User management

Introduction

NetXMS has it’s own user database. All NetXMS user accounts stored in backend SQL database. Each account has it’s own unique login name and identifier. The account may also have a password.

Terms and Definitions

Users

NetXMS has the following attributes for users:

  • Unique identifier

  • Unique login name

  • First name

  • Last name

  • Description

  • Authentication method

  • Password

  • Certificate

Not all attributes are mandatory.

Superuser

Note

Before version 2.1-M0 there was only 1 default user admin with user ID 0 and access to everything by default. After version 2.1-M0 admin was made a normal user which can be deleted or disabled. As a default user with access to everything was created system user, that by default is disabled.

NetXMS has built-in superuser with ID 0, which always has full access to the system. Default login name for superuser is system. By default user is disabled. Superuser account can be renamed or disabled/enabled, but cannot be deleted.

System user can be used to correct access rights to object, that exists, but none has access to it.

Groups

Each user can be member of several groups. Groups are the preferred way to organize access permissions. You should always grant permission to groups instead of using individual users. That way you will get a much shorter access control list which is easier to handle. Access rights from multiple groups are summarized to calculate effective user access rights.

Other groups can also be added as group members, in this case, the user access rights will be calculated by summarizing the access rights from all the groups in the path to the user.

Everyone Group

NetXMS has built-in virtual group called Everyone. This group always contains all users in the system. It cannot be deleted, and it’s members list cannot be edited.

System Access Rights

NetXMS has 2 types of access rights access rights per system that are described in this section and per object.

System access rights used to grant access to system-wide configuration (like Event processing) and functions (like agent registration).

_images/user_access_rights.png

The following system access rights can be granted:

Access Right

Description

Access server console

Allow user to access server’s debug console. Server debug console

Configure event templates

Allow user to configure event templates. Event processing

Configure object tools

Allow user to configure object tools. Object Tools

Configure server actions

Allow user to configure server actions. Event processing

Configure SNMP traps

Allow user to configure SNMP trap mapping.

Control user sessions

Allow user to see active user sessions and force terminate them. (Not yet implemented)

Edit event processing policy

Allow user to edit Event Processing Policy. Event processing

Edit server configuration variables

Allow user to edit server configuration variables.

Execute commands via XMPP

Allows user to execute commands via XMPP.

Login as mobile device

Allows user to login with help of mobile application.

Manage agent configurations

Allow user to create, edit and delete agent configurations stored on server. Agent configuration options from server

Manage all scheduled tasks

Allow user to create, edit and delete all Scheduled tasks.

Manage DCI summary table

Allows user to manage DCI summary table. Summary table

Manage image library

Allows user to manage image library. Image library

Manage mapping tables

Allows user to manage mapping tables.

Manage own scheduled tasks

Allow user to create new and modify Scheduled tasks created by the user.

Manage packages

Allow user to install, remove, and deploy server agent packages. Centralized agent upgrade

Manage server files

Allow user to upload files to server and delete files stored on server. Server File Management

Manage script library

Allow user to manage scripts in Script Library.

Manage users

Allow user to manage user accounts. Please note that user having this access right granted can modify own account to get any other system right granted.

Manage user scheduled tasks

Allow user to create, edit and delete user`s Scheduled tasks.

Read server files

Allow user to read files stored on server and upload to agents (user still needs appropriate object rights for upload). Server File Management

Register agents

Allow user to register NetXMS agents.

Reporting server access

Allow user to access the Reporting server configuration. Reporting

Schedule file upload

Allow user to schedule server file upload to an agent. Scheduled tasks

Schedule object maintenance

Allow user to schedule maintenance for an object. Scheduled tasks

Schedule script execution

Allow user to schedule script execution. Scheduled tasks

Send notifications

Allow user to send notifications via NetXMS server. This access right has no effect unless server configuration variable AllowDirectNotifications set to 1.

Unlink helpdesk tickets

Allow user to unlink alarm from external helpdesk system Integration with external HelpDesk.

View all alarms

Allow user to view all alarms generated by Event Processing Policy rules.

View audit log

Allow user to view audit log.

View event log

Allow user to view event log, alarm log.

View event templates configuration

Allow user to view configured event templates.

View SNMP trap log

Allow user to view SNMP trap log.

By granting the View all alarms access right, the user (or members of the group) will have access to view all generated alarms. Should it be required to configure alarm viewing access for specific users or groups, please refer to Alarm Category Configurator.

User Authentication

Internal Password

This is the default method for user authentication. Password provided by user compared against password stored in NetXMS database.

