NetXMS has it’s own user database. All NetXMS user accounts stored in backend SQL database. Each account has it’s own unique login name and identifier. The account may also have a password.
Terms and Definitions¶
NetXMS has the following attributes for users:
- Unique identifier
- Unique login name
- First name
- Last name
- Authentication method
Not all attributes are mandatory.
Before version 2.1-M0 there was only 1 default user
admin with user ID 0 and
access to everything by default. After version 2.1-M0 admin was made a normal user which
can be deleted or disabled. As a default user with access to everything was created
system user, that by default is disabled.
NetXMS has built-in superuser with ID
0, which always has full access to
the system. Default login name for superuser is
system. By default user is
disabled. Superuser account can be renamed or disabled/enabled, but cannot be deleted.
System user can be used to correct access rights to object, that exists, but none has access to it.
Each user can be member of several groups. Groups are the preferred way to organize access permissions. You should always grant permission to groups instead of using individual users. That way you will get a much shorter access control list which is easier to handle. Access rights from multiple groups are summarized to calculate effective user access rights.
Other groups can also be added as group members, in this case, the user access rights will be calculated by summarizing the access rights from all the groups in the path to the user.
NetXMS has built-in virtual group called Everyone. This group always contains all users in the system. It cannot be deleted, and it’s members list cannot be edited.
System Access Rights¶
NetXMS has 2 types of access rights access rights per system that are described in this section and per object.
System access rights used to grant access to system-wide configuration (like Event processing) and functions (like agent registration).
The following system access rights can be granted:
|Access server console||Allow user to access server’s debug console. Server debug console|
|Configure event templates||Allow user to configure event templates. Event processing|
|Configure object tools||Allow user to configure object tools. Object Tools|
|Configure server actions||Allow user to configure server actions. Event processing|
|Configure situations||Allow user to configure situations. Event processing|
|Configure SNMP traps||Allow user to configure SNMP trap mapping.|
|Control user sessions||Allow user to see active user sessions and force terminate them. (Not yet implemented)|
|Edit event processing policy||Allow user to edit Event Processing Policy. Event processing|
|Edit server configuration variables||Allow user to edit server configuration variables.|
|Execute commands via XMPP||Allows user to execute commands via XMPP.|
|Login as mobile device||Allows user to login with help of mobile application.|
|Manage agent configurations||Allow user to create, edit and delete agent configurations stored on server. Agent configuration options from server|
|Manage all scheduled tasks||Allow user to create, edit and delete all Scheduled tasks.|
|Manage DCI summary table||Allows user to manage DCI summary table. Summary table|
|Manage image library||Allows user to manage image library. Image library|
|Manage mapping tables||Allows user to manage mapping tables.|
|Manage own scheduled tasks||Allow user to create new and modify Scheduled tasks created by the user.|
|Manage packages||Allow user to install, remove, and deploy server agent packages. Centralized agent upgrade|
|Manage server files||Allow user to upload files to server and delete files stored on server. Server File Managment|
|Manage script library||Allow user to manage scripts in Script Library.|
|Manage users||Allow user to manage user accounts. Please note that user having this access right granted can modify own account to get any other system right granted.|
|Manage user scheduled tasks||Allow user to create, edit and delete user`s Scheduled tasks.|
|Read server files||Allow user to read files stored on server and upload to agents (user still needs appropriate object rights for upload). Server File Managment|
|Register agents||Allow user to register NetXMS agents.|
|Reporting server access||Allow user to access the Reporting server configuration. Reporting|
|Schedule file upload||Allow user to schedule server file upload to an agent. Scheduled tasks|
|Schedule object maintenance||Allow user to schedule maintenance for an object. Scheduled tasks|
|Schedule script execution||Allow user to schedule script execution. Scheduled tasks|
|Send SMS||Allow user to send SMS via NetXMS server. This access right has no
effect unless server configuration variable
|Unlink helpdesk tickets||Allow user to unlink alarm from external heldesk system Integration with external HelpDesk.|
|View all alarms||Allow user to view all alarms generated by Event Processing Policy rules.|
|View audit log||Allow user to view audit log.|
|View event log||Allow user to view event log, alarm log.|
|View event templates configuration||Allow user to view configured event templates.|
|View SNMP trap log||Allow user to view SNMP trap log.|
By granting the View all alarms access right, the user (or members of the group) will have access to view all generated alarms. Should it be required to configure alarm viewing access for specific users or groups, please refer to Alarm Caregory Configurator.
