[SOLVED] New API restrictions and LDAP userlevel issue

Hello all,

In the last few days, we have discovered an issue while restarting the oxidized service.
After analyzing the logs, the cause seemed to be an issue with the API token usage.

When we launched a curl from oxidized to /api/v0/oxidized, we got an "Insufficient privileges" message from the API, but not when calling just /api/v0.

We use LDAP to authenticate our users on LibreNMS.
Only one specific LDAP group has level 10 privileges.

So we can create a token for all these LDAP users, but these users are not inserted in the users table, and that may be the cause of the issue for the subsequent API auth.

If I disable LDAP auth, I can generate a token for the "local" admin and use it without problems with Oxidized, for example. But if I reactivate LDAP auth, it fails.

I have checked the html/includes/api_functions.inc.php file and seen the is_admin() function in html/includes/functions.inc.php. I temporarily modified this function to bypass the is_admin check, as below:

function is_admin()
{
    // Temporary workaround: grant admin regardless of the session userlevel
    if ($_SESSION['userlevel'] >= '10') {
        $allowed = true;
    } else {
        //$allowed = false;
        $allowed = true;
    }

    return $allowed;
}

It works fine with this modification.
So the userlevel reading seems to be the issue in my case, as if the userlevel was not inserted in the header or not correctly interpreted.

Maybe it is a problem following the announcement about API enforcement, as seen in topic 2675.

Thanks for the helping hand.

Regards

Nicolas

See below the result of validate.php:

====================================

Component Version
LibreNMS 1.33-214-g0c36cd7a8
DB Schema 222
PHP 7.0.19-1
MySQL 10.1.26-MariaDB-0+deb9u1
RRDTool 1.6.0
SNMP NET-SNMP 5.7.3

====================================

[OK] Database connection successful
[OK] Database schema correct

I have seen issue 2785 about the same type of problem with AD auth.

If it can help, when I run ./scripts/auth_test.php, it doesn't return a line with:

level => 10

My ldap.conf contains:

$config['auth_ldap_groups']['nocusers']['level'] = 10;

getUser does not return a level, at least for LDAP, so a better way to fake the session seems to be:

--- a/html/includes/api_functions.inc.php
+++ b/html/includes/api_functions.inc.php
@@ -25,10 +25,11 @@ function authToken(\Slim\Route $route)
         && ($username = Auth::get()->getUser($user_id))
     ) {
         // Fake session so the standard auth/permissions checks work
+        $userlevel = Auth::get()->getUserlevel($username['username']);
         $_SESSION = array(
             'username' => $username['username'],
             'user_id' => $username['user_id'],
-            'userlevel' => $username['level']
+            'userlevel' => $userlevel
         );
         $permissions = permissions_cache($_SESSION['user_id']);
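Review bot: the added `$userlevel = Auth::get()->getUserlevel($username['username']);` line makes the level come from a second backend call instead of the record returned by `getUser($user_id)`, and nothing in the hunk records why; the `// Fake session so the standard auth/permissions checks work` comment should state that `getUser()` does not return `level` for LDAP users (as noted in the thread), otherwise a later cleanup may revert to `$username['level']`. Also, `$username` holds the whole user record (it is indexed with `['username']` and `['user_id']`), so renaming it to something like `$user` would make `$username['username']` read less confusingly.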

I am suffering from the same issue. I have confirmed that the LDAP user level being returned is 10, but we are still getting the same. Is the patch listed above going to be put into the main branch?

oxidized@nms01-eqch2
[/home/oxidized]$ curl --insecure -H 'X-Auth-Token: a1a17fb5a26aef3068547bc4c29d7e57' https://librenms.xxxxxxx.net/api/v0/oxidized
{
"status": "error",
"message": "Insufficient privileges"
}

The patch by Ultra2D works fine for me.

Fix has already been pushed out: https://github.com/librenms/librenms/pull/7896
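As an added illustration (not code from this thread or from LibreNMS), the following PHP script models the token-auth flow discussed above: the fake session is built from the user record, and for an LDAP user that record carries no 'level', so the admin check fails until the level is resolved from the group mapping. Helper names and user records are constructed; the group-to-level map mirrors the ldap.conf line quoted earlier, and the admin check stays fail-closed rather than using the bypass from the first post.

```php
<?php
// Added example, not LibreNMS code. Hypothetical helpers modelling the thread's bug.

// Mirrors the quoted ldap.conf line: $config['auth_ldap_groups']['nocusers']['level'] = 10;
$config = ['auth_ldap_groups' => ['nocusers' => ['level' => 10]]];

// Constructed user records: the LDAP one has groups but no 'level', as the thread
// reports getUser() returning for LDAP users; the local admin has 'level' set.
$users = [
    'local-admin' => ['username' => 'local-admin', 'user_id' => 1, 'level' => 10],
    'nicolas'     => ['username' => 'nicolas', 'user_id' => 2, 'groups' => ['nocusers']],
];

// Resolve the privilege level from the record, or for LDAP users from the group map.
function resolve_userlevel(array $user, array $config): int
{
    if (isset($user['level'])) {
        return (int) $user['level'];
    }
    $level = 0;
    foreach ($user['groups'] ?? [] as $group) {
        $level = max($level, (int) ($config['auth_ldap_groups'][$group]['level'] ?? 0));
    }
    return $level;
}

// Fail-closed admin check: a missing or unknown level is never admin.
function is_admin_session(array $session): bool
{
    return (int) ($session['userlevel'] ?? 0) >= 10;
}

// Build the "fake session" the API layer creates after validating a token.
function build_session(array $user, array $config, bool $patched): array
{
    return [
        'username'  => $user['username'],
        'user_id'   => $user['user_id'],
        // Unpatched: copy 'level' straight from the record (null for the LDAP user).
        'userlevel' => $patched ? resolve_userlevel($user, $config) : ($user['level'] ?? null),
    ];
}

foreach ([false, true] as $patched) {
    foreach ($users as $name => $user) {
        $ok = is_admin_session(build_session($user, $config, $patched));
        printf("%-9s %-11s admin=%s\n", $patched ? 'patched' : 'unpatched', $name, $ok ? 'yes' : 'no');
    }
}
```

The unpatched pass grants admin only to local-admin and denies nicolas, reproducing the "Insufficient privileges" response; the patched pass resolves nicolas to level 10 through the nocusers mapping while still denying anyone without a mapped level.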