...

Method / Description

apache

Apache will perform authentication and provide an authenticated user to NMIS, which will have authorisation policies applied.

htpasswd

NMIS will use the users defined in the NMIS Users file, by default /usr/local/nmis8/conf/users.dat
ldap

NMIS will use the configured LDAP server to perform authentication

Requires Optional Perl Module: Net::LDAP

Config:
auth_ldap_server => 'host[:port]'
auth_ldap_attr => '' # attributes to match to username, can be blank, then defaults to ('uid','cn')
auth_ldap_context => 'ou=people,dc=opmantek,dc=com', # base of context to attempt to bind to 

ldaps (secure)

NMIS will use the configured LDAP server to perform authentication

Requires Optional Perl Modules: IO::Socket::SSL and Net::LDAPS

Config:
auth_ldaps_server => 'host[:port]'
auth_ldap_attr => '' # attributes to match to username, can be blank, then defaults to ('uid','cn')
auth_ldap_context => 'ou=people,dc=opmantek,dc=com', # base of context to attempt to bind to 

ms-ldap

NMIS will use the configured Microsoft Active Directory (LDAP) server to perform authentication

Requires Optional Perl Module: Net::LDAP

Config:
auth_ms_ldap_server => 'host[:port]'
auth_ms_ldap_dn_acc => '' # the DN/DomainName\account to bind with
auth_ms_ldap_dn_psw => 'password'
auth_ms_ldap_attr => 'sAMAccountName', # attribute to match to username
auth_ms_ldap_base => 'dc=corp,dc=opmantek,dc=com' # base to search from

ms-ldaps (secure)

NMIS will use the configured Microsoft Active Directory (LDAP) server to perform authentication

Requires Optional Perl Modules: IO::Socket::SSL and Net::LDAPS

Config:
auth_ms_ldaps_server => 'host[:port]'
auth_ms_ldap_dn_acc => '' # the DN/DomainName\account to bind with
auth_ms_ldap_dn_psw => 'password'
auth_ms_ldap_attr => 'sAMAccountName', # attribute to match to username
auth_ms_ldap_base => 'dc=corp,dc=opmantek,dc=com' # base to search from

If an internal CA is used for the AD server's SSL certificate, that CA's root certificate should be imported so the connection is trusted.

pam

Available in NMIS versions 8.6.8G and newer.

  • Debian/Ubuntu:
    The webserver user must be able to read the /etc/shadow file, which can be achieved by adding the webserver user to the shadow group:
    Run sudo adduser www-data shadow
  • CentOS/RedHat:
    CentOS and RHEL require further configuration steps to enable PAM.
    1. Create a PAM configuration file for NMIS as /etc/pam.d/nmis.
       You might clone /etc/pam.d/login and adjust that.
       Unless an 'nmis' PAM configuration file is present, the default configuration from /etc/pam.conf will reject any authentication attempts.
    2. Allow the web user to read /etc/shadow.

radius

NMIS will use the configured radius server (Cisco ACS or Steel Belted Radius for example)

Requires Optional Perl Module: Authen::Simple::RADIUS

  • Install from CPAN with command:
    • sudo cpanm Authen::Simple::RADIUS --sudo

Config:
auth_radius_server => 'host:port'
auth_radius_secret => 'secret' 

tacacs

NMIS will use the configured Tacacs+ server (Cisco ACS for example)

Requires Optional Perl Module: Authen::TacacsPlus

Config:
auth_tacacs_server => 'host:port'
auth_tacacs_secret => 'secret' # Also known as the "Key"

ConnectWise

  1. Set up the ConnectWise API:
    'auth_cw_server' => '1.2.3.4', # IP address of ConnectWise Server
    'auth_cw_company_id' => 'COMPANY', # Company name in ConnectWise
    'auth_cw_public_key' => 'xxxxxxXXXXXxxxxx', # ConnectWise Public Key
    'auth_cw_private_key' => 'yyyyyYYYYYyyyyy',
  2. Set up the system to use the auth method:
    'auth_method_1' => 'connectwise',
    'auth_method_2' => 'ms-ldap',
    'auth_method_3' => 'htpasswd',

...

In the NMIS configuration you can configure multiple authentication methods, which are tried in order when an earlier one fails: if ms-ldap fails, NMIS falls back to htpasswd, for example. This means that if you set auth_method_1 to ldap and auth_method_2 to htpasswd, and log in with the default NMIS credentials (and you have not changed the password), LDAP authentication will fail, then authentication against users.dat will succeed and the user will be logged in. The limit for different auth_method variables is 3.

It is important to change your default passwords if you expect any level of security.
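The fallback behaviour above, and the reason it matters, as an added example (not NMIS code): the auth_method_1..3 chain is modelled as an ordered list of methods, the first that accepts wins, and a defender-side check lists accounts in the users file that still accept a known default password. It assumes an htpasswd-style users file using the {SHA} scheme (base64 of SHA-1, as written by `htpasswd -s`); the sample file, the placeholder default password and the toy `ldap_method` are constructed for the example.

```python
# Added example, not NMIS code: models the auth_method_1..3 fallback chain
# and a defender check for accounts that still accept a default password.
# Assumes an htpasswd-style users file with {SHA} entries; other schemes
# are rejected (fail closed) rather than guessed at.
import base64
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

MAX_METHODS = 3  # NMIS supports auth_method_1 .. auth_method_3
AuthFn = Callable[[str, str], bool]


def sha_entry(password: str) -> str:
    """Encode a password the way 'htpasswd -s' does: {SHA} + base64(sha1)."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


# Placeholder default password for the example (not NMIS's real default).
DEFAULT_PASSWORD = "default-password-placeholder"

# Constructed sample users file: 'nmis' still has the placeholder default,
# 'ops' has a password the operator changed.
USERS_DAT = "\n".join([
    "nmis:" + sha_entry(DEFAULT_PASSWORD),
    "ops:" + sha_entry("changed-by-the-operator"),
    "# comment lines and blanks are ignored",
    "",
])


def parse_users_dat(text: str) -> Dict[str, str]:
    """Parse 'user:hash' lines into a dict, ignoring blanks and comments."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def verify_htpasswd(stored: str, password: str) -> bool:
    """Check a password against a {SHA} entry using a constant-time compare."""
    if not stored.startswith("{SHA}"):
        return False  # unsupported scheme: fail closed
    return hmac.compare_digest(stored.encode(), sha_entry(password).encode())


def htpasswd_method(users: Dict[str, str]) -> AuthFn:
    """Build an auth function over a parsed users file."""
    def check(user: str, password: str) -> bool:
        stored = users.get(user)
        return stored is not None and verify_htpasswd(stored, password)
    return check


def ldap_method(user: str, password: str) -> bool:
    """Toy stand-in for a directory that knows only 'ops' (assumption)."""
    return user == "ops" and password == "ldap-only-password"


def build_chain(config: Dict[str, str]) -> List[str]:
    """Read auth_method_1..3 in order; keys beyond the limit are ignored."""
    chain: List[str] = []
    for i in range(1, MAX_METHODS + 1):
        name = config.get(f"auth_method_{i}")
        if name:
            chain.append(name)
    return chain


def authenticate(config: Dict[str, str], methods: Dict[str, AuthFn],
                 user: str, password: str) -> Optional[str]:
    """Try each configured method in turn; return the name of the first one
    that accepts the credentials, or None if every method rejects them."""
    for name in build_chain(config):
        method = methods.get(name)
        if method is not None and method(user, password):
            return name
    return None


def accounts_with_default_password(users: Dict[str, str],
                                   defaults: List[str]) -> List[str]:
    """Defender check: accounts that still accept any known default password."""
    return sorted(u for u, h in users.items()
                  if any(verify_htpasswd(h, d) for d in defaults))


if __name__ == "__main__":
    users = parse_users_dat(USERS_DAT)
    config = {"auth_method_1": "ldap", "auth_method_2": "htpasswd"}
    methods = {"ldap": ldap_method, "htpasswd": htpasswd_method(users)}
    # LDAP rejects 'nmis', so the chain falls back to users.dat and succeeds.
    print(authenticate(config, methods, "nmis", DEFAULT_PASSWORD))
    print(accounts_with_default_password(users, [DEFAULT_PASSWORD]))
```

The point the check makes is the one the paragraph makes: the directory can reject a login and the chain still lets it through on the local file, so the local file has to be audited on its own terms. Run the audit against the real users.dat with the documented default password before enabling any fallback method.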

...

Both the Cookie Type (or flavour) and Authentication Secret (or key) settings can be changed using the Basic Setup dialog, or the NMIS Configuration dialog (they're in section "authentication").
To retrieve the Opmantek application secret, you can either open /usr/local/omk/conf/opCommon.nmisjson with an editor (look for omkd_secrets), or you can ask the patch_config tool for the value of that setting, as in the following example:

    $ /usr/local/omk/bin/patch_config.exe -r /usr/local/omk/conf/opCommon.nmisjson /omkd/omkd_secrets[0]
    CHANGE_ME_askdfal2332lkwjflk
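A value that still begins with CHANGE_ME, as in the output above, is the shipped placeholder. The following added example (not Opmantek code) audits the omkd_secrets list for that and for a short or low-diversity value, and produces a rotated configuration with a freshly generated secret. It assumes opCommon.nmisjson is plain JSON with the nesting implied by the path /omkd/omkd_secrets[0]; the sample document, the length threshold and the entropy threshold are choices made for the example.

```python
# Added example, not Opmantek code: audit and rotate the omkd_secrets value.
# Assumes opCommon.nmisjson is JSON shaped as {"omkd": {"omkd_secrets": [...]}}
# (inferred from the patch_config path /omkd/omkd_secrets[0]).
import json
import math
import secrets
from collections import Counter
from typing import List

# Constructed sample config carrying the placeholder value from the page.
SAMPLE_OPCOMMON = json.dumps(
    {"omkd": {"omkd_secrets": ["CHANGE_ME_askdfal2332lkwjflk"]}}, indent=2)

DEFAULT_PREFIX = "CHANGE_ME"   # marker of the shipped placeholder
MIN_LENGTH = 32                # assumption: shorter secrets are flagged
MIN_BITS_PER_CHAR = 3.0        # assumption: flags repetitive / tiny alphabets


def load_secrets(text: str) -> List[str]:
    """Return the omkd_secrets list from an opCommon.nmisjson document."""
    return list(json.loads(text)["omkd"]["omkd_secrets"])


def shannon_bits_per_char(value: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def audit_secret(secret: str) -> List[str]:
    """List the problems with one secret; an empty list means it passes."""
    problems: List[str] = []
    if secret.startswith(DEFAULT_PREFIX):
        problems.append("placeholder")
    if len(secret) < MIN_LENGTH:
        problems.append("too short")
    if shannon_bits_per_char(secret) < MIN_BITS_PER_CHAR:
        problems.append("low diversity")
    return problems


def new_secret() -> str:
    """Generate a replacement from the OS CSPRNG (64 URL-safe characters)."""
    return secrets.token_urlsafe(48)


def rotated_config(text: str) -> str:
    """Return the JSON document with omkd_secrets[0] replaced by a new secret.
    Existing cookies signed with the old secret stop validating, which is the
    intended effect of a rotation."""
    doc = json.loads(text)
    doc["omkd"]["omkd_secrets"][0] = new_secret()
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for s in load_secrets(SAMPLE_OPCOMMON):
        print(s, audit_secret(s) or "ok")
    print(rotated_config(SAMPLE_OPCOMMON))
```

Write the rotated document back with the same tool or editor the page describes (patch_config or the Basic Setup dialog) rather than overwriting the file blind, so any other keys in the real configuration are preserved.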

...