This is the default method for user authentication. Password provided by user compared against password stored in NetXMS database.
Various restrictions can be put on internal passwords to force users to choose stronger passwords. The following server configuration variables controls password policy:
|MinPasswordLength||Default minimum password length for a NetXMS user. The default applied only if per-user setting is not defined.||0|
|PasswordComplexity||Required pasword complexity. See table bellow for details.||0|
|PasswordExpiration||Password expiration time in days. If set to
|PasswordHistoryLength||Number of previous passwords to keep. Users are not allowed to set password if it matches one from previous passwords list.||0|
Possible flags for
|1||Password must contain digits|
|2||Password must contain uppercase letters|
|4||Password must contain lowercase letters|
|8||Password must contain special characters|
|16||Forbid alphabetical sequences (password considered invalid if it contains alphabetical sequence of 3 or more letters of same case).|
|32||Forbid keyboard sequences (password considered invalid if it
contains sequence of 3 or more characters that are located on
keyboard next to each other, like
Complexity flags can be added together to get desired restrictions. For example, to
force passwords to contain uppercase and lowercase letters,
PasswordComplexity variable must be set to
2 + 4).
Changes to these configuration variables becomes effective immediately and does not require NetXMS server restart.
If RADIUS authentication method selected password provided by user
sent to RADIUS server for validation. User is granted access if RADIUS server
Access-Accept. Communication between NetXMS server and RADIUS
server controlled by the following server configuration variables:
|RADIUSNumRetries||The number of retries for RADIUS authentication.||5|
|RADIUSPort||Port number used for connection to primary RADIUS server.||1645|
|RADIUSSecondaryPort||Port number used for connection to secondary RADIUS server.||1645|
|RADIUSSecondarySecret||Shared secret used for communication with secondary RADIUS server.||netxms|
|RADIUSSecondaryServer||Host name or IP address of secondary RADIUS server.||none|
|RADIUSSecret||Shared secret used for communication with primary RADIUS server.||netxms|
|RADIUSServer||Host name or IP address of primary RADIUS server.||none|
|RADIUSTimeout||Timeout in seconds for requests to RADIUS server||3|
Changes to these configuration variables becomes effective immediately and does not require NetXMS server restart.
This type of authentication can be selected manually in user preferences.
Login process using certificate is following:
- Server send random challenge to client
- Client sign server’s challenge with his certificate’s private key and send signed challenge along with public part of certificate to server
- Server validates certificate using CA certificate
- If certificate is valid, server validates challenge signature using certificate’s public key
- If signature is valid, server compares certificate subject with mapping data from user record
- If mapping data match with certificate subject, access is granted
So, to login successfully, user must posses valid certificate with private key. Authentication by certificate also allows smart card login - you just need to store certificate used for login on smart card instead of local certificate store.
CA certificates can be managed in “Certificate Manager” view.
Certificate can be added, deleted and edited. Edit window allows to change comment and to copy the subject of certificate. Certificate subject is one of the ways to link a certificate with a user.
Integration with LDAP¶
New in version 1.2.15.
NetXMS can perform one-way synchronization of users and groups with external LDAP server. User list replica is refreshed automatically.
Already existing NetXMS users or groups will not be modified during initial synchronization (e.g. user “admin” or group “Everyone”).
LDAP synchronization configuration¶
Server parameters controlling LDAP synchronization:
Comma- or whitespace-separated list of URIs in a format schema://host:port. Supported schemas: ldap://, ldaps:// (LDAP over TLS), ldapi:// (LDAP over IPC), and cldap:// (connectionless LDAP).
