Configuration

OMNI is configured using a text-based configuration file, typically located at /etc/omni.conf. The file is read using the wcfg module, so it uses the basic syntax that module recognizes.

Stores

Each source that can provide OMNI with a method to authenticate users and information about them is a store. Multiple stores can be defined in the configuration, and any number of stores can be grouped under a realm. Stores can be used for authentication themselves, too.

Plain Text

PAM

Authenticates users using PAM.

Uses PAM (via the simplepam module) to authenticate users using a PAM service. By default, the login service will be used, which typically authenticates user accounts for the local machine. You may want to use the service option to change this:

 stores {
     pam.omni {
         service "omni"
     }
 }

With this snippet in the configuration file, OMNI will expect the /etc/pam.d/omni service definition file to be readable.

Configuration options:

service (optional)
Name of the PAM service used to perform authentication. If not provided, the login service is used by default.
min-uid (optional)
Users with a UID smaller than this value will not be usable. This is typically used to hide special system users from user listings. The default value is 1000, which is a typical value for GNU/Linux systems and some BSD systems as well.

Trivial

Authenticates a single user with a fixed password.

A username and password pair is kept in memory to be checked against. A typical use of this store is to provide a single user that is known only to OMNI; for example, to define a user with administrative privileges that can access the OMNI web interface without restrictions:

 stores {
     trivial.omni-admin {
         username "baron"
         password "redtriplane"
     }

     # Other stores...
 }

 http {
     web {
         admin "trivial.omni-admin"
     }
 }

Configuration options:

username
Fixed user name.
password (optional)
Password for the user, in plain text.

Realms

A realm is a collection of stores. Authentication and authorization are typically performed using a realm. When checking credentials, a realm tries each of the methods in its method list, in order. It is enough for one of the methods to succeed; access is denied only if all the methods fail to grant access. Any number of realms can be defined, and an optional description can be attached to each:

stores {
	# Configure a couple of stores.
	pam.pam {
		service: "login"
	}
	trivial.simple {
		username: "alice"
		password: "s3cr3t"
	}
}

realms {
	default {
		# Methods are tried in the order defined here.
		methods: ["trivial.simple", "pam.pam"]

		# The description is optional, if missing the name of
		# the realm (in this case, "default") will be used.
		description: "Tries trivial, fall-backs to PAM"
	}
}
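
The ordered, first-success evaluation described above can be modelled as follows. This is an added example, not OMNI's own code: the class names, the in-memory AccountStore standing in for the PAM store (no PAM call is made), its sample accounts, and the assumption that min-uid also rejects authentication are all hypothetical.

```python
import hmac

class TrivialStore:
    """Models the 'trivial' store: one fixed username/password pair."""
    def __init__(self, username, password):
        self.username, self.password = username, password

    def authenticate(self, username, password):
        # Constant-time comparisons; both always run before the result is combined.
        user_ok = hmac.compare_digest(username.encode(), self.username.encode())
        pass_ok = hmac.compare_digest(password.encode(), self.password.encode())
        return user_ok and pass_ok

class AccountStore:
    """Offline stand-in for the 'pam' store, backed by a constructed account table."""
    def __init__(self, accounts, min_uid=1000):
        self.accounts, self.min_uid = accounts, min_uid  # name -> (uid, password)

    def authenticate(self, username, password):
        uid, expected = self.accounts.get(username, (None, ""))
        # Assumption: accounts below min-uid cannot authenticate at all.
        if uid is None or uid < self.min_uid:
            return False
        return hmac.compare_digest(password.encode(), expected.encode())

class Realm:
    def __init__(self, stores, methods):
        self.stores, self.methods = stores, methods

    def authenticate(self, username, password):
        """Return the name of the first method that accepts, or None if all fail."""
        for name in self.methods:
            if self.stores[name].authenticate(username, password):
                return name
        return None

# Constructed sample data mirroring the configuration above.
STORES = {
    "trivial.simple": TrivialStore("alice", "s3cr3t"),
    "pam.pam": AccountStore({"alice": (1000, "long-pam-passphrase"),
                             "daemon": (1, "x")}),
}
REALM = Realm(STORES, ["trivial.simple", "pam.pam"])

if __name__ == "__main__":
    for user, pw in [("alice", "s3cr3t"), ("alice", "long-pam-passphrase"),
                     ("alice", "wrong"), ("daemon", "x")]:
        print(user, "->", REALM.authenticate(user, pw))
```

Because one successful method is enough, a username defined in two stores is accepted with either password, so a realm is only as strong as the weakest method in its list.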