Password Policy

Various restrictions can be put on internal passwords to force users to choose stronger passwords. The following server configuration variables controls password policy:

Variable

Description

Default

MinPasswordLength

Default minimum password length for a NetXMS user. The default applied only if per-user setting is not defined.

0

PasswordComplexity

Required password complexity. See table bellow for details.

0

PasswordExpiration

Password expiration time in days. If set to 0, password expiration is disabled. Has no effect on users with Password never expired flag set.

0

PasswordHistoryLength

Number of previous passwords to keep. Users are not allowed to set password if it matches one from previous passwords list.

0

Possible flags for PasswordComplexity:

Value

Description

1

Password must contain digits

2

Password must contain uppercase letters

4

Password must contain lowercase letters

8

Password must contain special characters

16

Forbid alphabetical sequences (password considered invalid if it contains alphabetical sequence of 3 or more letters of same case).

32

Forbid keyboard sequences (password considered invalid if it contains sequence of 3 or more characters that are located on keyboard next to each other, like ASDF).

Complexity flags can be added together to get desired restrictions. For example, to force passwords to contain uppercase and lowercase letters, PasswordComplexity variable must be set to 6 (2 + 4).

Changes to these configuration variables becomes effective immediately and does not require NetXMS server restart.

RADIUS

If RADIUS authentication method selected password provided by user sent to RADIUS server for validation. User is granted access if RADIUS server responds with Access-Accept. Communication between NetXMS server and RADIUS server controlled by the following server configuration variables:

Variable

Description

Default value

RADIUSNumRetries

The number of retries for RADIUS authentication.

5

RADIUSPort

Port number used for connection to primary RADIUS server.

1645

RADIUSSecondaryPort

Port number used for connection to secondary RADIUS server.

1645

RADIUSSecondarySecret

Shared secret used for communication with secondary RADIUS server.

netxms

RADIUSSecondaryServer

Host name or IP address of secondary RADIUS server.

none

RADIUSSecret

Shared secret used for communication with primary RADIUS server.

netxms

RADIUSServer

Host name or IP address of primary RADIUS server.

none

RADIUSTimeout

Timeout in seconds for requests to RADIUS server

3

Changes to these configuration variables becomes effective immediately and does not require NetXMS server restart.

Certificate Authentication

This type of authentication can be selected manually in user preferences.

Login process using certificate is following:

  1. Server send random challenge to client

  2. Client sign server’s challenge with his certificate’s private key and send signed challenge along with public part of certificate to server

  3. Server validates certificate using CA certificate

  4. If certificate is valid, server validates challenge signature using certificate’s public key

  5. If signature is valid, server compares certificate subject with mapping data from user record

  6. If mapping data match with certificate subject, access is granted

So, to login successfully, user must posses valid certificate with private key. Authentication by certificate also allows smart card login - you just need to store certificate used for login on smart card instead of local certificate store.

Certificate management

CA certificates can be managed in “Certificate Manager” view.

Certificate can be added, deleted and edited. Edit window allows to change comment and to copy the subject of certificate. Certificate subject is one of the ways to link a certificate with a user.

_images/certificate_view.png

CAS authentication

Central Authentication Service (CAS) single sign-on is supported in web interface only. The following server configuration parameters control CAS operation: CAS.AllowedProxies, CAS.Host, CAS.Port, CAS.Service, CAS.TrustedCACert, CAS.ValidateURL. See Server configuration parameters for the expanation of mentioned parameter meaning.

Changes to these configuration variables becomes effective immediately and does not require NetXMS server restart.

Integration with LDAP

New in version 1.2.15.

NetXMS can perform one-way synchronization of users and groups with external LDAP server. User list replica is refreshed automatically.

Already existing NetXMS users or groups will not be modified during initial synchronization (e.g. user “admin” or group “Everyone”).

LDAP synchronization configuration

Server parameters controlling LDAP synchronization:

Variable

Description

Default value

LdapConnectionString *

Comma- or whitespace-separated list of URIs in a format schema://host:port. Supported schemas: ldap://, ldaps:// (LDAP over TLS), ldapi:// (LDAP over IPC), and cldap:// (connectionless LDAP).

Windows specific: for server based on Windows system this parameter should be set according to this rules: empty string(attempts to find the “default” LDAP server), a domain name, or a space-separated list of host names or dotted strings that represent the IP address of hosts running an LDAP server to which to connect. Each host name in the list can include an optional port number which is separated from the host itself with a colon (:).

