Configuration

OMNI is configured using a text-based configuration file which is typically located at /etc/omni.conf. The configuration file is read using the wcfg module, so it uses the same basic syntax as recognized by it.

Stores
Each source that can provide OMNI with a method to authenticate users and information about them is a store. Multiple stores can be defined in the configuration, and any number of stores can be grouped under a realm. Stores can be used for authentication themselves, too.
Plain Text

PAM
Authenticates users using PAM.
Uses PAM (via the simplepam module) to authenticate users using a PAM service. By default, the login service will be used, which typically authenticates user accounts for the local machine. You may want to use the service option to change this:

    stores {
        pam.omni {
            service "omni"
        }
    }

With this snippet in the configuration file, the /etc/pam.d/omni service definition file will be expected to be readable by OMNI.
Configuration options:

service (optional)
    Name of the PAM service used to perform authentication. If not provided, the login service is used by default.
min-uid (optional)
    Users with a UID smaller than this value will not be usable. This is typically used to hide special system users from user listings. The default value is 1000, which is a typical value for GNU/Linux systems and some BSD systems as well.

Trivial
Authenticates a single user with a fixed password.
A username and password pair is kept in memory to be checked against. A typical usage of this store is to provide a single user that is known only by OMNI; for example, to define a user with administrative privileges that can access the OMNI web interface without restrictions:

    stores {
        trivial.omni-admin {
            username "baron"
            password "redtriplane"
        }
        # Other stores...
    }
    http {
        web {
            admin "trivial.omni-admin"
        }
    }

Configuration options:

username
    Fixed user name.
password (optional)
    Password for the user, in plain text.

Realms
A realm is a collection of stores. Authentication and authorization are typically performed by using a realm. When checking credentials, a realm will try each one of the methods from the method list, in order. It is enough for one of the methods to succeed; access is denied only if all the methods fail. Any number of realms can be defined, and an optional description can be attached to them:

    stores {
        # Configure a couple of stores.
        pam.pam {
            service: "login"
        }
        trivial.simple {
            username: "alice"
            password: "s3cr3t"
        }
    }
    realms {
        default {
            # Methods are tried in the order defined here.
            methods: ["trivial.simple", "pam.pam"]
            # The description is optional, if missing the name of
            # the realm (in this case, "default") will be used.
            description: "Tries trivial, fall-backs to PAM"
        }
    }
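
Because a trivial store keeps its password in plain text and a realm grants access as soon as one method succeeds, it is worth checking who can read the configuration file and which realms include such a store. The script below is an added example, not part of OMNI: the `audit` helper and its regular expressions are hypothetical and cover only the syntax shown on this page, and the sample configuration is constructed.

```python
import re

# Constructed sample, modelled on the realm snippet above.
SAMPLE_CONF = '''
stores {
    pam.pam {
        service: "login"
    }
    trivial.simple {
        username: "alice"
        password: "s3cr3t"
    }
}
realms {
    default {
        # Methods are tried in the order defined here.
        methods: ["trivial.simple", "pam.pam"]
    }
}
'''

# These patterns only cover the syntax shown on this page (assumption),
# not the full grammar accepted by the wcfg module.
TRIVIAL_RE = re.compile(r'(trivial\.[\w-]+)\s*\{([^{}]*)\}')
REALM_RE = re.compile(r'([\w-]+)\s*\{[^{}]*?\bmethods\s*:?\s*\[([^\]]*)\]')
PASSWORD_RE = re.compile(r'(?m)^\s*password\s*:?\s*"')


def audit(conf_text, file_mode):
    """Flag plain-text trivial-store passwords; file_mode is the st_mode."""
    text = re.sub(r'(?m)^\s*#.*$', '', conf_text)  # drop full-line comments
    exposed = [name for name, body in TRIVIAL_RE.findall(text)
               if PASSWORD_RE.search(body)]
    findings = []
    # Group-writable, or any access for "other", exposes the password.
    if exposed and file_mode & 0o027:
        findings.append(f"mode {file_mode & 0o777:o} too permissive for: "
                        + ", ".join(exposed))
    for realm, methods in REALM_RE.findall(text):
        order = re.findall(r'"([^"]+)"', methods)
        for store in (s for s in exposed if s in order):
            findings.append(f"realm {realm}: {store} (fixed password) is "
                            f"method {order.index(store) + 1} of {len(order)}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF, 0o644)))
```

On a real system, pass the file contents and `os.stat("/etc/omni.conf").st_mode`; a mode such as 0640 with a dedicated group for the OMNI process clears the first finding.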