NINO Security



Since NINO version 4, Apache authentication is integrated with NINO. NINO can manage Apache users and groups. Inside NINO, groups can be assigned to a cluster of functions. This enables NINO to use different roles for administering the NINO configuration, monitoring, SNMP and security.

Apache needs to be configured to use authentication, and NINO needs to be configured to restrict access to functions. Each HTTP request is then checked as shown in the diagram below. Apache takes care of authentication. NINO takes care of authorization: it checks whether the user, or a group the user belongs to, has permission to execute a NINO function.

NINO can administer Apache users, groups and passwords. Authorization is managed within NINO, so for each function (cluster of NINO functions) one or more groups can be authorized. There are several clusters of functions:

The security model is shown in the diagram below. Using the NINO Admin tools, the following steps need to be executed. The first step is to create all users that authenticate in Apache. The second step is to define groups and add users to those groups. The third step is to assign those groups to the NINO functions.

The easiest way to set up NINO security is to import a security template. Go to menu ADMIN, IMPORT and click on security.ini. This will assign groups to NINO functions. However, Apache still needs to be configured. For manual setup, see the steps below.


NINO Security Admin

How do I create users?

Go to the ADMIN menu and select SECURITY. The User & Group management screen will appear and there is a choice to manage users, groups, functions and config.

User & Group management
Users
Groups
Functions
Config

Select users to manage the Apache user administration.


User management
Username:
Do not change password:
New password:
Re-type password:
Groups:
helpdesk
networkadmin
systemadmin
Apply:

How do I create groups?

Go to the ADMIN menu and select SECURITY. The User & Group management screen will appear and there is a choice to manage users, groups, functions and config. Select groups to manage the group administration.

Groups select group
Group:
Apply:

Select the group to manage the users in that group. To create a new group, just type a new group name in the Group text field.

Groups Add users
Group:
systemadmin
helpdesk
jdoe
gbush
aschwarz
jroberts
Apply:

How do I manage the NINO functions and groups?

Go to the ADMIN menu and select SECURITY. The User & Group management screen will appear and there is a choice to manage users, groups, functions and config. Select functions to manage the function administration.

Security Select
NINO Functions:
Apply:

Select the (cluster of) functions to manage. By default no groups are selected, so all NINO functions are available. Enable the group checkboxes to restrict access to the cluster of functions to the selected groups only. In the example below only the systemadmin group has permission to execute the NINO configuration functions. This means that only the users admin and aschwarz are able to configure NINO.

Security Select
NINO Function:
helpdesk
networkadmin
systemadmin
Apply:



How does NINO administrate Apache users?

NINO uses the standard Apache htpasswd utility to create users and set passwords. More information is available at www.apache.org. The GUI described above takes care of the user input. If Apache is configured to use LDAP or another authentication method, the users need to be created on the LDAP server. The HTTP requests will be handled the same way.

Apache needs to be configured to authenticate users. The most secure setup is to use only the Apache SSL (encrypted) server and connect with https. This prevents network sniffers from capturing your MD5 or base64-encoded password. The authentication configuration needs to be added to httpd.conf, see the example below:

# Users & group authentication in Apache:

<LocationMatch "mod_perl">
  AuthName "NINO authentication"
  AuthType Basic
  AuthUserFile  /etc/httpd/conf/passwd
  AuthGroupFile  /etc/httpd/conf/groups
  Require group networkadmin
  Require group systemadmin
  Require group helpdesk
</LocationMatch>

# or let all valid users authenticate and let NINO do the authorization.  

<LocationMatch "mod_perl">
  AuthName "NINO authentication"
  AuthType Basic
  AuthUserFile  /etc/httpd/conf/passwd
  AuthGroupFile  /etc/httpd/conf/groups
  Require valid-user
</LocationMatch>
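
With "Require valid-user", the function-to-group assignment inside NINO is the only access gate, so it is worth auditing. The following Python example is added here and is not NINO's own code: it parses a group file in Apache's AuthGroupFile format and models the rule described above that a cluster with no groups selected is open to every authenticated user. The group memberships and cluster names are constructed sample data.

```python
# Constructed sample in Apache AuthGroupFile format: "group: user user ..."
GROUP_FILE = """\
systemadmin: admin aschwarz
helpdesk: jdoe gbush
networkadmin: jroberts
"""

# Constructed mapping: function cluster -> groups ticked for it.
# Cluster names are assumptions; an empty list is the default (nothing ticked).
FUNCTION_GROUPS = {
    "configuration": ["systemadmin"],
    "security": ["systemadmin"],
    "snmp": ["networkadmin", "systemadmin"],
    "monitoring": [],
}


def parse_group_file(text):
    """Return {group: set(users)} from AuthGroupFile text."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, members = line.split(":", 1)
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def is_authorized(user, cluster, groups, function_groups):
    """Model of the rule on this page: a cluster with no groups assigned is
    open to any authenticated user; otherwise group membership is required."""
    allowed = function_groups.get(cluster, [])
    if not allowed:
        return True
    return any(user in groups.get(g, set()) for g in allowed)


def audit(groups, function_groups):
    """List clusters left open and assigned groups missing from the file."""
    assigned = {g for gs in function_groups.values() for g in gs}
    return {
        "unrestricted": sorted(c for c, gs in function_groups.items() if not gs),
        "undefined_groups": sorted(assigned - set(groups)),
    }


if __name__ == "__main__":
    print(audit(parse_group_file(GROUP_FILE), FUNCTION_GROUPS))
```

A cluster listed under "unrestricted" is reachable by every account in the password file; a group listed under "undefined_groups" has been assigned to a function but has no members in the group file.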


