External Authentication Recipes

From OpenNMS

Examples for obsolete versions of OpenNMS (1.10 and older) have been relocated to Obsolete External Authentication Recipes. Anybody with the time to adapt the valuable techniques in those examples to the new reality is welcome to do so in this article.

Sample Configuration "Local Authentication and AD LDAP Authentication (OpenNMS 1.12.6/Spring Security 3.1.0)"

OpenNMS Version

OpenNMS version 1.12.6 and later

Spring Security Version

Spring Security 3.1.0 as integrated in OpenNMS 1.12.6

Modify the <authentication-manager> section of $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml to uncomment the externalAuthenticationProvider bean reference:

    <authentication-provider ref="hybridAuthenticationProvider" />
    <!-- To enable external (e.g. LDAP, RADIUS) authentication, uncomment the following.
         You must also rename and customize exactly ONE of the example files in the
         spring-security.d subdirectory. -->
    <authentication-provider ref="externalAuthenticationProvider" />

This adds LDAP authentication in addition to the normal user authentication.

Copy spring-security.d/activeDirectory.xml.disabled to $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/spring-security.d/activeDirectory.xml or another filename of your choice, as long as it ends in .xml. Most of this file is boilerplate, but you will need to customize the following items to match your own AD environment:

  • AD LDAP server URLs (list just one, or as many as you like):
        <beans:value>ldap://ad-dc1.example.org:389/</beans:value>
        <beans:value>ldap://ad-dc2.example.org:389/</beans:value>
  • The optional base distinguished name (DN) for searches. You can omit it (which may carry a large performance penalty) or do fancier things if you know what you're doing, but usually it should be set to the DN of the root of your AD domain:
    <beans:property name="base" value="dc=example,dc=org" />
  • The account principal and password to use when binding to the AD LDAP server:
    <beans:property name="defaultUser" value="opennms_bind_username"/>
    <beans:property name="defaultPassword" value="ulfsentme"/>

In some cases, rather than specifying the defaultUser property as an LDAP principal, it's necessary to list it in USER@DOMAIN form:

    <beans:property name="defaultUser" value="opennms_bind@example.org"/>
  • The filter and query used to search for users in the directory, and whether to search sub-trees:
    <beans:constructor-arg index="0" value="ou=Users" />
...
    <beans:constructor-arg index="1" value="(sAMAccountName={0})" />
...
    <beans:property name="searchSubtree" value="true" />
  • The names of the AD groups to which normal OpenNMS users and OpenNMS administrators must belong in order to have the respective roles assigned to them in the authorization phase:
          <!-- Name of the AD group for normal (non-admin) OpenNMS users -->
          <beans:key><beans:value>OpenNMS-Users</beans:value></beans:key>
...
          <!-- Name of the AD group for OpenNMS administrators -->
          <beans:key><beans:value>OpenNMS-Admins</beans:value></beans:key>
  • OpenNMS must be restarted for Spring Security configuration changes to take effect.

List of Roles

ROLE             DESCRIPTION
ROLE_USER        OpenNMS User (must be included with every group you map, alongside any other role)
ROLE_ADMIN       OpenNMS Administrator
ROLE_READONLY    OpenNMS Read-Only User
ROLE_DASHBOARD   OpenNMS Dashboard User
ROLE_RTC         OpenNMS RTC Daemon
ROLE_PROVISION   OpenNMS Provision User
ROLE_REMOTING    OpenNMS Remote Poller User
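The user search and the group-to-role mapping described above, as an added example that is not OpenNMS code: a small Python script that reads the customizable settings out of a constructed XML fragment shaped like the snippets above (the bean ids, the class names and the fragment itself are assumptions, not the contents of activeDirectory.xml), substitutes a login name into the (sAMAccountName={0}) filter with RFC 4515 escaping so that a login containing filter metacharacters cannot change the query, and derives OpenNMS roles from a user's memberOf group DNs, including a lint check that every mapped group also grants ROLE_USER as the roles table requires.

```python
"""Offline checks for an OpenNMS-style AD/LDAP Spring Security configuration.

Added example, not part of the OpenNMS wiki page or code base. The XML below
is a constructed fragment that only mimics the customized parts shown above;
the bean ids and class names in it are hypothetical.
"""
import xml.etree.ElementTree as ET

NS = {"beans": "http://www.springframework.org/schema/beans"}

# Constructed sample: the settings a user customizes, in the shape shown above.
SAMPLE_XML = """<beans:beans xmlns:beans="http://www.springframework.org/schema/beans">
  <beans:bean id="contextSource" class="example.HypotheticalContextSource">
    <beans:constructor-arg>
      <beans:list>
        <beans:value>ldap://ad-dc1.example.org:389/</beans:value>
        <beans:value>ldap://ad-dc2.example.org:389/</beans:value>
      </beans:list>
    </beans:constructor-arg>
    <beans:property name="base" value="dc=example,dc=org" />
    <beans:property name="defaultUser" value="opennms_bind@example.org"/>
    <beans:property name="defaultPassword" value="ulfsentme"/>
  </beans:bean>
  <beans:bean id="userSearch" class="example.HypotheticalUserSearch">
    <beans:constructor-arg index="0" value="ou=Users" />
    <beans:constructor-arg index="1" value="(sAMAccountName={0})" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
</beans:beans>"""

# Group-to-role map in the spirit of the beans:key entries above; each group
# carries ROLE_USER as well, as the roles table requires.
GROUP_TO_ROLES = {
    "OpenNMS-Users": ["ROLE_USER"],
    "OpenNMS-Admins": ["ROLE_USER", "ROLE_ADMIN"],
}


def _properties(bean):
    """Map of <beans:property name=... value=...> entries of one bean."""
    return {p.get("name"): p.get("value") for p in bean.findall("beans:property", NS)}


def load_config(xml_text):
    """Pull the customizable settings out of the fragment into a plain dict."""
    root = ET.fromstring(xml_text)
    beans = {b.get("id"): b for b in root.findall("beans:bean", NS)}
    ctx, search = beans["contextSource"], beans["userSearch"]
    args = {a.get("index"): a.get("value")
            for a in search.findall("beans:constructor-arg", NS)}
    return {
        "urls": [v.text for v in ctx.findall(".//beans:value", NS)],
        "base": _properties(ctx)["base"],
        "bind_user": _properties(ctx)["defaultUser"],
        "search_base": args["0"],
        "filter": args["1"],
        "subtree": _properties(search).get("searchSubtree", "false").lower() == "true",
    }


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_user_filter(filter_template, login):
    """Substitute the login into the {0} placeholder the way a safe user search must."""
    return filter_template.replace("{0}", escape_filter_value(login))


def _cn_of(dn):
    """Value of the DN's leading CN RDN (assumes no escaped commas in that RDN)."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    return value if key.strip().lower() == "cn" else None


def roles_for(member_of, group_to_roles=GROUP_TO_ROLES):
    """Authorization phase: roles granted from the user's memberOf group DNs."""
    roles = set()
    for dn in member_of:
        roles.update(group_to_roles.get(_cn_of(dn), []))
    return sorted(roles)


def groups_missing_role_user(group_to_roles):
    """Config lint: a mapped group that lacks ROLE_USER yields a login that cannot use the UI."""
    return sorted(g for g, roles in group_to_roles.items() if "ROLE_USER" not in roles)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_XML)
    print("servers:", ", ".join(cfg["urls"]))
    print("filter for jdoe:", build_user_filter(cfg["filter"], "jdoe"))
    sample_member_of = ["CN=OpenNMS-Admins,OU=Groups,DC=example,DC=org",
                        "CN=Domain Users,CN=Users,DC=example,DC=org"]
    print("roles:", roles_for(sample_member_of))
    print("groups lacking ROLE_USER:", groups_missing_role_user(GROUP_TO_ROLES))
```

Run it as-is to see the parsed servers, the escaped filter and the derived roles for the constructed membership list; point load_config at your own customized file only if its bean ids match the hypothetical ones used here. The escaping step is the part worth keeping in mind when you edit the search filter: the {0} placeholder is replaced by the login name, so whatever performs that substitution must escape the value rather than paste it in verbatim.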