Skip to end of banner
Go to start of banner

OMK Authentication Methods

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 31 Next »

Purpose

State the different authentication methods available for OMK applications

Authentication Methods

OMK authentication methods are configured in /usr/local/omk/conf/opCommon.nmis inside the authentication hash.  This entire file is a PERL hash, so be mindful of the syntax.  After editing this file, a 'perl -c opCommon.nmis' will verify if the syntax is correct.  For authentication method changes to take effect, the omkd service will need to be restarted. 

The supported authentication methods are:

htpasswd

This is used by NMIS as the default authentication method.

LDAP

The Opmantek products will use the configured LDAP server to perform authentication.

Following are the configuration items in opCommon.json:

KeyDescriptionExampleComment
auth_ldap_privsUser's local privileges0/1By default, set to 0. To enable the feature, set the value to 1.
auth_ldap_server LDAP Server Namehost[:port]No defaults. Entry must be created.

auth_ldap_acc

Account Name


The LDAP account name to search for. The entry must be created.

auth_ldap_psw

Account Password
The password associated with the above LDAP account. The entry must be created.
auth_ldap_context Base Contextou=people,dc=opmantek,dc=comBase context to attempt to bind to.

auth_ldap_attr

LDAP Attributes
The LDAP attribute(s) to match to username. Can be blank; if so, it defaults to ('uid', 54.85'cn')

LDAPS

The Opmantek products will use the configured LDAP (Secure) server to perform authentication.

Following are the configuration items in opCommon.json:

KeyDescriptionExampleComment
auth_ldap_privsUser's local privileges0/1By default, set to 0. To enable the feature, set the value to 1.
auth_ldaps_server LDAPS Server Namehost[:port]No defaults. Entry must be created.

auth_ldap_acc

Account Name


The LDAP account name to search for. Entry must be created

auth_ldap_psw

Account Password
The password associated with the above LDAP account. The entry must be created.
auth_ldap_context Base Contextou=people,dc=opmantek,dc=comBase context to attempt to bind to.

auth_ldap_attr

LDAP Attributes
The LDAPs attribute(s) to match to username. Can be blank; if so, it defaults to ('uid', 54.85'cn')

MS-LDAP

OMK will use the configured Microsoft Active Directory LDAP server to perform authentication.

Following are the configuration items in opCommon.json:

KeyDescriptionExampleComment
auth_ms_ldap_server MS-LDAP Server Namehost[:port]No defaults. Entry must be created.

auth_ms_ldap_acc

Account Name


The MS-LDAP Distinguished Name (DN)/account to bind with

auth_ms_ldap_psw

Account Password
The password associated with the above MS-LDAP account. The entry must be created.
auth_ms_ldap_base Base Contextdc=corp,dc=opmantek,dc=comBase context to search from.

auth_ms_ldap_attr

MS-LDAP AttributessAMAccountNameThe MS-LDAP attribute(s) to match to username. 
auth_ms_ldap_group Checks if the user logging in is associated with the defined group.Sales, SNMPSIM, GPON

 Must follow: CN=OMK Ops,CN=Users,DC=opmantek,DC=local

MS-LDAPS

The Opmantex products will use the configured Microsoft Active Directory LDAP (Secure) server to perform authentication.

Following are the configuration items in opCommon.json:

KeyDescriptionExampleComment
auth_ms_ldaps_server MS-LDAPS Server Namehost[:port]No defaults. Entry must be created.

auth_ms_ldap_acc

Account Name


The MS-LDAP Distinguished Name (DN)/account to bind with

auth_ms_ldap_psw

Account Password
The password associated with the above MS-LDAP account. The entry must be created.
auth_ms_ldap_base Base Contextdc=corp,dc=opmantek,dc=comBase context to search from.

auth_ms_ldap_attr

MS-LDAP AttributessAMAccountNameThe MS-LDAP attribute(s) to match to username. 
auth_ms_ldap_group Checks if the user logging in is associated with the defined group.Sales, SNMPSIM, GPON

 Must follow: CN=OMK Ops,CN=Users,DC=opmantek,DC=local

TACACS

The Opmantex products will use the configured Tacacs+ server (for example, Cisco ACS).

KeyDescriptionExampleComment
auth_tacacs_server The Tacacs Server Namehost:port

auth_tacacs_secret

The Key

secret


Multiple Authentication Methods

You can use up to 3 Authentication Methods for fail back. For example, if you set auth_method_1 to be LDAP and auth_method_2 to be htpasswd and login with the default NMIS credentials (and you have not changed the password), the authentication for LDAP will fail, and then authentication with the users.dat will succeed and the user will be logged in.

Here is an example of the authentication hash inside opCommon.nmis. Remember that statements preceded by the '#' sign are 'commented out' and will not be evaluated. In this example, if ms-ldap fails, it will fail back to htpasswd.

