These instructions assume the Opmantek VM is being used. If it is not, your mileage may vary (e.g. certutil and the certdb are not supported by older versions of IO::Socket::SSL).
One issue with getting NMIS to authenticate using secure LDAP is getting the CA certificate installed on the NMIS server and having NMIS send it when it connects. These instructions are here to help with that process. They do not cover getting your Active Directory server to use or allow secure LDAP in the first place; there are plenty of resources on the internet to help with this already. A simple way to test whether your server already supports this is the ldp program on your Windows server (with SSL checked, connectionless unchecked, and the correct port and server).
  1. Make sure Net::LDAP is up to date (minimum version 0.64)
    1. cpan Net::LDAP
  2. Make sure IO::Socket::SSL is new enough (must be 1.998 or newer)
    1. cpan -f IO::Socket::SSL (-f is needed because some tests don't pass on some VMs)
  3. Copy the CA cert onto the server. In this example it goes into /tmp/YOUR_CACERT.pem; only PEM files have been tested, others may work.

  4. Add the CA cert into the DB (the command requires a nickname for the cert as well as the path to the cert copied onto the server)

  5. Verify the cert is in the DB

  6. Verify LDAP connectivity using ldapsearch. You will have to set -H, -b and -D; they can come from your current NMIS ms-ldap config if you have one: -b is auth_ms_ldap_base, -D is auth_ms_ldap_dn_acc:

  7. Change the NMIS Auth code to use the certificate directory. Note that it uses LDAP instead of LDAPS and adds a new line with a new config item.

  8. Modify the configuration to use ms-ldaps and set the new auth_openldap_certs path

  9. Test login, check /var/log/httpd/error_log and /usr/local/nmis8/logs/auth.log for issues.
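A pre-flight script that checks steps 1, 2, 3 and 6 from the command line before touching the NMIS Auth code. This is an added example, not part of NMIS or the Opmantek documentation; it assumes perl and openssl are on PATH, takes the LDAPS host, port and the CA cert path from step 3 as arguments, and validates the server's chain with openssl directly against the PEM file (independently of the certdb used in step 4). The hostname in the usage line is a placeholder.

```shell
#!/bin/sh
# Added pre-flight checker for the NMIS secure LDAP steps (not Opmantek's own script).
# Assumes: perl and openssl on PATH; args are LDAPS host, port, CA cert path (step 3).

# Perl module versions are decimals (1.95 < 1.998 < 2.024), so compare numerically,
# not field by field.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN { exit !(a + 0 >= b + 0) }'
}

# Echo OK or FAIL for an installed version against the page's stated minimum.
module_status() {
  have=$1; min=$2
  if [ "$have" != missing ] && version_ge "$have" "$min"; then echo OK; else echo FAIL; fi
}

# Installed version of a Perl module, or "missing" (steps 1 and 2).
perl_module_version() {
  perl -M"$1" -e 'print $'"$1"'::VERSION' 2>/dev/null || echo missing
}

# Step 3 says only PEM has been tested: confirm the file parses as a PEM X.509 cert.
check_pem() {
  openssl x509 -in "$1" -noout -subject -enddate 2>/dev/null
}

# TLS-layer counterpart of step 6: does the server's chain verify against the copied CA?
check_ldaps_chain() {
  printf '' | openssl s_client -connect "$1:$2" -CAfile "$3" 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

preflight() {
  host=$1; port=${2:-636}; cacert=$3; rc=0
  for mod in Net::LDAP IO::Socket::SSL; do
    case $mod in Net::LDAP) min=0.64 ;; *) min=1.998 ;; esac
    have=$(perl_module_version "$mod")
    st=$(module_status "$have" "$min")
    echo "$st  $mod $have (need >= $min)"
    [ "$st" = OK ] || rc=1
  done
  if check_pem "$cacert"; then echo "OK  $cacert is a PEM X.509 cert"
  else echo "FAIL  $cacert is not a PEM X.509 cert"; rc=1; fi
  if check_ldaps_chain "$host" "$port" "$cacert"; then echo "OK  $host:$port verifies with $cacert"
  else echo "FAIL  $host:$port did not verify with $cacert"; rc=1; fi
  return $rc
}

# Usage: sh nmis_ldaps_preflight.sh ad.example.com 636 /tmp/YOUR_CACERT.pem
if [ $# -ge 1 ]; then preflight "$@"; fi
```

A FAIL on the chain check with a PEM that passes check_pem usually means the file holds an intermediate rather than the root the AD server's certificate chains to, or the hostname does not match the certificate.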

Users.nmis will need to have an entry for each user who can authenticate or the default settings for a user will need to be set.
