
Overview

The NMISNG::Auth module handles user authentication and authorization for NMIS. It supports multiple authentication backends including local files, LDAP, RADIUS, TACACS+, and more.

Version: 9.6.5
Location: lib/NMISNG/Auth.pm

Authentication

authenticate()

Authenticates a user against the configured authentication backends.

Parameters:
  • username (string, required): username to authenticate
  • password (string, required): password in plaintext. For the local backend it is verified against the stored hash; for LDAP, RADIUS, TACACS+ and PAM it is sent to the backend, which performs the check. It is never stored.
  • config (hash): configuration hash with the auth settings; the example below supplies it to the constructor instead
use strict;
use warnings;
use NMISNG::Auth;

# $config is the NMIS configuration hash holding the auth_* settings.
my $auth = NMISNG::Auth->new(config => $config);
my $user = $auth->authenticate(
    username => 'admin',
    password => 'secret123'
);

# Any false return is a failure; do not tell the client whether the
# username or the password was wrong.
if ($user) {
    print "Authenticated: " . $user->{username};
} else {
    print "Authentication failed";
}
Returns: User hash on success, undef on failure

Supported Authentication Methods

Local (htpasswd)

Uses the Apache htpasswd file format. Config:
'auth_method' => 'htpasswd',
'auth_htpasswd_file' => '/usr/local/nmis9/conf/users.dat'
Stored password hashes: bcrypt. Keep the file outside the web root and readable only by the account NMIS runs as.

LDAP/Active Directory

Authenticates against LDAP server. Config:
'auth_method' => 'ldap',
'auth_ldap_server' => 'ldap://ldap.example.com',
'auth_ldap_dn' => 'cn=%s,ou=users,dc=example,dc=com',
'auth_ldap_ssl' => 1
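The %s in auth_ldap_dn is replaced by the login name to form the bind DN. If the name is substituted unescaped, a login such as alice,ou=admins changes the structure of the DN and the bind is attempted somewhere else in the tree. The following is an added example, not code from NMISNG::Auth, showing the RFC 4514 escaping that must happen before substitution; the function names are this example's own, and the template string is the one from the config above. Net::LDAP::Util::escape_dn_value does the same job if Net::LDAP is installed.

```perl
#!/usr/bin/perl
# Added example (not NMISNG::Auth code): build the bind DN from the
# auth_ldap_dn template safely. The template's %s is replaced by the
# login name, so the name must be escaped per RFC 4514 before
# substitution or a crafted login can change the DN's structure.
use strict;
use warnings;

# Escape one attribute value for use inside a DN (RFC 4514 section 2.4).
sub escape_dn_value {
    my ($value) = @_;
    # Characters that must be backslash-escaped anywhere in the value.
    $value =~ s/([\\,+"<>;=])/\\$1/g;
    # A trailing space, then a leading '#' or space, must be escaped
    # (trailing first, so a value that is a single space is escaped once).
    $value =~ s/( )$/\\$1/;
    $value =~ s/^([# ])/\\$1/;
    # Control characters are written as \XX hex pairs.
    $value =~ s/([\x00-\x1f\x7f])/sprintf('\\%02x', ord $1)/ge;
    return $value;
}

# Build the bind DN from the configured template. Rejects names that are
# empty or implausibly long before they reach the directory.
sub bind_dn_for {
    my ($template, $username) = @_;
    die "empty username\n" unless defined $username && length $username;
    die "username too long\n" if length($username) > 256;
    my $escaped = escape_dn_value($username);
    (my $dn = $template) =~ s/%s/$escaped/;
    return $dn;
}

my $template = 'cn=%s,ou=users,dc=example,dc=com';   # as in the config above

# Constructed inputs: a normal login, one that tries to inject a second
# RDN so the bind lands in a different subtree, a leading space, and an
# embedded '='.
for my $name ('alice', 'alice,ou=admins', ' bob', 'x=y') {
    printf "%-20s -> %s\n", "'$name'", bind_dn_for($template, $name);
}
```

The injected login comes out as cn=alice\,ou\=admins,ou=users,... which is a single, harmless RDN value; the same escaping applies to any value interpolated into an LDAP search filter, where the RFC 4515 rules (escaping *, (, ), \ and NUL) are used instead.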

RADIUS

Authenticates via RADIUS server. Config:
'auth_method' => 'radius',
'auth_radius_server' => 'radius.example.com',
'auth_radius_secret' => 'sharedsecret'

TACACS+

Authenticates via TACACS+ server. Config:
'auth_method' => 'tacacsplus',
'auth_tacacs_server' => 'tacacs.example.com',
'auth_tacacs_secret' => 'secret'

PAM

Uses system PAM authentication. Config:
'auth_method' => 'pam',
'auth_pam_service' => 'nmis'

Authorization

check_access()

Checks whether the user holds the required privilege level.

Parameters:
  • user (hash, required): user object returned by authenticate()
  • required_priv (number, required): required privilege level (0-5)

if ($auth->check_access($user, required_priv => 1)) {
    # User is an Administrator (1) or Super Admin (0)
}

Privilege Levels

Level  Name           Permissions
-----  -------------  --------------------
0      Super Admin    Full system access
1      Administrator  Manage nodes, config
2      Power User     Manage own nodes
3      Operator       Acknowledge events
4      Monitor        View status only
5      Guest          Limited view access

Lower numbers are more privileged: a check for level N passes for any user whose level is N or lower.

User Management

get_user_config()

Retrieves user configuration from Users.nmis.
my $user_config = $auth->get_user_config($username);
print "Privilege: " . $user_config->{privilege};

update_user()

Updates user configuration.

Parameters:
  • username (string, required): username to update
  • properties (hash, required): user properties to update

$auth->update_user(
    username => 'john',
    properties => {
        privilege => 2,
        email => 'john@example.com'
    }
);

Session Management

create_session()

Creates a new user session.
my $session_id = $auth->create_session(
    user => $user,
    remote_addr => $ENV{REMOTE_ADDR}
);

validate_session()

Validates existing session.
my $user = $auth->validate_session($session_id);

destroy_session()

Ends user session (logout).
$auth->destroy_session($session_id);
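The three calls above give the shape of session handling but not what makes it safe: an identifier that cannot be guessed, an idle timeout (auth_session_timeout in the configuration example further down), and invalidation on logout. The following is an added example of such a store, not NMISNG::Auth's implementation; the in-memory hash, the fixed clock passed as now, and the function names are assumptions for the illustration.

```perl
#!/usr/bin/perl
# Added example (not NMISNG::Auth code): an in-memory session store with
# an unguessable id from /dev/urandom, a sliding idle timeout, and
# binding of the session to the client address seen at login.
use strict;
use warnings;

my %SESSIONS;                 # session id -> session record
my $SESSION_TIMEOUT = 3600;   # seconds, as auth_session_timeout

# 32 bytes from the kernel CSPRNG, hex encoded: 256 bits of entropy, so
# ids cannot be guessed or enumerated.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $n = sysread $fh, my $bytes, 32;
    close $fh;
    die "short read from urandom\n" unless defined $n && $n == 32;
    return unpack 'H*', $bytes;
}

sub create_session {
    my (%arg) = @_;
    my $now = $arg{now} // time;
    my $id  = new_session_id();
    $SESSIONS{$id} = {
        user        => $arg{user},
        remote_addr => $arg{remote_addr},
        created     => $now,
        last_seen   => $now,
    };
    return $id;
}

# Returns the user record for a live session, or undef. An expired
# session is deleted so it cannot be revived, and a session presented
# from an address other than the one it was created from is rejected.
sub validate_session {
    my ($id, %arg) = @_;
    my $now = $arg{now} // time;
    my $s = defined $id ? $SESSIONS{$id} : undef;
    return undef unless $s;
    if ($now - $s->{last_seen} > $SESSION_TIMEOUT) {
        delete $SESSIONS{$id};
        return undef;
    }
    return undef if defined $arg{remote_addr}
                 && $arg{remote_addr} ne $s->{remote_addr};
    $s->{last_seen} = $now;   # sliding idle timeout
    return $s->{user};
}

sub destroy_session {
    my ($id) = @_;
    return (defined $id && defined(delete $SESSIONS{$id})) ? 1 : 0;
}

# Constructed walk-through with a fixed clock so the timeout is visible.
my $t0   = 1_700_000_000;
my $user = { username => 'admin', privilege => 1 };
my $sid  = create_session(user => $user, remote_addr => '192.0.2.10', now => $t0);

my @checks = (
    [ 'same address, 10 s later',  '192.0.2.10',   $t0 + 10 ],
    [ 'other address',             '198.51.100.7', $t0 + 20 ],
    [ 'idle longer than timeout',  '192.0.2.10',   $t0 + 10 + $SESSION_TIMEOUT + 1 ],
    [ 'after expiry deleted it',   '192.0.2.10',   $t0 + 11 ],
);
for my $c (@checks) {
    my ($label, $addr, $now) = @$c;
    my $u = validate_session($sid, remote_addr => $addr, now => $now);
    printf "%-28s %s\n", $label, $u ? "valid as $u->{username}" : 'rejected';
}
printf "destroy: %d, destroy again: %d\n", destroy_session($sid), destroy_session($sid);
```

Binding to remote_addr is a trade-off: it stops a stolen id from being used elsewhere but breaks clients whose address changes mid-session (mobile networks, some proxies), so behind a reverse proxy use the forwarded client address or drop the check. The id itself should travel in a cookie marked Secure and HttpOnly, which is only meaningful with auth_require_https set.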

Password Management

hash_password()

Hashes password using bcrypt.
my $hashed = $auth->hash_password('plaintext_password');

verify_password()

Verifies password against hash.
if ($auth->verify_password('plaintext', $hashed)) {
    print "Password correct";
}

Account Lockout

Limits password guessing by locking an account after repeated failures. Config:
'auth_lockout_enabled' => 1,
'auth_lockout_attempts' => 5,
'auth_lockout_duration' => 300  # seconds

is_locked_out()

Returns true while the account is inside its lockout window:
if ($auth->is_locked_out($username)) {
    print "Account temporarily locked";
}
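The three settings above define a counter per account, a threshold and a lock duration. The following is an added example of that logic, not NMISNG::Auth's code: the counter, the stub password check and the function names are assumptions for the illustration, and the clock is passed in so the window can be exercised without waiting.

```perl
#!/usr/bin/perl
# Added example (not NMISNG::Auth code): lockout with the semantics of
# auth_lockout_attempts / auth_lockout_duration. Failures are counted
# per username; once the threshold is reached the account is locked for
# the duration, after which the counter starts over.
use strict;
use warnings;

my %CFG = (
    auth_lockout_enabled  => 1,
    auth_lockout_attempts => 5,
    auth_lockout_duration => 300,
);
my %FAILURES;   # username -> { count => N, locked_until => epoch }

sub is_locked_out {
    my ($username, $now) = @_;
    $now //= time;
    return 0 unless $CFG{auth_lockout_enabled};
    my $rec = $FAILURES{$username} or return 0;
    return 1 if $rec->{locked_until} && $now < $rec->{locked_until};
    # Lock has lapsed: forget the old failures so the next window is clean.
    delete $FAILURES{$username} if $rec->{locked_until};
    return 0;
}

# Call on every failed login. Returns the lockout deadline if this
# failure tripped the threshold, otherwise undef.
sub record_failure {
    my ($username, $now) = @_;
    $now //= time;
    return undef unless $CFG{auth_lockout_enabled};
    my $rec = $FAILURES{$username} //= { count => 0, locked_until => 0 };
    $rec->{count}++;
    if ($rec->{count} >= $CFG{auth_lockout_attempts}) {
        $rec->{locked_until} = $now + $CFG{auth_lockout_duration};
        return $rec->{locked_until};
    }
    return undef;
}

# Call on a successful login so a stale near-threshold count does not
# lock the user out after one future typo.
sub record_success { delete $FAILURES{ $_[0] }; return; }

# Gate around the real backend check (stubbed with a constructed
# password). The lock is tested before the backend is consulted, so a
# locked account reveals nothing about whether the password was right.
sub try_login {
    my ($username, $password, $now) = @_;
    return 'locked' if is_locked_out($username, $now);
    my $ok = ($username eq 'admin' && $password eq 'correct-horse-battery');
    if ($ok) { record_success($username); return 'ok'; }
    my $until = record_failure($username, $now);
    return defined $until ? 'locked' : 'failed';
}

# Constructed sequence: five wrong guesses one second apart, the right
# password immediately afterwards, then the right password once the
# 300 s window has passed.
my $t = 1_700_000_000;
my @log;
push @log, try_login('admin', "guess$_", $t + $_) for 1 .. 5;
push @log, try_login('admin', 'correct-horse-battery', $t + 6);
push @log, try_login('admin', 'correct-horse-battery', $t + 5 + $CFG{auth_lockout_duration});
print join(' ', @log), "\n";
```

The fifth failure trips the lock, the correct password one second later is still refused, and the attempt at the end of the window succeeds. Because the counter is keyed on the username, anyone who knows an account name can lock its owner out by design; pair it with per-source-address rate limiting and make sure the lockout response is identical for accounts that do not exist.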

LDAP Group Mapping

Map LDAP groups to NMIS privileges. AuthLdapPrivs.nmis:
'cn=nmis-admins,ou=groups' => 1,
'cn=nmis-operators,ou=groups' => 3,
'cn=nmis-viewers,ou=groups' => 5

get_ldap_privileges()

my $privilege = $auth->get_ldap_privileges($username);
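Two details matter when group mapping feeds check_access(): a user in several mapped groups must receive the strongest level (the lowest number), and the comparison in the access check must respect that 0 is the most privileged level, since comparing the other way round grants Guest everything. The following is an added example covering both the privilege-level check and the LDAP group mapping above; it is not NMISNG::Auth's code. The group table mirrors AuthLdapPrivs.nmis with the auth_ldap_group_base from the configuration example appended, the memberOf lists are constructed, and the function names are this example's own.

```perl
#!/usr/bin/perl
# Added example (not NMISNG::Auth code): resolve an NMIS privilege from
# LDAP group membership, then apply a check_access-style test. Levels
# run 0 (Super Admin) to 5 (Guest), so "has at least level N" means the
# user's number is less than or equal to N.
use strict;
use warnings;

my %LDAP_PRIVS = (
    'cn=nmis-admins,ou=groups'    => 1,
    'cn=nmis-operators,ou=groups' => 3,
    'cn=nmis-viewers,ou=groups'   => 5,
);
my $GROUP_BASE = 'dc=example,dc=com';   # auth_ldap_group_base

# Normalise a DN for lookup: lower-case and drop spaces after commas, so
# 'CN=nmis-admins, OU=groups' matches 'cn=nmis-admins,ou=groups'.
sub norm_dn { my $d = lc shift; $d =~ s/,\s+/,/g; return $d }

# Returns the most privileged level granted by any mapped group the
# user belongs to, or undef when no group matches. The caller must treat
# undef as "no access", not as Guest.
sub privilege_from_groups {
    my (@member_of) = @_;
    my %table = map { norm_dn("$_,$GROUP_BASE") => $LDAP_PRIVS{$_} } keys %LDAP_PRIVS;
    my $best;
    for my $dn (@member_of) {
        my $lvl = $table{ norm_dn($dn) };
        next unless defined $lvl;
        $best = $lvl if !defined $best || $lvl < $best;
    }
    return $best;
}

# check_access-style test: true when the user's level is at least as
# privileged as (numerically <=) the required level.
sub has_privilege {
    my ($user, $required) = @_;
    return 0 unless defined $user->{privilege};
    return $user->{privilege} <= $required ? 1 : 0;
}

# Constructed users. carol is in two groups and must get the stronger
# (lower-numbered) one; dave is in no mapped group at all.
my %users = (
    alice => ['CN=nmis-admins, OU=groups, DC=example, DC=com'],
    bob   => ['cn=nmis-viewers,ou=groups,dc=example,dc=com'],
    carol => ['cn=nmis-viewers,ou=groups,dc=example,dc=com',
              'cn=nmis-operators,ou=groups,dc=example,dc=com'],
    dave  => ['cn=staff,ou=groups,dc=example,dc=com'],
);

for my $name (sort keys %users) {
    my $user = { username  => $name,
                 privilege => privilege_from_groups(@{ $users{$name} }) };
    printf "%-6s privilege=%-4s admin:%d operator:%d guest:%d\n",
        $name, $user->{privilege} // 'none',
        has_privilege($user, 1), has_privilege($user, 3), has_privilege($user, 5);
}
```

The DN normalisation matters in practice because Active Directory returns memberOf values with mixed case and the mapping file is typed by hand; a case-sensitive string compare silently maps nobody.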

Security Features

Password Requirements

  • Minimum length: 8 characters
  • Complexity: Letters + numbers
  • Expiry: Configurable
  • History: Prevents reuse
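hash_password()/verify_password() above and the requirements list here are two halves of one flow: a candidate password is checked against the policy and against the hashes of previous passwords, and only then hashed and stored. The following is an added example of that flow, not NMISNG::Auth's implementation. It assumes the CPAN module Crypt::Eksblowfish::Bcrypt is installed; the cost value, the history list and the function names are this example's own.

```perl
#!/usr/bin/perl
# Added example (not NMISNG::Auth code): bcrypt hashing with a random
# salt and explicit cost, verification against a stored hash, and the
# policy checks (length, letters plus digits, no reuse from history).
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);

my $BCRYPT_COST = 12;   # work factor; raise as hardware gets faster

sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $got = sysread $fh, my $buf, $n;
    close $fh;
    die "short read from urandom\n" unless defined $got && $got == $n;
    return $buf;
}

# Produces a "$2a$12$<22-char salt><31-char hash>" string. bcrypt needs a
# 16-byte salt, encoded with bcrypt's own base64 alphabet.
sub hash_password {
    my ($plain) = @_;
    my $settings = sprintf('$2a$%02d$%s', $BCRYPT_COST, en_base64(random_bytes(16)));
    return bcrypt($plain, $settings);
}

# Re-hashing with the stored string as settings reuses its salt and
# cost, so an equal result means the password matches.
sub verify_password {
    my ($plain, $stored) = @_;
    return 0 unless defined $stored && $stored =~ /^\$2a?\$\d\d\$/;
    return bcrypt($plain, $stored) eq $stored ? 1 : 0;
}

# Returns an empty list when the candidate is acceptable, otherwise the
# reasons it was refused. @history holds bcrypt hashes of past passwords,
# so the check never needs the old plaintexts.
sub password_problems {
    my ($candidate, @history) = @_;
    my @why;
    push @why, 'shorter than 8 characters' if length($candidate) < 8;
    push @why, 'needs at least one letter' if $candidate !~ /[A-Za-z]/;
    push @why, 'needs at least one digit'  if $candidate !~ /[0-9]/;
    push @why, 'matches a previous password'
        if grep { verify_password($candidate, $_) } @history;
    return @why;
}

# Constructed walk-through: one previous password in the history.
my @history = ( hash_password('Winter2023') );
for my $try ('short1', 'onlyletters', 'Winter2023', 'Spring2024!') {
    my @p = password_problems($try, @history);
    printf "%-12s %s\n", $try, @p ? 'rejected: ' . join(', ', @p) : 'accepted';
}
my $new = hash_password('Spring2024!');
printf "verify correct: %d, verify wrong case: %d\n",
    verify_password('Spring2024!', $new), verify_password('spring2024!', $new);
```

Each history entry costs a full bcrypt computation at the stored cost, so keep the history short (a handful of entries) or the change-password path becomes noticeably slow; that cost is also why the lockout above, not the hash, is the main defence against online guessing.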

SSL/TLS

Force HTTPS connections:
'auth_require_https' => 1

Two-Factor Authentication

Supports TOTP (Time-based One-Time Password):
'auth_2fa_enabled' => 1,
'auth_2fa_issuer' => 'NMIS'
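The two settings above switch TOTP on and set the issuer shown in the authenticator app; what the server must do with the code is the part worth seeing. The following is an added example of RFC 6238 verification, not NMISNG::Auth's implementation, using only the core Digest::SHA module. It tolerates one step of clock drift either side, compares codes in constant time, and rejects a code that has already been accepted for that step, so a code captured in transit cannot be replayed for the rest of its 30-second window. The shared secret is the RFC 6238 test secret; the user name, the replay table and the function names are this example's own.

```perl
#!/usr/bin/perl
# Added example (not NMISNG::Auth code): RFC 6238 TOTP generation and
# verification with drift window, constant-time compare and replay
# rejection, using core modules only.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha1);

my $STEP   = 30;   # seconds per TOTP step
my $DIGITS = 6;    # code length
my $WINDOW = 1;    # steps of drift tolerated either side of now

# Decode an RFC 4648 base32 shared secret (the form printed as a setup key).
sub base32_decode {
    my ($s) = @_;
    my $alpha = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $s = uc $s;
    $s =~ s/[=\s-]//g;
    my $bits = '';
    for my $c (split //, $s) {
        my $i = index $alpha, $c;
        die "invalid base32 character '$c'\n" if $i < 0;
        $bits .= sprintf '%05b', $i;
    }
    $bits = substr $bits, 0, length($bits) - length($bits) % 8;
    return pack 'B*', $bits;
}

# HOTP (RFC 4226) for one counter value; TOTP is HOTP over time/STEP.
sub hotp {
    my ($key, $counter) = @_;
    my $msg  = pack 'N2', int($counter / 2**32), $counter % 2**32;   # 64-bit big-endian
    my $hmac = hmac_sha1($msg, $key);
    my $off  = ord(substr $hmac, 19, 1) & 0x0f;                       # dynamic truncation
    my $code = unpack('N', substr $hmac, $off, 4) & 0x7fffffff;
    return sprintf '%0*d', $DIGITS, $code % (10 ** $DIGITS);
}

sub totp { my ($key, $now) = @_; return hotp($key, int($now / $STEP)) }

# Compare two codes without an early exit on the first differing digit.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

my %USED;   # "username:step" of accepted codes, for replay rejection

# Returns 1 if $code is valid for the user at $now (within the drift
# window) and has not been accepted before; 0 otherwise.
sub verify_totp {
    my ($username, $key, $code, $now) = @_;
    return 0 unless defined $code && $code =~ /^\d{$DIGITS}$/;
    my $step = int($now / $STEP);
    for my $s ($step - $WINDOW .. $step + $WINDOW) {
        next unless ct_eq($code, hotp($key, $s));
        return 0 if $USED{"$username:$s"}++;   # same code, same step: replay
        return 1;
    }
    return 0;
}

# Constructed check against RFC 6238 appendix B: the ASCII secret
# "12345678901234567890" at T=59 gives the SHA-1 code 94287082; the
# 6-digit code is its last six digits.
my $key = '12345678901234567890';
print "t=59 code: ", totp($key, 59), "\n";

my $b32 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';   # base32 of the same secret
my $k   = base32_decode($b32);
my $now = 1_700_000_000;
my $code = totp($k, $now);
print "fresh:   ", verify_totp('admin', $k, $code, $now), "\n";
print "replay:  ", verify_totp('admin', $k, $code, $now + 5), "\n";
print "drifted: ", verify_totp('admin', $k, totp($k, $now - $STEP), $now), "\n";
print "expired: ", verify_totp('admin', $k, totp($k, $now - 2 * $STEP), $now), "\n";
```

In a real deployment the replay table must live in shared storage with the session store and be pruned after the window passes, and the raw secret must be stored encrypted at rest, since anyone who reads it can mint codes at will. Failed TOTP attempts should feed the same lockout counter as failed passwords; six digits with a three-step window is only about one chance in 333,000 per guess, but unlimited guesses make that irrelevant.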

Troubleshooting

Authentication Failures

Check logs:
tail -f /usr/local/nmis9/logs/auth.log
Common issues:
  • Incorrect LDAP DN format
  • RADIUS secret mismatch
  • Password expired
  • Account locked out

Debug Mode

Enable auth debugging:
'auth_debug' => 1

Configuration Example

Complete auth configuration:
'authentication' => {
    'auth_method' => 'ldap',
    'auth_ldap_server' => 'ldaps://ldap.example.com',
    'auth_ldap_dn' => 'uid=%s,ou=people,dc=example,dc=com',
    'auth_ldap_ssl' => 1,
    'auth_ldap_group_base' => 'ou=groups,dc=example,dc=com',
    'auth_require_https' => 1,
    'auth_lockout_enabled' => 1,
    'auth_lockout_attempts' => 5,
    'auth_session_timeout' => 3600
}
