...
OMK authentication methods are configured in /usr/local/omk/conf/opCommon.nmis inside the authentication hash. This entire file is a perl PERL hash, so be mindful of the syntax. After editing this file, a 'perl -c opCommon.nmis' will verify if the syntax is correct. For authentication method changes to take effect, the omkd service will need to be restarted. Here 's is an example of the authentication hash inside opCommon.nmis. Remember that statements preceded by the '#' sign are 'commented out' and will not be evaluated.
...
Configuration of the External Authentications
In the OMK configuration, you can configure multiple methods, which are used for auth failure. Therefore, for example, so if ms-ldap fails, it will fail back to htpasswd for example. This This means, if you set auth_method_1 to be ldap and authand auth_method_2 to be htpasswd, and login with the default NMIS credentials (and you have not changed the password), the authentication for LDAP will fail, and then authentication with the users.dat will succeed and the user will be logged in.
...
| Warning |
|---|
Authentication methods are evaluated in sequence. The first method that returns successful authentication, terminates the authentication process. If a method returns an unsuccessful authentication, the process does not terminate, the next authentication method will be evaluated. Consider the following scenario when provisioning authentication for OMK applications.
|
NMIS9 Notes
From NMIS9, changes will instead need to be made to the opCommon.json configuration file (located in /usr/local/omk/conf/). As we are using .json format files instead of .nmis, the format of the attributes to use is slightly different. See below for an example using the examples below:
LDAP:
| Code Block | ||
|---|---|---|
| ||
"authentication" : {
"auth_ldap_server" : "the_fqdn_of_your_ad_server:389", # you could also use an IP address here, but you need to ensure that the LDAP/LDAPS port is added in the value, eg. 192.168.1.22:389
"auth_ldap_acc" : "svc_omk_admin@contoso.local",
"auth_ldap_dn_psw" : "password_of_the_auth_ldap_acc_above",
"auth_ldap_context" : "dc=contoso,dc=local",
}, |
LDAPS (Secure)
| Code Block | ||
|---|---|---|
| ||
"authentication" : {
"auth_ldaps_server" : "the_fqdn_of_your_ad_server:389", # you could also use an IP address here, but you need to ensure that the LDAP/LDAPS port is added in the value, eg. 192.168.1.22:389
"auth_ldap_acc" : "svc_omk_admin@contoso.local",
"auth_ldap_dn_psw" : "password_of_the_auth_ldap_acc_above",
"auth_ldap_context" : "dc=contoso,dc=local",
}, |
TACACS:
| Code Block |
|---|
"auth_tacacs_server" : "host:port", "auth_tacacs_secret" : "secret", |
MS-LDAP
An example of integrating your ms-ldap setup with modules such as opConfig, opEvents, opCharts etc. is below. Ensure you have also included ms-ldap as in one of the auth_methods:
| Code Block | ||
|---|---|---|
| ||
"authentication" : {
...
"auth_ms_ldap_server" : "IP_ADDRESS_OF_YOUR_MS_LDAP_SERVER", #eg. 192.168.1.22
"auth_ms_ldap_dn_acc" : "svc_omk_admin", #you should only need to use the username of the user here, but if this is not successful, you can use username@domain as well.
"auth_ms_ldap_dn_psw" : "password_of_the_dn_acc_above",
"auth_ms_ldap_attr" : "sAMAccountName",
"auth_ms_ldap_base" : "OU=Network Admins,DC=contoso,DC=local",
...
}, |
MS-LDAPS (Secure)
| Code Block | ||
|---|---|---|
| ||
"authentication" : {
...
"auth_ms_ldaps_server" : "IP_ADDRESS_OF_YOUR_MS_LDAPS_SERVER", #eg. 192.168.1.23
"auth_ms_ldap_dn_acc" : "svc_omk_admin", #you should only need to use the username of the user here, but if this is not successful, you can use username@domain as well.
"auth_ms_ldap_dn_psw" : "password_of_the_dn_acc_above",
"auth_ms_ldap_attr" : "sAMAccountName",
"auth_ms_ldap_base" : "OU=Network Admins,DC=contoso,DC=local",
...
}, |
RADIUS
| Code Block |
|---|
"auth_radius_server" : "host:port",
"auth_radius_secret" : "secret", |
Once you have saved the updated opCommon.json configuration, you will then need to restart the omkd daemon.
...