External Authentication
If you have an existing directory for authenticating users, you can configure Horizon to use that system to grant users access to log in, in addition to allowing log in from users defined directly within your Horizon server.
Configure external authentication
The Horizon web app uses Spring Security for its user authentication, authorization, and accounting (AAA) concerns.
The Spring Security configuration files are located in ${OPENNMS_HOME}/jetty-webapps/opennms/WEB-INF.
Only one authentication service can be enabled in the spring-security.d subdirectory.
The following files are used for external authentication:
File | Description |
---|---|
applicationContext-spring-security.xml | The main Spring Security context configuration file for the OpenNMS web app. The |
spring-security.d/* | Directory containing example files for common use cases. You must copy one of these files, rename it, and edit its details. There cannot be more than one active |
*.xml.disabled | Skeleton files included with Horizon as starting files for your configuration. The |
Anatomy of an LDAP configuration
Whether the authentication source is an Active Directory, a Novell eDirectory, or some other LDAP-enabled directory, the basic components (expressed as "beans" in Spring Framework lingo) that need to exist and be configured are the same.
While Active Directory and OpenLDAP (and others) implement the same LDAP protocol, their schemas are substantially different.
The biggest difference is the memberOf attribute, which is not supported by the default LDAP v3 specification and is not present in common OpenLDAP installs, but comes standard with AD.
This has a significant implication in that you cannot filter a user search by nested group membership, and most installs tend not to be fully hierarchical.
You can either create dedicated per-role LDAP groups or map existing groups to roles by selecting and configuring the appropriate userGroupLdapAuthoritiesPopulator.
Property | Description |
---|---|
authenticationSource | Provide credentials to bind to your directory in the |
contextSource | Define your LDAP server URLs and search base. If you have multiple LDAP servers, include them as separate |
userGroupLdapAuthoritiesPopulator | Define where Spring Security should find groups in your directory. By defining |
userSearch | Define where Spring Security should find users in your directory. |
If your directory requires an SSL connection and is signed with a private certificate authority, make sure to add the certificates to your truststore.
You must restart Horizon after making any changes to your Spring Security configuration.
Before doing this, we recommend you make sure that your changes have not led to malformed .xml files:
xmllint --noout applicationContext-spring-security.xml spring-security.d/*.xml
If this command produces no output, then the .xml files are well formed.
If your configuration is set correctly, you will be able to log in to the Horizon web UI using your directory credentials after restarting OpenNMS.
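A pre-restart check that combines the two rules above (a single active file in spring-security.d, and well-formed XML) is shown here as an added example, not part of the Horizon distribution. It assumes an "active" file is one whose name ends in .xml (anything ending in .xml.disabled is ignored), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check the Spring Security configuration before
# restarting Horizon. Pass the WEB-INF directory as the first argument.

# Print how many active (*.xml, not *.xml.disabled) files exist in
# spring-security.d under the given WEB-INF directory.
count_active() {
    n=0
    for f in "$1"/spring-security.d/*.xml; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Return 0 when the configuration is safe to restart with:
#   1 = more than one active file, or a malformed XML file
#   2 = xmllint is not installed
preflight() {
    webinf=$1
    active=$(count_active "$webinf")
    if [ "$active" -gt 1 ]; then
        echo "ERROR: $active active files in spring-security.d; only one is allowed" >&2
        return 1
    fi
    if ! command -v xmllint >/dev/null 2>&1; then
        echo "ERROR: xmllint not found; cannot check well-formedness" >&2
        return 2
    fi
    # Build the file list explicitly so an unmatched glob is never passed on.
    set -- "$webinf/applicationContext-spring-security.xml"
    for f in "$webinf"/spring-security.d/*.xml; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    # Same check as on this page: no output and exit 0 means well formed.
    xmllint --noout "$@" || return 1
    echo "OK: $active active authentication file(s), XML well formed"
}

# Run only when a directory is supplied on the command line.
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

Run it as `sh preflight.sh "${OPENNMS_HOME}/jetty-webapps/opennms/WEB-INF"` (the script name is an assumption) and restart only when it exits 0.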