Precedence Technologies Ltd
Technology House, 36a Union Lane
Cambridge, CB4 1QB, United Kingdom
T: +44 (0)8456 446 800 / +44 (0)1223 359900
F: +44 (0)8456 446 899 / +44 (0)1223 359459
E: enquiries@precedence.co.uk
Passwords

Password Management

Password authentication on the NetManager is required for many services such as:

If the NetManager is stand-alone, passwords are checked against the local password file. This is a one-way encrypted text file (offering easy backup and restoration without allowing the passwords to be recovered). If the password field in the file is empty, no password will be required (but many services, e.g. IMAP and FTP, will not allow login without a password being specified). Alternatively, the account can exist but have an invalid password field (just a *); this will not allow the user to log on at all unless they can be authenticated using a different method (e.g. see LDAP authentication below).

NetManager passwords are changed by simply going to http://netmanager/pass/ from a web browser on your internal network. By default, if the NetManager is part of Active Directory, the password will be changed on Active Directory first and, if this succeeds, the new password will then be forced on the NetManager. In this way, passwords are kept in sync between the two systems.

The behaviour of the password-changing page can be altered by going to Security > Passwords in webadmin (default Password Changing tab). Any combination of change on NetManager and change on Active Directory can be configured.

You may change passwords from the Console Menu by choosing option A (Ongoing server administration) and then choosing one of:

  • R Change 'root' password
  • N Change 'ncadmin' password
  • O Change other passwords

This is probably the best method to alter the root and ncadmin passwords.

LDAP authentication

Alternatively, all passwords can be checked against Active Directory (technically LDAP) first. If this fails, it will fall back to the standard NetManager password check. This means that passwords can be changed using standard Windows mechanisms (such as Ctrl-Alt-Delete or Active Directory Users and Computers). Note that this means both the LDAP and NetManager passwords will work.

To enable LDAP authentication, go to Security > Passwords in webadmin and then choose the Authentication Method tab. You may alter the domain and directory servers to test against; by default they are the internal DNS domain and the server(s) configured when joining the domain.

Advanced configuration

The authentication mechanisms used are controlled by setting authentication_type in the NetManager configuration file. The default value is local, which checks NetManager passwords only. Enabling LDAP authentication as above sets authentication_type to ldap. However, it is possible to achieve much finer control than this so that, for example, you can:

  • Connect to other LDAP servers rather than Active Directory (e.g. Apple OpenDirectory)
  • Alter the order of the mechanisms in which passwords are checked

To enable advanced mode, set authentication_type to multi. You may then define your own authentication schemes and specify the order in which they will be checked by listing them in authentication_schemes. The scheme local is always automatically defined, but you may choose whether to use it or not.

To define your own scheme, just give it a single-word name. You must then define the servers to use in authentication_servers_<SCHEME>, e.g. ldap://10.0.0.2 to make an LDAP connection to 10.0.0.2. You may also define the name format to use when connecting to the LDAP server in authentication_dn_<SCHEME>; %USER will be replaced by the current username and %DOMAIN by the Windows domain that the NetManager is joined to. If not specified, the default is %USER@%DOMAIN (which is accepted by Active Directory).

You may optionally specify a list of users and groups that will use this scheme (based on NetManager groups) in authentication_users_<SCHEME>; groups are specified beginning with @. If you do not specify a list of users/groups, all users will use this scheme. For the local scheme, this list effectively specifies which users will also have their password checked locally even if LDAP rejects the username/password.

If you do not specify local in your list of schemes, no local users' passwords will be checked except for system users (i.e. root, ncadmin and any other users in group wheel).

For example:

authentication_type="multi"
authentication_schemes="activedirectory opendirectory"
authentication_servers_opendirectory="ldap://10.0.0.2"
authentication_dn_opendirectory="uid=%USER,cn=Users,dc=open,dc=domain,dc=local"
authentication_servers_activedirectory="ldap://10.0.0.3"
authentication_dn_activedirectory="%USER@%DOMAIN"
authentication_users_activedirectory="@admin"

This defines two authentication schemes: activedirectory and opendirectory. The two schemes have different servers and different username formats. Scheme activedirectory is checked before opendirectory, but only users in the NetManager group admin are checked against activedirectory. The steps taken are:

  1. Is the user in group wheel (e.g. root, ncadmin)? If so, and the password matches the one stored on the NetManager, allow login.
  2. Is the user in group admin? If so, and the username/password is accepted by Active Directory, allow login.
  3. Otherwise, check the username/password against Open Directory.
  4. If the username/password is not approved by Open Directory, reject the login.
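An added example (not NetManager's own code) that models the scheme-resolution steps above in Python: the page's example configuration is copied into a dict, and the backends, passwords, user names and the domain name EXAMPLE are constructed stand-ins for the real LDAP binds.

```python
# Constructed copy of the page's example config, as a dict instead of the config file.
CONF = {
    "authentication_type": "multi",
    "authentication_schemes": "activedirectory opendirectory",
    "authentication_servers_opendirectory": "ldap://10.0.0.2",
    "authentication_dn_opendirectory": "uid=%USER,cn=Users,dc=open,dc=domain,dc=local",
    "authentication_servers_activedirectory": "ldap://10.0.0.3",
    "authentication_dn_activedirectory": "%USER@%DOMAIN",
    "authentication_users_activedirectory": "@admin",
}

def scheme_applies(conf, scheme, user, groups):
    # authentication_users_<SCHEME>: absent or empty means everyone; "@name" is a NetManager group
    spec = conf.get(f"authentication_users_{scheme}", "").split()
    return not spec or any(e == user or (e.startswith("@") and e[1:] in groups) for e in spec)

def auth_chain(conf, user, groups, domain):
    # Ordered (scheme, server, bind_name) checks for this user; assumes authentication_type="multi".
    chain = []
    if "wheel" in groups:                      # step 1: system users always get a local check first
        chain.append(("local", None, user))
    for scheme in conf.get("authentication_schemes", "").split():
        if not scheme_applies(conf, scheme, user, groups):
            continue                           # e.g. users outside @admin skip activedirectory
        if scheme == "local":                  # local only runs for other users if listed explicitly
            if "wheel" not in groups:
                chain.append(("local", None, user))
            continue
        bind = conf.get(f"authentication_dn_{scheme}", "%USER@%DOMAIN")
        bind = bind.replace("%USER", user).replace("%DOMAIN", domain)
        chain.append((scheme, conf.get(f"authentication_servers_{scheme}"), bind))
    return chain

def authenticate(conf, user, password, groups, domain, backends):
    # backends: scheme -> callable(server, bind_name, password) -> bool.
    # Returns the first scheme that accepts the password, or None when every check rejects it.
    for scheme, server, bind in auth_chain(conf, user, groups, domain):
        if backends[scheme](server, bind, password):
            return scheme
    return None

# Constructed stand-in backends with made-up passwords; a real NetManager binds to the LDAP servers.
FAKE_BACKENDS = {
    "local": lambda server, who, pw: (who, pw) == ("root", "r00t-local"),
    "activedirectory": lambda server, who, pw: (who, pw) == ("alice@EXAMPLE", "ad-secret"),
    "opendirectory": lambda server, who, pw: who.startswith("uid=bob,") and pw == "od-secret",
}
```

Because local is not listed in authentication_schemes, a non-wheel user such as alice never gets a local check, which is the behaviour described for system-only local fallback.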
© Copyright Precedence Technologies 1999-2017
Page last modified on June 29, 2016, at 04:30 PM by sborrill