...
| Key | Description | Example | Comment | |
|---|---|---|---|---|
| auth_htpasswd_file | Location of the password file | Default is /usr/local/nmis9/conf/users.dat | Not in GUI | |
| auth_htpasswd_encrypt | Enable encrypted passwords | 0/1 | Default is 1. Plain plain text passwords are checked ONLY if encmode value is 0 or 'plaintext' | Not in GUI |
ldap
...
and ldaps
You can choose to use ldap or ldaps (secure) you can not use both of these at the same time.
ldap
The Opmantek products will use the configured The Opmantek products will use the configured LDAP server to perform authentication.
Following are the configuration items in opCommon.json:
| Key | Description | Example | Comment | |||||
|---|---|---|---|---|---|---|---|---|
| auth_ldap_ | privsUser's local privileges | 0/1 | By default, set to 0. To enable the feature, set the value to 1. | server | auth_ldap_server | LDAP Server Name | host[:port] | The LDAP Server Name. No defaults. Entry must be created. |
auth_ldap_acc | Account Name | The LDAP account name to login to search forthe Server. The entry must be created. | ||||||
auth_ldap_psw | Account Password | The password associated with the above LDAP account. The entry must be created. | ||||||
| auth_ldap_context context | Base Context | ou=people,dc=opmantek,dc=com | Base context to attempt to bind to. | |||||
auth_ldap_attr | Username LDAP Attributes | The | LDAP attributeLDAP attribute(s) to match to username. Can be blank; if so, it defaults to ('uid', | 54.85'cn') | ||||
| auth_ldap_privs | Use LDAP Privileges | 0/1 | Use LDAP for Privileges and Groups. See User Authorisation with Active Directory and LDAP. By default, set to 0 (disabled). |
ldaps
The Opmantek products will use the configured LDAP (Secure) server to perform authentication.
Following are the configuration items in opCommon.json:
| Key | Description | Example | Comment | ||||||
|---|---|---|---|---|---|---|---|---|---|
| auth_ | ldap_privsUser's local privileges | 0/1 | By default, set to 0. To enable the feature, set the value to 1. | ldaps_server | LDAPS Server Name | auth_ldaps_server | LDAPS Server Name | host[:port] | The LDAP Server Name. No defaults. Entry must be created. |
auth_ldap_acc | Account Name | The LDAP account name to login to search forthe Server. Entry must be created | |||||||
auth_ldap_psw | Account Password | The password associated with the above LDAP account. The entry must be created. | |||||||
| auth_ldap_context context | Base Context | ou=people,dc=opmantek,dc=com | Base context to attempt to bind to. | ||||||
auth_ldap_attr | Username LDAP Attributes | The | LDAPs attributeLDAP attribute(s) to match to username. Can be blank; if so, it defaults to ('uid', | 54.85'cn') |
...
| auth_ldap |
...
| _privs | Use LDAP Privileges | 0/1 | Use LDAP for Privileges and Groups. See User Authorisation with Active Directory and LDAP. By default, set to 0 (disabled). |
ms-ldap and ms-ldaps
You can choose to use ms-ldap or ms-ldaps (secure) you can not use both of these at the same time.
ms-ldap
OMK will use the configured Microsoft Active Directory LDAP server to perform authentication.
Following are the configuration items:
| Key | Description | Example | Comment |
|---|
OMK will use the configured Microsoft Active Directory LDAP server to perform authentication.
Following are the configuration items in opCommon.json:
| Key | Description | Example | Comment | ||
|---|---|---|---|---|---|
| auth_ms_ldap_server | MS-LDAP Server Name | host[:port] | No defaults. Entry must be created. | ||
auth_ms_ldap_acc | Account Name | The MS-LDAP Distinguished Name (DN)/account to bind with||||
| auth_ms_ldap_ | pswAccount Password | The password associated with the above MS-LDAP account. The entryserver | Microsoft LDAP Server Name | host[:port] | The LDAP Server Name. No defaults. Entry must be created. |
auth_ms_ldap_dn_ baseacc | Account Name | The MS-LDAP Distinguished Name (DN)/account to login to the Server. | |||
auth_ms_ldap_dn_psw | Account Password | The password associated with the above MS-LDAP account. The entry must be created. | |||
| auth_ms_ldap_base | Base Context | Base Context | dc=corp,dc=opmantek,dc=com | Base context to search from. | |
auth_ms_ldap_attr | MS-Username LDAP Attributes | sAMAccountName | The MS-LDAP attribute(s) to match to username. | ||
| auth_ms_ldap_group | Checks if the user logging in is associated with the defined group.LDAP Group | Sales, SNMPSIM, GPON | MustOptional. The user is only allowed to log in if they are a member of the defined group. Must follow: CN=OMK Ops,CN=Users,DC=opmantek,DC=local |
ms-ldaps
The Opmantek products will use the configured Microsoft Active Directory LDAP (Secure) server to perform authentication.
