
OMK authentication methods are configured in /usr/local/omk/conf/opCommon.nmis inside the authentication hash. This entire file is a Perl hash, so be mindful of the syntax. After editing this file, running 'perl -c opCommon.nmis' will verify whether the syntax is correct. For authentication method changes to take effect, the omkd service will need to be restarted.

The supported authentication methods are:

htpasswd

This is used by NMIS as the default authentication method.

LDAP

The Opmantek products will use the configured LDAP server to perform authentication.

Following are the configuration items in opCommon.json:

Key               | Description             | Example                      | Comment
auth_ldap_privs   | User's local privileges | 0/1                          | By default, set to 0. To enable the feature, set the value to 1.
auth_ldap_server  | LDAP Server Name        | host[:port]                  | No defaults. Entry must be created.
auth_ldap_acc     | Account Name            |                              | The LDAP account name to search for. Entry must be created.
auth_ldap_psw     | Account Password        |                              | The password associated with the above LDAP account. Entry must be created.
auth_ldap_context | Base Context            | ou=people,dc=opmantek,dc=com | Base context to attempt to bind to.
auth_ldap_attr    | LDAP Attributes         |                              | The LDAP attribute(s) to match to username. Can be blank; if so, it defaults to ('uid','cn').

LDAPS

The Opmantek products will use the configured LDAP (Secure) server to perform authentication.

Following are the configuration items in opCommon.json:

Key               | Description             | Example                      | Comment
auth_ldap_privs   | User's local privileges | 0/1                          | By default, set to 0. To enable the feature, set the value to 1.
auth_ldaps_server | LDAPS Server Name       | host[:port]                  | No defaults. Entry must be created.
auth_ldap_acc     | Account Name            |                              | The LDAP account name to search for. Entry must be created.
auth_ldap_psw     | Account Password        |                              | The password associated with the above LDAP account. Entry must be created.
auth_ldap_context | Base Context            | ou=people,dc=opmantek,dc=com | Base context to attempt to bind to.
auth_ldap_attr    | LDAP Attributes         |                              | The LDAPS attribute(s) to match to username. Can be blank; if so, it defaults to ('uid','cn').

MS-LDAP

OMK will use the configured Microsoft Active Directory LDAP server to perform authentication.

Following are the configuration items in opCommon.json:

Key                 | Description                                                          | Example                    | Comment
auth_ms_ldap_server | MS-LDAP Server Name                                                  | host[:port]                | No defaults. Entry must be created.
auth_ms_ldap_acc    | Account Name                                                         |                            | The MS-LDAP Distinguished Name (DN)/account to bind with.
auth_ms_ldap_psw    | Account Password                                                     |                            | The password associated with the above MS-LDAP account. Entry must be created.
auth_ms_ldap_base   | Base Context                                                         | dc=corp,dc=opmantek,dc=com | Base context to search from.
auth_ms_ldap_attr   | MS-LDAP Attributes                                                   | sAMAccountName             | The MS-LDAP attribute(s) to match to username.
auth_ms_ldap_group  | Checks if the user logging in is associated with the defined group.  | Sales, SNMPSIM, GPON       | Must follow: CN=OMK Ops,CN=Users,DC=opmantek,DC=local

MS-LDAPS

The Opmantek products will use the configured Microsoft Active Directory LDAP (Secure) server to perform authentication.

Following are the configuration items in opCommon.json:

Key                  | Description                                                          | Example                    | Comment
auth_ms_ldaps_server | MS-LDAPS Server Name                                                 | host[:port]                | No defaults. Entry must be created.
auth_ms_ldap_acc     | Account Name                                                         |                            | The MS-LDAP Distinguished Name (DN)/account to bind with.
auth_ms_ldap_psw     | Account Password                                                     |                            | The password associated with the above MS-LDAP account. Entry must be created.
auth_ms_ldap_base    | Base Context                                                         | dc=corp,dc=opmantek,dc=com | Base context to search from.
auth_ms_ldap_attr    | MS-LDAP Attributes                                                   | sAMAccountName             | The MS-LDAP attribute(s) to match to username.
auth_ms_ldap_group   | Checks if the user logging in is associated with the defined group.  | Sales, SNMPSIM, GPON       | Must follow: CN=OMK Ops,CN=Users,DC=opmantek,DC=local

TACACS

The Opmantek products will use the configured Tacacs+ server (for example, Cisco ACS).

Key                | Description            | Example   | Comment
auth_tacacs_server | The Tacacs Server Name | host:port |
auth_tacacs_secret | The Key                | secret    |

Multiple Authentication Methods

You can use up to 3 authentication methods for fallback. For example, if you set auth_method_1 to LDAP and auth_method_2 to htpasswd, and log in with the default NMIS credentials (and you have not changed the password), LDAP authentication will fail, authentication against users.dat will then succeed, and the user will be logged in.

Here is an example of the authentication hash inside opCommon.nmis. Remember that statements preceded by the '#' sign are 'commented out' and will not be evaluated. Note: the limit for different auth_method options is 3. In this example, if ms-ldap fails, it will fall back to htpasswd.

File: /usr/local/omk/conf/opCommon.nmis

  'authentication' => {
    'auth_htpasswd_file' => '<omk_conf>/users.dat',
    'auth_htpasswd_encrypt' => 'crypt',
    'auth_method_1' => 'htpasswd',
    'auth_method_2' => '',
    'auth_method_3' => '',
    'auth_login_motd' => 'Authentication required: default credentials are nmis/nm1888',
    'auth_crowd_server' => '',
    'auth_crowd_user' => '',
    'auth_crowd_password' => '',
    'auth_sso_domain' => '',
    'auth_expire_seconds' => '3600',
    'auth_lockout_after' => 0,
    #'auth_ms_ldap_attr' => 'sAMAccountName',
    #'auth_ms_ldap_base' => 'CN=Users,DC=your_domain,DC=com',
    #'auth_ms_ldap_group' => 'CN=Users,DC=your_domain,DC=com',
    #'auth_ms_ldap_debug' => 'false',
    #'auth_ms_ldap_dn_acc' => 'CN=Administrator,CN=Users,DC=your_domain,DC=com',
    #'auth_ms_ldap_dn_psw' => 'your_administrator_password',
    #'auth_ms_ldap_server' => 'your.ip.address.here'
  },
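As an added example (not Opmantek's code), the checks below encode the per-method tables above and the three-slot fallback rule from this section: the authentication hash is modelled as a Python dict (the real file is a Perl hash), the required settings per method follow the "No defaults. Entry must be created." entries, and the host dc01.example.test plus the sample dict are constructed here. Accepting either auth_ms_ldap_acc/_psw (tables) or auth_ms_ldap_dn_acc/_dn_psw (sample hash) is an assumption made by this example.

```python
# Settings each method needs, from this page's tables ("No defaults. Entry must be created").
# The tables name the MS-LDAP bind account auth_ms_ldap_acc/_psw while the sample opCommon.nmis
# uses auth_ms_ldap_dn_acc/_dn_psw; accepting either spelling is an assumption made here.
LDAP_BIND = (("auth_ldap_acc",), ("auth_ldap_psw",), ("auth_ldap_context",))
MS_BIND = (("auth_ms_ldap_acc", "auth_ms_ldap_dn_acc"),
           ("auth_ms_ldap_psw", "auth_ms_ldap_dn_psw"), ("auth_ms_ldap_base",))
REQUIRED = {
    "htpasswd": (("auth_htpasswd_file",),),
    "ldap": (("auth_ldap_server",),) + LDAP_BIND,
    "ldaps": (("auth_ldaps_server",),) + LDAP_BIND,
    "ms-ldap": (("auth_ms_ldap_server",),) + MS_BIND,
    "ms-ldaps": (("auth_ms_ldaps_server",),) + MS_BIND,
    "tacacs": (("auth_tacacs_server",), ("auth_tacacs_secret",)),
    "radius": (("auth_radius_server",), ("auth_radius_secret",)),
}
SLOTS = ("auth_method_1", "auth_method_2", "auth_method_3")  # the page's limit is three

def method_chain(auth):
    """Fallback order: auth_method_1..3 in order, blank slots skipped."""
    return [auth[slot] for slot in SLOTS if auth.get(slot)]

def check_authentication(auth):
    """Return findings for the configured methods; an empty list means each is complete."""
    findings = []
    extra = sorted(k for k, v in auth.items()
                   if k.startswith("auth_method_") and v and k not in SLOTS)
    if extra:
        findings.append(f"{', '.join(extra)} ignored: the limit is 3 auth_method options")
    for method in method_chain(auth):
        if method not in REQUIRED:
            findings.append(f"{method}: not a method this page lists")
            continue
        for names in REQUIRED[method]:  # every alternative name empty means the setting is missing
            if not any(auth.get(k) for k in names):
                findings.append(f"{method}: {' or '.join(names)} has no default and is not set")
        if method in ("ldap", "ldaps") and not auth.get("auth_ldap_attr"):
            findings.append(f"{method}: auth_ldap_attr is blank, so usernames match ('uid','cn')")
    return findings

# Constructed sample: ms-ldap first, falling back to htpasswd, with two mistakes to catch.
SAMPLE = {
    "auth_method_1": "ms-ldap", "auth_method_2": "htpasswd", "auth_method_3": "",
    "auth_method_4": "tacacs",  # over the page's limit of three slots
    "auth_htpasswd_file": "<omk_conf>/users.dat",
    "auth_ms_ldap_server": "dc01.example.test:389",  # constructed host
    "auth_ms_ldap_dn_acc": "CN=svc_omk,CN=Users,DC=example,DC=test",  # bind password omitted
    "auth_ms_ldap_base": "DC=example,DC=test",
}
```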

The following lists each authentication type together with the OMK configuration options it works with.

ldap
OMK will use the configured LDAP server to perform authentication.
Config:
auth_ldap_server => 'host[:port]'
auth_ldap_attr => '' # attributes to match to username, can be blank, then defaults to ('uid','cn')
auth_ldap_context => 'ou=people,dc=opmantek,dc=com', # base of context to attempt to bind to

ldaps
OMK will use the configured LDAP (Secure) server to perform authentication.
Config:
auth_ldaps_server => 'host[:port]'
auth_ldap_attr => '' # attributes to match to username, can be blank, then defaults to ('uid','cn')
auth_ldap_context => 'ou=people,dc=opmantek,dc=com', # base of context to attempt to bind to

ms-ldap
OMK will use the configured Microsoft Active Directory (LDAP) server to perform authentication.

ms-ldaps
OMK will use the configured Microsoft Active Directory LDAP (Secure) server to perform authentication.
Config:
auth_ms_ldaps_server => 'host[:port]'
auth_ms_ldap_dn_acc => '' # the LDAP Distinguished Name (DN)/account to bind with
auth_ms_ldap_dn_psw => 'password'
auth_ms_ldap_attr => 'sAMAccountName', # attribute to match to username
auth_ms_ldap_base => 'dc=corp,dc=opmantek,dc=com' # base to search from
auth_ms_ldap_group => '' # checks if the user logging in is associated with the defined group.

radius
OMK will use the configured RADIUS server (Cisco ACS or Steel Belted Radius, for example).
Config:
auth_radius_server => 'host:port'
auth_radius_secret => 'secret'

tacacs
OMK will use the configured Tacacs+ server (Cisco ACS, for example).
Config:
auth_tacacs_server => 'host:port'
auth_tacacs_secret => 'secret' # Also known as the "Key"

Configuration of the External Authentications

File: /usr/local/omk/conf/opCommon.json

"authentication" : {
   "auth_ldap_server" : "the_fqdn_of_your_ad_server:389",
   "auth_ldap_acc" : "svc_omk_admin@contoso.local",
   "auth_ldap_dn_psw" : "password_of_the_auth_ldap_acc_above",
   "auth_ldap_context" : "dc=contoso,dc=local"
},

JSON does not allow comments, so the remark from the original block belongs here instead: you could also use an IP address for auth_ldap_server, but you need to ensure that the LDAP/LDAPS port is added in the value, e.g. 192.168.1.22:389. Note that this example names the password key auth_ldap_dn_psw, while the LDAP table above lists it as auth_ldap_psw.