Webui value breaking non-privacyIDEA service (LAM)

I have a privacyIDEA server set up and it’s working. I have several policies, but only one with scope “webui”. How is it that the login_mode value in this policy affects a service that is not related to the privacyIDEA web interface?

I’m using LAM for LDAP account management, and when I change the login_mode value from “userstore” to “privacyIDEA” it breaks LAM’s logins. Shouldn’t a policy based on webui not affect outside services and only affect the web interface for privacyIDEA?

Thanks.

You need to ask yourself what kind of plugin in LAM you are using and how it is connected to privacyIDEA.
Which API call is it using?
Who wrote the code that connects LAM to privacyIDEA? Maybe you need to clarify with them.


The LAM uses the privacyIDEA endpoint /auth, which is wrong, since it is the endpoint for login in the webui. It should use /validate/check.

Thank you @cornelinux, this is helpful. I contacted the developer of LAM and he is looking into the issue. His comment was:

"The background for using /auth is to get the list of possible OTP serials. But maybe this is not needed any more. "

I would recommend that a plugin, that wants to know the serial numbers of a user, should use an administrative service account to do so.
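The two points made above (authenticate end users against /validate/check, and enumerate a user's serials only with an administrative service account) are sketched below as an added example client; this is not LAM's or privacyIDEA's own code. It assumes privacyIDEA's documented JSON API (POST /validate/check with `user`/`pass`, POST /auth returning a JWT under `result.value.token`, GET /token/?user=... with the JWT in the `Authorization` header) and uses an injectable `transport` so that a constructed fake server lets it run offline.

```python
"""Added example: how a third-party plugin should talk to privacyIDEA.
/validate/check is not governed by the webui policy scope, so a change
to login_mode cannot break it; /auth is the webui login endpoint and is
only called here with a dedicated service account to read serials."""
import json
import urllib.request
from urllib.parse import parse_qs, urlencode


def http_transport(method, url, headers, data):
    """Real transport (assumed): form-encoded POST or plain GET, JSON back."""
    body = urlencode(data).encode() if data is not None else None
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


class PrivacyIdeaClient:
    def __init__(self, base_url, transport=http_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport

    def validate_check(self, user, password, realm=None):
        """Authenticate an end user (pass = PIN+OTP or static password)."""
        params = {"user": user, "pass": password}
        if realm:
            params["realm"] = realm
        resp = self.transport("POST", self.base_url + "/validate/check", {}, params)
        result = resp.get("result", {})
        # status: request was processed; value: credentials were accepted
        return bool(result.get("status")) and bool(result.get("value"))

    def admin_login(self, username, password):
        """Obtain a JWT for the *service account* via the webui login endpoint."""
        resp = self.transport("POST", self.base_url + "/auth", {},
                              {"username": username, "password": password})
        if not resp.get("result", {}).get("status"):
            raise PermissionError("service account login failed")
        return resp["result"]["value"]["token"]

    def list_serials(self, jwt, user, realm=None):
        """Enumerate a user's token serials with the service account's JWT."""
        query = {"user": user}
        if realm:
            query["realm"] = realm
        url = self.base_url + "/token/?" + urlencode(query)
        resp = self.transport("GET", url, {"Authorization": jwt}, None)
        tokens = resp.get("result", {}).get("value", {}).get("tokens", [])
        return [t["serial"] for t in tokens]


# --- constructed fake privacyIDEA server so the example runs offline ---
FAKE_USERS = {"alice": {"pass": "secret123456", "serials": ["TOTP0001A", "HOTP0002B"]}}
FAKE_ADMIN = ("lam-svc", "adminpw")   # constructed service-account credentials
FAKE_JWT = "jwt-constructed"


def fake_transport(method, url, headers, data):
    path = url.split("://", 1)[-1].split("/", 1)[1]
    if method == "POST" and path == "validate/check":
        entry = FAKE_USERS.get(data["user"])
        ok = bool(entry and entry["pass"] == data["pass"])
        return {"result": {"status": True, "value": ok}}
    if method == "POST" and path == "auth":
        # The fake webui login admits only the service account, mirroring a
        # deployment where end users are not meant to log in via /auth.
        if (data["username"], data["password"]) == FAKE_ADMIN:
            return {"result": {"status": True, "value": {"token": FAKE_JWT}}}
        return {"result": {"status": False}}
    if method == "GET" and path.startswith("token/?"):
        if headers.get("Authorization") != FAKE_JWT:
            return {"result": {"status": False}}
        user = parse_qs(path.split("?", 1)[1]).get("user", [""])[0]
        serials = FAKE_USERS.get(user, {}).get("serials", [])
        tokens = [{"serial": s} for s in serials]
        return {"result": {"status": True, "value": {"tokens": tokens}}}
    return {"result": {"status": False}}


def demo():
    """Plugin flow: user login via /validate/check, serials via service account."""
    client = PrivacyIdeaClient("https://pi.example", transport=fake_transport)
    user_ok = client.validate_check("alice", "secret123456")
    user_bad = client.validate_check("alice", "wrong-password")
    jwt = client.admin_login(*FAKE_ADMIN)
    serials = client.list_serials(jwt, "alice")
    try:
        client.admin_login("alice", "secret123456")   # end user on /auth: refused
        end_user_rejected = False
    except PermissionError:
        end_user_rejected = True
    return {"user_ok": user_ok, "user_bad": user_bad,
            "serials": serials, "end_user_rejected": end_user_rejected}


if __name__ == "__main__":
    print(demo())
```

Swapping `fake_transport` for the default `http_transport` and pointing `base_url` at a real server turns this into a working client; the split between `validate_check` (end-user path) and `admin_login` plus `list_serials` (service-account path) is what keeps a webui-scoped login_mode change from touching the plugin's user logins.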

Thank you. I’ve forwarded this info on to the developer of LAM.