Introduction
Authorisation with LDAP allows users to be assigned privileges and groups based on the LDAP groups they belong to.
If a user belongs to more than one mapped group, the privilege is selected by priority (1 is a higher priority than 10).
Prerequisites
- LDAP authentication must already be set up. See Configuring NMIS to use Active Directory Authentication (ms-ldap or ms-ldaps) and OMK Authentication Methods for further details.
Configuration
Configuration items in opCommon.json
Item | Example Value | Description | Default |
---|---|---|---|
auth_ldap_privs | 0/1 | Set to 1 to enable the feature | 0 |
auth_ldap_context | CN=Users,DC=opmantek,DC=local | The search base | No default. Entry must be created. |
auth_ldap_acc | administrator@domain.local | The LDAP account used to perform the search | No default. Entry must be created. |
auth_ldap_psw | Password | The password of the search account | No default. Entry must be created. |
auth_ldap_group | memberOf | The attribute the group values are looked up from. Values must have the form CN=OMK Ops,CN=Users,DC=opmantek,DC=local | memberOf |
auth_ldap_server | server.domain.com:389 | The LDAP server | No default. Entry must be created. |
The mapping file
By default the mapping file is named AuthLdapPrivs.json and should be placed in <omk_dir>/conf.
It should contain a list of groups, each with the following keys:
- privilege
- level
- groups
- priority
As an example:

```json
{
  "OMK Admin": {
    "privilege": "administrator",
    "level": "0",
    "groups": "all",
    "priority": 1
  },
  "OMK Eng": {
    "privilege": "engineer",
    "level": "2",
    "groups": "SNMPSIM,GPON",
    "priority": 3
  }
}
```
You can find an example in <omk_dir>/install.
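The priority rule above, worked through as an added example (not code from the NMIS/OMK product): the mapping is parsed in the AuthLdapPrivs.json format, each entry name is matched against the CN of the user's memberOf values, and among several matches the entry with the lowest priority number wins. The matching-by-CN rule, the extra "OMK Ops" entry and the sample memberOf values are assumptions constructed for the example.

```python
import json

# Constructed mapping in the AuthLdapPrivs.json format shown above (not a real site's file).
MAPPING_JSON = """
{
  "OMK Admin": {"privilege": "administrator", "level": "0", "groups": "all", "priority": 1},
  "OMK Eng":   {"privilege": "engineer", "level": "2", "groups": "SNMPSIM,GPON", "priority": 3},
  "OMK Ops":   {"privilege": "operator", "level": "3", "groups": "GPON", "priority": 5}
}
"""
MAPPING = json.loads(MAPPING_JSON)


def cn_of(dn):
    """Return the CN value of a DN such as 'CN=OMK Ops,CN=Users,DC=opmantek,DC=local'."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None


def allowed_groups(entry):
    """Parse the comma-separated "groups" field; None means the entry grants all groups."""
    raw = entry["groups"].strip()
    if raw.lower() == "all":
        return None
    return {g.strip() for g in raw.split(",") if g.strip()}


def resolve_privilege(member_of, mapping):
    """Select the mapping entry for a user.

    member_of: list of DNs read from the auth_ldap_group attribute (memberOf).
    mapping:   parsed AuthLdapPrivs.json.
    Assumption: an entry name matches when it equals the CN of a memberOf DN.
    When several entries match, the lowest priority number wins (1 beats 10).
    Returns (entry_name, entry), or None when the user is in no mapped group.
    """
    user_groups = {cn_of(dn) for dn in member_of}
    matches = [(name, entry) for name, entry in mapping.items() if name in user_groups]
    if not matches:
        return None  # caller should deny access rather than fall back to a default
    return min(matches, key=lambda m: int(m[1]["priority"]))
```

A user in both OMK Eng (priority 3) and OMK Ops (priority 5) therefore resolves to the engineer privilege, while a user in no mapped group gets nothing.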
The default location and name of the mapping file can be changed with the following item in the configuration file opCommon.json:
auth_ldap_privs_file