Bugreport: daily.php/purgeusers removes user with valid API keys

Tags: #<Tag:0x00007f3b80cc0d40>


after the upgrade to the latest release (1.49) and the first run of daily.sh some of our Icinga checks - which use the LibreNMS API - did not work anymore. Apache returned a HTTP/1.1 500 Internal Server Error for the specified API key.
There were some errors in the logfile:
production.ERROR: Undefined index: username {"exception":"[object] (ErrorException(code: 0): Undefined index: username at /opt/librenms/app/Providers/LegacyUserProvider.php:65)
(The full stacktrace is available here).

We use active directory as our authentication method and a special user (which isn’t used except for the creation of new API keys) to make sure that no changes are required if someones AD account is disabled.
Using database backups from before and after the run of daily.sh I figured out that the purgeusers function of daily.php removed the special user from the database.

Requiring users to log in periodically to ensure their API keys keep working seems to be a bug.

$config['active_directory']['users_purge'] = 0; in config.php does work as a hotfix.

Is your bind user set up correctly?

Does ./scripts/authtest.php -l show a list of users?

./scripts/auth_test.php -l output:

Authentication Method: active_directory
Could not bind to AD, you will not be able to use the API or alert AD users
Users: [redacted, 18 pairs of 'username (some id)', including the ones used for API access]
Total users: 18

So the script can’t bind to AD, but is able to list the users anyway? The user list contains users which are not in the users table and the login using ad-credentials does work.

some things can be done with anonymous bind, some things cannot.

You’ll need to get your bind user working to use the API, as the error message describes.

I updated our internal ticket, so someone will check the values of $config['auth_ad_binduser'] and $config['auth_ad_bindpassword'].

Thanks for the fast replies!

It seems that there is a bug in auth_test.php and that the error message is slightly misleading: The Success-Line in the script’s output above is the result of echo $ldap_error . PHP_EOL; in auth_test.php (here).

The bug might be in ActiveDirectoryAuthorizer.php's bind(): It saves the return value of ldap_bind() in $bind_result [missing link] and returns if ldap_bind() was successful (here) - but it doesn’t return $bind_result itself.
Therefore $bind_success in auth_test.php [missing link] is always false.

If I replace the return; in ActiveDirectoryAuthorizer.php with return $bind_result; everything works as expected:

[email protected]:~$ ./scripts/auth_test.php -l
Authentication Method: active_directory
AD bind success
Users: [18x username(id)]
Total users: 18

This bug is still present in the latest git commit on the master branch.

If you have fixed a bug, please submit it for inclusion :wink:

We’re running into the same issue. After patching ActiveDirectoryAuthorizer.php per @feuerrot it does appear that the bind is successful, but the API tokens still will not stay linked to a user past the users_purge period.