Versions Compared

Old Version 15

changes.mady.by.user Alexander Zangerl

Saved on

compared with

New Version 16

changes.mady.by.user Tania Umme

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info
titleTHESE AUTH METHODS REQUIRE OPTIONAL PERL MODULES

 Each of the authentication methods require there own Perl Modules - you can install them with the cpan command and the module name e.g. "cpan Net::LDAP" or you can check if a module is installed with e.g. "cpan -D Net::LDAP"


MethodDescription
pam

As for the operating system like Debian or Ubuntu pam works out of the box. No special installation or any configuration needed.

However operating system like Centos or RHEL required to follow some specific steps.

Config:

  1. Create pam.d configuration file on nmis8 .The presence of this will cause Linux-PAM to ignore /etc/pam.conf 
  2. Allow web user to access  /etc/shadow with the authorisation to read and write. 
apacheApache will perform authentication and provide an authenticated user to NMIS, which will have authorisation policies applied.
htpasswdNMIS will use the users defined in the NMIS Users file, by default /usr/local/nmis8/conf/users.dat
ldap

NMIS will use the configured LDAP server to perform authentication

Requires Optional Perl Module: Net::LDAP

 Config:
auth_ldap_server => 'host[:port]'
auth_ldap_attr => '' # attributes to match to username, can be blank, then defaults to ('uid','cn')
auth_ldap_context => 'ou=people,dc=opmantek,dc=com', # base of context to attempt to bind to 

ldaps (secure)

NMIS will use the configured LDAP server to perform authentication

Requires Optional Perl Modules: IO::Socket::SSL and Net::LDAPS

auth_ldaps_server => 'host[:port]'
auth_ldap_attr => '' # attributes to match to username, can be blank, then defaults to ('uid','cn')
auth_ldap_context => 'ou=people,dc=opmantek,dc=com', # base of context to attempt to bind to 

ms-ldap

NMIS will use the configured Microsoft Active Directory (LDAP) server to perform authentication

Requires Optional Perl Module: Net::LDAP

Config:
auth_ms_ldap_server => 'host[:port]'
auth_ms_ldaps_server => 'host[:port]'
auth_ms_ldap_dn_acc => '' # the DN/account to bind with
auth_ms_ldap_dn_psw => 'password'
auth_ms_ldap_attr => 'sAMAccountName', # attribute to match to username
auth_ms_ldap_base => 'dc=corp,dc=opmantek,dc=com' # base to search from

ms-ldaps (secure)

NMIS will use the configured Microsoft Active Directory (LDAP) server to perform authentication

Requires Optional Perl Modules: IO::Socket::SSL and Net::LDAPS

Config:
auth_ms_ldaps_server => 'host[:port]'
auth_ms_ldap_dn_acc => '' # the DN/account to bind with
auth_ms_ldap_dn_psw => 'password'
auth_ms_ldap_attr => 'sAMAccountName', # attribute to match to username
auth_ms_ldap_base => 'dc=corp,dc=opmantek,dc=com' # base to search from

radius

NMIS will use the configured radius server (Cisco ACS or Steel Belted Radius for example)

Requires Optional Perl Modules: Authen::Simple::RADIUS

Config:
auth_radius_server => 'host:port'
auth_radius_secret => 'secret' 

tacacs

NMIS will use the configured Tacacs+ server (Cisco ACS for example)

Requires Optional Perl Modules: Authen::TacacsPlus

Config:
auth_tacacs_server => 'host:port'
auth_tacacs_secret => 'secret' # Also known as the "Key"

Configuration of the External Authentications

...

A number of problematic corner-cases were discovered and fixed in May 2018, which have unfortunately required certain changes that are not backwards-compatible.
The following table lists the scenarios:

NMISOpmantek AppsNMIS-Opmantek SSO
before 8.6.3Gany versionnot available
8.6.3 or 8.6.4only application releases before 22.5.2018
present on your system		available but not perfectly robust
in certain circumstances
8.6.5 and neweronly releases older than 22.5.2018 present

not available

8.6.5 and newerat least one application release newer than 22.5.2018 presentavailable

SSO between NMIS and OMK Applications on one system

...

Using the menu access "System -> System Configuration -> Users", select "add" from the top right, and then complete the form, specifying the User which matches the user added using htpasswd, specify Privilege and Groups, using "all" if all groups are permitted, multiple groups can be selected.