As a user of an external authentication system (e.g. LDAP, FreeIPA, AD, etc), I would still like to be able to configure various things that currently require a local user in OpenNMS, including:
On call roles
Group membership
Notification-specific attributes & settings
This should be possible without storing any password at all in OpenNMS's users.xml file. I think that would mean adjusting the users XSD, and relevant code, to make the "password" element optional.
It may also be good to be able to more explicitly "pin" one of these user entries to a specific user in the external system, using, for example, the dn attribute from LDAP, but this may need to be configurable in some way.
I'd expect that either:
1. Some periodic task synchronizes with LDAP, creating, updating & removing these "external" entries as required.
2. When a user successfully logs in the first time via LDAP or whatever, a new "external" entry is created.
A locked/disabled/deleted user in LDAP should no longer be able to authenticate to OpenNMS, or do anything. It is probably less important that the user entry be deleted from OpenNMS than that they are probably excluded from any further access.
A few mostly standardized LDAP attributes to synchronize (note, these attributes need to be configurable, because different LDAP systems use different attribute names):
OpenNMS User Attribute    LDAP Attribute
email                     mail
workPhone                 telephoneNumber
mobilePhone               mobile
Note that there may be multiple values for the same attribute (especially with mail) in LDAP, so we probably need to just pick the first one returned.
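The following is an added illustration of the reconciliation described in the request (external entries with no password, pinned to the LDAP dn, a configurable attribute map, first value of a multi-valued attribute, locked accounts excluded from access). It is not OpenNMS code and not the reporter's; it is a stand-alone Python sketch. The lock attribute name ("accountLocked"), the uid attribute, the record field names ("user-id", "external-dn", "enabled") and the sample LDAP entries are all constructed assumptions.

```python
# Added example, not OpenNMS code: reconcile "external" user entries against
# LDAP search results using a configurable attribute map.
# Assumptions (hypothetical): LDAP results are modelled as python-ldap style
# (dn, {attribute: [bytes, ...]}) tuples; the lock state is read from a
# configurable attribute, here the constructed "accountLocked".

ATTRIBUTE_MAP = {          # OpenNMS attribute -> LDAP attribute (configurable)
    "email": "mail",
    "workPhone": "telephoneNumber",
    "mobilePhone": "mobile",
}


def first_value(entry, attr):
    """LDAP attributes are multi-valued; take the first value returned, or None."""
    values = entry.get(attr) or []
    if not values:
        return None
    value = values[0]
    return value.decode("utf-8") if isinstance(value, bytes) else value


def to_external_user(dn, entry, attr_map=ATTRIBUTE_MAP,
                     uid_attr="uid", lock_attr="accountLocked"):
    """Build a user record with no password element, pinned to the LDAP dn."""
    user = {
        "user-id": first_value(entry, uid_attr),
        "external-dn": dn,  # explicit pin to the LDAP object
        # A locked account stays in the record set but may not authenticate.
        "enabled": (first_value(entry, lock_attr) or "FALSE").upper() != "TRUE",
    }
    for onms_attr, ldap_attr in attr_map.items():
        value = first_value(entry, ldap_attr)
        if value is not None:
            user[onms_attr] = value
    return user


def sync_external_users(existing, ldap_results, attr_map=ATTRIBUTE_MAP):
    """Create, update and remove external entries so they match LDAP.

    `existing` maps dn -> current external record. Local users with a
    password are not in `existing`, so the sync never touches them.
    Returns (new record set, change summary)."""
    wanted = {dn: to_external_user(dn, entry, attr_map) for dn, entry in ldap_results}
    created = [dn for dn in wanted if dn not in existing]
    removed = [dn for dn in existing if dn not in wanted]
    updated = [dn for dn in wanted if dn in existing and existing[dn] != wanted[dn]]
    return wanted, {"created": created, "updated": updated, "removed": removed}


# Constructed sample LDAP search results (not real data).
ALICE_DN = "uid=alice,ou=people,dc=example,dc=org"
BOB_DN = "uid=bob,ou=people,dc=example,dc=org"
CAROL_DN = "uid=carol,ou=people,dc=example,dc=org"

SAMPLE_RESULTS = [
    (ALICE_DN, {
        "uid": [b"alice"],
        "mail": [b"alice@example.org", b"a.smith@example.org"],  # multi-valued
        "telephoneNumber": [b"+1 555 0100"],
    }),
    (BOB_DN, {
        "uid": [b"bob"],
        "mail": [b"bob@example.org"],
        "mobile": [b"+1 555 0199"],
        "accountLocked": [b"TRUE"],  # locked in LDAP
    }),
]


def demo():
    """Run one sync: alice has a stale phone number, carol is gone from LDAP,
    bob is new but locked."""
    existing = {
        ALICE_DN: {"user-id": "alice", "external-dn": ALICE_DN, "enabled": True,
                   "email": "alice@example.org", "workPhone": "+1 555 0000"},
        CAROL_DN: {"user-id": "carol", "external-dn": CAROL_DN, "enabled": True},
    }
    return sync_external_users(existing, SAMPLE_RESULTS)


if __name__ == "__main__":
    records, changes = demo()
    print(changes)
    for dn, record in records.items():
        print(dn, record)
```

Whether a removed or locked entry is deleted or merely disabled is a policy choice; the sketch keeps locked accounts as disabled records and drops entries that vanished from LDAP, which matches the request's priority that exclusion from access matters more than deletion.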
Mike Huot June 14, 2017 at 2:08 PM
On first login, it would be nice to validate contact information such as email and others used for notifications.