Unable to create AD users via API

This support forum board is for questions relating to Nagios Fusion.
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Unable to create AD users via API

Post by hbouma »

When attempting to create a group of AD users via the API, I get the following output:
{
    "error": "Could not create user. Missing required fields.",
    "missing": [
        "password"
    ]
}

The command we are sending is

Code: Select all

curl -s -XPOST "https://XXXXXXXXXXXXX/nagiosfusion/api/v1/system/user?apikey=XXXXXXXXXXXXXXXXXXXXXXXX&pretty=1" -d 'username=XXXXXXXXXXX&name=XXXXXXXXXXXX&email=XXXXXXXXXXXXXXXXXXXX&dateformat=1&number_format=1&auth_level=user&auth_server_id=XXXXXXXX&allow_local=0&ad_username=XXXXXXX&email_info=0&auth_type=ad'
If I add &password=XXXXXXXXXXXXXXXXXXX anywhere after username, the account is created, but the user cannot log in with their AD account. Instead, a message is displayed that the password doesn't match the one in the database.

Am I missing something here? Does the API not allow for creation of AD users? I can use the same command to create users in Nagios XI without providing passwords.

We are running Nagios Fusion 4.1.1 on Red Hat 7 64bit.
npolovenko
Support Tech
Posts: 3457
Joined: Mon May 15, 2017 5:00 pm

Re: Unable to create AD users via API

Post by npolovenko »

Hello, @hbouma. If the "auth_type" is set to "ad" the local password will be ignored unless you set allow_local to 1. In that case, if the LDAP fails you can use a local password instead. This makes me think that the password you're entering doesn't match the password in the LDAP database, or the password is using incompatible special characters.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Re: Unable to create AD users via API

Post by hbouma »

Are you saying I need to know their AD passwords before I can create user accounts through the API? That seems rather unsafe to allow me access to hundreds of users' passwords just to make their accounts in Fusion.

In Nagios XI, I don't need to know AD passwords to create the accounts through the API.
npolovenko
Support Tech
Posts: 3457
Joined: Mon May 15, 2017 5:00 pm

Re: Unable to create AD users via API

Post by npolovenko »

@hbouma, Oh no. You can enter a random long password when creating an LDAP user. I meant to say that the password you're using to sign in to Fusion may not match the one in the LDAP database. Or if the LDAP password is using special characters it may not work with Fusion.
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Re: Unable to create AD users via API

Post by hbouma »

I attempted with a random long password, and then entered the correct AD password and received the error about the password not matching the database password.
npolovenko
Support Tech
Posts: 3457
Joined: Mon May 15, 2017 5:00 pm

Re: Unable to create AD users via API

Post by npolovenko »

@hbouma, Does the LDAP contain any special characters at all? Can you create a test LDAP user with a simple password "test" and let me know if it works with Fusion?
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Re: Unable to create AD users via API

Post by hbouma »

As a test, the password was changed to upper case, lower case and a number. This did not resolve the issue. Password works fine when importing from AD through the FUSION GUI.
npolovenko
Support Tech
Posts: 3457
Joined: Mon May 15, 2017 5:00 pm

Re: Unable to create AD users via API

Post by npolovenko »

@hbouma, Can you run the following DB query and then upload the nagios.txt file from the tmp folder? You can send it to me in a private message.

Code: Select all

echo "select * from users" | mysql -uroot -pfusion fusion > /tmp/nagios.txt
Also, please indicate which LDAP user was created from the GUI and IS working, and which one was created with the API and is not working. That way I can compare them.

After you send me the file please post something in this thread to bring it up in the support queue.
hbouma
Posts: 483
Joined: Tue Feb 27, 2018 9:31 am

Re: Unable to create AD users via API

Post by hbouma »

Private message sent. To summarize private message:

User added from AD via GUI: Login works with AD credentials.
User added from API with correct password provided in CURL: Login works with AD credentials.
User added from API with incorrect AD password provided in CURL: Login fails with AD credentials. Login works with password provided by CURL.

Curl command

Code: Select all

curl -XPOST "https://XXXXXXXXXXX/nagiosfusion/api/v1/system/user?apikey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&pretty=1" -d 'username=XXXXXXX&password=XXXXXXXXXXXX&name=XXXXXXXXXXXXXXX&email=XXXXXXXXXXXXXXXXXXXXXXXXX&dateformat=1&number_format=1&auth_level=user&auth_server_id=XXXXXXXXXXXXXXX&allow_local=0&ad_username=XXXXXXXXXXXXXXXXXXX&email_info=0&auth_type=ad'
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: Unable to create AD users via API

Post by lmiltchev »

If I add &password=XXXXXXXXXXXXXXXXXXX anywhere after username, the account is created, but the user cannot log in with their AD account.
I was able to recreate the issue in house and notified our developers about it. This will be fixed in the next release of Nagios Fusion. If you don't want to wait, you could try the following "workaround".

1. Make a backup of the "utils-api.inc.php" file (just in case):

Code: Select all

cp -p /usr/local/nagiosfusion/html/api/includes/utils-api.inc.php /usr/local/nagiosfusion/html/api/includes/utils-api.inc.php.backup
2. Open the "/usr/local/nagiosfusion/html/api/includes/utils-api.inc.php" file in a text editor, go to line 420, and change this:

Code: Select all

if ($auth_type == 'ad') {
    set_user_meta("auth_server_id", $ad_server, false, $user_id);
    set_user_meta("ldap_ad_username", $ldap_ad_username, false, $user_id);
} else if ($auth_type == 'ldap') {
    set_user_meta("auth_server_id", $ldap_server, false, $user_id);
    set_user_meta("ldap_ad_dn", $dn, false, $user_id);
}
to this:

Code: Select all

if ($auth_type == 'ad') {
    set_user_meta("ldap_ad_username", $ldap_ad_username, false, $user_id);
} else if ($auth_type == 'ldap') {
    set_user_meta("ldap_ad_dn", $dn, false, $user_id);
}
Note: you are basically deleting two lines.

3. Save and exit.

Important: While you will be able to create AD users, and use their AD credentials to log in, there is still going to be an issue. When you create a "local" password, users will be able to use it to log in even though the "local login" is disabled (in the GUI or by specifying "allow_local=0" with REST API user creation). We have an internal bug report, filed on the second issue (task_id=13469), which will also be fixed in the next Fusion release.

Thank you!
Be sure to check out our Knowledgebase for helpful articles and solutions!
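
The thread advises supplying a random long password when creating an AD user, and the last post notes that this local password stays usable even with allow_local=0. The script below is an added example, not code from the thread or from Nagios: it generates a throwaway 256-bit password and hands the request to curl as a config on stdin. The function names are hypothetical, the endpoint and form fields are those of the curl commands posted above, and the API key is assumed to be URL-safe.

```bash
#!/bin/sh
# Added example, not code from the thread. Host, API key and user values are
# placeholders supplied by the caller.

# 256 bits from the kernel CSPRNG as 64 hex characters. Hex only, so the
# "special characters" concern raised in the thread does not apply.
gen_throwaway_password() {
    od -An -v -tx1 -N 32 /dev/urandom | tr -d ' \n'
}

# Escape backslashes and double quotes for a quoted curl config value.
cfg_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print a curl config for the user-creation call shown in the thread.
# Args: base_url api_key username name email auth_server_id ad_username
build_curl_config() (
    pw=$(gen_throwaway_password)   # used for this one request, never saved
    printf 'url = "%s/nagiosfusion/api/v1/system/user?apikey=%s&pretty=1"\n' \
        "$(cfg_escape "$1")" "$(cfg_escape "$2")"
    printf 'request = "POST"\n'
    for kv in "username=$3" "password=$pw" "name=$4" "email=$5" \
              "dateformat=1" "number_format=1" "auth_level=user" \
              "auth_server_id=$6" "allow_local=0" "ad_username=$7" \
              "email_info=0" "auth_type=ad"; do
        # data-urlencode encodes the value part, so "&" or "+" in a name
        # cannot inject or corrupt another form field.
        printf 'data-urlencode = "%s"\n' "$(cfg_escape "$kv")"
    done
)

# Feed the config on stdin: the API key and password stay out of argv,
# the process list and shell history.
create_ad_user() {
    build_curl_config "$@" | curl --silent --show-error --config -
}
```

Because the generated password is never written anywhere, the account's only working credential is the AD one once the AD login path functions; the API key still travels in the URL, as in the original commands, so it can appear in web server access logs.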