...

Caveats

  • Before opEvents 4.3.2, using this feature disables the use of the NMIS User Table completely.
  • From opEvents 4.3.2 and opCharts 4.5.5, the feature has been enhanced to honour both local user privileges and LDAP-learnt privileges when auth_ldap_privs is enabled. The lookup order is:
    1. If a local user exists, use the privilege and groups for that local user from Users.nmis.
    2. If no local user exists and auth_ldap_privs is enabled, retrieve the user's LDAP groups and match them to a privilege and groups in AuthLdapPrivs.json.
    3. If no local user exists and LDAP privileges are not in use, use auth_default_privilege from opCommon.json if it is set, and auth_default_groups if that is set.

auth_default_privilege and auth_default_groups

When accessing NMIS, you have a choice on how to handle authenticated users who have no authorisations defined: you can reject them, or you can allow them default access. This means you do not have to define every user in the system when the authentication system provides a reduced list of users. To have such users become an operator or guest by default and be able to see all groups of devices, set the following:

'auth_default_privilege' => 'guest',
'auth_default_groups' => 'all'

To prevent default authorisation, define both as blank, which is the default in the NMIS install configuration. Keep in mind that a non-blank default applies to every authenticated user who is not otherwise defined, so only set it if you intend all of them to see all devices at that privilege level.
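To make the three-step lookup order from the Caveats section and the default-access fallback above concrete, here is an added example that models the resolution in Python. It is not Opmantek's code: Users.nmis and AuthLdapPrivs.json are stood in by constructed dicts (the real AuthLdapPrivs.json layout is elided on this page, so the structure used here is an assumption), the LDAP lookup is a stub returning constructed memberOf values in the CN=...,CN=Users,DC=... form that auth_ldap_group requires, and the names group_cn and resolve_privilege are hypothetical. Where the page does not say what happens (several LDAP groups matching, LDAP enabled but no group matching), the code states its assumption in a comment.

```python
import re

# Constructed sample local user table (stands in for Users.nmis; the real
# file is Perl data, modelled here as a dict).
LOCAL_USERS = {
    "alice": {"privilege": "administrator", "groups": "all"},
}

# Constructed mapping from LDAP group CN to NMIS privilege and groups
# (stands in for AuthLdapPrivs.json; the real file's layout is not shown
# on this page, so this structure is an assumption).
LDAP_PRIVS = {
    "OMK Ops": {"privilege": "operator", "groups": "DataCenter,Branches"},
    "OMK Readonly": {"privilege": "guest", "groups": "all"},
}

# Constructed memberOf values as an Active Directory server would return
# them; stands in for the live lookup against auth_ldap_server.
LDAP_MEMBER_OF = {
    "bob": [
        "CN=OMK Ops,CN=Users,DC=opmantek,DC=local",
        "CN=Domain Users,CN=Users,DC=opmantek,DC=local",
    ],
    "carol": ["CN=Domain Users,CN=Users,DC=opmantek,DC=local"],
}

_LEADING_CN = re.compile(r"^CN=([^,]+)", re.IGNORECASE)


def group_cn(dn):
    """Return the leading CN of a memberOf DN, e.g.
    'CN=OMK Ops,CN=Users,DC=opmantek,DC=local' -> 'OMK Ops'.
    Returns None for values that do not start with a CN, so a
    malformed or unexpected attribute value never matches a mapping."""
    m = _LEADING_CN.match(dn.strip())
    return m.group(1).strip() if m else None


def resolve_privilege(user, config, local_users=LOCAL_USERS,
                      ldap_privs=LDAP_PRIVS, member_of=LDAP_MEMBER_OF):
    """Apply the three-step order from the Caveats section.

    config holds the relevant opCommon.json items (auth_ldap_privs,
    auth_default_privilege, auth_default_groups).  Returns a dict with
    privilege, groups and the source that supplied them, or None when
    the authenticated user gets no authorisation (i.e. is rejected).
    """
    # 1. A local user always wins, even when auth_ldap_privs is enabled.
    if user in local_users:
        entry = local_users[user]
        return {"privilege": entry["privilege"],
                "groups": entry["groups"], "source": "local"}

    # 2. No local user and LDAP-learnt privileges enabled: map the user's
    #    memberOf groups through the mapping file.  Assumption: when
    #    several groups match, the first one in mapping-file order is
    #    used; the page does not say how ties are broken.
    if str(config.get("auth_ldap_privs", 0)) == "1":
        cns = {group_cn(dn) for dn in member_of.get(user, [])}
        for cn, entry in ldap_privs.items():
            if cn in cns:
                return {"privilege": entry["privilege"],
                        "groups": entry["groups"], "source": "ldap"}
        # Assumption: LDAP mode with no matching group yields no
        # authorisation; step 3 is documented only for the non-LDAP case.
        return None

    # 3. Neither local nor LDAP: fall back to the defaults, which are
    #    blank (reject) in a fresh install.
    default_priv = config.get("auth_default_privilege", "")
    if default_priv:
        return {"privilege": default_priv,
                "groups": config.get("auth_default_groups", ""),
                "source": "default"}
    return None


if __name__ == "__main__":
    cfg = {"auth_ldap_privs": 1}
    for name in ("alice", "bob", "carol"):
        print(name, resolve_privilege(name, cfg))
```

Run as-is, alice resolves from the local table regardless of LDAP, bob picks up operator on DataCenter,Branches from the OMK Ops group, and carol, who is only in Domain Users, gets nothing. The case worth checking in your own deployment is the last one with auth_ldap_privs set to 0: carol is rejected only while auth_default_privilege is blank; setting it to guest with auth_default_groups all gives every such user read access to every device.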

Configuration

Configuration items in opCommon.json

Item              | Example value                 | Description                                                                                            | Default
auth_ldap_privs   | 0/1                           | Set to 1 to enable the feature                                                                         | 0
auth_ldap_server  | server.domain.com:389         | The LDAP server                                                                                        | No default. Entry must be created.
auth_ldap_acc     | administrator@domain.local    | The LDAP account used to perform the search                                                            | No default. Entry must be created.
auth_ldap_psw     | Password                      | The password of the search account                                                                     | No default. Entry must be created.
auth_ldap_context | CN=Users,DC=opmantek,DC=local | The base of the search                                                                                 | No default. Entry must be created.
auth_ldap_group   | memberOf                      | The attribute in which to look up the group values. Values must follow the form CN=OMK Ops,CN=Users,DC=opmantek,DC=local | memberOf

The mapping file

The mapping file by default, is named AuthLdapPrivs.json and it should be placed in <omk_dir>/conf.

...

Once saved, you will need to restart the omkd daemon for the change to take effect.

If your organisation uses ldaps or ms-ldaps authentication, the process is very similar. You will need to replace the auth_ldap attributes with auth_ldaps (for example "auth_ldap_server" becomes "auth_ldaps_server"), or the auth_ms_ldap attributes with auth_ms_ldaps (for example "auth_ms_ldap_server" becomes "auth_ms_ldaps_server").

Examples of integrating ms-ldap, ms-ldaps, ldap, ldaps and other authentication methods can be found here: OMK Authentication Methods

...