Access Control Overview
NMIS provides comprehensive access control through:
- User authentication - Multiple authentication methods
- Role-based access - Privilege levels (0-5)
- Group restrictions - Limit access to specific node groups
- Function permissions - Control access to specific features
User Configuration
Users.nmis
User accounts are defined in Users.nmis:
From Users.nmis:1:
```perl
%hash = (
    'nmis' => {
        'user' => 'nmis',
        'groups' => 'all',
        'privilege' => 'administrator'
    },
    'admin' => {
        'user' => 'admin',
        'groups' => 'all',
        'privilege' => 'administrator'
    },
    'operator' => {
        'user' => 'operator',
        'groups' => 'all',
        'privilege' => 'operator'
    }
);
```
User Properties
- user - Username for login
- groups - Comma-separated group list or 'all'
- privilege - Role name (see Privilege Levels below)
Group-Based Access
From Users.nmis:37:
```perl
'dc_ops' => {
    'user' => 'dc_ops',
    'groups' => 'network,DataCenter,Sales',
    'privilege' => 'operator'
}
```
Users see only nodes in their assigned groups.
Privilege Levels
Access Levels (0-5)
From Access.nmis:1:
| Level | Role | Description |
|---|---|---|
| 0 | administrator | Full system access |
| 1 | manager | Management operations |
| 2 | operator | Monitoring and reporting |
| 3 | user | Read-only access |
| 4 | guest | Limited read access |
| 5 | disabled | No access |
Privilege Mapping
Each Access.nmis entry carries one flag per level; '1' grants the feature to that level, '0' denies it:
```perl
'table_nodes_rw' => {
    'descr' => 'Write access to table Nodes',
    'level0' => '1', # Administrator: Yes
    'level1' => '1', # Manager: Yes
    'level2' => '1', # Operator: Yes
    'level3' => '0', # User: No
    'level4' => '0', # Guest: No
    'level5' => '0'  # Disabled: No
}
```
Authentication Methods
Configuration
From Config.nmis:282:
```perl
'authentication' => {
    'auth_method_1' => 'htpasswd',
    'auth_method_2' => '',
    'auth_method_3' => '',
    'auth_expire' => '+30min',
    'auth_web_key' => 'Please Change Me!'
}
```
Method 1: htpasswd (Default)
From Auth.pm:460:
Uses an Apache-style password file:
```bash
# Create password file
htpasswd -c /usr/local/nmis9/conf/users.dat nmis
# Add users
htpasswd /usr/local/nmis9/conf/users.dat operator
```
Configuration:
```perl
'authentication' => {
    'auth_method_1' => 'htpasswd',
    'auth_htpasswd_file' => '<nmis_conf>/users.dat',
    'auth_htpasswd_encrypt' => 'crypt' # or 'md5' or 'plaintext'
}
```
Method 2: LDAP/Active Directory
From Auth.pm:551:
LDAP Configuration
```perl
'authentication' => {
    'auth_method_1' => 'ldap', # or 'ldaps' for SSL
    'auth_ldap_server' => '192.168.1.5:389',
    'auth_ldap_base' => 'dc=corp,dc=example,dc=com',
    'auth_ldap_attr' => 'sAMAccountName cn',
    'auth_ldap_acc' => 'cn=ldapuser,ou=users,dc=corp,dc=example,dc=com',
    'auth_ldap_psw' => 'password',
    'auth_ldap_debug' => 'false'
}
```
LDAPS (Secure LDAP)
```perl
'authentication' => {
    'auth_method_1' => 'ldaps',
    'auth_ldaps_server' => 'ldaps.example.com:636',
    'auth_ldaps_verify' => 'optional', # none, optional, require
    'auth_ldaps_capath' => '/etc/ssl/certs'
}
```
Microsoft Active Directory
From Auth.pm:474:
```perl
'authentication' => {
    'auth_method_1' => 'ms-ldap', # or 'ms-ldaps'
    'auth_ldap_server' => 'ad.example.com:389',
    'auth_ldap_base' => 'dc=example,dc=com',
    'auth_ldap_attr' => 'sAMAccountName',
    'auth_ldap_group' => 'memberOf',
    'auth_ldap_acc' => 'cn=admin,cn=users,dc=example,dc=com',
    'auth_ldap_psw' => 'password'
}
```
Method 3: RADIUS
From Auth.pm:1271:
```perl
'authentication' => {
    'auth_method_1' => 'radius',
    'auth_radius_server' => '192.168.1.10:1812',
    'auth_radius_secret' => 'sharedsecret'
}
```
Method 4: TACACS+
From Auth.pm:1304:
```perl
'authentication' => {
    'auth_method_1' => 'tacacs',
    'auth_tacacs_server' => '192.168.1.11:49',
    'auth_tacacs_secret' => 'sharedsecret',
    'auth_tacacs_server_secondary' => '192.168.1.12:49',
    'auth_tacacs_secret_secondary' => 'sharedsecret2'
}
```
Method 5: PAM
From Auth.pm:1212:
Use system PAM authentication:
```perl
'authentication' => {
    'auth_method_1' => 'pam'
}
```
For PAM authentication, the web server user must have read access to /etc/shadow.
Method 6: Atlassian Crowd
From Auth.pm:1349:
```perl
'authentication' => {
    'auth_method_1' => 'crowd',
    'auth_crowd_server' => 'https://crowd.example.com',
    'auth_crowd_user' => 'nmis',
    'auth_crowd_password' => 'password'
}
```
Method 7: ConnectWise
From Auth.pm:836:
```perl
'authentication' => {
    'auth_method_1' => 'connectwise',
    'auth_cw_server' => 'connectwise.example.com',
    'auth_cw_company_id' => 'company',
    'auth_cw_public_key' => 'publickey',
    'auth_cw_private_key' => 'privatekey'
}
```
LDAP Privilege Mapping
AuthLdapPrivs.nmis
Map LDAP groups to NMIS privileges:
From AuthLdapPrivs.nmis:1:
```perl
%hash = (
    'domain admins' => {
        'ldap_group' => 'domain admins',
        'privilege' => 'administrator',
        'level' => '0',
        'groups' => 'all',
        'priority' => 1
    }
);
```
Properties
- ldap_group - LDAP/AD group name
- privilege - NMIS privilege level
- level - Numeric level (0-5)
- groups - Node groups accessible
- priority - Evaluation order (lower = higher priority)
Enable LDAP Privileges
```perl
'authentication' => {
    'auth_ldap_privs' => 1
}
```
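The following is an added example, not NMIS code, showing how a priority-ordered AuthLdapPrivs.nmis lookup resolves a user whose memberOf attribute names several mapped groups at once. Only the property names (ldap_group, privilege, level, groups, priority) come from the page; the three mapping entries, the memberOf values, the case-insensitive CN comparison and the choice to deny an unmapped user are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not NMIS code): resolve an LDAP user's NMIS privilege from
# AuthLdapPrivs.nmis-style entries. Lower 'priority' wins, as the page states.
use strict;
use warnings;

# Constructed entries in the AuthLdapPrivs.nmis shape. In a deployment the file
# is Perl source assigning %hash, so `do $file` followed by reading %hash loads
# it (an assumption about your setup, not something this page documents).
my %ldap_privs = (
    'domain admins' => { ldap_group => 'domain admins', privilege => 'administrator',
                         level => '0', groups => 'all',                priority => 1 },
    'noc'           => { ldap_group => 'noc',           privilege => 'operator',
                         level => '2', groups => 'network,DataCenter', priority => 5 },
    'everyone'      => { ldap_group => 'everyone',      privilege => 'guest',
                         level => '4', groups => 'Sales',              priority => 99 },
);

# Extract the CN from an AD memberOf DN such as "CN=NOC,OU=Groups,DC=example,DC=com".
# Values that are not DNs (a bare group name) are compared as-is.
sub group_cn {
    my ($dn) = @_;
    return $dn =~ /^cn=([^,]+)/i ? lc($1) : lc($dn);
}

# Returns the winning mapping (hash ref), or undef when none of the user's
# groups is mapped. The caller treats undef as "no access" (constructed rule).
sub resolve_ldap_privilege {
    my (@member_of) = @_;
    my %mine = map { group_cn($_) => 1 } @member_of;
    my @hits = grep { $mine{ lc($_->{ldap_group}) } } values %ldap_privs;
    return undef unless @hits;
    my ($best) = sort { $a->{priority} <=> $b->{priority} } @hits;
    return $best;
}

# Constructed memberOf values in the form an AD server returns them.
my @alice = ('CN=NOC,OU=Groups,DC=example,DC=com', 'CN=Everyone,OU=Groups,DC=example,DC=com');
my @bob   = ('CN=Domain Admins,CN=Users,DC=example,DC=com', 'CN=NOC,OU=Groups,DC=example,DC=com');
my @carol = ('CN=Contractors,OU=Groups,DC=example,DC=com');

for my $who (['alice', \@alice], ['bob', \@bob], ['carol', \@carol]) {
    my ($name, $groups) = @$who;
    my $m = resolve_ldap_privilege(@$groups);
    printf "%-6s -> %s\n", $name,
        $m ? "$m->{privilege} (level $m->{level}, node groups: $m->{groups})"
           : 'no mapped group: no access';
}
```

Run with `perl resolve_ldap_privs.pl`: alice is in both 'noc' (priority 5) and 'everyone' (priority 99) and resolves to operator; bob's 'domain admins' entry (priority 1) outranks 'noc' and gives administrator; carol matches nothing. Ordering mappings by priority is what keeps a broad catch-all group such as 'everyone' from overriding a narrower, more privileged one.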
Access Table
Access.nmis
Defines feature-level permissions:
From Access.nmis:69:
```perl
'cfg_nodes' => {
    'descr' => 'Enable button Config Nodes',
    'group' => 'button',
    'level0' => '1', # Admin
    'level1' => '0', # Manager
    'level2' => '1', # Operator
    'level3' => '0', # User
    'level4' => '0', # Guest
    'level5' => '0'  # Disabled
}
```
Permission Categories
From Access.nmis:
Configuration Access
- cfg_nodes - Node management
- cfg_users - User administration
- cfg_locations - Location management
- cfg_contacts - Contact management
- cfg_system - System configuration
Table Access
- table_nodes_rw - Node table write
- table_nodes_view - Node table read
- table_events_rw - Event management
- table_users_rw - User management
Network Views
- ntw_overview - Network overview
- ntw_summary - Network summary
- ntw_top10 - Top 10 view
- tls_ping - Ping tool
- tls_trace - Traceroute tool
- tls_snmp - SNMP tool
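The following is an added example, not NMIS code, that applies the level0..level5 matrix from the Privilege Mapping and Access Table sections to Users.nmis-style accounts, and adds the node-group filter from the Group-Based Access section. The role-to-level table is the one on this page; the accounts, the Access.nmis subset and the fail-closed handling of unknown users, roles and permissions are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not NMIS code): decide whether a Users.nmis account may use an
# Access.nmis permission, and whether it may see a node in a given group.
use strict;
use warnings;

# Role name -> numeric level, from the Access Levels table on this page.
my %role_level = (
    administrator => 0, manager => 1, operator => 2,
    user => 3, guest => 4, disabled => 5,
);

# Constructed Users.nmis subset in the page's shape ('reporter' and 'gone' are made up).
my %users = (
    admin    => { user => 'admin',    groups => 'all',                      privilege => 'administrator' },
    dc_ops   => { user => 'dc_ops',   groups => 'network,DataCenter,Sales', privilege => 'operator' },
    reporter => { user => 'reporter', groups => 'Sales',                    privilege => 'user' },
    gone     => { user => 'gone',     groups => 'all',                      privilege => 'disabled' },
);

# Constructed Access.nmis subset copied from the two entries shown on this page.
my %access = (
    table_nodes_rw => {
        descr => 'Write access to table Nodes',
        level0 => '1', level1 => '1', level2 => '1',
        level3 => '0', level4 => '0', level5 => '0',
    },
    cfg_nodes => {
        descr => 'Enable button Config Nodes', group => 'button',
        level0 => '1', level1 => '0', level2 => '1',
        level3 => '0', level4 => '0', level5 => '0',
    },
);

# Returns 1 if $username may use $perm, otherwise 0. An unknown user, an
# unknown role name or a permission missing from Access.nmis all deny
# (fail closed), so a typo in a config file cannot widen access.
sub user_allowed {
    my ($username, $perm) = @_;
    my $u = $users{$username} or return 0;
    my $level = $role_level{ $u->{privilege} // '' };
    return 0 unless defined $level;
    my $entry = $access{$perm} or return 0;
    return ($entry->{"level$level"} // '0') eq '1' ? 1 : 0;
}

# Returns 1 if the user may see nodes in $group; 'all' grants every group,
# otherwise the comma-separated list is matched exactly.
sub user_sees_group {
    my ($username, $group) = @_;
    my $u = $users{$username} or return 0;
    return 1 if $u->{groups} eq 'all';
    my %allowed = map { $_ => 1 } split /\s*,\s*/, $u->{groups};
    return $allowed{$group} ? 1 : 0;
}

for my $check ([admin => 'table_nodes_rw'], [dc_ops => 'cfg_nodes'],
               [reporter => 'table_nodes_rw'], [gone => 'cfg_nodes'],
               [nobody => 'cfg_nodes']) {
    my ($who, $perm) = @$check;
    printf "%-9s %-15s %s\n", $who, $perm, user_allowed($who, $perm) ? 'allowed' : 'denied';
}
printf "dc_ops sees DataCenter: %d, sees Finance: %d\n",
    user_sees_group('dc_ops', 'DataCenter'), user_sees_group('dc_ops', 'Finance');
```

Run with `perl check_access.pl`: admin and dc_ops are allowed (level0 and level2 flags are '1' for those entries), reporter at level 3 is denied table_nodes_rw, the disabled account and the unknown account are denied everything, and dc_ops sees DataCenter but not Finance. Note that the cfg_nodes entry on this page grants the button to operators (level2) but not managers (level1), which is why the matrix, not the level number alone, has to be consulted for each permission.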
Session Management
From Config.nmis:321:
Session Configuration
```perl
'authentication' => {
    'auth_expire' => '+30min',
    'max_sessions' => 3,
    'max_sessions_enabled' => 'false',
    'expire_users' => 'false',
    'expire_users_after' => 7776000 # 90 days
}
```
Cookie Configuration
From Config.nmis:285:
```perl
'authentication' => {
    'auth_cookie_flavour' => 'omk', # 'nmis' or 'omk'
    'auth_web_key' => 'Please Change Me!',
    'auth_sso_domain' => '.example.com' # For SSO
}
```
Security Critical: Always change auth_web_key to a unique random string. This key signs authentication cookies.
Account Lockout
From Auth.pm:1438:
Lockout Configuration
```perl
'authentication' => {
    'auth_lockout_after' => 5 # Lock after 5 failed attempts
}
```
Set to 0 to disable lockout.
Manual Unlock
Reset failure counter:
```bash
# Remove lockout file
rm /usr/local/nmis9/var/nmis_system/auth_failures_USERNAME
```
Login Customization
Login Page
From Config.nmis:310:
```perl
'authentication' => {
    'auth_login_title' => 'NMIS9 login',
    'auth_login_motd' => 'Please log in to access NMIS',
    'auth_banner_title' => 'NMIS9',
    'company_logo' => '/menu9/img/company-logo.png'
}
```
Default Accounts
Built-in Users
From Users.nmis:
| Username | Privilege | Default Password |
|---|---|---|
| nmis | administrator | Set during install |
| admin | administrator | Set during install |
| operator | operator | Set during install |
| guest | guest | Set during install |
Change all default passwords immediately after installation.
Security Best Practices
1. Use Strong Authentication
- Prefer LDAP/RADIUS over local authentication
- Use SNMPv3 with authentication and privacy
- Enable HTTPS for web access
2. Change Default Keys
```perl
'authentication' => {
    'auth_web_key' => 'Random-String-Here' # Generate random key
}
```
3. Enable Session Limits
```perl
'authentication' => {
    'max_sessions_enabled' => 'true',
    'max_sessions' => 3
}
```
4. Set Appropriate Timeouts
```perl
'authentication' => {
    'auth_expire' => '+15min' # Shorter timeout
}
```
5. Use Account Expiration
```perl
'authentication' => {
    'expire_users' => 'true',
    'expire_users_after' => 2592000 # 30 days
}
```
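The following is an added example, not NMIS code, that audits the 'authentication' block against the practices above: the shipped auth_web_key, LDAP without TLS or without certificate verification, a plaintext htpasswd file, an auth_expire longer than 15 minutes, session limits and account expiry left off, lockout disabled, and debug logging left on. The sample hash, the 15-minute threshold and the audit_auth/expire_seconds helpers are constructed for this example; the auth_expire parser assumes the '+30min' style shown on this page and ignores forms it does not recognise.

```perl
#!/usr/bin/perl
# Added example (not NMIS code): audit Config.nmis 'authentication' settings
# against the hardening points on this page. Prints FAIL lines or PASS.
use strict;
use warnings;

# Constructed 'authentication' hash using the page's own keys, with values
# chosen to trip several findings. In a deployment read the block from
# Config.nmis instead (the file is Perl source, so `do $file` can load it).
my %auth = (
    auth_method_1         => 'ldap',
    auth_ldaps_verify     => 'optional',
    auth_htpasswd_encrypt => 'crypt',
    auth_expire           => '+30min',
    auth_web_key          => 'Please Change Me!',
    max_sessions_enabled  => 'false',
    max_sessions          => 3,
    expire_users          => 'false',
    expire_users_after    => 7776000,
    auth_lockout_after    => 0,
    auth_debug            => 'true',
);

# Convert '+30min', '+2h', '+1day' and similar to seconds; undef if unrecognised.
sub expire_seconds {
    my ($v) = @_;
    return undef unless defined $v && $v =~ /^\+?(\d+)\s*(s|sec|m|min|h|hour|d|day)s?$/i;
    my ($n, $unit) = ($1, lc($2));
    my %mult = (s => 1, sec => 1, m => 60, min => 60, h => 3600, hour => 3600, d => 86400, day => 86400);
    return $n * $mult{$unit};
}

# Returns a list of finding strings; an empty list means every check passed.
sub audit_auth {
    my ($c) = @_;
    my @f;
    my $method = $c->{auth_method_1} // '';
    my $verify = $c->{auth_ldaps_verify} // 'none';
    push @f, "auth_web_key is still the shipped default; cookies are signed with a publicly known value"
        if ($c->{auth_web_key} // '') eq 'Please Change Me!';
    push @f, "auth_method_1 is '$method': bind credentials cross the network unencrypted; use 'ldaps' or 'ms-ldaps'"
        if $method =~ /^(ldap|ms-ldap)$/;
    push @f, "auth_ldaps_verify is '$verify': server certificate is not enforced; set 'require'"
        if $method =~ /ldaps/ && $verify ne 'require';
    push @f, "auth_htpasswd_encrypt is 'plaintext'"
        if ($c->{auth_htpasswd_encrypt} // '') eq 'plaintext';
    my $exp = expire_seconds($c->{auth_expire});
    push @f, "auth_expire '$c->{auth_expire}' is longer than 15 minutes"
        if defined $exp && $exp > 15 * 60;
    push @f, "max_sessions_enabled is not 'true'"
        if ($c->{max_sessions_enabled} // 'false') ne 'true';
    push @f, "expire_users is not 'true'; stale accounts never expire"
        if ($c->{expire_users} // 'false') ne 'true';
    push @f, "auth_lockout_after is 0: failed logins never lock the account"
        if !($c->{auth_lockout_after} // 0);
    push @f, "auth_debug is 'true': leave it on only while troubleshooting"
        if ($c->{auth_debug} // '') eq 'true';
    return @f;
}

my @findings = audit_auth(\%auth);
my $report = @findings ? join("\n", map { "FAIL: $_" } @findings) . "\n" : "PASS: no findings\n";
print $report;
```

With the constructed values above the script reports seven findings (default key, plain LDAP, 30-minute expiry, session limits off, account expiry off, lockout disabled, debug on); the ldaps verification check only fires once auth_method_1 is switched to an ldaps variant. A suitable replacement for auth_web_key can be produced with `openssl rand -base64 32`.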
Troubleshooting Authentication
Enable Debug Logging
From Config.nmis:290:
```perl
'authentication' => {
    'auth_debug' => 'true',
    'auth_ldap_debug' => 'true'
}
```
Check Auth Logs
```bash
tail -f /usr/local/nmis9/logs/auth.log
```
LDAP Debug
Detailed LDAP operations:
```bash
tail -f /usr/local/nmis9/logs/auth-ldap-debug.log
```
Test Authentication
From Auth.pm:432:
```bash
perl -e 'use NMISNG::Auth;
my $au = NMISNG::Auth->new();
print $au->user_verify("username", "password") ? "OK" : "FAIL"'
```