
REST - API; DoLogon - LDAP_PASSWORD_UNDEFINED

Hello,

I'm trying to do the "sample Authentication flow" according to the documentation (https://www.netiq.com/documentation/advanced-authentication-64/apidoc/data/apidoc.html)

What is working:

  • Create Endpoint
  • Create Endpoint Session
  • Read User Chains
  • Start Logon Process

What is not working:

  • Perform the "do_logon" REST-Call

My REST-Call:

POST:

https://[AAF-SERVER]/api/v1/logon/[LOGON_PROCESS_ID]/do_logon

Payload:

{
    "endpoint_session_id": "8eTaHqJEO6JYB8TMXZe7Roanwd2uDzUE",
    "response": {
        "answer": "aafDemo1234!"
    }
}

Response:

{
    "status": "FAILED",
    "msg": "Provide a clear password or CHAP/MS-CHAP2 fields",
    "linked_logon": false,
    "reason": "LDAP_PASSWORD_UNDEFINED",
    "plugins": [],
    "msgid": "AUCORE-2003",
    "chains": [
        {
            "id_hex": "c0dd7a32ec7a11ecb45b66ee5cacced1",
            "tenant_id": "def0def0def0def0def0def0def0def0",
            "is_trusted": null,
            "is_enabled": true,
            "name": "Domain Password",
            "short_name": "",
            "methods": [
                "LDAP_PASSWORD:1"
            ],
            "position": 1,
            "apply_for_ep_owner": false,
            "image_name": "LDAP_PASSWORD_1.png",
            "required_chain_id_hex": null,
            "grace_period": null,
            "mfa_tags": [],
            "risk_level": "NONE"
        }
    ],
    "categories": null,
    "current_method": "LDAP_PASSWORD:1",
    "completed_methods": [],
    "logon_process_id": "DCMyxLcsgOM9poX38H64Y35Ow6YXHJav",
    "event_name": "Helpdesk",
    "event_type": "Generic",
    "event_all_categories": true,
    "event_data_id": "HELPDESK",
    "data_id": "HELPDESK",
    "category_id": "",
    "current_category_id": ""
}

I don't know exactly what "LDAP_PASSWORD_UNDEFINED" means; I didn't find any information about it in the documentation. To me it seems that the server does not understand the payload and does not use the password accordingly. This assumption is based on the fact that if I do not send a "response" in the payload, the error remains the same, as does the message "provide a clear password". According to the documentation this should be enough.

Does anyone have an idea what the issue could be?

BR

Tobias

  • 0  

    Hello Tobias,

    Yes, it would seem the password is not understood as that error means the password is empty.

    I've only seen this when the JSON was not properly formatted.

    Perhaps you can try a different JSON value: {"endpoint_session_id":"8eTaHqJEO6JYB8TMXZe7Roanwd2uDzUE","response":{"answer":"aafDemo1234!"}}

    Thanks.

    Regards,

    Luciano Testa

  • 0   in reply to   

    Hello Luciano,

    Unfortunately, the result remained the same. I noticed in the admin interface for a login statistic that there are differences in the display when I login via REST API and when I do it via the browser (/Helpdesk).

    I use the "Helpdesk" event for the REST API and I see in the entry at 10:52 that it shows the "Chain name". This entry was done via browser using the helpdesk module.

    When I use the REST API (specifically the doLogon call), only the "method name" is displayed, but no chain. Is this how it should be?

  • 0   in reply to   

    Yes, the process states you have to:

    • Read all chains available for user and event combination. Read user chains

    • Select a chain to attempt if multiple chains are returned.

  • 0   in reply to   

    Is there a way to select a specific chain?

    In my case I only have one chain for this user.

    And in the "start Logon" process I'm using a method_id, but I don't specify a chain.

  • Verified Answer

    +1  

    The problem was due to wrongly formatted JSON (I used the software 'Postman'). The JSON itself was valid (checked with a validator), but it seems that Postman didn't send it correctly.

    The support sent the following link: [Advanced Authentication] Authentication API Flow using postman (microfocus.com). I already used the same API as mentioned in the link but I found a setting in Postman to format the payload/body correctly as JSON.
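
An added example, not part of the thread and not NetIQ or Postman code: a pre-flight check for the failure in the verified answer, where the JSON text is valid but the request does not deliver it as JSON, so the server sees no password. It assumes the Postman setting controls the body type and therefore the Content-Type header (the post does not name the setting); `build_do_logon` and `lint_request` are hypothetical helper names and all values are constructed.

```python
import json
import urllib.request

def build_do_logon(server, logon_process_id, endpoint_session_id, answer):
    """Build (not send) the do_logon POST with the body serialized as JSON."""
    url = f"https://{server}/api/v1/logon/{logon_process_id}/do_logon"
    payload = {"endpoint_session_id": endpoint_session_id,
               "response": {"answer": answer}}
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )

def lint_request(content_type, body):
    """Return reasons a server could fail to read the password from this request."""
    problems = []
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != "application/json":
        problems.append(f"Content-Type is {media_type or 'missing'}, not application/json")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return problems + ["body is not valid UTF-8 JSON"]
    if not isinstance(doc, dict):
        return problems + ["top-level JSON value is not an object"]
    if not doc.get("endpoint_session_id"):
        problems.append("endpoint_session_id is missing or empty")
    response = doc.get("response")
    if not isinstance(response, dict) or not response.get("answer"):
        problems.append("response.answer is missing or empty")
    return problems  # never includes the password itself, so it is safe to log

# Constructed sample values, not real identifiers or credentials.
req = build_do_logon("aaf.example.test", "LOGON_PROCESS_ID", "SESSION_ID",
                     "constructed-password")
GOOD = lint_request(req.get_header("Content-type"), req.data)
# Same valid JSON sent as plain text: the failure mode assumed above.
AS_TEXT = lint_request("text/plain", req.data)
# Double-encoded body: a JSON string wrapping the object is valid JSON
# for a validator, but it carries no fields the server can read.
DOUBLE = lint_request("application/json", json.dumps(req.data.decode()).encode())
```

In a real client the password would come from a prompt or secret store rather than a literal, and only the `lint_request` findings would be logged, never the request body.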