
This document supersedes 'Configuring NMIS to use Active Directory Authentication (ms-ldap or ms-ldaps)' as of March 2024 and covers both traditional LDAP servers and Microsoft Active Directory.


Retired configuration items

The following items from the old ms-ldap/ms-ldaps configuration are no longer used. Each comment names the item that replaces it:

'auth_method_[1-3]' => 'ms-ldap',  # 'ms-ldap' and 'ms-ldaps' are retired; use 'ldap', or 'ldaps' for a TLS-secured connection.

'auth_ldap_context' => 'ou=people,dc=example,dc=com',  # Merged into 'auth_ldap_base'.

'auth_ms_ldap_attr' => 'sAMAccountName',  # Use 'auth_ldap_attr'.

'auth_ms_ldap_base' => 'dc=corp,dc=example,dc=com',  # Use 'auth_ldap_base'.

'auth_ms_ldap_debug' => 'true'/'false',  # Use 'auth_ldap_debug'.

'auth_ms_ldap_dn_acc' => 'CN=omklatam,ou=Services,dc=OPMANTEK,dc=corp',  # Use 'auth_ldap_acc'.

'auth_ms_ldap_dn_psw' => 'password',  # Use 'auth_ldap_psw'.

'auth_ms_ldap_server' => 'host_LDAP:389',  # Use 'auth_ldap_server'.

'auth_ms_ldaps_server' => 'host_LDAP:636',  # Use 'auth_ldaps_server'.


Outline of the current configuration items

'auth_method_[1-3]' => 'ldap',  # Up to three authentication methods. Use 'ldap', or 'ldaps' for LDAP over TLS.

'auth_ldap_acc' => 'CN=omklatam,ou=Services,dc=OPMANTEK,dc=corp',  # Distinguished name of the read-only service account NMIS binds as to search the directory.

'auth_ldap_attr' => 'sAMAccountName cn',  # Space- or comma-separated list of attributes matched against the login name (usually 'sAMAccountName' for Active Directory and 'cn' for standard LDAP).

'auth_ldap_base' => 'dc=corp,dc=example,dc=com',  # Base DN under which users are searched.

'auth_ldap_debug' => 'true'/'false',  # Enable debug mode to capture the LDAP server output (default 'false').

'auth_ldap_psw' => 'password',  # Password of the read-only service account.

'auth_ldap_server' => 'host_LDAP:389',  # LDAP server name and port.

'auth_ldaps_server' => 'host_LDAP:636',  # LDAP server name and port for LDAPS.

'auth_ldaps_capath' => '<pathname>',  # Full path to a directory of trusted CA certificates (OpenSSL CA-directory layout; run 'openssl rehash' or 'c_rehash' on it) used to verify the server certificate.

'auth_ldaps_verify' => 'optional',  # One of 'none', 'optional' or 'require' (default 'optional'). 'none' skips certificate checking entirely and leaves the connection open to interception; use 'require' in production.


Aspects to consider:

NOTE on LDAPS (SSL/TLS)

To use SSL/TLS secured LDAP (LDAPS) see the differences in the table in User Management in NMIS8.

In summary it requires the optional Perl modules IO::Socket::SSL and Net::LDAPS and uses the config items:
'auth_method_1' => 'ldaps'
'auth_ldaps_server' => 'host[:port]'    (note the s at the end of ldaps vs ldap)

If you use an internal CA for your AD LDAP certificates, import your internal root CA public certificate into the directory named by 'auth_ldaps_capath' (or into the OS trust store) so that the server certificate can be verified; follow the procedure for your NMIS server's operating system.


LDAP base: the base is the root of the LDAP/Active Directory subtree in which the users who need to authenticate are searched. Taking the example directory structure as a reference, the base is:

'auth_ldap_base' => 'dc=OPMANTEK,dc=corp',   # base to search in LDAP

(The former 'auth_ldap_context' item carried the same value and has been merged into 'auth_ldap_base'.)

LDAP account: the account is the service account NMIS binds to the LDAP server with, in order to search the directory for users. It only needs read access. Its DN is built from the container hierarchy, leaf first:

The first part is the service account username, CN=omklatam.

The second part is the OU=Services container.

The third part is the domain, DC=OPMANTEK and DC=corp.

The result is:

'auth_ldap_acc' => 'CN=omklatam,ou=Services,dc=OPMANTEK,dc=corp',

DNs are written on this page without spaces around '=' and ','; that form is accepted by every server.


To find the user and group base DN, run a query from any member server on your Windows domain:

Finding the User Base DN

For Windows:

  • Open a Windows command prompt.
  • Type the command:

    dsquery user -name <known username>

Example: to list all users whose name starts with "John", enter the name as John* (dsquery expands the wildcard). The result will look like:

    "CN=John.Smith,CN=Users,DC=MyDomain,DC=com"

The part after the user's own CN (here CN=Users,DC=MyDomain,DC=com, or just DC=MyDomain,DC=com to search the whole domain) is what goes into 'auth_ldap_base'.

Installing the Perl modules

  • Make sure Net::LDAP is up to date (minimum version 0.64):

[root@opmantek]# cpan Net::LDAP

  • Make sure IO::Socket::SSL is new enough (version 1.998 or newer):

[root@opmantek]# cpan -f IO::Socket::SSL

The -f flag forces the install even if the module's own tests fail; try without it first, or install your distribution's packages instead (perl-LDAP and perl-IO-Socket-SSL on RedHat-based systems, libnet-ldap-perl and libio-socket-ssl-perl on Debian-based systems).

...

For standard LDAP, or from Linux or Windows against Active Directory, use the standard 'ldapsearch' command:

  • Open a terminal shell.
  • Type one of the following:

    ldapsearch -H ldap://<server>:389 -x -b "dc=MyDomain,dc=com"   <- all users, anonymous bind
        ... or ...
    ldapsearch -H ldap://<server>:389 -x -b "dc=MyDomain,dc=com" -D "cn=admin,dc=MyDomain,dc=com" -w 'MyAdminPassword'   <- all users, authenticated bind
        ... or ...
    ldapsearch -H ldap://<server>:389 -x -b "dc=MyDomain,dc=com" "(|(sAMAccountName=john)(cn=john)(uid=john))"   <- the user "john", anonymous bind
        ... or ...
    ldapsearch -H ldap://<server>:389 -x -b "dc=MyDomain,dc=com" -D "cn=admin,dc=MyDomain,dc=com" -w 'MyAdminPassword' "(|(sAMAccountName=john)(cn=john)(uid=john))"   <- the user "john", authenticated bind

Active Directory does not allow anonymous searches by default, so against AD the authenticated forms are the ones that normally return results. Passing the password with -w leaves it in the process list and shell history; -W prompts for it instead.

Example: to find all users whose name starts with "John", use a wildcard in the filter, e.g. "(cn=john*)". The result will look like:

         ... All Users ...
    dn: cn=john,dc=MyDomain,dc=com
    dn: cn=steve,dc=MyDomain,dc=com
         ... John ...
    dn: cn=john,dc=MyDomain,dc=com



NMIS configuration

  • Set the configuration items as above in /usr/local/nmis8/conf/Config.nmis.
  • If the user already exists as a user in NMIS, or if you want to add one:
    • Add users through the GUI or directly in conf/Users.nmis. The User field for each user must match the user's "sAMAccountName" attribute in AD, or typically the 'cn' in standard LDAP. The Privilege should be set to the appropriate authorisation level.
    • See User Management in NMIS8#AuthorisationinNMIS for more information on NMIS user authorisation.
  • If the user exists and has privileges set in NMIS, the local configuration will be used.
  • If the user does not exist, the file '<config_dir>/AuthLdapPrivs.json' will be consulted.
  • Log in to the NMIS portal with the user's LDAP credentials.


Testing LDAP access

  • Install the following packages for troubleshooting.

RedHat-based systems:

[root@opmantek]# yum -y install openldap-clients nss-pam-ldapd

Debian-based systems:

[root@opmantek]# apt install ldap-utils libnet-ldap-perl

(ldapsearch is provided by openldap-clients or ldap-utils; libnet-ldap-perl is the Net::LDAP module NMIS itself uses.)

Verify LDAP connectivity

Using ldapsearch, you will have to set -H, -b and -D. They can be taken from your current NMIS LDAP configuration: -H is auth_ldap_server (or auth_ldaps_server), -b is auth_ldap_base, -D is auth_ldap_acc and -w is auth_ldap_psw.

ldapsearch -H ldap://ip_LDAP:389 -x -b "ou=User container,dc=domain,dc=domain" -D "cn=user_ldap,dc=domain,dc=domain" -w 'password_user' -ZZ -d 9

-ZZ upgrades the port-389 connection with StartTLS and aborts if TLS cannot be established; -d 9 prints debug output, including the TLS handshake. To test an LDAPS listener instead, use -H ldaps://ip_LDAP:636 without -ZZ.

Note: if ldapsearch reports a certificate error, the server certificate did not verify against the CAs the client trusts. Do not treat this as harmless: the connection is not authenticated, and NMIS configured with 'auth_ldaps_verify' => 'require' will refuse the same server. Fix it by adding your internal root CA to the client's trust store (TLS_CACERT or TLS_CACERTDIR in ldap.conf for ldapsearch, 'auth_ldaps_capath' for NMIS) and re-run the query.
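The following script is an added example and not part of NMIS or this page's original content. It ties together the configuration outline, the DN construction above and the connectivity test in one run: it checks that 'auth_ldap_acc' and 'auth_ldap_base' parse as DNs, connects over LDAPS with certificate verification enforced, binds as the read-only service account, searches for the login name using the attributes listed in 'auth_ldap_attr', and then re-binds as the user's own DN with the supplied password. The host dc01.corp.example.com, the CA directory /etc/pki/nmis-ldap-ca, the service-account password and the test user are placeholders to replace with your own; the config keys are the ones documented on this page.

```perl
#!/usr/bin/perl
# Added example (not NMIS code): exercise an 'auth_ldap_*' configuration the way an
# LDAP login is validated: TLS connect with verification, service bind, user search,
# then re-bind as the user. Requires Net::LDAP and IO::Socket::SSL.
# Assumptions: the server name, CA directory, service password and test user below
# are placeholders for illustration only.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_explode_dn canonical_dn escape_filter_value);

# Hardened settings: LDAPS, verify => 'require', and a CA directory holding the
# internal root CA (run 'openssl rehash' or 'c_rehash' on it so OpenSSL can find it).
my %C = (
    'auth_method_1'     => 'ldaps',
    'auth_ldaps_server' => 'dc01.corp.example.com:636',   # placeholder
    'auth_ldaps_capath' => '/etc/pki/nmis-ldap-ca',       # placeholder
    'auth_ldaps_verify' => 'require',
    'auth_ldap_acc'     => 'CN=omklatam,ou=Services,dc=OPMANTEK,dc=corp',
    'auth_ldap_psw'     => 'service-account-password',    # placeholder
    'auth_ldap_base'    => 'dc=OPMANTEK,dc=corp',
    'auth_ldap_attr'    => 'sAMAccountName cn',
);
# Weak alternatives, shown only for contrast: plaintext LDAP on 389
#   ('auth_method_1' => 'ldap', 'auth_ldap_server' => 'dc01.corp.example.com:389')
# or LDAPS with 'auth_ldaps_verify' => 'none'. Both send the service-account and
# user passwords to whatever answers at that address; do not use them in production.

my ($user, $pass) = @ARGV;
die "usage: $0 <login name> <password>\n" unless defined $user && defined $pass;

# 1. Sanity-check the DNs before touching the network.
for my $k ('auth_ldap_acc', 'auth_ldap_base') {
    my $rdns = ldap_explode_dn($C{$k});
    die "$k: '$C{$k}' does not parse as a DN\n" unless $rdns && @$rdns;
    printf "%-16s -> %s\n", $k, canonical_dn($C{$k});
}
warn "WARNING: auth_ldaps_verify is '$C{auth_ldaps_verify}'; use 'require' to reject an untrusted server certificate\n"
    if $C{auth_ldaps_verify} ne 'require';

# 2. Connect. Net::LDAP passes verify/capath through to IO::Socket::SSL.
my ($host, $port) = split /:/, $C{auth_ldaps_server};
my $ldap = Net::LDAP->new($host,
    port    => $port || 636,
    scheme  => 'ldaps',
    verify  => $C{auth_ldaps_verify},
    capath  => $C{auth_ldaps_capath},
    timeout => 10,
) or die "connect to $C{auth_ldaps_server} failed: $@\n";
print "TLS connection established and server certificate verified\n";

# 3. Bind as the read-only service account ('auth_ldap_acc' / 'auth_ldap_psw').
my $m = $ldap->bind($C{auth_ldap_acc}, password => $C{auth_ldap_psw});
die 'service bind failed: ' . $m->error . "\n" if $m->code;

# 4. Build the search filter from 'auth_ldap_attr' (space- or comma-separated): the
#    same OR-of-attributes shape as the ldapsearch examples above. escape_filter_value
#    stops a login name such as "*)(objectClass=*" from changing the filter's meaning.
my @attrs  = grep { length } split /[\s,]+/, $C{auth_ldap_attr};
my $safe   = escape_filter_value($user);
my $filter = '(|' . join('', map { "($_=$safe)" } @attrs) . ')';
print "search filter: $filter\n";

# attrs => ['1.1'] asks for no attributes; we only need the matching DN.
$m = $ldap->search(base => $C{auth_ldap_base}, scope => 'sub',
                   filter => $filter, attrs => ['1.1']);
die 'search failed: ' . $m->error . "\n" if $m->code;
die "user '$user' not found under $C{auth_ldap_base}\n" if $m->count == 0;
die 'filter matched ' . $m->count . " entries; tighten auth_ldap_attr or auth_ldap_base\n"
    if $m->count > 1;
my $user_dn = $m->entry(0)->dn;
print "found: $user_dn\n";

# 5. Prove the password by re-binding as the user. The password is never compared
#    locally; the directory does it, which is why the service account needs only read.
$m = $ldap->bind($user_dn, password => $pass);
print $m->code ? 'LOGIN FAILED: ' . $m->error . "\n" : "LOGIN OK for $user_dn\n";
$ldap->unbind;
exit($m->code ? 1 : 0);
```

Run it as `perl ldap-check.pl dreed 'the-user-password'`. A certificate error at step 2 is the same failure that ldapsearch reports above, and the fix is the same: put the internal root CA into the 'auth_ldaps_capath' directory rather than lowering 'auth_ldaps_verify'. A clean pass through all five steps means the values can be copied into Config.nmis unchanged.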