Following are the configuration items in opCommon.json:
| auth_ldap_privs | Use LDAP Privileges | 0/1 | Use LDAP for Privileges and Groups. See User Authorisation with Active Directory and LDAP. By default, set to 0 (disabled). |
| auth_ldap_group | Group LDAP Attribute | memberOf | Default is memberOf. The attribute to lookup the groups the user belongs to. |
ms-ldaps
The Opmantek products will use the configured Microsoft Active Directory LDAP (Secure) server to perform authentication.
Following are the configuration items:
| Key | Description | Example | Comment | ||
|---|---|---|---|---|---|
| auth_ms_ldaps_server | Microsoft LDAPS Server Name | host[:port] | The LDAP Server Name. No defaults. Entry | ||
| Key | Description | Example | Comment | ||
| auth_ms_ldaps_server | MS-LDAPS Server Name | host[:port] | No defaults. Entry must be created. | ||
auth_ms_ldap_acc | Account Name | The MS-LDAP Distinguished Name (DN)/account to bind with | auth_ms_ldap_psw | Account Password | The password associated with the above MS-LDAP account. The entrymust be created. |
auth_ms_ldap_dn_ baseacc | Account Name | The MS-LDAP Distinguished Name (DN)/account to to login to the Server. | |||
auth_ms_ldap_dn_psw | Account Password | The password associated with the above MS-LDAP account. The entry must be created. | |||
| auth_ms_ldap_base | Base Context | dc=corp,dc | Base Context | dc=corp,dc=opmantek,dc=com | Base context to search from. |
auth_ms_ldap_attr | MS-Username LDAP Attributes | sAMAccountName | The MS-LDAP attribute(s) to match to username. | ||
| auth_ldap_privs | Use LDAP Privileges | 0/1 | Use LDAP for Privileges and Groups. See User Authorisation with Active Directory and LDAP. By default, set to 0 (disabled). | ||
| auth_ms_ldap_group | LDAP GroupChecks if the user logging in is associated with the defined group. | Sales, SNMPSIM, GPON | Must follow: CNOptional. The user is only allowed to log in if they are a member of the defined group. Must follow: CN=OMK Ops,CN=Users,DC=opmantek,DC=local |
novell-ldap
-- Deprecated --
apache
The Opmantek products will use Apache will to perform authentication and provide an authenticated user to Opmantek , which will have products with all the authorisation policies applied.
...
Following are the configuration items for setting up the ConnectWise API in opCommon.json (Cannot be configured in GUI):
| Key | Description | Example | Comment |
|---|---|---|---|
| auth_cw_server | IP address of the ConnectWise Server | 1.2.3.4 | No defaults. Entry must be created. |
auth_cw_company_id | The company name in ConnectWise | COMPANY | |
| auth_cw_public_key | The ConnectWise Public Key | xxxxxxXXXXXxxxxx | |
| auth_cw_private_key | The Private Key associated with the above Public Key | yyyyyYYYYYyyyyy |
crowd
openaudit
...
The Opmantek products use OKTA's OpenID Connect for authentication. In the authentication > auth_method_1 entry of opCommon.json, use the openid_connect. For more information, see OKTA OpenID authentication.will use Atlassian Crowd authentication. Use Crowd to assign additional groups to a user and define each service that requires authentication as an application in Crowd.
Following are the configuration items
...
:
| Key | Description | Example | Comment |
|---|---|---|---|
| type | Authentication type | okta | The authentication type shall be "okta". |
| url | URL for your subdomain | https://YOUR_SUBDOMAIN.okta.com/oauth2/default/v1/token | Replace only the text in red with your subdomain name. |
| password | Password | password | The password shall remain "password", since the Opmantek's internal password field is mapped to the one returned by the OKTA service. |
| username | User name | username | The user name shall remain "username", since the Opmantek's internal username field is mapped to the one returned by the OKTA service. | client_id | The user's client ID | Enter the user's client ID. | client_secret | The user's client secret | Enter the user's client secret. | grant_type | password | This grant type shall be "password". | scope | openid | The scope shall be "openid". |
After making the required changes, restart the omkd service.
