, cmaudoux, coudot, faust64, flesueur, maxbes, mikej312, philhaworteks


service-desk's Issues

Displaying Items Manager & Secretary

Hello hello,

I wanted to change displayed items, like below with "manager":

# Search
$search_attributes = array('uid', 'cn', 'mail');
$search_result_items = array('identifier', 'mail', 'manager');

However, the attribute isn't displayed. If I change the line in the config file with the config below, it is displayed, but as far as I understand, the attribute should actually be listed as a link ("dn_link") to the user, instead of "text":
'manager' => array( 'attribute' => 'manager', 'faclass' => 'user-circle-o', 'type' => 'text' ),

Not sure if the display format "dn_link" is actually supported or not; therefore, is this an issue or a "missing feature"?

Thanks in advance and wishing a great evening.

Display pwdPolicySubentry

The pwdpolicysubentry is defined by default in $display_password_items but not in $attributes_map so it is never displayed. This is part of issue #43.

Allowing this would also require creating the dn_link displayer, as reported in issue #51.

Possibility to lock an account

If the account is active, we may want to lock it.

It requires setting the value 000001010000Z in the attribute pwdAccountLockedTime.

About account lock issues

I have installed service-desk on CentOS 7 successfully, but I found some problems:

  1. Cannot disable a user account on the web page
  2. Unable to unlock a user account on the web page
  3. The user account has actually been locked, but the web page shows that the account is not disabled
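Added example (not code from the service-desk project): the lock state that the two issues above turn on, an administrative lock set by writing 000001010000Z to pwdAccountLockedTime versus a failure lockout that only lasts pwdLockoutDuration seconds, worked out in Python from the attributes an LDAP search returns. The attribute dicts, timestamps and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Sentinel the ppolicy overlay stores for an administrative (permanent) lock
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lock_expiry(entry: dict, ppolicy: dict) -> Optional[datetime]:
    """End of a timed failure lockout, or None when the lock has no expiry.

    entry and ppolicy map attribute names to string values as an LDAP search
    returns them; pwdAccountLockedTime is operational, so the search has to
    request it explicitly (by name or with '+') or it is simply absent.
    """
    locked_time = entry.get("pwdAccountLockedTime")
    duration = int(ppolicy.get("pwdLockoutDuration", "0"))
    if not locked_time or locked_time == PERMANENT_LOCK or duration == 0:
        return None
    return parse_generalized_time(locked_time) + timedelta(seconds=duration)


def lock_state(entry: dict, ppolicy: dict, now: datetime) -> str:
    """Return 'unlocked', 'locked' (until an admin unlocks) or 'temporarily_locked'."""
    locked_time = entry.get("pwdAccountLockedTime")
    if not locked_time:
        return "unlocked"
    if locked_time == PERMANENT_LOCK:
        return "locked"
    expiry = lock_expiry(entry, ppolicy)
    if expiry is None:
        # pwdLockoutDuration 0 or absent: a failure lockout lasts until an admin resets it
        return "locked"
    # The overlay does not clear a stale pwdAccountLockedTime until the user next
    # binds, so the attribute's presence alone proves nothing: check the clock.
    return "temporarily_locked" if now < expiry else "unlocked"


if __name__ == "__main__":
    # Constructed sample: pwdLockoutDuration 7200 as in the policy quoted on
    # this page, and three hypothetical user entries, evaluated at 16:00 UTC.
    policy = {"pwdLockoutDuration": "7200"}
    now = parse_generalized_time("20201206160000Z")
    for name, entry in {"admin-locked": {"pwdAccountLockedTime": PERMANENT_LOCK},
                        "recent-failures": {"pwdAccountLockedTime": "20201206150000Z"},
                        "stale-lock": {"pwdAccountLockedTime": "20201206130000Z"}}.items():
        print(name, lock_state(entry, policy, now), lock_expiry(entry, policy))
```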

Split debug and debug_smarty

We should not tie debugging on the server side to debugging on the client side. This would allow debugging on the server side without any impact on users.

PostHook

It would be great to add a posthook like we have in Self Service Password.

Add prehook

We should have a prehook that could, for example, refuse a password change (because the password should be changed from another place, or does not respect some requirements).

Docker Container

Having an official Docker container for this would be pretty nice.

I can provide a PR for that, with docker-compose.

Append an option to add a "Generate new password" button

Button to generate a random password based on a RegExp.

When the admin clicks on this button, the password is updated automatically in LDAP, the hook is processed and the new password is displayed or sent by email to the user. The admin does not have to know the new password.

LTB Service Desk Active Directory Support

Hi,

I'm trying to get LTB Service Desk to work with Microsoft Active Directory, but some features like "Change password" and "Lock account" don't work, so I've been looking for a useful log file to debug this behavior, with no luck. I also did not get results activating the debug mode.

So my question is: does this application work with Active Directory?

My environment is:

  • Red Hat Enterprise Linux 8.5
  • Microsoft Active Directory 2019
  • PHP version 7.4
  • Smarty 3

My config.inc.local.php:

$debug = false;
$ldap_url = "ldaps://ip.to.my.ad:636";
$ldap_starttls = false;
$ldap_binddn = "CN=Administrator,CN=Users,DC=mydomain,DC=cnp";
$ldap_bindpw = "MyAdminPassword";
$ldap_base = "DC=mydomain,DC=cnp";
$ldap_user_base = $ldap_base;
$ldap_user_filter = "(objectClass=user)";
$ldap_size_limit = 100;

Lock User feature enabled but the lock button not showing on dashboard

The lock user feature is enabled by setting
$use_lockaccount = true;

and the default policy is applied correctly by setting
$ldap_default_ppolicy = "cn=default,ou=ppolicy,dc=example,dc=com";

but on the dashboard there is only a text that shows:
Account is not locked

There is no button to lock the user.

By the way, the unlock button works fine.
Does anyone know how to troubleshoot this issue, or can shed some light on this, please?
Thanks in advance!

Remove datepicker

We call datepicker in our code but it is not used; it should be removed.

Ability to add new users

If this project had the ability to add users in a tree, it could replace the old phpldapadmin and LDAP-Account-Manager in a lot of day-to-day use cases.

Send a mail to administrator

Linked to #71 and #72

If the administrator identity is known, send a mail to confirm the action has been done. It will be a configuration option, of course.

Multi tenancy

Possibility to load different configurations depending on the host name.

userAccountControl

Manage composer dependencies in RPM and Debian packaging

For RPM, I suggest the easy way: take the distribution tarball as source, which already contains the vendor dependencies, and remove the system-packaged dependencies during the build.

For Debian, it seems the process is to patch the composer.json/composer.lock from sources and run composer update during the build. Quite a bit more complex than relying on the distribution tarball; any help is welcome.

Add a page to edit user attributes

We could add a page where we can update some attributes of the user (the list of available attributes will be a configuration parameter)

A specific option can be added to update the photo too.

Question: olcAccess rights for locking/unlocking accounts

Hello,

I made a dedicated LDAP user to be used by Service-Desk with the following olcAccess:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to dn.subtree="ou=ppolicies,dc=dom" by dn="cn=bot ldap,ou=users,dc=dom" read by * break
-
add: olcAccess
olcAccess: {2}to dn.subtree="ou=users,dc=dom" attr=userPassword by dn="cn=bot ldap,ou=users,dc=dom" write by * break
-
add: olcAccess
olcAccess: {3}to dn.subtree="ou=users,dc=dom" by dn="cn=bot ldap,ou=users,dc=dom" read by * break

Everything is working well except for the locking/unlocking feature of LDAP accounts.
I can't manage to get the proper access rules for that feature; if anyone could share them, I would be a happy man.

Thanks

The service desk does not show that the password has expired, use non-ldap management users

Recently, a problem was discovered in the process of using the service desk.
The service desk does not show that the password has expired when using non-LDAP-administrator users.

If you use the LDAP administrator user to query the account, the web page can show that the account password has expired.

If you use a non-administrator LDAP user that can query the account, the web page cannot show that the account password has expired.

The content of the service desk configuration file is as follows:

Send a mail to user after password reset

We should add the possibility to send a mail to the user after their mail was changed. This requires using PHPMailer (we should use the same configuration parameters as Self Service Password).

To be discussed: an option to include the new password in the mail (as the user could be forced to change it at first login). It is a security flaw and should be disabled by default, but could be useful in some organizations.

User creation workflow

The goal is to let users register their account, and only store them in LDAP directory after an admin approval.

  • Create a public form (for example in public/register_account.php)
  • Store submitted data in a temporary file / LDAP branch?
  • Create a dashboard to list all pending registration requests
  • Accept or deny a registration request

Audit trail

We could create an audit log file where all actions done in Service Desk will be registered. We can get the connected user through some environment variable (REMOTE_USER) to log it with the action. This audit log would be disabled by default.

Configure cache dir and template cache dir

Installing the software with SELinux enabled is not working, because the cache dir and template cache dir are in /usr and should be in /var/cache.

We should be able to configure these directories and adapt the packaging files.

Log who has done the action (audit trail)

For now, access to Service Desk is anonymous, even if we recommend adding authentication (Web Server or SSO).

We should be able to get the identity of the connected user and log every action done.

PHP Fatal error: Uncaught TypeError: Cannot access offset of type string on string

With PHP 8.1, when displaying an entry:

[Tue Sep 13 14:50:17.575299 2022] [php:error] [pid 27774] [client 127.0.0.1:40204] PHP Fatal error:  Uncaught TypeError: Cannot access offset of type string on string in /usr/local/service-desk/htdocs/display.php:82\nStack trace:\n#0 /usr/local/service-desk/htdocs/index.php(103): require_once()\n#1 {main}\n  thrown in /usr/local/service-desk/htdocs/display.php on line 82, referer: http://sd.example.com/index.php?page=searchlocked

Fresh installation - Cannot access Service Desk

Hi! We have installed Service Desk in Ubuntu 22.04 using Debian/Ubuntu packages.

After the package and dependencies installation, we enabled the site (using a2ensite service-desk.conf). Then, we receive an error 500 message.

Access messages are logged in sd_access.log but nothing is logged in sd_error.log.

Could you give us further assistance?

Thank you!

Hashing passwords with password reset

Dear team,

I am also using your password self service tool. Both work very well.
Currently I have no default password policy in my OpenLDAP server. When I do a password reset with the "service desk" tool, the password gets stored in clear format in LDAP.
In Self Service Password I can define how it is stored in LDAP.

Is there a way to configure it in Service Desk similarly as in Self Service Password?

Config parameter in Self Service Password with example hash:
$hash = "SSHA";

Thanks in advance!

Display expiration date

We could display the account expiration date in policy info. We already compute this date to know if the password is expired or not.

Using default policy option does not seem to work

Hello,

I'm trying to debug the default policy option. Here is a sample of my conf:

$ldap_url = "ldap://myldap.com";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=mydomain";
$ldap_bindpw = "pwd";
$ldap_base = "dc=mydomain";
$ldap_user_base = "ou=users,".$ldap_base;
$ldap_user_filter = "(objectClass=inetOrgPerson)";
$ldap_group_filter =
$ldap_size_limit = 100;
$ldap_default_ppolicy = "cn=default,ou=ppolicies,dc=mydomain";

And here is my policy:

dn: cn=default,ou=ppolicies,dc=mydomain
cn: default
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: device
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdCheckModule: pqchecker.so
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 0
pwdLockout: TRUE
pwdLockoutDuration: 7200
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: FALSE

And my pqchecker configuration (it's the default):

# Data format: 0|UULLDDSS@)..
# Or         : 1|UULLDDSS@)..
#
# 1st character is the modified passwords broadcast flag. 1 -> Broadcast, 0 -> Don't broadcast
# 2nd character is a separator
# U: Uppercase, L: Lowercase, D: Digit, S: Special characters -> from 3rd to 10th charater.
# From the 11th character begins the list of forbidden characters
# Defaulti: No broadcast, 1 Uppercase, 1 Lowercase, 1 digit, 1 Special and no forbidden characters
# https://www.meddeb.net/pqchecker/?Idx=2
0|01010100

But if I reset a password from Service-Desk, it will accept anything (qwerty for my latest test).
In my LDAP logs I can see there is a query for my password policy, but that's all. And for service-desk, these are my only logs:

PHP Notice:  Undefined variable: smarty_compile_dir in /usr/share/service-desk/htdocs/index.php on line 38, referer: https://service-desk.url/index.php?page=display&dn=cn=testUserFirstName%20testUserName,ou=users,dc=domain&resetpasswordresult=passwordchanged
PHP Notice:  Undefined variable: smarty_cache_dir in /usr/share/service-desk/htdocs/index.php on line 39, referer: https://service-desk.url/index.php?page=display&dn=cn=testUserFirstName%20testUserName,ou=users,dc=domain&resetpasswordresult=passwordchanged
172.20.0.6 - myuser [06/Dec/2020:16:40:35 +0100] "POST /index.php?page=resetpassword HTTP/1.1" 302 4737 "https://service-desk.url/index.php?page=display&dn=cn=testUserFirstName%20testUserName,ou=users,dc=domain&resetpasswordresult=passwordchanged" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
PHP Notice:  Undefined variable: smarty_compile_dir in /usr/share/service-desk/htdocs/index.php on line 38, referer: https://service-desk.url/index.php?page=display&dn=cn=testUserFirstName%20testUserName,ou=users,dc=domain&resetpasswordresult=passwordchanged
PHP Notice:  Undefined variable: smarty_cache_dir in /usr/share/service-desk/htdocs/index.php on line 39, referer: https://service-desk.url/index.php?page=display&dn=cn=testUserFirstName%20testUserName,ou=users,dc=domain&resetpasswordresult=passwordchanged
172.20.0.6 - myuser [06/Dec/2020:16:40:35 +0100] "GET /index.php?page=display&dn=cn=testUserFirstName%20testUserName,ou=users,dc=domain&resetpasswordresult=passwordchanged HTTP/1.1" 200 2954 "https://service-desk.url/index.php?page=display&dn=cn=testUserFirstName%20testUserName,ou=users,dc=domain&resetpasswordresult=passwordchanged" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 

Any hint?

