No admin logins with RADIUS authentication since automatic update this past weekend

Since the updates that were automatically applied by the daily.sh script this weekend past, none of the admin logins have admin permissions any more. We use RADIUS authentication here, it’s an AD server (however when setting up it point-blank refused to authenticate in AD mode). All the formerly admin accounts have been downgraded to “user”, and creating a new local admin user at the command line won’t work as we’re not using MySQL authentication.

How do we recover admin access?

  • The output of ./validate.php
===========================================
Component | Version
--------- | -------
LibreNMS  | 23.8.2-17-g976cb53ea (2023-08-29T13:00:17+00:00)
DB Schema | 2023_06_18_201914_migrate_level_to_roles (257)
PHP       | 8.1.21
Python    | 3.9.16
Database  | MariaDB 10.5.16-MariaDB
RRDTool   | 1.7.2
SNMP      | 5.9.1
===========================================

[OK]    Composer Version: 2.5.8
[OK]    Dependencies up-to-date.
[OK]    Database connection successful
[OK]    Database Schema is current
[OK]    SQL Server meets minimum requirements
[OK]    lower_case_table_names is enabled
[OK]    MySQL engine is optimal
[OK]    Database and column collations are correct
[OK]    Database schema correct
[OK]    MySQl and PHP time match
[OK]    Active pollers found
[OK]    Dispatcher Service not detected
[OK]    Locks are functional
[OK]    Python poller wrapper is polling
[OK]    Redis is unavailable
[OK]    rrd_dir is writable
[OK]    rrdtool version ok

In a bit of bad form, I was able to regain control by setting the default permissions level to 10 - admin! Hardly ideal.

So I went nosing around the code, and discovered if I comment out line 53 of: https://github.com/librenms/librenms/blob/master/LibreNMS/Authentication/RadiusAuthorizer.php
(the line containing $user->setRoles($this->roles[$credentials['username']] ?? $this->getDefaultRoles(), true); ) it will use the setting stored in the database as set via the User Manager.

My PHP coding is non-existent but I’d like to propose a config setting for RADIUS auth that enables or disables this line. With it disabled, the user is authenticated by RADIUS but permissions are handled locally.

Can you set the attribute as outlined by the documentation in your radius server?

An enforce roles option might be a good idea. Hopefully someone can contribute that.

FYI, all the other external auth enforce roles like this.

I see the recent update has added this into the configuration - thank you!

I’ve backed out my hack and run the suggested
lnms config:set radius.enforce_roles false
instead, and can confirm this is working for me.