Windows specific: for server based on Windows system this parameter should be set according to this rules: empty string(attempts to find the “default” LDAP server), a domain name, or a space-separated list of host names or dotted strings that represent the IP address of hosts running an LDAP server to which to connect. Each host name in the list can include an optional port number which is separated from the host itself with a colon (:).
Note: most LDAP implementations except recent versions of OpenLDAP do not support mixed schema types in the single connection string.
||User login for LDAP synchronization|
||User password for LDAP synchronization|
|LdapSearchBase||The LdapSearchBase configuration parameter is the DN of the entry at which to start the search.|
||The LdapSearchFilter is a string representation of the filter to apply in the search.|
||This parameter specifies what should be done while synchronization with deleted from LDAP user/group. 0 - if user should be just deleted from NetXMS DB. 1 - if it should be disabled. If it is chosen to disable user, then on LDAP sync user will be disabled and it’s description will be change on “LDAP entry was deleted.” Afterwards this user/group can be detached from LDAP and enabled if it is required or just deleted manually.||1|
||There should be specified name of attribute that’s value will be used as a user’s login name|
||There should be specified name of attribute that’s value will be used as a group’s login name|
|LdapMappingFullName||There should be specified name of attribute that’s value will be used as a user full name|
|LdapMappingDescription||There should be specified name of attribute that’s value will be used as a user description|
|LdapGroupClass||There is specified which object class represents group objects. If found entry will not be of a user ot group class, it will be just ignored.|
||There is specified which object class represents user objects. If found entry will not be of a user ot group class, it will be just ignored.|
|LdapGroupUniqueId||Unique identifier for LDAP group object. By default LDAP groups are identified by DN. If in your configuration DN can be changed any time it is useful to choose other attribute as unique group identifier.|
|LdapUserUniqueId||Unique identifier for LDAP user object. By default LDAP users are identified by DN. If in your configuration DN can be changed any time it is useful to choose other attribute as unique user identifier.|
||This parameter is for setting synchronization interval in minutes between NetXMS server and LDAP server. If synchronization parameter is set to 0 - synchronization will not be done.||0|
||Limit of records that can be returned in one search page.||1000|
* Required fields
Synchronization also can be done manually with ldapsync or just ldap command in server console.
LDAP users/groups relationships with native NetXMS users/groups¶
LDAP users and groups are handled in exactly the same was as users from internal database. Only difference is that LDAP group membership is refreshed on each synchronisation and any non-LDAP user will be removed from the group.
Login with help of LDAP user¶
Login process is completely transparent for the user - user name should match attribute set by LdapMappingName and password should be current LDAP password for that user.
LDAP configuration debuging¶
If users are not synchronized the reason can be found by running manually ldapsync or just ldap command in server console on debug lever 4.
