...
OMK authentication methods are configured in /usr/local/omk/conf/opCommon.nmis inside the authentication hash. The entire file is a Perl hash, so be mindful of the syntax. After editing it, running 'perl -c opCommon.nmis' will check that the syntax is still valid. For authentication method changes to take effect, the omkd service must be restarted.
The supported authentication methods are:
htpasswd
This is used by NMIS as the default authentication method.
LDAP
The Opmantek products will use the configured LDAP server to perform authentication.
Following are the configuration items in opCommon.json:
Key | Description | Example | Comment |
---|---|---|---|
auth_ldap_privs | User's local privileges | 0/1 | By default, set to 0. To enable the feature, set the value to 1. |
auth_ldap_server | LDAP Server Name | host[:port] | No defaults. The entry must be created. |
auth_ldap_acc | Account Name | | The LDAP account name to search for. The entry must be created. |
auth_ldap_psw | Account Password | | The password associated with the above LDAP account. The entry must be created. |
auth_ldap_context | Base Context | ou=people,dc=opmantek,dc=com | Base context to attempt to bind to. |
auth_ldap_attr | LDAP Attributes | | The LDAP attribute(s) to match to the username. Can be blank; if so, it defaults to ('uid', 'cn'). |
LDAPS
The Opmantek products will use the configured LDAP (Secure) server to perform authentication.
Following are the configuration items in opCommon.json:
Key | Description | Example | Comment |
---|---|---|---|
auth_ldap_privs | User's local privileges | 0/1 | By default, set to 0. To enable the feature, set the value to 1. |
auth_ldaps_server | LDAPS Server Name | host[:port] | No defaults. The entry must be created. |
auth_ldap_acc | Account Name | | The LDAP account name to search for. The entry must be created. |
auth_ldap_psw | Account Password | | The password associated with the above LDAP account. The entry must be created. |
auth_ldap_context | Base Context | ou=people,dc=opmantek,dc=com | Base context to attempt to bind to. |
auth_ldap_attr | LDAP Attributes | | The LDAPS attribute(s) to match to the username. Can be blank; if so, it defaults to ('uid', 'cn'). |
MS-LDAP
OMK will use the configured Microsoft Active Directory LDAP server to perform authentication.
Following are the configuration items in opCommon.json:
Key | Description | Example | Comment |
---|---|---|---|
auth_ms_ldap_server | MS-LDAP Server Name | host[:port] | No defaults. The entry must be created. |
auth_ms_ldap_acc | Account Name | | The MS-LDAP Distinguished Name (DN)/account to bind with. |
auth_ms_ldap_psw | Account Password | | The password associated with the above MS-LDAP account. The entry must be created. |
auth_ms_ldap_base | Base Context | dc=corp,dc=opmantek,dc=com | Base context to search from. |
auth_ms_ldap_attr | MS-LDAP Attributes | sAMAccountName | The MS-LDAP attribute(s) to match to the username. |
auth_ms_ldap_group | Group Check | Sales, SNMPSIM, GPON | Checks whether the user logging in is associated with the defined group. Must follow the form CN=OMK Ops,CN=Users,DC=opmantek,DC=local. |
MS-LDAPS
The Opmantek products will use the configured Microsoft Active Directory LDAP (Secure) server to perform authentication.
Following are the configuration items in opCommon.json:
Key | Description | Example | Comment |
---|---|---|---|
auth_ms_ldaps_server | MS-LDAPS Server Name | host[:port] | No defaults. The entry must be created. |
auth_ms_ldap_acc | Account Name | | The MS-LDAP Distinguished Name (DN)/account to bind with. |
auth_ms_ldap_psw | Account Password | | The password associated with the above MS-LDAP account. The entry must be created. |
auth_ms_ldap_base | Base Context | dc=corp,dc=opmantek,dc=com | Base context to search from. |
auth_ms_ldap_attr | MS-LDAP Attributes | sAMAccountName | The MS-LDAP attribute(s) to match to the username. |
auth_ms_ldap_group | Group Check | Sales, SNMPSIM, GPON | Checks whether the user logging in is associated with the defined group. Must follow the form CN=OMK Ops,CN=Users,DC=opmantek,DC=local. |
TACACS
The Opmantek products will use the configured Tacacs+ server (for example, Cisco ACS).
Key | Description | Example | Comment |
---|---|---|---|
auth_tacacs_server | The Tacacs Server Name | host:port | |
auth_tacacs_secret | The Key | secret | |
Multiple Authentication Methods
You can configure up to 3 authentication methods for fail back; they are tried in order. For example, if you set auth_method_1 to LDAP and auth_method_2 to htpasswd, and log in with the default NMIS credentials (and you have not changed the password), LDAP authentication will fail, authentication against users.dat will then succeed, and the user will be logged in.
Here is an example of the authentication hash inside opCommon.nmis. Remember that statements preceded by the '#' sign are commented out and will not be evaluated. Note: the limit for different auth_method options is 3. In this example, if ms-ldap fails, it will fail back to htpasswd.
```perl
'authentication' => {
  'auth_htpasswd_file' => '<omk_conf>/users.dat',
  'auth_htpasswd_encrypt' => 'crypt',
  'auth_method_1' => 'htpasswd',
  'auth_method_2' => '',
  'auth_method_3' => '',
  'auth_login_motd' => 'Authentication required: default credentials are nmis/nm1888',
  'auth_crowd_server' => '',
  'auth_crowd_user' => '',
  'auth_crowd_password' => '',
  'auth_sso_domain' => '',
  'auth_expire_seconds' => '3600',
  'auth_lockout_after' => 0,
  #'auth_ms_ldap_attr' => 'sAMAccountName',
  #'auth_ms_ldap_base' => 'CN=Users,DC=your_domain,DC=com',
  #'auth_ms_ldap_group' => 'CN=Users,DC=your_domain,DC=com',
  #'auth_ms_ldap_debug' => 'false',
  #'auth_ms_ldap_dn_acc' => 'CN=Administrator,CN=Users,DC=your_domain,DC=com',
  #'auth_ms_ldap_dn_psw' => 'your_administrator_password',
  #'auth_ms_ldap_server' => 'your.ip.address.here'
},
```
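A small pre-restart checker for the authentication block, written here as an added example (it is not Opmantek code): it reads an opCommon.json-style fragment, lists the fail-back chain in the order auth_method_1..3 are tried, and flags any method whose keys from the tables above are missing or empty. The required-key map, the `SAMPLE` fragment and the host and account names in it are constructed assumptions.

```python
"""Lint the 'authentication' block of an OMK opCommon.json before restarting omkd.
Added example, not Opmantek code; REQUIRED and SAMPLE are constructed here."""
import json

# Keys each method needs, from the tables on this page. Assumption: the -S
# variants reuse the non-S account/password/context keys, as documented above.
REQUIRED = {
    "htpasswd": ["auth_htpasswd_file"],
    "ldap": ["auth_ldap_server", "auth_ldap_acc", "auth_ldap_psw", "auth_ldap_context"],
    "ldaps": ["auth_ldaps_server", "auth_ldap_acc", "auth_ldap_psw", "auth_ldap_context"],
    "ms-ldap": ["auth_ms_ldap_server", "auth_ms_ldap_acc", "auth_ms_ldap_psw", "auth_ms_ldap_base"],
    "ms-ldaps": ["auth_ms_ldaps_server", "auth_ms_ldap_acc", "auth_ms_ldap_psw", "auth_ms_ldap_base"],
    "radius": ["auth_radius_server", "auth_radius_secret"],
    "tacacs": ["auth_tacacs_server", "auth_tacacs_secret"],
}
MAX_METHODS = 3  # the page states a limit of three auth_method_N slots

def method_chain(auth):
    """Fail-back chain in the order it is tried: non-empty auth_method_1..3."""
    names = [auth.get(f"auth_method_{i}") or "" for i in range(1, MAX_METHODS + 1)]
    return [n.strip().lower() for n in names if n.strip()]

def lint(auth):
    """Return a list of findings; an empty list means the block looks usable."""
    findings, chain = [], method_chain(auth)
    if not chain:
        findings.append("no auth_method_N is set, so nobody can log in")
    for method in chain:
        if method not in REQUIRED:
            findings.append(f"unknown auth method '{method}'")
            continue
        for key in REQUIRED[method]:
            if not auth.get(key):  # missing and empty both break the bind
                findings.append(f"{method}: required key '{key}' is missing or empty")
    if any(m in ("ldap", "ms-ldap") for m in chain):
        findings.append("plain ldap/ms-ldap sends the bind password in clear text; prefer ldaps/ms-ldaps")
    if "htpasswd" in chain and "nm1888" in auth.get("auth_login_motd", ""):
        findings.append("auth_login_motd still advertises the default nmis/nm1888 credentials")
    return findings

# Constructed sample: ms-ldap first, failing back to htpasswd, with the bind
# password left empty (a common copy-paste mistake).
SAMPLE = json.loads("""{"authentication": {
  "auth_method_1": "ms-ldap", "auth_method_2": "htpasswd", "auth_method_3": "",
  "auth_htpasswd_file": "<omk_conf>/users.dat",
  "auth_ms_ldap_server": "ad.example.test:389", "auth_ms_ldap_psw": "",
  "auth_ms_ldap_acc": "CN=svc_omk,CN=Users,DC=example,DC=test",
  "auth_ms_ldap_base": "DC=example,DC=test",
  "auth_login_motd": "Authentication required: default credentials are nmis/nm1888"
}}""")["authentication"]
```

Run `lint(SAMPLE)` against the constructed fragment and it reports the empty bind password, the clear-text ms-ldap bind and the MOTD that still names the default credentials; an opCommon.nmis Perl hash can be checked the same way once it has been dumped to JSON.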
The following table lists OMK configuration options and the type of authentication which it works with.
...
...
OMK will use the configured LDAP server to perform authentication.
Config:
```perl
auth_ldap_server => 'host[:port]',
auth_ldap_attr => '',   # attributes to match to username; can be blank, then defaults to ('uid','cn')
auth_ldap_context => 'ou=people,dc=opmantek,dc=com',   # base of context to attempt to bind to
```
...
OMK will use the configured LDAP (Secure) server to perform authentication.
Config:
```perl
auth_ldaps_server => 'host[:port]',
auth_ldap_attr => '',   # attributes to match to username; can be blank, then defaults to ('uid','cn')
auth_ldap_context => 'ou=people,dc=opmantek,dc=com',   # base of context to attempt to bind to
```
...
ms-ldap
OMK will use the configured Microsoft Active Directory (LDAP) server to perform authentication
...
...
...
...
OMK will use the configured Microsoft Active Directory LDAP (Secure) server to perform authentication.
Config:
```perl
auth_ms_ldaps_server => 'host[:port]',
auth_ms_ldap_dn_acc => '',   # the LDAP Distinguished Name (DN)/account to bind with
auth_ms_ldap_dn_psw => 'password',
auth_ms_ldap_attr => 'sAMAccountName',   # attribute to match to username
auth_ms_ldap_base => 'dc=corp,dc=opmantek,dc=com',   # base to search from
auth_ms_ldap_group => '',   # checks if the user logging in is associated with the defined group
```
...
OMK will use the configured RADIUS server (for example, Cisco ACS or Steel Belted Radius).
Config:
```perl
auth_radius_server => 'host:port',
auth_radius_secret => 'secret',
```
...
OMK will use the configured Tacacs+ server (for example, Cisco ACS).
Config:
```perl
auth_tacacs_server => 'host:port',
auth_tacacs_secret => 'secret',   # also known as the "Key"
```
...
Configuration of the External Authentications
...
```json
"authentication" : {
  "auth_ldap_server" : "the_fqdn_of_your_ad_server:389",
  "auth_ldap_acc" : "svc_omk_admin@contoso.local",
  "auth_ldap_dn_psw" : "password_of_the_auth_ldap_acc_above",
  "auth_ldap_context" : "dc=contoso,dc=local"
},
```
For auth_ldap_server you could also use an IP address, but you need to ensure that the LDAP/LDAPS port is included in the value, e.g. 192.168.1.22:389. JSON does not allow comments, so keep notes like this one outside the file.
...