Note on OpenNMS Versions
These instructions will likely work with any 1.2.x release (at least up to and including 1.2.9) and with 1.3.1, but releases starting with 1.3.2 use Acegi Security for authentication. Acegi Security can use LDAP / Active Directory for authentication and/or authorization, but the process for configuring it is very different. A good starting point for somebody who wants to figure this out would be the Acegi Security Reference Documentation. Starting with OpenNMS 1.7.x, Spring Security is used instead, so you should read Spring Security and LDAP.
Basic Setup
Hi folks,
recently I wanted to configure our OpenNMS to authenticate the users against LDAP. After some research I came up with this solution, maybe it will help one of you.
Our setup is OpenNMS-1.2.3-1 with Tomcat 4.1 and OpenLDAP 2.0.27 but it shouldn't be too difficult to apply this to other versions.
First configure Tomcat/OpenNMS to use a different realm than the standard file based one. Edit $OPENNMS_HOME/webapps/opennms.xml and replace the realm with something like:
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="0"
connectionURL="ldap://localhost:389"
connectionName="cn=readonly,ou=ldapaccounts,o=company"
connectionPassword="LDAP-PASSWD"
userBase="o=company"
userSubtree="true"
userSearch="(uid={0})"
roleBase="ou=opennms,o=company"
roleName="cn"
roleSearch="(memberUid={1})"/>
Now you need to create an rtc ldap user (password rtc) and three "special" groups which are used later on to assign user privileges:
dn: uid=rtc,ou=opennms,o=company
objectClass: posixAccount
objectClass: account
cn: rtc
gecos: rtc
loginShell: /bin/false
homeDirectory: /home/rtc
uidNumber: 1511
uid: rtc
description: opennms rtc user
gidNumber: 132
userPassword:: e1NIQX1BYllZcStWenhQNmVpOWNCd0JsTjZ0c09lRFU9Cgo=

dn: cn=OpenNMS User,ou=opennms,o=company
objectClass: posixGroup
description: OpenNMS Users
gidNumber: 60085
cn: OpenNMS User
memberUid: you
memberUid: yourCoAdmin
memberUid: poorGuyOnDuty1
memberUid: poorGuyOnDuty2

dn: cn=OpenNMS Administrator,ou=opennms,o=company
objectClass: posixGroup
description: OpenNMS Administrator Group
gidNumber: 60086
cn: OpenNMS Administrator
memberUid: you
memberUid: yourCoAdmin

dn: cn=OpenNMS RTC Daemon,ou=opennms,o=company
objectClass: posixGroup
description: OpenNMS RTC Daemon group
gidNumber: 60087
cn: OpenNMS RTC Daemon
memberUid: rtc
With this setup, the admin account will not be accessible anymore, but that shouldn't harm, since you can configure your user as an admin. Note that the user has to be created via the OpenNMS frontend also; otherwise you will get strange effects. After a Tomcat restart everything should be working; OpenNMS does not need to be restarted.
maybe someone will find this useful,
Wiktor Wodecki
net mobile AG
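Before pointing Tomcat at the directory, it helps to see what JNDIRealm's two lookups will actually return for a given login. The following is an added example, not part of the post above nor of OpenNMS or Tomcat: it parses the LDIF from the post and emulates the userSearch and roleSearch configured in the <Realm> element. The uid=you entry under ou=people is constructed, since the post assumes such users already exist under o=company.

```python
import base64
# Constructed LDIF: the rtc user and the three groups from the post, plus a
# made-up uid=you entry (the post assumes such users already exist).
LDIF = """\
dn: uid=rtc,ou=opennms,o=company
uid: rtc
userPassword:: e1NIQX1BYllZcStWenhQNmVpOWNCd0JsTjZ0c09lRFU9Cgo=

dn: uid=you,ou=people,o=company
uid: you

dn: cn=OpenNMS User,ou=opennms,o=company
cn: OpenNMS User
memberUid: you

dn: cn=OpenNMS Administrator,ou=opennms,o=company
cn: OpenNMS Administrator
memberUid: you

dn: cn=OpenNMS RTC Daemon,ou=opennms,o=company
cn: OpenNMS RTC Daemon
memberUid: rtc
"""
# userBase, roleBase and roleName as set in the <Realm> element of the post.
USER_BASE, ROLE_BASE, ROLE_NAME = "o=company", "ou=opennms,o=company", "cn"

def parse_entry(block):
    """Parse one LDIF entry; 'attr:: value' is base64 and is kept byte-exact."""
    entry = {}
    for line in block.splitlines():
        attr, _, value = line.partition(":")
        value = (base64.b64decode(value[1:].strip()).decode("utf-8")
                 if value.startswith(":") else value.strip())
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def matches(entry, base, attr, value):
    # Entry lies in the subtree of base and satisfies the equality filter (attr=value).
    dn = entry["dn"][0].lower()
    return (dn == base.lower() or dn.endswith("," + base.lower())) and value in entry.get(attr, [])

def realm_lookup(username):
    """Return (user DN or None, sorted role names) the way JNDIRealm resolves them:
    userSearch "(uid={0})" under userBase, then roleSearch "(memberUid={1})" under
    roleBase; Tomcat substitutes {0} with the user DN and {1} with the login name."""
    entries = [parse_entry(b) for b in LDIF.strip().split("\n\n")]
    users = [e for e in entries if matches(e, USER_BASE, "uid", username)]
    if len(users) != 1:  # no entry, or an ambiguous match: JNDIRealm rejects the login
        return None, []
    roles = sorted(e[ROLE_NAME][0] for e in entries
                   if matches(e, ROLE_BASE, "memberuid", username))
    return users[0]["dn"][0], roles
```

Because base64 LDIF values are decoded byte-exact, the parser also shows that the posted userPassword value decodes to a {SHA} hash followed by two newline bytes (the trailing "Cgo="); check your own LDIF for the same artifact before loading it.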
Security Considerations
If you're at all like me, you probably don't want a user in your LDAP directory with a username and password of rtc/rtc. Check out the Security Considerations page for how to change the password (and even username) of the special rtc user.
Changing the Role Names
You may find that the default role names of OpenNMS User, OpenNMS Administrator, and OpenNMS RTC Daemon do not mesh well with your LDAP environment. Your LDAP tree may be set up with traditional UNIX group names (no spaces, limited character length, etc.), or you may want to have multiple installations of OpenNMS running from the same LDAP directory. If this sounds like you, you may want to consider having OpenNMS use different role names for the three distinct roles it has. All of the modifications required to change the role names occur in the deployment descriptor, web.xml. This file is located in the WEB-INF directory under the opennms application directory (/opt/OpenNMS/webapps/opennms/WEB-INF if you're using one of the Linux RPMs).
In the web.xml file, look for the section that describes the security of the application. It will start with the line <security-constraint>. Change it to look like the following:
<!-- Note: The order of these security-constraints is significant! -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Administrative Controls</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ADMINROLE</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Real-Time Console Data Update Servlets</web-resource-name>
<url-pattern>/rtc/post/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>RTCROLE</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>USERROLE</role-name>
</auth-constraint>
</security-constraint>
Replace ADMINROLE, RTCROLE, and USERROLE with the group names you added to your LDAP directory for each role. Notice that you're changing the role-name for each constraint. Next, you'll need to change the role-name definitions in the file, which are a little further down. Find the section that starts with <security-role>, and change it to look like the following:
<security-role>
<description>
OpenNMS Administrator
</description>
<role-name>ADMINROLE</role-name>
</security-role>
<security-role>
<description>
OpenNMS RTC Daemon
</description>
<role-name>RTCROLE</role-name>
</security-role>
<security-role>
<description>
OpenNMS User
</description>
<role-name>USERROLE</role-name>
</security-role>
The ADMINROLE, RTCROLE, and USERROLE entries are the same as what you entered earlier in the security-constraints section (your group names in LDAP). You're almost done. There's one more thing to do...
The OpenNMS JSPs reference the OpenNMS Administrator role directly in a couple of places. In order to make sure these JSPs know about the new role name, we need to add a role reference to the web.xml file. To do this, add the following section after the last <security-role> section:
<security-role-ref>
<role-name>OpenNMS Administrator</role-name>
<role-link>ADMINROLE</role-link>
</security-role-ref>
As before, ADMINROLE is the same ADMINROLE used in the above two sections. This aliases your role name to the OpenNMS Administrator role used in the OpenNMS code.
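When web.xml is edited by hand it is easy to rename a role in one of the three places and miss another, so here is an added example (my own, not OpenNMS code) that parses a web.xml and checks the wiring the steps above require: every auth-constraint role is declared as a security-role, the catch-all /* constraint stays last, and the OpenNMS Administrator name the JSPs use is either declared or aliased by a security-role-ref. It assumes a DTD-style web.xml without an XML namespace, as Tomcat 4.1 uses, and the group names nms-admin, nms-rtc and nms-user are made up.

```python
import xml.etree.ElementTree as ET

JSP_ROLE = "OpenNMS Administrator"  # role name the OpenNMS JSPs reference directly

# Constructed web.xml fragment: the three constraints from this page with the
# placeholder roles replaced by made-up LDAP group names nms-admin/nms-rtc/nms-user.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>nms-admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/rtc/post/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>nms-rtc</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>nms-user</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>nms-admin</role-name></security-role>
  <security-role><role-name>nms-rtc</role-name></security-role>
  <security-role><role-name>nms-user</role-name></security-role>
  <security-role-ref>
    <role-name>OpenNMS Administrator</role-name><role-link>nms-admin</role-link>
  </security-role-ref>
</web-app>"""

def check_roles(xml_text):
    """Return a list of findings; an empty list means the role wiring is consistent."""
    root = ET.fromstring(xml_text)
    declared = {r.findtext("role-name") for r in root.iter("security-role")}
    findings = []
    constraints = list(root.iter("security-constraint"))
    # 1. every role-name used in an auth-constraint must be declared as a security-role
    for sc in constraints:
        for rn in sc.iter("role-name"):
            if rn.text not in declared:
                findings.append(f"auth-constraint uses undeclared role {rn.text!r}")
    # 2. keep the catch-all /* constraint last, as the comment in the page warns
    patterns = [sc.findtext("web-resource-collection/url-pattern") for sc in constraints]
    if "/*" in patterns and patterns[-1] != "/*":
        findings.append("the /* constraint is not the last security-constraint")
    # 3. the JSP role name must be declared itself or linked, via security-role-ref,
    #    to a declared role (the aliasing the page's security-role-ref performs)
    links = {r.findtext("role-name"): r.findtext("role-link") for r in root.iter("security-role-ref")}
    if JSP_ROLE not in declared and links.get(JSP_ROLE) not in declared:
        findings.append(f"{JSP_ROLE!r} is neither declared nor linked to a declared role")
    return findings
```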