Hello all,
In the last few days, we have discovered an issue while restarting the oxidized service.
After analyzing logs, the cause seemed to be an issue with the API Token usage.
When we launched a curl from the oxidized host on /api/v0/oxidized, we were getting an “Insufficient privileges” message from the API. But not when calling just /api/v0.
We use LDAP to authenticate our users on LibreNMS.
Only one specific LDAP group has level 10 privileges.
Then we can create a Token for all these LDAP users, but these users are not inserted in the users table, and this may be the cause of the issue for the subsequent API auth …
If I disable LDAP auth, I can generate a Token for the “local” admin and use it without problems with Oxidized, for example. But if I reactivate the LDAP auth, it fails.
I have checked the html/includes/api_functions.inc.php file and seen the existence of the is_admin() function in html/includes/functions.inc.php. I temporarily modified this function in order to bypass the is_admin check as below:
function is_admin()
{
    if ($_SESSION['userlevel'] >= '10') {
        $allowed = true;
    } else {
        //$allowed = false;
        $allowed = true;   // temporary bypass: every caller is treated as admin
    }

    return $allowed;
}
It works fine with this modification.
So the userlevel reading seems to be the issue in my case, as if the userlevel was not inserted in the header or not correctly interpreted.
Maybe a problem after the announcement about API enforcement as seen in topic 2675
Thanks for the helping hand.
Regards
Nicolas
See below the result of a validate.php run:
====================================
| Component | Version |
|---|---|
| LibreNMS | 1.33-214-g0c36cd7a8 |
| DB Schema | 222 |
| PHP | 7.0.19-1 |
| MySQL | 10.1.26-MariaDB-0+deb9u1 |
| RRDTool | 1.6.0 |
| SNMP | NET-SNMP 5.7.3 |
====================================
[OK] Database connection successful
[OK] Database schema correct
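One way to close the gap the post describes without weakening the check, as an added illustration that is not LibreNMS code: when an API token is presented, resolve the user level from the token's owner, and fall back to the session only for interactive logins. The function names (resolve_userlevel, is_admin_for_request), the in-memory user and token tables, and the sample values are all constructed for this example and say nothing about how LibreNMS actually stores tokens or users.

```php
<?php
// Added illustration only, not LibreNMS code. A fail-closed admin check that
// derives the effective user level from the owner of the presented API token
// instead of relying on $_SESSION alone. Every name and value below is
// constructed for this example.

// Constructed sample accounts: an LDAP-authenticated admin and a local
// read-only user, each with an API token. A real deployment would read these
// from its user store (or the LDAP lookup) and its API token table.
$users = [
    'nicolas' => ['userlevel' => 10, 'auth' => 'ldap'],
    'viewer'  => ['userlevel' => 1,  'auth' => 'local'],
];
$tokens = [
    'example-token-admin'  => 'nicolas',
    'example-token-viewer' => 'viewer',
];

/**
 * Work out the effective user level for a request.
 * An API token, when present, takes precedence. An unknown token, or a token
 * whose owner cannot be found, yields level 0 (no privileges).
 */
function resolve_userlevel($token, array $session, array $tokens, array $users): int
{
    if ($token !== null) {
        $owner = null;
        // Compare in constant time so the lookup does not leak token prefixes.
        foreach ($tokens as $stored => $user) {
            if (hash_equals($stored, (string) $token)) {
                $owner = $user;
                break;
            }
        }
        if ($owner === null || !isset($users[$owner])) {
            return 0;
        }
        return (int) $users[$owner]['userlevel'];
    }
    // Interactive (browser) session: the level was set at login time.
    return (int) ($session['userlevel'] ?? 0);
}

/** Admin means level 10 or above; everything else is denied (fail closed). */
function is_admin_for_request($token, array $session, array $tokens, array $users): bool
{
    return resolve_userlevel($token, $session, $tokens, $users) >= 10;
}

// Walk through the situations from the post: an LDAP admin's token, a
// read-only token, an unknown token, a session with no userlevel set, and an
// interactive session of a level-10 user.
$cases = [
    'LDAP admin token'           => ['example-token-admin', []],
    'read-only token'            => ['example-token-viewer', []],
    'unknown token'              => ['not-a-real-token', []],
    'session without userlevel'  => [null, []],
    'session of a level-10 user' => [null, ['userlevel' => 10]],
];
foreach ($cases as $label => list($token, $session)) {
    $verdict = is_admin_for_request($token, $session, $tokens, $users)
        ? 'admin'
        : 'Insufficient privileges';
    printf("%-27s -> %s\n", $label, $verdict);
}
```

The point of the structure is that the else branch of the original is_admin() never needs to become `true`: if a token is valid, its owner's level answers the question, and if the session carries no userlevel (the symptom the post describes for LDAP users), the request is denied rather than silently promoted. In a real store the tokens would be kept hashed and looked up by hash rather than iterated in plain text.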