I’ve got LibreNMS deployed using SSO authentication via mod_auth_cas in Apache. That’s working just fine. I’d like to add Oxidized into the mix with its http source type, but it only seems to support authentication via the X-Auth-Token header. Is there a way to exempt API calls from the full SSO treatment?
Sorry, I see where my question wasn’t clear enough. Oxidized itself can’t access the LibreNMS API because its request to https://librenms.example.org/api/v0/oxidized isn’t SSO-authenticated.
Running oxidized from the command line shows the following output, revealing that it’s getting redirected to our CAS server to go through the authentication process:
$ oxidized -d
751: unexpected token at '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://cas.stage.example.org/cas/login?service=https%3a%2f%2flibrenms.stage.example.org%2fapi_v0.php%2foxidized">here</a>.</p>
</body></html>
'
/usr/share/ruby/json/common.rb:156:in `parse': 751: unexpected token at '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> (JSON::ParserError)
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://cas.stage.example.org/cas/login?service=https%3a%2f%2flibrenms.stage.example.org%2fapi_v0.php%2foxidized">here</a>.</p>
</body></html>
'
Any chance you could post a sanitized copy of your Apache config? I suspect that’s where my issue is, but I’m not certain. I’m assuming there’s some sort of <Location "/api"> alchemy that can be done to override the CAS Auth configuration that I have in <Location "/">, but I haven’t been able to get it right yet.
Just to circle back in case anyone else runs into this, my eventual solution was to run a separate VirtualHost just on the loopback address that didn’t use the CAS authentication module. This allowed the API to query localhost without getting redirected to our IdP.
Doesn’t feel like the cleanest solution, but it’s working.