Child pages
  • OMK Authentication Methods
Skip to end of metadata
Go to start of metadata

Purpose

State the different authentication methods available for OMK applications

Authentication Methods

OMK authentication methods are configured in /usr/local/omk/conf/opCommon.nmis inside the authentication hash.  This entire file is a perl hash, so be mindful of syntax.  After editing this file a 'perl -c opCommon.nmis' will verify if the syntax is correct.  For authentication method changes to take effect the omkd service will need to be restarted.  Here's an example of the authenticaion hash inside opCommon.nmis.  Remember that statements preceded by the '#' sign are 'commented out' and will not be evaluated.

/usr/local/omk/conf/opCommon.nmis
  'authentication' => {
    'auth_htpasswd_file' => '<omk_conf>/users.dat',
    'auth_htpasswd_encrypt' => 'crypt',
    'auth_method_1' => 'htpasswd',
    'auth_method_2' => '',
    'auth_method_3' => '',
    'auth_login_motd' => 'Authentication required: default credentials are nmis/nm1888',
    'auth_crowd_server' => '',
    'auth_crowd_user' => '',
    'auth_crowd_password' => '',
    'auth_sso_domain' => '',
    'auth_expire_seconds' => '3600',
                'auth_lockout_after' => 0,
    #'auth_ms_ldap_attr' => 'sAMAccountName',
    #'auth_ms_ldap_base' => 'CN=Users,DC=your_domain,DC=com',
    #'auth_ms_ldap_group' => 'CN=Users,DC=your_domain,DC=com',
    #'auth_ms_ldap_debug' => 'false',
    #'auth_ms_ldap_dn_acc' => 'CN=Administrator,CN=Users,DC=your_domain,DC=com',
    #'auth_ms_ldap_dn_psw' => 'your_administrator_password',
    #'auth_ms_ldap_server' => 'your.ip.address.here'
 },

The following table lists OMK configuration options and the type of authentication which it works with.

 

Method
Description
ldap

OMK will use the configured LDAP server to perform authentication

 Config:
auth_ldap_server => 'host[:port]'
auth_ldap_attr => '' # attributes to match to username, can be blank, then defaults to ('uid','cn')
auth_ldap_context => 'ou=people,dc=opmantek,dc=com', # base of context to attempt to bind to 

ldaps (secure)

OMK will use the configured LDAP server to perform authentication

auth_ldaps_server => 'host[:port]'
auth_ldap_attr => '' # attributes to match to username, can be blank, then defaults to ('uid','cn')
auth_ldap_context => 'ou=people,dc=opmantek,dc=com', # base of context to attempt to bind to 

ms-ldap

OMK will use the configured Microsoft Active Directory (LDAP) server to perform authentication

Config:
auth_ms_ldap_server => 'host[:port]'
auth_ms_ldaps_server => 'host[:port]'
auth_ms_ldap_dn_acc => '' # the DN/account to bind with
auth_ms_ldap_dn_psw => 'password'
auth_ms_ldap_attr => 'sAMAccountName', # attribute to match to username
auth_ms_ldap_base => 'dc=corp,dc=opmantek,dc=com' # base to search from

ms-ldaps (secure)

OMK will use the configured Microsoft Active Directory (LDAP) server to perform authentication

Config:
auth_ms_ldaps_server => 'host[:port]'
auth_ms_ldap_dn_acc => '' # the DN/account to bind with
auth_ms_ldap_dn_psw => 'password'
auth_ms_ldap_attr => 'sAMAccountName', # attribute to match to username
auth_ms_ldap_base => 'dc=corp,dc=opmantek,dc=com' # base to search from

radius

OMK will use the configured radius server (Cisco ACS or Steel Belted Radius for example)

Config:
auth_radius_server => 'host:port'
auth_radius_secret => 'secret' 

tacacs

OMK will use the configured Tacacs+ server (Cisco ACS for example)

Config:
auth_tacacs_server => 'host:port'
auth_tacacs_secret => 'secret' # Also known as the "Key"

htpasswdOMK will use the users defined in the OMK Users file, by default /usr/local/omk/conf/users.dat.  Very often /usr/local/omk/conf/users.dat is a symlink pointing to /usr/local/nmis8/conf/users.dat.  The htpasswd user file may be changed by altering the auth_htpasswd_file key in the opCommon.nmis authentication hash.
tokenDelegated authentication by token as described here:  Delegated Authentication

Configuration of the External Authentications

In the OMK configuration you can configure multiple methods which are used for auth failure, so if ms-ldap fails, it will fail back to htpasswd for example.  This means if you set auth_method_1 to be ldap and auth_method_2 to be htpasswd, and login with the default NMIS credentials (and you have not changed the password), the authentication for LDAP will fail, and then authentication with the users.dat will succeed and the user will be logged in.

It is important to change your default passwords if you expect any level of security.

Authentication methods are evaluated in sequence.  The first method that returns successful authentication terminates the authentication process.  If a method returns an unsuccessful authentication, the process does not terminate, the next authentication method will be evaluated.  Consider the following scenario when provisioning authentication for OMK applications.

  1.  OMK First authentication method: LDAP
  2.  OMK Second authentication method: htpasswd
  3.  User Bob has an LDAP account and has a user in the htpasswd users file.
  4.  User Bob leaves the company
  5.  The IT department removes Bob's LDAP account assuming he will no longer be able to access corporate systems.
  6.  Bob will still be able to access OMK applications because there is a user Bob in the htpasswd user file.
  • No labels