Netmagis
| Netmagis configuration |
This documentation aims to help you in various day to day configuration tasks.
Users and group management
LDAP or internal authentication ?
A Netmagis user is based on two distinct concepts:
- for Netmagis, a user is just a login name with a few attributes such as the group membership. Access rights such as authorized networks, allowed IPv4 and IPv6 addresses, and so on are related to the group.
- for the authentication subsystem (LDAP directory used by LDAP or CAS authentication) or internal PostgreSQL authentication), an account is characterized by a login name, a name, a postal address, a telephone number, etc. Netmagis will fetch such informations from your authentication directory.
Consequently, a creation of a user must be handled differently depending on whether you use LDAP or internal authentication:
- If you use an LDAP directory, you must create the account through your usual LDAP tools, then you attach this login to an existing Netmagis group with the Admin / Modify users and groups menu.
- if you use the internal PostgreSQL authentication, you must first create the account with the Internal auth / Add account item. If you want to create a privileged account (i.e. which has rights to create new accounts), add the authadmin realm. Then, you can attach the created login to an existing Netmagis group with the Admin / Modify users and groups menu.
Note: with internal PostgreSQL authentication, you may use realms to delimit parts of your web server. For example, you may allow access to some documentations to some realm of users and some other documentations to another realm. Netmagis, in the default configuration, requires only a valid user (see the example auth-pgsql.conf file provided with the www package), but you may change this.
Accounts and users can be independantly added or removed. If you delete an account, the user is still present in the database, but (s)he can't log-in. If you delete a user and keep the account, (s)he can login but (s)he don't have any access.
Users and groups
You manage Netmagis users via the Admin / Modify users and groups menu.
Adding a user is as simple as adding the login to the members of the group. Removing a user is as simple as removing the login from the members of the group. However, a user is not really removed from the database if its name is attached to some hosts (each resource record in the database stores the date and author of last modification): in this case, the user is moved to a "group of orphaned users" which do not have any access rights (and no name, so you can not normally see it).
Moving a user from an old group to a new group is as simple as removing it from the old group and add it to the new group.
Hint: substitute user
This configuration guide often tells you to add an attribute to a group. Netmagis allows administrators to substitute for another user in order to see what she/he sees. In order to use this facility, append the following string to a Netmagis URL:
?uid=login or &uid=logindepending on the context. For example:
http://yourhost/netmagis/index?uid=joe
Using this facility, you may easily check exact rights that group members have.
Domain management
Domain management is done with the Admin / Modify domains: with this menu item, you can add, rename or remove domains from the reference data.
Once a domain is added, you have to add it to each group that need access to it, with a "sort order" (order in domain menus, for example in host addition), and a "mail role" right (if you use Netmagis mail routing). The "web role" right is not used at this time.
Don't forget to add a DNS zone for this domain (via the Admin / Modify zones menu), as well as the corresponding zone on your DNS servers.
View management (for releases >= 2.2)
View management is done with the Admin / Modify views: with this menu item, you can add, rename or remove views from the reference data.
Once a view is added, you have to add it to each group that need access to it, with a "sort order" (order in view menus, for example in host addition), and a "selected by default" checkbox which allows to pre-select a default view for a given group.
Each host belongs to one view. Thus, even if you don't use multiple views, you have to provide a view to each group. The default view is named "default".
Each zone (forward or reverse) is also associated with a view. If you use multiple views, you can have the same domain (criterion) in two or more different zones. Generated zone files will be named after the Name column (in zone edition). Thus, don't forget to add a DNS zone for all view (via the Admin / Modify zones menu), as well as the corresponding zone on your DNS servers.
Network management
Network management is done with the Admin / Modify networks: with this menu item, you can add, edit or remove networks from the reference data.
Create a network
Each network has the following attributes:
- Name: a short name, used for example with IP address when you select a network for viewing it
- Location: use it as a comment
- IPv4 address, IPv4 gateway, IPv6 address, IPv6 gateway: informations about the network. Please note that IPv4 gateway is only used by Netmagis to provide a default router in the DHCP configuration for this network. IPv6 gateway is not used. It may be interresting to give values to the gateway attributes (both IPv4 and IPv6) to have some reference data.
- DHCP enabled: check this box to enable DHCP configuration for this network.
- Organization, Community: these two attributes refer reference data (that you may modify via the corresponding Admin sub-menu). You may use the community as you want.
- Comment: a comment about the network
A good practice is to respect the "broadcast domain". A single network should match a single broadcast domain. If you have been allocated a /24 IPv4 network and you have choosen to split it in 4 /26 networks, declare 4 networks in the Netmagis database.
Once a network is created, you must allow access to all groups that need it.
Allow access to the network
With the Admin / Modify users and groups, you can grant access to the newly created network.
Access to a network is granted by two sections:
- The "Allowed networks" section allow network appearance in menus (such as in the Consult page). The "sort class" gives the order of network in such menus. The "DHCP management" allows this group to manage dynamic DHCP ranges, and "ACL management" is currently not used.
- The "IP access rights" section define allowed IPv4 and IPv6 addresses for this group. You can tune very precisely allowed and forbidden addresses.
Remove, merge or split networks
In order to delete a network, you must remove it from every group allowed to reference it ("Allowed networks" section). You should also remove corresponding "IP access rights", even if it is not mandatory.
Next, you can remove the network from the Admin / Modify networks menu.
If you want to merge two networks (for example assemble two /25 networks to get one /24 network), you have to delete one of them as described above, and adjust the remaining network in the Admin / Modify networks menu. Next, you have to adapt all IP access rights in groups.
If you want to split a network into two new networks, go to the Admin / Modify networks, adjust the old network to become one of the new networks, and add the other new network. Then, you have to adjust all groups using the old network, and grant access rights to all groups using the new networks.
DHCP management
Netmagis may be used to generate an ISC DHCP file for all your static or dynamic IPv4 allocations. In order to do that, you have to:
- configure a DHCP daemon on a server, and enable DHCP relay on your routers
- enable DHCP on the network in Netmagis
- allow access to DHCP management for some groups
In addition, you may create DHCP profiles, for example for network booting (X11 or RDP terminals, printers, diskless hosts, etc.).
Make your networks DHCP aware
In the Admin / Modify networks menu, check the box "DHCP enabled". This will enable ISC DHCP file generation of hosts for this network. Once you do that:
- every host with an IP address in this network and a declared MAC address will have a static IP allocation
- every DHCP range in this network will have a corresponding dynamic allocation
Allow access to DHCP management
You need to allow access to DHCP management for some groups if you want these groups to be able to manage dynamic ranges. To do that, go to the Admin / Modify users and groups, and check the box "DHCP management" in the "Allowed networks" section. Once enabled, group members will be able to use the DHCP ranges menu.
DHCP profiles management
DHCP profiles management is only allowed for the groups having the Admin privilege (usually the wheel group). The reason behind this is that an error (such as a syntax error, a forgotten semicolon or anything similar) may be fatal to the DHCP daemon. So, management of DHCP profiles is reserved to people which should be able to recover from DHCP daemon errors.
In order to create a DHCP profile, you have to go to the Admin / Modify DHCP profiles menu. Give a meaningful name for the profile (it will appear in host addition menu) and type in the corresponding configuration lines (with the ISC DHCP daemon syntax).
Next, go the Admin / Modify users and groups, and add a sort class to the newly created DHCP profile (sort class will be used to give an order to profiles in the corresponding menu).
Then, members of this group can access the newly created DHCP profile in the Add host menu.
To remove a DHCP profile, as with other Netmagis objects, you have to delete it from allowed users first.