Child pages
  • User Management in NMIS8

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: updated incorrect pam documentation

...

MethodDescription
apacheApache will perform authentication and provide an authenticated user to NMIS, which will have authorisation policies applied.
htpasswdNMIS will use the users defined in the NMIS Users file, by default /usr/local/nmis8/conf/users.dat
ldap

NMIS will use the configured LDAP server to perform authentication

Requires Optional Perl Module: Net::LDAP

 Config:
auth_ldap_server => 'host[:port]'
auth_ldap_attr => '' # attributes to match to username, can be blank, then defaults to ('uid','cn')
auth_ldap_context => 'ou=people,dc=opmantek,dc=com', # base of context to attempt to bind to 

ldaps (secure)

NMIS will use the configured LDAP server to perform authentication

Requires Optional Perl Modules: IO::Socket::SSL and Net::LDAPS

auth_ldaps_server => 'host[:port]'
auth_ldap_attr => '' # attributes to match to username, can be blank, then defaults to ('uid','cn')
auth_ldap_context => 'ou=people,dc=opmantek,dc=com', # base of context to attempt to bind to 

ms-ldap

NMIS will use the configured Microsoft Active Directory (LDAP) server to perform authentication

Requires Optional Perl Module: Net::LDAP

Config:
auth_ms_ldap_server => 'host[:port]'
auth_ms_ldaps_server => 'host[:port]'
auth_ms_ldap_dn_acc => '' # the DN/account to bind with
auth_ms_ldap_dn_psw => 'password'
auth_ms_ldap_attr => 'sAMAccountName', # attribute to match to username
auth_ms_ldap_base => 'dc=corp,dc=opmantek,dc=com' # base to search from

ms-ldaps (secure)

NMIS will use the configured Microsoft Active Directory (LDAP) server to perform authentication

Requires Optional Perl Modules: IO::Socket::SSL and Net::LDAPS

Config:
auth_ms_ldaps_server => 'host[:port]'
auth_ms_ldap_dn_acc => '' # the DN/account to bind with
auth_ms_ldap_dn_psw => 'password'
auth_ms_ldap_attr => 'sAMAccountName', # attribute to match to username
auth_ms_ldap_base => 'dc=corp,dc=opmantek,dc=com' # base to search from

pam

Available in NMIS versions 8.6.8G and newer.

As for the operating system like Debian or Ubuntu pam works out of the box. No special installation or any configuration needed.

However operating system like CentOS or RHEL required to follow some specific steps.

Config:

  • Create pam.d configuration file on nmis8 .The presence of this will cause Linux-PAM to ignore  /etc/pam.conf 
  • Allow web user to access  /etc/shadow with the authorisation to read. 
    • Debian/Ubuntu:
      The webserver user must be able to read the /etc/shadow  file, which can be achieved by adding the webserver user to the shadow  group:
      Run sudo adduser www-data shadow
    • CentOS/RedHat:
      CentOS and RHEL require further configuration steps to enable PAM.
    1. Create a PAM configuration file for NMIS as /etc/pam.d/nmis.
      You might clone /etc/pam.d/login and adjust that.
      Unless an 'nmis' PAM configuration file is present, the default configuration from /etc/pam.conf will  reject any authentication attempts.
    2. Allow web user to read /etc/shadow .
    radius

    NMIS will use the configured radius server (Cisco ACS or Steel Belted Radius for example)

    Requires Optional Perl Modules: Authen::Simple::RADIUS

    Config:
    auth_radius_server => 'host:port'
    auth_radius_secret => 'secret' 

    tacacs

    NMIS will use the configured Tacacs+ server (Cisco ACS for example)

    Requires Optional Perl Modules: Authen::TacacsPlus

    Config:
    auth_tacacs_server => 'host:port'
    auth_tacacs_secret => 'secret' # Also known as the "Key"

    ...