Web GUI user authentication

Web GUI users need to be defined in two places: in Dashboard Application Services Hub, so that they can log in to the Web GUI, and in the ObjectServer, so that they can use tools that write to the ObjectServer, such as the event lists. Authentication for Web GUI users is provided by the Virtual Member Manager (VMM) component, which is included in the administrative console.

You can use VMM to access and maintain user data in multiple repositories, and federate that data into a single virtual repository. The federated repository consists of a single named realm, which is a set of independent user repositories. The ObjectServer can be defined as a repository, or an LDAP directory can be defined. All user names need to be unique across repositories. All repositories in the realm need to be running when the Web GUI is started.

The quickest way to configure user authentication is to use the OMNIbus Web GUI Configuration Tool after the product installation is complete. The required configuration steps differ depending on which repository you defined. The following configuration scenarios are possible; they are mutually exclusive.

Users are authenticated externally

Web GUI users are authenticated against an external source, typically an LDAP directory. The users are synchronized with the ObjectServer so that they can use functions that write to the ObjectServer. To set up external authentication:

  1. Use the OMNIbus Web GUI Configuration Tool to perform an advanced configuration and specify the file-based repository. For more information on how to launch the OMNIbus Web GUI Configuration Tool, see Start the OMNIbus Web GUI Configuration Tool.
  2. Contact your LDAP administrator and obtain information about the LDAP directory. You need this information to add the LDAP repository to the realm.
  3. Add the LDAP directory as a repository to the VMM realm and configure the repository.
  4. Assign the ncw_admin role or the ncw_user role to the users that you want to be synchronized to the ObjectServer. If you assign the roles to user groups, rather than the individual users, the roles cascade to the users in the groups.
  5. Enable the synchronization of the LDAP users with the ObjectServer.

Users with the specified roles are then synchronized with the ObjectServer so that they can use the Web GUI functions that write to the ObjectServer. The default roles are ncw_admin and ncw_user. All synchronized users are added to a user group called vmmusers. This group is defined in the Web GUI server.init file. Only users in this group are synchronized. The name of the group can be changed. If required, you can disable the synchronization function.

Important: While this synchronization is enabled, the ObjectServer cannot be defined as a repository in the VMM realm. As a result, ObjectServer users cannot log on to the Web GUI. If an ObjectServer is defined in the realm, remove the ObjectServer before you define the LDAP directory.

In a load-balanced environment, the group name vmmusers can be used on only one node in the cluster. To enable user synchronization on several nodes, the name of the group that contains the synchronized users must be unique on each node. Errors occur if you enable user synchronization on more than one node in the cluster without making the group name unique. Enabling user synchronization against multiple groups in the cluster increases the stability of the cluster.

You cannot change the synchronized users in the ObjectServer, that is, the users in the default vmmusers group; these users are disabled. As a result, if you need to access both the Web GUI and the Desktop client, you need separate user accounts.
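The two rules that decide who ends up in the ObjectServer in this scenario are the realm-wide uniqueness of user names and the cascade of the ncw_admin and ncw_user roles from groups to their members. The following script is an added example, not product code: it models those rules over constructed repository, role and group data, so that an administrator can see which accounts will be synchronized and which names would break the realm before enabling synchronization. All repository, group and user names in it are invented.

```python
"""Model of the Web GUI user-synchronization rules (added example, not IBM code).
Repository names, group names and user lists below are constructed for illustration."""
from collections import defaultdict

# Default roles whose holders are synchronized into the ObjectServer (vmmusers group).
SYNC_ROLES = {"ncw_admin", "ncw_user"}


def realm_conflicts(repositories):
    """Return {user_name: [repositories]} for names present in more than one repository.
    VMM requires every user name to be unique across all repositories in the realm,
    so any entry in the result is a configuration defect to fix before start-up."""
    seen = defaultdict(list)
    for repo, users in repositories.items():
        for user in users:
            seen[user].append(repo)
    return {user: sorted(repos) for user, repos in seen.items() if len(repos) > 1}


def synchronized_users(user_roles, group_roles, group_members, sync_roles=SYNC_ROLES):
    """Return the set of users that hold a synchronization role, either assigned
    directly or inherited from a group (roles assigned to a group cascade to its
    members). These are the accounts that will appear in the ObjectServer."""
    effective = defaultdict(set)
    for user, roles in user_roles.items():
        effective[user] |= set(roles)
    for group, roles in group_roles.items():
        for member in group_members.get(group, ()):
            effective[member] |= set(roles)
    return {user for user, roles in effective.items() if roles & sync_roles}


# Constructed sample realm: an LDAP repository plus the file-based repository.
REPOSITORIES = {
    "ldap": {"alice", "bob", "carol", "dave"},
    "file": {"smadmin", "alice"},  # "alice" is deliberately duplicated
}
# Constructed role assignments: one direct, the rest via groups.
USER_ROLES = {"alice": ["ncw_admin"], "dave": ["readonly_role"]}
GROUP_ROLES = {"netcool-operators": ["ncw_user"], "auditors": ["readonly_role"]}
GROUP_MEMBERS = {"netcool-operators": ["bob", "carol"], "auditors": ["dave"]}

if __name__ == "__main__":
    print("realm conflicts:", realm_conflicts(REPOSITORIES))
    print("synchronized users:", sorted(synchronized_users(USER_ROLES, GROUP_ROLES, GROUP_MEMBERS)))
```

With the sample data, alice is reported as a conflict between the ldap and file repositories, and only alice, bob and carol would be synchronized; dave holds no synchronization role and stays out of vmmusers.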

Users are authenticated against an ObjectServer

Web GUI users are defined in the ObjectServer. The ObjectServer itself can be configured to authenticate against an external source, such as an LDAP directory or Pluggable Authentication Modules (PAM). To set up this type of authentication:

  1. Use the OMNIbus Web GUI Configuration Tool to specify a running ObjectServer as the authentication source. The ObjectServer is added as a user repository to the realm.
  2. Configure the ObjectServer repository.
  3. Configure the ObjectServer to authenticate against the external source.
  4. Enable the users for external authentication. Users that are not configured for external authentication cannot authenticate against the external source.

Users that are created from the administrative console are written to the ObjectServer. When the ObjectServer authenticates a user account against the LDAP server, only the credentials, that is, the user name and the password, are checked. All other attributes, such as group membership, are not checked. The Web GUI cannot read these attributes.

The benefit of this type of authentication is that it is possible to change user accounts in the ObjectServer. The same user account can be used for both the Web GUI and the Desktop client.

This type of authentication involves more maintenance than external authentication. As the ObjectServer administrator, you must perform the following additional tasks to maintain this type of authentication:

  • Create user accounts in the ObjectServer.
  • Enable users for external authentication. External authentication is not a default user property and needs to be defined explicitly for each user.
  • Maintain user groups in the ObjectServer because there is no access to LDAP user groups.