Purpose
State the different authentication methods available for OMK applications
Authentication Methods
OMK authentication methods are configured in /usr/local/omk/conf/opCommon.nmis inside the authentication hash. This entire file is a perl hash, so be mindful of syntax. After editing this file a 'perl -c opCommon.nmis' will verify if the syntax is correct. For authentication method changes to take effect the omkd service will need to be restarted. Here's an example of the authenticaion hash inside opCommon.nmis. Remember that statements preceded by the '#' sign are 'commented out' and will not be evaluated.
'authentication' => { 'auth_htpasswd_file' => '<omk_conf>/users.dat', 'auth_htpasswd_encrypt' => 'crypt', 'auth_method_1' => 'htpasswd', 'auth_method_2' => '', 'auth_method_3' => '', 'auth_login_motd' => 'Authentication required: default credentials are nmis/nm1888', 'auth_crowd_server' => '', 'auth_crowd_user' => '', 'auth_crowd_password' => '', 'auth_sso_domain' => '', 'auth_expire_seconds' => '3600', 'auth_lockout_after' => 0, #'auth_ms_ldap_attr' => 'sAMAccountName', #'auth_ms_ldap_base' => 'CN=Users,DC=your_domain,DC=com', #'auth_ms_ldap_group' => 'CN=Users,DC=your_domain,DC=com', #'auth_ms_ldap_debug' => 'false', #'auth_ms_ldap_dn_acc' => 'CN=Administrator,CN=Users,DC=your_domain,DC=com', #'auth_ms_ldap_dn_psw' => 'your_administrator_password', #'auth_ms_ldap_server' => 'your.ip.address.here' },
The following table lists OMK configuration options and the type of authentication which it works with.
Method | Description |
---|---|
ldap | OMK will use the configured LDAP server to perform authentication Config: |
ldaps (secure) | OMK will use the configured LDAP server to perform authentication auth_ldaps_server => 'host[:port]' |
ms-ldap | OMK will use the configured Microsoft Active Directory (LDAP) server to perform authentication Config: |
ms-ldaps (secure) | OMK will use the configured Microsoft Active Directory (LDAP) server to perform authentication Config: |
radius | OMK will use the configured radius server (Cisco ACS or Steel Belted Radius for example) Config: |
tacacs | OMK will use the configured Tacacs+ server (Cisco ACS for example) Config: |
htpasswd | OMK will use the users defined in the OMK Users file, by default /usr/local/omk/conf/users.dat |
Configuration of the External Authentications
In the OMK configuration you can configure multiple methods which are used for auth failure, so if ms-ldap fails, it will fail back to htpasswd for example. This means if you set auth_method_1 to be ldap and auth_method_2 to be htpasswd, and login with the default NMIS credentials (and you have not changed the password), the authentication for LDAP will fail, and then authentication with the users.dat will succeed and the user will be logged in.
It is important to change your default passwords if you expect any level of security.