...
auth_crowd_server | Crowd server | ||
auth_crowd_user | Crowd User name | username | |
auth_crowd_password | Crowd Password | password |
openaudit
Other FirstWave products can use Open-AudIT to authenticate users. See reference. Open-AudIT can use Active Directory and/or OpenLDAP for user authentication and/or authorisation. Open-AudIT will query both types of LDAP servers to validate a user's username and password and retrieve the user details (roles and orgs the user has access to). The user will be automatically created when they are authenticated.
To configure the use of openaudit authentication the following items must be configured:
| Key | Description | Example | Comment |
|---|---|---|---|
| oae_server | IP address of the Open-AudIT server | 1.2.3.4 | The link to Open-AudIT for internal connections. Should always be the original value unless explicitly directed by Opmantek to be changed. |
| oae_type | Unused in on-premise installations. | ||
| oae_cloud_server | cloud server URL | Unused in on-premise installations. | |
| omk_ua_insecure | Validation for editing remote nodes | 0 or 1 | Allows insecure (self-signed) SSL certificates |
openid_connect
Opmantek products use OKTA's OpenID Connect for authentication. In the authentication > auth_method_1 entry of opCommon.json, use the openid_connect. For more information, see OKTA OpenID authentication.
Following are the configuration items:
| Key | Description | Example | Comment |
|---|---|---|---|
| type | Authentication type | okta | The authentication type shall be "okta". |
| YOUR_SUBDOMAIN | URL for your subdomain | https://YOUR_SUBDOMAIN.okta.com/oauth2/default/v1/token | Replace only the text in red with your subdomain name. |
| password | Password | password | The password shall remain "password", since the Opmantek's internal password field is mapped to the one returned by the OKTA service. |
| username | User name | username | The user name shall remain "username", since the Opmantek's internal username field is mapped to the one returned by the OKTA service. |
| YOUR_CLIENT_ID | The client ID | Enter the client ID. | |
| YOUR_CLIENT_SECRET | The client secret | Enter the client secret. | |
| grant_type | password | This grant type shall be "password". | |
| scope | openid | The scope shall be "openid". |
After making the required changes, restart the omkd service.
radius
The Opmantek products will use the configured radius server (for example, Cisco ACS or Steel Belted Radius).
Following are the configuration items:
| Key | Description | Example | Comment |
|---|---|---|---|
| auth_radius_server | The Radius Server Name | host:port | No defaults. Entry must be created. |
auth_radius_secret | Also known as the Key | secret |
tacacs
The Opmantek products will use the configured radius TACACS+ server (for example, Cisco ACS or Steel Belted Radius).
Following are the configuration items in opCommon.json:
| Key | Description | Example | Comment |
|---|---|---|---|
| auth_ |
| tacacs_server | The |
| TACACS Server Name | host:port |
auth_radius_secret
Also known as the Key
system
tacacs
auth_tacacs_secret | The Key | secret |
token
The Opmantek products support a new authentication method called token, which offers delegated authentication. This enables an external party to pre-authenticate a user, who can access the Opmantek products without having to log in with username and passwordThe Opmantek products will use the configured TACACS+ server (for example, Cisco ACS).
| Key | Description | Example | Comment |
|---|
auth_ |
token_ |
The Key
token
...
key | One or more shared keys | extusr-1Kf!yVXt8TrP9zi | |
auth_token_maxage | The maximum length of time a token will remain valid. Must be a positive number, and defines how long a token remains valid after creation (in seconds). | 60 | If not present, the default of 300 seconds is used |
...
| . |
For more information on how to generate and log in with a token, see Delegated Authentication.
...
Multiple Authentication Methods
You can use up to 3 Authentication Methods authentication methods for fail back. If authentication with method 1 fails, then if they are defined, the remaining methods are tried in order. Authentication fails if they all fail. For example, if you set auth_method_1 to be LDAP and auth_method_2 to be htpasswd and login with the default NMIS credentials (and you have not changed the password), the authentication for LDAP will fail, and then htpasswd authentication with the users.dat will succeed and the NMIS user will be logged in.
Here is an example of the authentication hash inside opCommon.nmis. Remember that statements preceded by the '#' sign are 'commented out' and will not be evaluated. In this example, if ms-ldap fails, it will fail back to htpasswd.
...