/usr/local/omk/conf/opCommon.nmis
  'authentication' => {
    'auth_htpasswd_file' => '<omk_conf>/users.dat',
    'auth_htpasswd_encrypt' => 'crypt',
    'auth_method_1' => 'htpasswd',
    'auth_method_2' => '',
    'auth_method_3' => '',
    'auth_login_motd' => 'Authentication required: default credentials are nmis/nm1888',
    'auth_crowd_server' => '',
    'auth_crowd_user' => '',
    'auth_crowd_password' => '',
    'auth_sso_domain' => '',
    'auth_expire_seconds' => '3600',
    'auth_lockout_after' => 0,
    #'auth_ms_ldap_attr' => 'sAMAccountName',
    #'auth_ms_ldap_base' => 'CN=Users,DC=your_domain,DC=com',
    #'auth_ms_ldap_group' => 'CN=Users,DC=your_domain,DC=com',
    #'auth_ms_ldap_debug' => 'false',
    #'auth_ms_ldap_dn_acc' => 'CN=Administrator,CN=Users,DC=your_domain,DC=com',
    #'auth_ms_ldap_dn_psw' => 'your_administrator_password',
    #'auth_ms_ldap_server' => 'your.ip.address.here'
 },


Configuration of the External Authentications

In the OMK configuration, you can configure multiple methods, which are used for auth failure. Therefore, for example, if ms-ldap fails, it will fail back to htpasswd. This means, if you set auth_method_1 to be ldap and auth_method_2 to be htpasswd, and login with the default NMIS credentials (and you have not changed the password), the authentication for LDAP will fail, and then authentication with the users.dat will succeed and the user will be logged in.

It is important to change your default passwords if you expect any level of security.

Authentication methods are evaluated in sequence.  The first method that returns successful authentication, terminates the authentication process.  If a method returns an unsuccessful authentication, the process does not terminate, the next authentication method will be evaluated. Consider the following scenario when provisioning authentication for OMK applications.

  •  OMK First authentication method: LDAP
  •  OMK Second authentication method: htpasswd
    •  User Bob has an LDAP account and has a user in the htpasswd users file.
    •  User Bob leaves the company
      •  The IT department removes Bob's LDAP account assuming he will no longer be able to access corporate systems.
      •  Bob will still be able to access OMK applications because there is a user Bob in the htpasswd user file.

NMIS9 Notes

From NMIS9, changes will instead need to be made to the opCommon.json configuration file (located in /usr/local/omk/conf/). As we are using .json format files instead of .nmis, the format of the attributes to use is slightly different. See the examples below:

LDAP:

/usr/local/omk/conf/opCommon.json
"authentication" : {
   "auth_ldap_server" : "the_fqdn_of_your_ad_server:389", # you could also use an IP address here, but you need to ensure that the LDAP/LDAPS port is added in the value, eg. 192.168.1.22:389
   "auth_ldap_acc" : "svc_omk_admin@contoso.local",
   "auth_ldap_psw" : "password_of_the_auth_ldap_acc_above",
   "auth_ldap_context" : "dc=contoso,dc=local",
   
   

},


LDAPS (Secure)

/usr/local/omk/conf/opCommon.json
"authentication" : {
   "auth_ldaps_server" : "the_fqdn_of_your_ad_server:389", # you could also use an IP address here, but you need to ensure that the LDAP/LDAPS port is added in the value, eg. 192.168.1.22:389
   "auth_ldap_acc" : "svc_omk_admin@contoso.local",
   "auth_ldap_dn_psw" : "password_of_the_auth_ldap_acc_above",
   "auth_ldap_context" : "dc=contoso,dc=local",
   
   

},


TACACS:

"auth_tacacs_server" : "host:port",
"auth_tacacs_secret" : "secret",


MS-LDAP
An example of integrating your ms-ldap setup with modules such as opConfig, opEvents, opCharts etc. is below. Ensure you have also included ms-ldap as in one of the auth_methods:

/usr/local/omk/conf/opCommon.json
"authentication" : {
...
   "auth_ms_ldap_server" : "IP_ADDRESS_OF_YOUR_MS_LDAP_SERVER", #eg. 192.168.1.22
   "auth_ms_ldap_dn_acc" : "svc_omk_admin", #you should only need to use the username of the user here, but if this is not successful, you can use username@domain as well.
   "auth_ms_ldap_dn_psw" : "password_of_the_dn_acc_above",
   "auth_ms_ldap_attr" : "sAMAccountName",
   "auth_ms_ldap_base" : "OU=Network Admins,DC=contoso,DC=local",
...


},


MS-LDAPS (Secure)

/usr/local/omk/conf/opCommon.json
"authentication" : {
...
   "auth_ms_ldaps_server" : "IP_ADDRESS_OF_YOUR_MS_LDAPS_SERVER", #eg. 192.168.1.23
   "auth_ms_ldap_dn_acc" : "svc_omk_admin", #you should only need to use the username of the user here, but if this is not successful, you can use username@domain as well.
   "auth_ms_ldap_dn_psw" : "password_of_the_dn_acc_above",
   "auth_ms_ldap_attr" : "sAMAccountName",
   "auth_ms_ldap_base" : "OU=Network Admins,DC=contoso,DC=local",
...


},


RADIUS

"auth_radius_server" : "host:port",
"auth_radius_secret" : "secret",

Once you have saved the updated opCommon.json configuration, you will then need to restart the omkd daemon.

Troubleshooting

If you are experiencing issues with configuring your external authentication method, extra debug can be enabled to assist.

Depending on the authentication method you are using, the following two attributes can be added to your opCommon.json. This should cover most, if not all of our authentication methods to debug.

/usr/local/omk/conf/opCommon.json
"authentication" : {
...
	"auth_debug" : 1,
	"auth_ldap_debug" : "true"
...

},

Save the file once you have added these two extra lines and restart omkd. Repeat the authentication process again, then review auth.log (located in the /usr/local/omk/log directory) and troubleshoot.

Related Topics

  • No labels