Password authentication on the NetManager is required for many services such as:
If the NetManager is stand-alone, passwords are checked against the local password file. This is a text file in which each password is stored as a one-way hash, so it can be backed up and restored easily without the passwords being recoverable from it. If the password field of an account is empty, no password is required (but many services, e.g. IMAP and FTP, will not permit a login without a password being supplied). Alternatively, the account can exist but have an invalid password field (just a *); such a user cannot log on at all unless they can be authenticated by a different method (e.g. LDAP, see below).
NetManager passwords are changed by going to http://netmanager/pass/ from a web browser on your internal network. By default, if the NetManager is part of an Active Directory domain, the password is changed on Active Directory first and, only if this succeeds, the new password is also set on the NetManager. In this way passwords are kept in sync between the two systems.
The behaviour of the password-changing page can be altered under Security > Passwords in webadmin (the default Password Changing tab). Any combination of change on NetManager and change on Active Directory can be configured.
You may also change passwords from the Console Menu by choosing option A Ongoing server administration and then one of:
- R Change 'root' password
- N Change 'ncadmin' password
- O Change other passwords
Alternatively, all passwords can be checked against Active Directory (technically, via LDAP) first; if that check fails, the NetManager falls back to the standard local password check. This means that passwords can be changed using standard Windows mechanisms (such as Ctrl-Alt-Delete or Active Directory Users and Computers). Note that this also means both the Active Directory password and the local NetManager password will work: a local password that is no longer kept in sync stays valid until it is changed or invalidated.
To enable LDAP authentication, go to Security > Passwords in webadmin and choose the Authentication Method tab. You may alter the domain and directory servers to test against; by default they are the internal DNS domain and the server(s) configured when joining the domain.
The authentication mechanisms used are controlled by the setting authentication_type in the NetManager configuration file. The default value is local, which checks NetManager passwords only. Enabling LDAP authentication as above sets it to ldap. However, it is possible to achieve much finer control than this so that, for example, you can:
- Connect to other LDAP servers rather than Active Directory (e.g. Apple OpenDirectory)
- Alter the order of the mechanisms in which passwords are checked
To enable advanced mode, set authentication_type to multi. You may then define your own authentication schemes and specify the order in which they will be checked by listing them in authentication_schemes. The scheme local is always automatically defined, but you may choose whether to use it or not.
To define your own scheme, just give it a single-word name. You must then define the servers to use in authentication_servers_<SCHEME>, e.g. ldap://10.0.0.2 to make an LDAP connection to 10.0.0.2. You may also define the name format to use when connecting to the LDAP server in authentication_dn_<SCHEME>: %USER will be replaced by the current username and %DOMAIN by the Windows domain that the NetManager is joined to. If not specified, the default is %USER@%DOMAIN (which is accepted by Active Directory).
You may optionally specify a list of users and groups that will use this scheme (based on NetManager groups) in authentication_users_<SCHEME>; groups are specified beginning with @. If you do not specify a list of users/groups, all users will use this scheme. For the local scheme this list effectively specifies which users will also have their password checked locally even if LDAP rejects the username/password.
For example:
    authentication_type="multi"
    authentication_schemes="activedirectory opendirectory"
    authentication_servers_opendirectory="ldap://10.0.0.2"
    authentication_dn_opendirectory="uid=%USER,cn=Users,dc=open,dc=domain,dc=local"
    authentication_servers_activedirectory="ldap://10.0.0.3"
    authentication_dn_activedirectory="%USER@%DOMAIN"
    authentication_users_activedirectory="@admin"
This defines two authentication schemes: activedirectory and opendirectory. The two schemes have different servers and different username formats. Scheme activedirectory is checked before opendirectory, but only users in the NetManager group admin are checked against activedirectory. The steps taken are:
- Is the user in group wheel (e.g. root, ncadmin)? If so, and the password matches the one held on the NetManager, allow the login
- Is the user in group admin? If so, and the username/password is accepted by Active Directory, allow the login
- Otherwise check the username/password against Open Directory
- If the username/password is not accepted by Open Directory, reject the login
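The following is an added model of the check order described above; it is not NetManager code. The directory servers, the local password file, the group memberships, the joined domain name and the default domain controller URL are all constructed in memory, and because the page does not state which one-way hash the local file uses, a salted SHA-256 stands in for it. The walk-through's first step (wheel members checked locally before any configured scheme) is modelled as a built-in, which is an assumption drawn from that walk-through.

```python
"""Toy model of NetManager's password-check order (added illustration,
not NetManager code).  Directories and the local password file are
constructed in-memory stand-ins; salted SHA-256 stands in for the real hash."""
import hashlib
import shlex

DOMAIN = "example.local"               # constructed: the joined Windows domain
DEFAULT_AD_SERVER = "ldap://10.0.0.3"  # constructed: server recorded at join time


def hash_pw(password):
    return hashlib.sha256(("demo-salt" + password).encode()).hexdigest()


# Constructed local password file.  Empty field: no password required.
# "*": invalid field, so the local check can never accept this user.
LOCAL_PASSWD = {
    "root": hash_pw("r00tpass"),
    "ncadmin": hash_pw("nc4dmin"),
    "alice": hash_pw("old-local-pass"),   # stale copy of an earlier password
    "carol": "",
    "dave": "*",
}
GROUPS = {"wheel": {"root", "ncadmin"}, "admin": {"alice"}}

# Constructed directories: server URL -> bind name -> password.
DIRECTORIES = {
    "ldap://10.0.0.3": {"alice@example.local": "ad-pass",
                        "bob@example.local": "bob-ad-pass"},
    "ldap://10.0.0.2": {"uid=alice,cn=Users,dc=open,dc=domain,dc=local": "od-pass",
                        "uid=bob,cn=Users,dc=open,dc=domain,dc=local": "bob-od-pass"},
}


def parse_config(text):
    """Parse shell-style key="value" settings into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(text) if "=" in tok)


def check_local(user, password):
    field = LOCAL_PASSWD.get(user)
    if field is None or field == "*":
        return False                   # unknown account or invalid field
    if field == "":
        return True                    # empty field: no password required
    return field == hash_pw(password)


def check_ldap(server, dn_format, user, password):
    """Simulate a bind with the expanded %USER/%DOMAIN name."""
    name = dn_format.replace("%USER", user).replace("%DOMAIN", DOMAIN)
    return DIRECTORIES.get(server, {}).get(name) == password


def scheme_applies(cfg, scheme, user):
    """authentication_users_<SCHEME>: users and @groups; absent means everyone."""
    spec = cfg.get("authentication_users_" + scheme)
    if spec is None:
        return True
    return any(user in GROUPS.get(e[1:], ()) if e.startswith("@") else e == user
               for e in spec.split())


def scheme_order(cfg):
    atype = cfg.get("authentication_type", "local")
    if atype == "local":
        return ["local"]
    if atype == "ldap":
        return ["ldap", "local"]       # directory first, local as fallback
    return cfg["authentication_schemes"].split()


def authenticate(cfg, user, password):
    """Return the scheme that accepted the login, or None if all rejected."""
    # Walk-through step 1, modelled as a built-in: wheel members are
    # checked against the local file before any configured scheme.
    if user in GROUPS["wheel"] and check_local(user, password):
        return "local"
    for scheme in scheme_order(cfg):
        if not scheme_applies(cfg, scheme, user):
            continue
        if scheme == "local":
            ok = check_local(user, password)
        elif scheme == "ldap":
            ok = check_ldap(DEFAULT_AD_SERVER, "%USER@%DOMAIN", user, password)
        else:
            ok = check_ldap(cfg["authentication_servers_" + scheme],
                            cfg.get("authentication_dn_" + scheme, "%USER@%DOMAIN"),
                            user, password)
        if ok:
            return scheme              # first accepting scheme wins
    return None


MULTI_CONFIG = '''
authentication_type="multi"
authentication_schemes="activedirectory opendirectory"
authentication_servers_opendirectory="ldap://10.0.0.2"
authentication_dn_opendirectory="uid=%USER,cn=Users,dc=open,dc=domain,dc=local"
authentication_servers_activedirectory="ldap://10.0.0.3"
authentication_dn_activedirectory="%USER@%DOMAIN"
authentication_users_activedirectory="@admin"
'''

if __name__ == "__main__":
    cfg = parse_config(MULTI_CONFIG)
    for u, p in [("root", "r00tpass"), ("alice", "od-pass"), ("bob", "bob-ad-pass")]:
        print(u, p, "->", authenticate(cfg, u, p))
```

Two things the model makes visible that the prose leaves implicit: with the multi configuration above, alice's stale local password is never consulted because local is not listed in authentication_schemes, whereas with authentication_type set to ldap the same stale password still logs her in through the local fallback; and bob's valid Active Directory password is never tried because he is not in the admin group, so only Open Directory can accept him.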