Note: most LDAP implementations except recent versions of OpenLDAP do not support mixed schema types in the single connection string.

ldap://localhost:389

LdapSyncUser *

User login for LDAP synchronization

LdapSyncUserPassword *

User password for LDAP synchronization

LdapSearchBase

The LdapSearchBase configuration parameter is the DN of the entry at which to start the search.

LdapSearchFilter *

The LdapSearchFilter is a string representation of the filter to apply in the search.

LdapUserDeleteAction *

This parameter specifies what should be done while synchronization with deleted from LDAP user/group. 0 - if user should be just deleted from NetXMS DB. 1 - if it should be disabled. If it is chosen to disable user, then on LDAP sync user will be disabled and it’s description will be change on “LDAP entry was deleted.” Afterwards this user/group can be detached from LDAP and enabled if it is required or just deleted manually.

1

LdapUserMappingName *

There should be specified name of attribute that’s value will be used as a user’s login name

LdapGroupMappingName *

There should be specified name of attribute that’s value will be used as a group’s login name

LdapMappingFullName

There should be specified name of attribute that’s value will be used as a user full name

LdapMappingDescription

There should be specified name of attribute that’s value will be used as a user description

LdapGroupClass

There is specified which object class represents group objects. If found entry will not be of a user ot group class, it will be just ignored.

LdapUserClass *

There is specified which object class represents user objects. If found entry will not be of a user ot group class, it will be just ignored.

LdapGroupUniqueId

Unique identifier for LDAP group object. By default LDAP groups are identified by DN. If in your configuration DN can be changed any time it is useful to choose other attribute as unique group identifier.

LdapUserUniqueId

Unique identifier for LDAP user object. By default LDAP users are identified by DN. If in your configuration DN can be changed any time it is useful to choose other attribute as unique user identifier.

LdapSyncInterval *

This parameter is for setting synchronization interval in minutes between NetXMS server and LDAP server. If synchronization parameter is set to 0 - synchronization will not be done.

0

LdapPageSize *

Limit of records that can be returned in one search page.

1000

* Required fields

Synchronization also can be done manually with ldapsync or just ldap command in server console.

LDAP users/groups relationships with native NetXMS users/groups

LDAP users and groups are handled in exactly the same was as users from internal database. Only difference is that LDAP group membership is refreshed on each synchronisation and any non-LDAP user will be removed from the group.

Login with help of LDAP user

Login process is completely transparent for the user - user name should match attribute set by LdapMappingName and password should be current LDAP password for that user.

LDAP configuration debugging

If users are not synchronized the reason can be found by running manually ldapsync or just ldap command in server console on debug lever 4.

Log when LDAP sync passed correctly:

[11-Sep-2014 16:28:08.352] [DEBUG] LDAPConnection::initLDAP(): Connecting to LDAP server
[11-Sep-2014 16:28:08.353] [DEBUG] LDAPConnection::syncUsers(): Found entry count: 3
[11-Sep-2014 16:28:08.354] [DEBUG] LDAPConnection::syncUsers(): Found dn: CN=Users,CN=Customers,DC=Northwind,DC=Extranet
[11-Sep-2014 16:28:08.354] [DEBUG] LDAPConnection::syncUsers(): CN=Users,CN=Customers,DC=Northwind,DC=Extranet is not a user nor a group
[11-Sep-2014 16:28:08.354] [DEBUG] LDAPConnection::syncUsers(): Found dn: CN=zev333,CN=Users,CN=Customers,DC=Northwind,DC=Extranet
[11-Sep-2014 16:28:08.354] [DEBUG] LDAPConnection::syncUsers(): User added: dn: CN=zev333,CN=Users,CN=Customers,DC=Northwind,DC=Extranet, login name: zev333, full name: (null), description: (null)
[11-Sep-2014 16:28:08.354] [DEBUG] LDAPConnection::syncUsers(): Found dn: CN=user,CN=Users,CN=Customers,DC=Northwind,DC=Extranet
[11-Sep-2014 16:28:08.354] [DEBUG] LDAPConnection::syncUsers(): User added: dn: CN=user,CN=Users,CN=Customers,DC=Northwind,DC=Extranet, login name: user, full name: (null), description: (null)
[11-Sep-2014 16:28:08.354] [DEBUG] LDAPConnection::closeLDAPConnection(): Disconnect from ldap.
[11-Sep-2014 16:28:08.354] [DEBUG] UpdateLDAPUsers(): User added: dn: CN=zev333,CN=Users,CN=Customers,DC=Northwind,DC=Extranet, login name: zev333, full name: (null), description: (null)
[11-Sep-2014 16:28:08.354] [DEBUG] UpdateLDAPUsers(): User added: dn: CN=user,CN=Users,CN=Customers,DC=Northwind,DC=Extranet, login name: user, full name: (null), description: (null)
[11-Sep-2014 16:28:08.354] [DEBUG] RemoveDeletedLDAPEntry(): Ldap uid=john,ou=People,dc=nodomain entry was removed from DB.
[11-Sep-2014 16:28:08.354] [DEBUG] RemoveDeletedLDAPEntry(): Ldap uid=zev,ou=People,dc=nodomain entry was removed from DB.
[11-Sep-2014 16:28:08.354] [DEBUG] RemoveDeletedLDAPEntry(): Ldap uid=kasio,ou=People,dc=nodomain entry was removed from DB.
[11-Sep-2014 16:28:08.355] [DEBUG] RemoveDeletedLDAPEntry(): Ldap uid=usr1,ou=People,dc=nodomain entry was removed from DB.

