25.1.1 api\auth\group\set and api\auth\user\add issues

Started by SoloS, March 13, 2025, 10:11:22 PM

Hello everyone,
I'm trying to add a local user to a local group via OPNsense's REST API, but I keep getting the Option not in list. (or result: failed) error despite following the official documentation and various tips. Below are the details:

Version and Context
OPNsense Version: latest stable release (e.g., 25.1.1)
Authentication: The API user has full privileges (e.g., "System: User Manager" or "Administrator").
Environment: Primarily local setup (no LDAP/Radius servers involved).
What I'm Trying to Do
Create a new local user and directly associate it with a local group via the API.
I have tried both the "user side" approach (using group_memberships in user/add or user/set) and the "group side" approach (updating the member field in group/set).
Achieve the same result as using the GUI ("Add User," select a group, and save) but programmatically through the API.
Errors Encountered
When attempting to specify the group during user creation (/api/auth/user/add) with JSON like this:
{
  "user": {
    "name": "PROVA555",
    "password": "12345678Ab!",
    "scope": "local",
    "authserver": "Local Database",
    "disabled": "0",
    "group_memberships": {
      "8ed3818e-cd33-46b5-977b-6d258215a1a2": "1"
    }
  }
}
I receive the error:
"result": "failed",
"validations": {
    "user.group_memberships": "Option not in list."
}
The same happens when trying scope: "user" instead of "local", or sending an array instead of an object for the group memberships.
On the group side (e.g., /api/auth/group/set?uuid=<GROUP_UUID>), I retrieve the JSON via group/get, add the user's UUID in the member array, but still get result: failed or a similar "Option not in list" error.
Preliminary Checks Already Performed
Verified the group's UUID and the user's UUID via search/get calls, so I'm certain the IDs are correct.
Attempted:
Creating a new group via /api/auth/group/add (local scope, empty member list).
Creating a new user via /api/auth/user/add (local scope, no group).
Updating the group to add the user in member.
This still results in the same error.
The API user definitely has full administrative privileges (or "System: User Manager").
Checked field validity (name, scope, description, priv) to ensure no invalid characters.
Running the latest OPNsense release and have tried disabling plugins that might interfere.
Additional Details
The error message is almost always "Option not in list." on user.group_memberships, or user.group_memberships=Option not in list..
I haven't found a more detailed error in System Logs or Backend logs.
If I create a user without any groups, it works fine. Adding the group afterwards still fails.
I've tried various combinations like scope="local", authserver="Local Database", and disabled="0".
Question
What could cause Option not in list for local groups/users, given that I've verified the UUID and permissions? Is there an additional step required to make the group "selectable"? Or might this be a bug in this version? Any advice on where to check logs or possible extra configuration steps is appreciated!

Thank you in advance for any help!

(All sensitive data has been omitted; names and UUIDs are just examples.)

SoloS, everyone,

I am facing the same situation and appreciate any feedback, especially because I found *no help* anywhere on the Internet, but also because this situation appears every time a 'special field' is involved: GroupMembershipField, OpenVPNServerField etc.

I tried with obvious information, complied with what was requested, extracted details of these 'special fields', tried everything possible. Without debugging info from the API functions, and with just that 'option list' message, it is hard to find out by myself.

OPNsense guys, what is painful to us might be comical to you. Some help? :-)

Thanks!

Brgrds

Try to follow what the UI is doing. It's easy to inspect the payload using the browser dev console and will avoid all the guesswork.


Cheers,
Franco

Hello Franco,

Shame on me. That is JS and obviously it was simple. I installed Burp Community and hop, solved.

However, this raises an issue for OPNsense: API documentation is incorrect. For example, the API doc refers to group_membership data as 'GroupMembershipField', same for OpenVPN server. Following the API doc, format should not simply be the number of the object (Group 2000 or VPN 3 for example).

I would suggest correcting the API doc to simply say to use the gid or vpnid.

Thanks for the suggestion anyway, it solved my issue!

Brgrds

> API documentation is incorrect.

Let's settle for nowhere near perfect. I assume you refer to the User.xml model file, which merely suggests GroupMembershipField handles the data, which is opaque from the documentation standpoint because no field types are linked/listed.

https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/Auth/FieldTypes/GroupMembershipField.php

It would probably make sense to try and document the values offered/accepted by the individual fields which can also be difficult to infer since custom field types provide dynamic abstractions of user defined data, but also note that api/auth/user/get/<UUID> returns all the possible values (keys) when they are limited to a number of explicit choices, e.g.:

"language": {
    "": {
      "value": "Default",
      "selected": 1
    },
    "cs_CZ": {
      "value": "Czech",
      "selected": 0
    },
    "de_DE": {
      "value": "German",
      "selected": 0
    },
    [...]


Cheers,
Franco
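
The check described in the last reply, as an added example that is not part of the thread or of OPNsense's own code: read the option keys that a `get` response advertises for a field and compare the values you intend to send against them before calling `add` or `set`. The sample response is constructed; the `"user"` wrapper and the `group_memberships` keys and labels are assumptions modelled on the `language` excerpt and the gid mentioned above.

```python
import json

# Constructed sample shaped like the api/auth/user/get/<UUID> excerpt quoted
# above. The "user" wrapper and the group_memberships keys (gids) and labels
# are assumptions for illustration, not captured output.
SAMPLE_GET_RESPONSE = json.loads("""
{
  "user": {
    "name": "PROVA555",
    "language": {
      "":      {"value": "Default", "selected": 1},
      "cs_CZ": {"value": "Czech",   "selected": 0},
      "de_DE": {"value": "German",  "selected": 0}
    },
    "group_memberships": {
      "1999": {"value": "admins",    "selected": 0},
      "2000": {"value": "operators", "selected": 0}
    }
  }
}
""")


def option_keys(response, field, model="user"):
    """Return {key: label} for a field that get() reports as a fixed choice list."""
    options = response.get(model, {}).get(field)
    if not isinstance(options, dict):
        # Free-text fields come back as plain strings, not option maps.
        raise KeyError(f"{model}.{field} is not an option list in this response")
    return {k: v.get("value") for k, v in options.items() if isinstance(v, dict)}


def not_in_list(response, field, candidates, model="user"):
    """Return the candidate values that are absent from the field's option keys."""
    allowed = option_keys(response, field, model)
    return [c for c in candidates if c not in allowed]


def selected_keys(response, field, model="user"):
    """Return the option keys currently marked as selected for the field."""
    options = response.get(model, {}).get(field, {})
    return [k for k, v in options.items() if isinstance(v, dict) and v.get("selected")]


if __name__ == "__main__":
    uuid = "8ed3818e-cd33-46b5-977b-6d258215a1a2"  # value from the first post
    print(option_keys(SAMPLE_GET_RESPONSE, "group_memberships"))
    print(not_in_list(SAMPLE_GET_RESPONSE, "group_memberships", [uuid, "2000"]))
```

Against a live system, replace the constructed sample with the parsed JSON body of a real `get` call; the keys it returns are the authoritative ones.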