Configuring NMIS for full LDAP Support

General User Authentication Information

For a simple set of configuration items for ALL types of User Authentication systems please refer here:

User Management in NMIS8

Setting up LDAP authentication

This document supersedes 'Configuring NMIS to use Active Directory Authentication (ms-ldap or ms-ldaps)' as of March 2024 and covers both traditional LDAP servers and Microsoft Active Directory.



Retired configuration items

'auth_method_[1-3]' => 'ms-ldap',  # 'ms-ldap' and 'ms-ldaps' are retired; use 'ldap', or 'ldaps' for a secure connection.

'auth_ldap_context' => 'ou=people,dc = example, dc = com',     # Merged with 'auth_ldap_base' .

'auth_ms_ldap_attr' => 'sAMAccountName',  # Use 'auth_ldap_attr'.

'auth_ms_ldap_base' => 'dc=corp, dc=example,dc=com',  # Use  'auth_ldap_base'.

'auth_ms_ldap_debug' => 'true'/'false',   # Use 'auth_ldap_debug'.

'auth_ms_ldap_dn_acc' => 'CN=omklatam, ou = Services, dc = OPMANTEK, dc = corp',    # Use 'auth_ldap_acc'.

'auth_ms_ldap_dn_psw' => 'password,',    # Use 'auth_ldap_psw'.

'auth_ms_ldap_server' => 'host_LDAP: 389',   # Use 'auth_ldap_server'.

'auth_ms_ldaps_server' => 'host_LDAP: 636',   # Use 'auth_ldaps_server'.
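
As an added example (not part of the original page and not NMIS code), the shell function below scans a Config.nmis-style file for the retired items listed above and prints the replacement for each. The function names, the sample content and the output wording are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not NMIS code: report retired LDAP items in a
# Config.nmis-style file and the replacement this page names. Read-only.

check_retired() {   # usage: check_retired [FILE]  (reads stdin without FILE)
  awk -v q="'" '
    BEGIN {
      map["auth_ldap_context"]    = "auth_ldap_base (merged into it)"
      map["auth_ms_ldap_attr"]    = "auth_ldap_attr"
      map["auth_ms_ldap_base"]    = "auth_ldap_base"
      map["auth_ms_ldap_debug"]   = "auth_ldap_debug"
      map["auth_ms_ldap_dn_acc"]  = "auth_ldap_acc"
      map["auth_ms_ldap_dn_psw"]  = "auth_ldap_psw"
      map["auth_ms_ldap_server"]  = "auth_ldap_server"
      map["auth_ms_ldaps_server"] = "auth_ldaps_server"
      keyre = q "[A-Za-z0-9_]+" q "[ \t]*=>"   # quoted key followed by =>
      valre = q "[^" q "]*" q                  # first quoted value after it
    }
    /^[ \t]*#/        { next }                 # skip commented-out items
    !match($0, keyre) { next }                 # not a key => value line
    {
      key = substr($0, RSTART + 1); sub(q ".*", "", key)
      rest = substr($0, RSTART + RLENGTH); val = ""
      if (match(rest, valre)) val = substr(rest, RSTART + 1, RLENGTH - 2)
      if (key in map)
        printf "line %d: %s is retired, use %s\n", NR, key, map[key]
      else if (key ~ /^auth_method_[1-3]$/ && val ~ /^ms-ldaps?$/) {
        repl = val; sub(/^ms-/, "", repl)      # ms-ldaps -> ldaps keeps TLS
        printf "line %d: %s uses %s, use %s\n", NR, key, val, repl
      }
    }
  ' "$@"
}

sample_config() {   # constructed sample, not a real site configuration
  cat <<'EOF'
'auth_method_1' => 'ms-ldaps',
'auth_method_2' => 'htpasswd',
# 'auth_ms_ldap_attr' => 'sAMAccountName',
'auth_ms_ldap_base' => 'dc=corp,dc=example,dc=com',
'auth_ldap_context' => 'ou=people,dc=example,dc=com',
'auth_ldap_attr' => 'sAMAccountName',
EOF
}

sample_config | check_retired
```

To check a live installation, pass the configuration file named on this page: `check_retired /usr/local/nmis8/conf/Config.nmis`.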



  • Outline of the current configuration items



    Aspects to consider:





    LDAP Base: The base is the root of the LDAP/Active Directory database; it is where the search for the users who need to authenticate is carried out. Taking the structure of the Directory as a reference, it will be as follows: 

    The account is the service account used to authenticate with the LDAP server, so that the LDAP database can be searched for users. 

    Therefore, the first part added is the service account username, CN=omklatam.

    The second part is the container, OU = Services.

    The third part is the domain DC = OPMANTEK and DC = corp.

    The result would be the following: 



    To find the user and group base DN, run a query from any member server on your Windows domain:

    Finding the User Base DN

                    For Windows:

    • Open a Windows command prompt.

    • Type the command:

    dsquery user -name <known username>


    Example: If you are searching for all users named "John", you can enter the username as John* to get a list of all users whose name is John.
    The result will look like:

    "CN=John.Smith,CN=Users,DC=MyDomain,DC=com"

                    For standard LDAP, Linux, or Windows using standard 'ldapsearch' command:

    • Open a Terminal shell.

    • Type the command:

    ldapsearch -H ldap://<server>:389 -x -b "dc=MyDomain,dc=com"     <- all users without authorization
    ... or ...
    ldapsearch -H ldap://<server>:389 -x -b "dc=MyDomain,dc=com" -D "cn=admin,dc=MyDomain,dc=com" -w 'MyAdminPassword'     <- all users with authorization
    ... or ...
    ldapsearch -H ldap://<server>:389 -x -b "dc=MyDomain,dc=com" "(|(samaccountname=john)(cn=john)(uid=john))"     <- users named "John" without authorization
    ... or ...
    ldapsearch -H ldap://<server>:389 -x -b "dc=MyDomain,dc=com" -D "cn=admin,dc=MyDomain,dc=com" -w 'MyAdminPassword' "(|(samaccountname=john)(cn=john)(uid=john))"     <- users named "John" with authorization


    Example: If you are searching for all users named "John", you can enter the username as John* to get a list of all users whose name is John.
    The result will look like:

    ... All Users ...
    dn: cn=john,dc=MyDomain,dc=com
    dn: cn=steve,dc=MyDomain,dc=com

    ... John ...
    dn: cn=john,dc=MyDomain,dc=com



Installation and configuration.



  • Configuration items as above in /usr/local/nmis8/conf/Config.nmis

  • If the User exists as a user in the system, or if you want to add one (below) 

  • If the user exists, and has privileges set in NMIS, the local configuration will be used.

  • If the User does not exist, the file '<config_dir>/AuthLdapPrivs.json' will be consulted.