Login credentials incorrect:

[11-Sep-2014 15:49:39.892] [DEBUG] LDAPConnection::initLDAP(): Connecting to LDAP server
[11-Sep-2014 15:49:39.896] [DEBUG] LDAPConnection::loginLDAP(): LDAP could not login. Error code: Invalid credentials
[11-Sep-2014 15:49:39.896] [DEBUG] LDAPConnection::syncUsers(): Could not login.

Search base is set incorrectly or sync user does not have access to it:

[11-Sep-2014 15:54:03.138] [DEBUG] LDAPConnection::initLDAP(): Connecting to LDAP server
[11-Sep-2014 15:54:03.140] [DEBUG] LDAPConnection::syncUsers(): LDAP could not get search results. Error code: No such object

LDAP configuration examples

Active Directory

Variable

Value

LdapConnectionString

ldap://10.5.0.35:389

LdapSyncUser

CN=user,CN=Users,CN=Customers,DC=Domain,DC=Extranet

LdapSyncUserPassword

xxxxxxxx

LdapSearchBase

CN=Customers,DC=Domain,DC=Extranet

LdapSearchFilter

(objectClass=*)

LdapUserDeleteAction

1

LdapMappingName

sAMAccountName

LdapMappingFullName

displayName

LdapMappingDescription

description

LdapGroupClass

group

LdapUserClass

user

LdapGroupUniqueId

objectGUID

LdapUserUniqueId

objectGUID

LdapSyncInterval

1440

Open LDAP

Variable

Value

LdapConnectionString

ldap://10.5.0.35:389

LdapSyncUser

cn=admin,dc=nodomain

LdapSyncUserPassword

xxxxxxxx

LdapSearchBase

dc=nodomain

LdapSearchFilter

(objectClass=*)

LdapUserDeleteAction

1

LdapMappingName

cn

LdapMappingFullName

displayName

LdapMappingDescription

description

LdapGroupClass

groupOfNames

LdapUserClass

inetOrgPerson

LdapGroupUniqueId

entryUUID

LdapUserUniqueId

entryUUID

LdapSyncInterval

1440

Managing User Accounts

All NetXMS user accounts can be managed from User Manager view available at Configuration ‣ User Manager in NetXMS Console. Only users with granted system right Manage users can access User Manager.

  • To create new user account, select Create new user from view menu or context menu.

  • To create new group, select Create new group from view menu or context menu.

  • To delete user account, select it in the list, right-click, and select Delete from pop-up menu. You can delete multiple accounts at a time.

  • To modify properties of user or group, select it in the list, right-click, and select Properties from pop-up menu.

  • To reset user’s password, select user account in the list, right-click, and select Change password from pop-up menu.

Audit

All important user actions are written to audit log. There are two audit logging modes - internal and external. Internal audit logging is on by default and writes audit records into table in NetXMS database. External audit logging allows sending audit records to external system via syslog protocol. External audit logging is off by default. Audit logging controlled by the following server configuration variables:

Variable

Description

Default value

AuditLogRetentionTime

Retention time in days for the records in internal audit log. All records older than specified will be deleted by housekeeping process.

90

EnableAuditLog

Enable (1) or disable (0) audit logging.

1

ExternalAuditFacility

Syslog facility to be used in audit log records sent to external server.

13

ExternalAuditPort

UDP port of external syslog server to send audit records to.

514

ExternalAuditServer

External syslog server to send audit records to. If set to none, external audit logging is disabled.

none

ExternalAuditSeverity

Syslog severity to be used in audit log records sent to external server.

5

ExternalAuditTag

Syslog tag to be used in audit log records sent to external server.

netxmsd-audit