I am trying to log into my previously running instance that is set up with SSO auth. I am getting an error now, “External Authentication Failed”, with popup errors “$config['sso']['user_attr'] was not found or was empty” and “No user () []”. When I switch back to mysql auth I am able to log into the web interface using my previously set up local credentials. Anyone else experiencing this error?
I’ve run the validate check and everything comes back fine.
```
./validate.php
```

Component | Version |
---|---|
LibreNMS | 1.43-82-gcf31776 |
DB Schema | 267 |
PHP | 7.2.9 |
MySQL | 5.5.60-MariaDB |
RRDTool | 1.4.8 |
SNMP | NET-SNMP 5.7.2 |

```
====================================
[OK] Composer Version: 1.7.2
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct
```
When I run the auth_test.php in the scripts folder, everything looks ok to me:
```
./scripts/auth_test.php -u redacted
Authentication Method: sso
Password:
Authenticate user redacted:
AUTH SUCCESS
User (6):
user_id => 6
auth_type => sso
auth_id => 6
username => redacted
realname =>
email =>
descr => SSO User
level => 10
can_modify_passwd => 0
created_at => 2018-09-17 08:24:42
updated_at => 2018-09-17 08:24:42
```
I’m kind of at a loss as to the issue. Any help would be appreciated.
I have the exact same problem here, is there any solution/explanation available?
If you figured it out could you please post the resolution here @Brian_Brown?
I was having the same issue, using mod_auth_openidc with Apache 2.4.6-90 on CentOS 7.
Basically it came down to this issue with Apache CGI handling – it was stripping any non-standard HTTP headers from the request, so LibreNMS never saw them. In the end I used the `SetEnvIf` solution from the accepted answer to that question to map each of the `OIDC_CLAIM_xxx` headers into the CGI env:
```apache
SetEnvIf OIDC_CLAIM_name "(.*)" OIDC_CLAIM_NAME=$1
SetEnvIf OIDC_CLAIM_username "(.*)" OIDC_CLAIM_USERNAME=$1
SetEnvIf OIDC_CLAIM_email "(.*)" OIDC_CLAIM_EMAIL=$1
SetEnvIf OIDC_CLAIM_groups "(.*)" OIDC_CLAIM_GROUPS=$1
```
Note that mod_auth_openidc passes them in mixed case but the LibreNMS SSO module expects to find them all uppercase, so I converted the case via `SetEnvIf` above.
Also I changed my SSO mode from `header` to `env` in order to avoid the `HTTP_` header prefix issue, but you could probably just add it to these settings and achieve the same result.
Resulting SSO config:
```php
$config['auth_mechanism'] = "sso";
$config['sso']['trusted_proxies'] = ['127.0.0.1/8'];
$config['sso']['mode'] = 'env';
$config['sso']['create_users'] = true;
$config['sso']['update_users'] = true;
$config['sso']['user_attr'] = 'OIDC_CLAIM_USERNAME';
$config['sso']['realname_attr'] = 'OIDC_CLAIM_NAME';
$config['sso']['email_attr'] = 'OIDC_CLAIM_EMAIL';
$config['sso']['group_strategy'] = 'map';
$config['sso']['group_attr'] = 'OIDC_CLAIM_GROUPS';
$config['sso']['group_filter'] = '/(librenms-.*)/i';
$config['sso']['group_delimiter'] = ',';
$config['sso']['group_level_map'] = ['librenms-adm' => 10, 'librenms-user' => 5, 'librenms-guest' => 1];
```
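A way to check which configured SSO attributes PHP can actually see, and which are present only under a different case or with an `HTTP_` prefix. This is an added example, not part of the thread and not LibreNMS code: `sso_lookup_key` and `sso_attr_report` are hypothetical helpers, the lookup rule per mode is an assumption based on the description above, and the sample environments are constructed.

```php
<?php
// Added example, not LibreNMS code. Assumed lookup rule (from the thread):
// 'env' mode reads $_SERVER[<attr>] as-is; 'header' mode reads the
// upper-cased name behind an HTTP_ prefix.
function sso_lookup_key(string $attr, string $mode): string
{
    return $mode === 'header'
        ? 'HTTP_' . str_replace('-', '_', strtoupper($attr))
        : $attr;
}

// Per configured attribute: the key consulted, whether it holds a non-empty
// value, and other keys containing the name case-insensitively (near misses).
function sso_attr_report(array $server, array $attrs, string $mode): array
{
    $report = [];
    foreach ($attrs as $setting => $attr) {
        $key = sso_lookup_key($attr, $mode);
        $near = [];
        foreach (array_keys($server) as $k) {
            $k = (string) $k;
            if ($k !== $key && stripos($k, $attr) !== false) {
                $near[] = $k;
            }
        }
        $found = isset($server[$key]) && $server[$key] !== '';
        $report[$setting] = ['key' => $key, 'found' => $found, 'near' => $near];
    }
    return $report;
}

// Attribute names from the SSO config posted above.
$attrs = [
    'user_attr'     => 'OIDC_CLAIM_USERNAME',
    'realname_attr' => 'OIDC_CLAIM_NAME',
    'email_attr'    => 'OIDC_CLAIM_EMAIL',
    'group_attr'    => 'OIDC_CLAIM_GROUPS',
];

// Constructed samples: mixed-case names, then the upper-case SetEnvIf names.
$mixed = ['OIDC_CLAIM_username' => 'alice', 'OIDC_CLAIM_groups' => 'librenms-user'];
$upper = ['OIDC_CLAIM_USERNAME' => 'alice', 'OIDC_CLAIM_GROUPS' => 'librenms-user'];

foreach (['mixed' => $mixed, 'upper' => $upper] as $label => $server) {
    foreach (sso_attr_report($server, $attrs, 'env') as $setting => $r) {
        $note = $r['near'] ? ' (near: ' . implode(', ', $r['near']) . ')' : '';
        printf("%-5s %-13s %-20s %s%s\n", $label, $setting, $r['key'],
            $r['found'] ? 'found' : 'MISSING', $note);
    }
}
```

The report prints key names only, never the claim values. To inspect a live setup, pass `$_SERVER` in place of the samples from a temporary page served behind the same Apache authentication config, then remove the page.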