Introduction
Authorisation with LDAP allow users to get privileges and groups assigned based on a LDAP group.
If a user belongs to more than one group, the privilege will be selected based on the priority (1 is higher priority than 10):
Prerequisites
- LDAP authentication must be set. See Configuring NMIS to use Active Directory Authentication (ms-ldap or ms-ldaps) and OMK Authentication Methods for further details.
Configuration
Configuration items in opCommon.json
| Item | Example Value | Description | Default |
|---|---|---|---|
| auth_ldap_privs | 0/1 | Set to 1 to enable the feature | 0 |
| auth_ldap_context | CN=Users,DC=opmantek,DC=local | The base search | No defaults. Entry must be created. |
| auth_ldap_acc | administrator@domain.local | The LDAP account to be able to search | No defaults. Entry must be created. |
| auth_ldap_psw | Password | The password for being able to search | No defaults. Entry must be created. |
| auth_ldap_group | memberOf | The attribute to lookup the group values. Must follow: CN=OMK Ops,CN=Users,DC=opmantek,DC=local | memberOf |
| auth_ldap_server | server.domain.com:389 | The LDAP server | No defaults. Entry must be created. |
The mapping file
The mapping file by default, is named AuthLdapPrivs.json and it should be placed in <omk_dir>/conf.
It should contain a list of groups containing:
- privilege
- level
- groups
- priority
As an example:
{
"OMK Admin" : {
"privilege" : "administrator",
"level" : "0",
"groups": "all",
"priority": 1
},
"OMK Eng" : {
"privilege" : "engineer",
"level" : "2",
"groups": "SNMPSIM,GPON",
"priority": 3
}
}
You can find an example in <omk_dir>/install.
It is possible to change the default location/name in the configuration file opCommon.json:
auth_ldap_privs_file