8/28 - Sudden LDAP Authentication Issues

This morning our LDAP authentication has stopped working. This is the screen we get upon successful authentication:

The only error message that pops up in librenms.log is:
Trying to access array offset on value of type int {"exception":"[object] (ErrorException(code: 0): Trying to access array offset on value of type int at /opt/librenms/LibreNMS/Authentication/LdapAuthorizer.php:131)"}

./validate.php output:

Component Version
LibreNMS 23.8.2-12-g744ff7543 (2023-08-28T08:39:03-06:00)
DB Schema 2023_06_18_201914_migrate_level_to_roles (257)
PHP 8.1.22
Python 3.9.16
Database MariaDB 10.7.8-MariaDB
RRDTool 1.7.0
SNMP 5.8
===========================================

[OK] Composer Version: 2.5.8
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database Schema is current
[OK] SQL Server meets minimum requirements
[OK] lower_case_table_names is enabled
[OK] MySQL engine is optimal
[OK] Database and column collations are correct
[OK] Database schema correct
[OK] MySQl and PHP time match
[OK] Active pollers found
[OK] Dispatcher Service not detected
[OK] Locks are functional
[OK] Python poller wrapper is polling
[OK] Redis is unavailable
[OK] rrd_dir is writable
[OK] rrdtool version ok

./daily.sh output:
Updating to latest codebase OK
Updating Composer packages OK
Updating SQL-Schema OK
Updating submodules OK
Cleaning up DB OK
Fetching notifications OK
Caching PeeringDB data OK

This may be unrelated but when I switch to mysql authentication, sign in with an admin account and go to “Manage Users,” I get this screen:

Thank you for working on this. With the latest commits pulled, I was able to get signed back in; however, I’m still unable to access the “Manage Users” screen even though my account is an admin. I’m getting the “403 This Action is Unauthorized screen” with no errors showing up in librenms.log. I also noticed that it is displaying in “Light” mode despite my CSS settings being set to “Dark”, but this is less important.

You might need to run lnms db:seed --class='Database\Seeders\RolesSeeder' and lnms tinker --execute='Bouncer::refresh()'

Also, make sure you are setting roles via the auth_ldap_groups setting.

Those two commands you provided seem to have done the trick. I’m able to access the Manage Users page now. I can confirm that we are configuring LDAP groups via auth_ldap_groups in config.php. My only apparent issue is the CSS setting now. Thank you much!

Hello,

Our LibreNMS LDAP Authorization stopped working this morning with the error in the log:

Trying to access array offset on value of type int {"exception":"[object] (ErrorException(code: 0): Trying to access array offset on value of type int at /opt/librenms/LibreNMS/Authentication/LdapAuthorizationAuthorizer.php:133)"}

Validate output:

./validate.php

Component Version
LibreNMS 23.8.2-17-g976cb53ea (2023-08-29T09:00:17-04:00)
DB Schema 2023_06_18_201914_migrate_level_to_roles (257)
PHP 8.1.22
Python 3.9.2
Database MariaDB 10.5.19-MariaDB-0+deb11u2
RRDTool 1.7.2
SNMP 5.9
===========================================

Please advise.

Try running ./daily.sh and then afterwards, if everything shows OK, run the two commands murrant provided:
lnms db:seed --class='Database\Seeders\RolesSeeder'
lnms tinker --execute='Bouncer::refresh()'

The problem was in this section of the LdapAuthorizationAuthorizer.php file:

    public function getRoles(string $username): array|false
    {
        $roles = $this->authLdapSessionCacheGet('roles');
        if ($roles !== null) {
            return $roles;
        }
        $roles = [];

        // Find all defined groups $username is in
        $filter = '(&(|(cn=' . implode(')(cn=', array_keys(Config::get('auth_ldap_groups'))) . '))(' . Config::get('auth_ldap_groupmemberattr') . '=' . $this->getMembername($username) . '))';
        $search = ldap_search($this->ldap_connection, Config::get('auth_ldap_groupbase'), $filter);
        $entries = ldap_get_entries($this->ldap_connection, $search);

        $authLdapGroups = Config::get('auth_ldap_groups');
        // Collect all roles
        foreach ($entries as $entry) {
            // ldap_get_entries() also returns a 'count' => int element;
            // only real entries have a cn value, so skip everything else
            if (isset($entry['cn'][0])) {
                $groupname = $entry['cn'][0];

                if (isset($authLdapGroups[$groupname]['roles']) && is_array($authLdapGroups[$groupname]['roles'])) {
                    $roles = array_merge($roles, $authLdapGroups[$groupname]['roles']);
                } elseif (isset($authLdapGroups[$groupname]['level'])) {
                    $role = LegacyAuthLevel::tryFrom($authLdapGroups[$groupname]['level'])?->getName();
                    if ($role) {
                        $roles[] = $role;
                    }
                }
            }
        }
        $roles = array_unique($roles);
        $this->authLdapSessionCacheSet('roles', $roles);

        return $roles;
    }

It is the same fix he applied here to a different file LibreNMS/Authentication/LdapAuthorizer.php:

Thanks for the fix! 🙂 Without his commit I wouldn’t have been able to find it, as I am not a programmer.
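Why the isset() guard in the posted getRoles() removes the logged error, as an added example that is not part of the original posts or of the LibreNMS code base. The entry data, group names, role names and the two function names are constructed for illustration, and rolesUnguarded() is an assumed reconstruction of a loop without the guard, not the project's earlier code.

```php
<?php
// Mimic a framework that turns PHP warnings into ErrorException,
// which is how the message ended up in librenms.log.
set_error_handler(function (int $no, string $msg, string $file, int $line) {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// Constructed sample in the shape ldap_get_entries() returns: a top-level
// 'count' => int element sits beside the numerically indexed entries.
$entries = [
    'count' => 2,
    0 => ['cn' => ['count' => 1, 0 => 'nms-admins'], 'dn' => 'cn=nms-admins,ou=groups,dc=example,dc=org'],
    1 => ['cn' => ['count' => 1, 0 => 'nms-readonly'], 'dn' => 'cn=nms-readonly,ou=groups,dc=example,dc=org'],
];

// Constructed auth_ldap_groups style mapping (group name => roles).
$authLdapGroups = [
    'nms-admins' => ['roles' => ['admin']],
    'nms-readonly' => ['roles' => ['global-read']],
];

// Hypothetical loop without the guard: foreach also visits 'count'.
function rolesUnguarded(array $entries, array $groups): array
{
    $roles = [];
    foreach ($entries as $entry) {
        $groupname = $entry['cn'][0]; // $entry is the int 2 on the 'count' element
        $roles = array_merge($roles, $groups[$groupname]['roles'] ?? []);
    }
    return array_values(array_unique($roles));
}

// Same loop with the guard from the posted fix: isset() is false for an int.
function rolesGuarded(array $entries, array $groups): array
{
    $roles = [];
    foreach ($entries as $entry) {
        if (! isset($entry['cn'][0])) {
            continue; // not a directory entry, nothing to map
        }
        $roles = array_merge($roles, $groups[$entry['cn'][0]]['roles'] ?? []);
    }
    return array_values(array_unique($roles));
}

try {
    rolesUnguarded($entries, $authLdapGroups);
} catch (ErrorException $e) {
    echo 'unguarded: ', $e->getMessage(), PHP_EOL;
}
echo 'guarded: ', implode(',', rolesGuarded($entries, $authLdapGroups)), PHP_EOL;
```

A group that is missing from the mapping contributes no roles in the guarded loop, so an unmapped user ends up with an empty role list rather than an exception.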

I suggest you submit a pull request with your fix. (Go to the file on GitHub and click the edit button, then create a pull request after you have saved your edit.)

I submitted pull request #15268.
Thanks!

Thanks @yarogr !

You are welcome!
