Open-AudIT https://www.open-audit.org/phpBB3/ |
[help] API authentication {"valid": false, "admin": false} https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6566 |
Author: | steven.cherry [ Thu Nov 24, 2016 2:42 am ] |
Post subject: | [help] API authentication {"valid": false, "admin": false} |
Hi All, when attempting to retrieve a valid auth token, regardless of the credentials I always get {"valid": false, "admin": false} as a response. See detailed commands below.

[code]
curl -L -v -u open-audit_enterprise -H "Content-Type: applicatil+json" -c ./cookiefile -XGET "http://localhost/open-audit/index.php/login/login_auth"
Enter host password for user 'open-audit_enterprise':
* About to connect() to localhost port 80 (#0)
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'open-audit_enterprise'
> GET /open-audit/index.php/login/login_auth HTTP/1.1
> Authorization: Basic b3Blbi1hdWRpdF9lbnRlcnByaXNlOnMwMHBBS2lYOg==
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost
> Accept: */*
> Content-Type: applicatil+json
>
< HTTP/1.1 200 OK
< Date: Wed, 23 Nov 2016 16:32:38 GMT
< Server: Apache/2.2.15 (CentOS)
< X-Powered-By: PHP/5.3.3
* Added cookie PHPSESSID="carogn77idh05pv2n705odnmb1" for domain localhost, path /, expire 0
< Set-Cookie: PHPSESSID=carogn77idh05pv2n705odnmb1; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Content-Length: 32
< Connection: close
< Content-Type: application/json
<
* Closing connection #0
{"valid": false, "admin": false}
[/code]

Despite being issued a cookie, when I try to use it, it rejects any API query I may choose to issue.

Open Audit version 1.12.8.1 |
Author: | jpa [ Thu Nov 24, 2016 8:14 am ] |
Post subject: | Re: [help] API authentication {"valid": false, "admin": fal |
Login code in controllers\login.php looks to URI segment 3 and 4 for username and password or POST variables username and password. So try "http://localhost/open-audit/index.php/login/login_auth/specify_username/specify_password"

It does look like the response is not correct for a properly authenticated LDAP login for a non-admin user. Seems like line 386
[code]echo '{"valid": false, "admin": false}';[/code]
should be
[code]echo '{"valid": true, "admin": false}';[/code]
And the response header should be 200 not 403. |
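The POST-variable login that jpa describes, sketched as an added example that is not part of the thread or of Open-AudIT's own code. It sends `username` and `password` as form fields instead of URI segments, so the password stays out of the request URL, and it interprets the JSON reply shown in the first post. The function names, `BASE_URL`, `COOKIE_JAR` and the form encoding of the POST fields are assumptions.

```bash
#!/usr/bin/env bash
# Added example: log in to Open-AudIT with POST variables instead of URI segments.
# Assumed: BASE_URL, COOKIE_JAR, and that the POST fields are form-encoded.
BASE_URL="${BASE_URL:-http://localhost/open-audit/index.php}"
COOKIE_JAR="${COOKIE_JAR:-./cookiefile}"

# Print the true/false value of one key from the small JSON reply.
oa_json_flag() {  # $1 = JSON text, $2 = key name
  printf '%s' "$1" | sed -nE "s/.*\"$2\"[[:space:]]*:[[:space:]]*(true|false).*/\1/p"
}

# Interpret a login_auth reply: 0 = valid, 1 = rejected, 2 = not the expected JSON.
oa_login_result() {  # $1 = response body
  case "$(oa_json_flag "$1" valid)" in
    true)  echo "login ok (admin=$(oa_json_flag "$1" admin))"; return 0 ;;
    false) echo "login rejected"; return 1 ;;
    *)     echo "unexpected response"; return 2 ;;
  esac
}

# POST the credentials. curl reads the password from stdin ("password@-"),
# so it appears neither in the URL nor in the process list.
oa_login() {  # $1 = username; password arrives on stdin
  local body
  # umask 077 inside the subshell: a newly created cookie jar is owner-only.
  body=$(umask 077; curl -sS -c "$COOKIE_JAR" \
           --data-urlencode "username=$1" \
           --data-urlencode "password@-" \
           "$BASE_URL/login/login_auth") || return 2
  chmod 600 "$COOKIE_JAR"   # tighten a jar that already existed
  oa_login_result "$body"
}

# Usage (no trailing newline on the password):
#   printf '%s' "$OA_PASSWORD" | oa_login some_user
```

A return code of 0 means the session cookie in `COOKIE_JAR` can be passed to later requests with `curl -b`; anything else means the cookie was issued without a valid login, which is the situation in the first post.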
All times are UTC + 10 hours |