Log when LDAP sync passed correctly:
[11-Sep-2014 16:28:08.352] [DEBUG] LDAPConnection::initLDAP(): Connecting to LDAP server [11-Sep-2014 16:28:08.353] [DEBUG] LDAPConnection::syncUsers(): Found entry count: 3 [11-Sep-2014 16:28:08.354] [DEBUG] LDAPConnection::syncUsers(): Found dn: CN=Users,CN=Customers,DC=Northwind,DC=Extranet [11-Sep-2014 16:28:08.354] [DEBUG] LDAPConnection::syncUsers(): CN=Users,CN=Customers,DC=Northwind,DC=Extranet is not a user nor a group [11-Sep-2014 16:28:08.354] [DEBUG] LDAPConnection::syncUsers(): Found dn: CN=zev333,CN=Users,CN=Customers,DC=Northwind,DC=Extranet [11-Sep-2014 16:28:08.354] [DEBUG] LDAPConnection::syncUsers(): User added: dn: CN=zev333,CN=Users,CN=Customers,DC=Northwind,DC=Extranet, login name: zev333, full name: (null), description: (null) [11-Sep-2014 16:28:08.354] [DEBUG] LDAPConnection::syncUsers(): Found dn: CN=user,CN=Users,CN=Customers,DC=Northwind,DC=Extranet [11-Sep-2014 16:28:08.354] [DEBUG] LDAPConnection::syncUsers(): User added: dn: CN=user,CN=Users,CN=Customers,DC=Northwind,DC=Extranet, login name: user, full name: (null), description: (null) [11-Sep-2014 16:28:08.354] [DEBUG] LDAPConnection::closeLDAPConnection(): Disconnect form ldap. [11-Sep-2014 16:28:08.354] [DEBUG] UpdateLDAPUsers(): User added: dn: CN=zev333,CN=Users,CN=Customers,DC=Northwind,DC=Extranet, login name: zev333, full name: (null), description: (null) [11-Sep-2014 16:28:08.354] [DEBUG] UpdateLDAPUsers(): User added: dn: CN=user,CN=Users,CN=Customers,DC=Northwind,DC=Extranet, login name: user, full name: (null), description: (null) [11-Sep-2014 16:28:08.354] [DEBUG] RemoveDeletedLDAPEntry(): Ldap uid=john,ou=People,dc=nodomain entry was removed form DB. [11-Sep-2014 16:28:08.354] [DEBUG] RemoveDeletedLDAPEntry(): Ldap uid=zev,ou=People,dc=nodomain entry was removed form DB. [11-Sep-2014 16:28:08.354] [DEBUG] RemoveDeletedLDAPEntry(): Ldap uid=kasio,ou=People,dc=nodomain entry was removed form DB. [11-Sep-2014 16:28:08.355] [DEBUG] RemoveDeletedLDAPEntry(): Ldap uid=usr1,ou=People,dc=nodomain entry was removed form DB.
Login credentials incorrect:
[11-Sep-2014 15:49:39.892] [DEBUG] LDAPConnection::initLDAP(): Connecting to LDAP server [11-Sep-2014 15:49:39.896] [DEBUG] LDAPConnection::loginLDAP(): LDAP could not login. Error code: Invalid credentials [11-Sep-2014 15:49:39.896] [DEBUG] LDAPConnection::syncUsers(): Could not login.
Search base is set incorrectly or sync user does not have access to it:
[11-Sep-2014 15:54:03.138] [DEBUG] LDAPConnection::initLDAP(): Connecting to LDAP server [11-Sep-2014 15:54:03.140] [DEBUG] LDAPConnection::syncUsers(): LDAP could not get search results. Error code: No such object
LDAP configuration examples¶
Managing User Accounts¶
All NetXMS user accounts can be managed from User Manager view available at in NetXMS Console. Only users with granted system right Manage users can access User Manager.
- To create new user account, select Create new user from view menu or context menu.
- To create new group, select Create new group from view menu or context menu.
- To delete user account, select it in the list, right-click, and select Delete from pop-up menu. You can delete multiple accounts at a time.
- To modify properties of user or group, select it in the list, right-click, and select Properties from pop-up menu.
- To reset user’s password, select user account in the list, right-click, and select Change password from pop-up menu.
All important user actions are written to audit log. There are two audit logging modes - internal and external. Internal audit logging is on by default and writes audit records into table in NetXMS database. External audit logging allows sending audit records to external system via syslog protocol. External audit logging is off by default. Audit logging controlled by the following server configuration variables:
|AuditLogRetentionTime||Retention time in days for the records in internal audit log. All records older than specified will be deleted by housekeeping process.||90|
|ExternalAuditFacility||Syslog facility to be used in audit log records sent to external server.||13|
|ExternalAuditPort||UDP port of external syslog server to send audit records to.||514|
|ExternalAuditServer||External syslog server to send audit records to. If set to none, external audit logging is disabled.||none|
|ExternalAuditSeverity||Syslog severity to be used in audit log records sent to external server.||5|
|ExternalAuditTag||Syslog tag to be used in audit log records sent to external server.||netxmsd-audit|