External Authentication Recipes

Sample Configuration "Local Authentication and AD LDAP Authentication"

Modify the <authentication-manager> section of $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml to uncomment the externalAuthenticationProvider bean reference, so that both providers are active:

    <authentication-provider ref="hybridAuthenticationProvider" />
    <!-- To enable external (e.g. LDAP, RADIUS) authentication, uncomment the following.
         You must also rename and customize exactly ONE of the example files in the
         spring-security.d subdirectory. -->
    <authentication-provider ref="externalAuthenticationProvider" />

This adds LDAP authentication alongside the normal (local) OpenNMS user authentication rather than replacing it.

Copy spring-security.d/activeDirectory.xml.disabled to $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/spring-security.d/activeDirectory.xml (or another filename of your choice, as long as it ends in .xml). Most of this file is boilerplate, but you will need to customize the following items to match your own AD environment:

  • AD LDAP server URLs (list just one, or as many as you like):
        <beans:value>ldap://ad-dc1.example.org:389/</beans:value>
        <beans:value>ldap://ad-dc2.example.org:389/</beans:value>
  • The optional base distinguished name (DN) for searches. You can omit it (which may carry a large performance penalty) or do fancier things if you know what you're doing, but usually it should be set to a DN describing the root of your AD domain:
        <beans:property name="base" value="dc=example,dc=org" />
  • The account principal and password to use when binding to the AD LDAP server:
        <beans:property name="defaultUser" value="opennms_bind_username"/>
        <beans:property name="defaultPassword" value="ulfsentme"/>
    In some cases, rather than specifying the defaultUser property as an LDAP principal, it is necessary to give it in USER@DOMAIN form:
        <beans:property name="defaultUser" value="opennms_bind@example.org"/>
  • The search base and filter used to look up users in the directory, and whether to search sub-trees:
        <beans:constructor-arg index="0" value="ou=Users" />
    ...
        <beans:constructor-arg index="1" value="(sAMAccountName={0})" />
    ...
        <beans:property name="searchSubtree" value="true" />
  • The names of the AD groups to which normal OpenNMS users and OpenNMS administrators must belong in order to be assigned the respective roles in the authorization phase:
        <!-- Name of the AD group for normal (non-admin) OpenNMS users -->
        <beans:key><beans:value>OpenNMS-Users</beans:value></beans:key>
    ...
        <!-- Name of the AD group for OpenNMS administrators -->
        <beans:key><beans:value>OpenNMS-Admins</beans:value></beans:key>

OpenNMS must be restarted for Spring Security configuration changes to take effect.

List of Roles

ROLE             DESCRIPTION
ROLE_USER        OpenNMS User  <== Must be included with each group.
ROLE_ADMIN       OpenNMS Administrator
ROLE_READONLY    OpenNMS Read-Only User
ROLE_DASHBOARD   OpenNMS Dashboard User
ROLE_RTC         OpenNMS RTC Daemon
ROLE_PROVISION   OpenNMS Provision User
ROLE_REMOTING    OpenNMS Remote Poller User
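As an added example (not part of the original page or of OpenNMS itself), the script below models the authorization phase described above: it takes the memberOf attributes from a constructed ldapsearch-style LDIF result, maps the AD group names to OpenNMS roles using a dictionary that stands in for the group-to-role map in activeDirectory.xml, and flags any group whose role list omits ROLE_USER, the mistake the roles table warns about. The group names, role lists and the sample user are assumptions for illustration.

```python
import re

# Stand-in for the group-to-role map in activeDirectory.xml (constructed, not the real file).
# Each AD group CN maps to the OpenNMS roles it grants.
GROUP_TO_ROLES = {
    "OpenNMS-Users": ["ROLE_USER"],
    "OpenNMS-Admins": ["ROLE_USER", "ROLE_ADMIN"],
    "OpenNMS-ReadOnly": ["ROLE_READONLY"],  # deliberately missing ROLE_USER
}

# Constructed ldapsearch-style LDIF for one AD user; memberOf lists the groups.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=example,DC=org
sAMAccountName: jdoe
memberOf: CN=OpenNMS-Admins,OU=Groups,DC=example,DC=org
memberOf: CN=Domain Users,CN=Users,DC=example,DC=org
"""

MEMBER_OF = re.compile(r"^memberOf:\s*CN=([^,]+),", re.IGNORECASE)


def groups_from_ldif(ldif):
    """Return the group CNs named in the memberOf attributes of an LDIF entry."""
    return [m.group(1) for line in ldif.splitlines() if (m := MEMBER_OF.match(line))]


def roles_for(ldif, group_to_roles=GROUP_TO_ROLES):
    """Resolve OpenNMS roles for a user the way a group-to-role map would.

    Groups not present in the map grant nothing, so a user in no mapped
    group ends up with an empty role set and cannot log in.
    """
    roles = set()
    for group in groups_from_ldif(ldif):
        roles.update(group_to_roles.get(group, []))
    return sorted(roles)


def groups_missing_role_user(group_to_roles=GROUP_TO_ROLES):
    """Flag mapped groups whose role list omits ROLE_USER (see the roles table)."""
    return sorted(g for g, roles in group_to_roles.items() if "ROLE_USER" not in roles)


if __name__ == "__main__":
    print("jdoe ->", roles_for(SAMPLE_LDIF))
    print("groups missing ROLE_USER ->", groups_missing_role_user())
```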