6 Replies Latest reply on Jun 26, 2009 3:28 PM by chris.lapoint

    My Top 10 for the next release

    chris.lapoint

      Transferred on behalf of pserwe from NPM feature request forum:

Unfortunately, NCM has some critical auth issues that kill its functionality for more than feeding some relatively trivial information into Orion's interface.

I need the ability to provision users just as I do in Orion or just preferably USE Orion users I already have and assign them all the necessary rights, including the ability (if I so choose) to allow them to log directly into a device via SSH or telnet proxied by the NPM or NCM server.  As it is, NCM is considerably less than useful, because it doesn't support AD auth, admin-defined user auth, or Orion auth.  Tech support has been far less than useful in proxy for dev, and the whole thing has me considerably upset that I'm paying good money for software that, for most everything that I actually want to use it for, is broken.  I was grateful to find that NCM does actually respect the view limitations of NPM, which was a big plus.

NCM also has a critical lack of functionality in the security arena.  It *must* parse out the snmp strings, servers, and local users from the router configurations.  I understand, post-parsing the output of show run requires some regex skills and some really complicated programming language like perl, but it's still critical.  Sorry to thread-hijack, but I've spent 6 months getting nowhere with support on the auth issues, and while I love every new release of NCM as it integrates even tighter into NPM, there are several *crucial* things that seem to be getting ignored, or not moving fast enough for our investment to be more than paying for software we can't use effectively for what we need.

      Peter

        • Re: My Top 10 for the next release
          chris.lapoint

          I need the ability to provision users just as I do in Orion or just preferably USE Orion users I already have and assign them all the necessary rights, including the ability (if I so choose) to allow them to log directly into a device via SSH or telnet proxied by the NPM or NCM server. 

          Just to make sure I understand this request (which btw I think is a good one), you want the ability to launch an SSH or Telnet client from the web interface and have the authentication process handled based on the credentials stored in the NCM database.

          As it is, NCM is considerably less than useful, because it doesn't support AD auth, admin-defined user auth, or Orion auth.

I'm not sure I understand what you mean by this.  NCM does support storing of device credentials per user.  NCM also supports AD authentication.  Can you elaborate?

          Tech support has been far less than useful in proxy for dev, and the whole thing has me considerably upset that I'm paying good money for software that for most everything that I actually want to use it for, is broken. 

          Can you please outline in detail the use-cases you'd like to use it for?   I want to make sure we capture the underlying scenarios appropriately in the feature request.

NCM also has a critical lack of functionality in the security arena.  It *must* parse out the snmp strings, servers, and local users from the router configurations.  I understand, post-parsing the output of show run requires some regex skills and some really complicated programming language like perl, but it's still critical.

          We can definitely look at doing this, but as you noted, it's not going to be a cheap feature so we'll need to prioritize this against other requests.

          Are there others out there that require this feature?

            • Re: My Top 10 for the next release
              pserwe

              Number one is a feature request, ssh or telnet from the web interface of Orion.  User credentials need to be shared from NPM to NCM.  I want a central auth for SolarWinds products.  Since NPM was the first product I had, I created tons of users.  I want NCM to use NPM users.  NCM offers NO method to create users internally, only offering recently 3 'web' accounts for tying into NPM.  I need it to use the users from NPM.

              So, to re-phrase your statement in a way that means what I mean:

              I want the ability to launch an ssh or telnet client from the NPM website provided the user has authorization to do so.  I want it to use the stored credentials (an NCM-specific feature at the moment, but as an integrated tie-on for NPM, it should be configurable from the admin portion of the NPM web ui).

              AD authentication is completely broken in my installation.  In 6 months, I have not gotten tech support or development to take charge of figuring out why.  I don't have hours upon hours to spend on this, I've provided detailed information.  If they need more, they need to schedule a time, come in remotely, get the information they need, and go look at it on the backend.  I've sent responses to tickets and not gotten a response back for weeks.  As far as I'm concerned, the product is broken.  I pay for support, and I pay for the software, because I want it to work.  It doesn't work.  I have my own job to do keeping the various systems I did build/write/configure running, and taking proactive steps to ensure they are working whenever there's trouble.

              The use cases I'd like to be using NCM for are as follows:

As an addon to NPM, I want to be able to look at stored configs, with access to NCM controlled by the NPM user accounts.  I don't really care about AD, AD is unnecessary in my environment.  I'd also like high-auth users (Tier 3 engineers) to be able to have selective and configurable login privileges to those devices.  If I could really have my cake and eat it as well, I'd like NPM users to filter into a TACACS and/or RADIUS server, with a built-in facility to support the granular centralized device authentication for all devices managed by NCM, along with AAA implementation commands documented in the manual so that we could get rid of all but 1 emergency backup local user on all devices (routers, switches) and have a secure, central auth.  Having to change/add/remove users on 1000s of routers gets tedious even with automation.  One wants to do it in one place, and forget the rest.

              The security feature of parsing the sensitive data out of the configs is not an expensive feature.  You can find all the code to do it (that works quite admirably) in the open source.  Take a look at www.shrubbery.net/rancid/.

              Open source means you merely have to re-write it in a framework that fits your software.  I'd be willing to bet a junior developer on your staff could do it in 3 days with debugging, and the rest is all about your QA and release process.  The prioritization from a security standpoint is ludicrously easy.  I can't offer people full view of configs without that stuff removed, so I'm forced to give them merely changes.  That means the configuration view capability is broken, since the risk outweighs the benefit.

              • Re: My Top 10 for the next release
                pserwe
                I need the ability to provision users just as I do in Orion or just preferably USE Orion users I already have and assign them all the necessary rights, including the ability (if I so choose) to allow them to log directly into a device via SSH or telnet proxied by the NPM or NCM server. 

                Just to make sure I understand this request (which btw I think is a good one), you want the ability to launch an SSH or Telnet client from the web interface and have the authentication process handled based on the credentials stored in the NCM database.

I realized this thread got confusing, and I'm not sure my previous reply accurately covered it.  I want NCM to use NPM users.  I'd like to be able to telnet or ssh into a router based on the credentials the user logged in with, not per-device stored credentials.  This would mean one of two things, but I really hit the nail on the head in a different feature request thread that's very similar.  Have NCM support LDAP auth, which would allow me to tie my NCM installation into an LDAP server, which I can already tie into a TACACS server on the backside.  Whether you guys integrate TACACS or I integrate TACACS, managing users in NCM is still horribly broken, even with the 5.5 integration module, where you've essentially given 9.5 NPM users more privileges to do NCM tasks, if I understand it correctly.


                As it is, NCM is considerably less than useful, because it doesn't support AD auth, admin-defined user auth, or Orion auth.

I'm not sure I understand what you mean by this.  NCM does support storing of device credentials per user.  NCM also supports AD authentication.  Can you elaborate?

Sure, NCM doesn't support, for me anyway, anything other than built-in users.  I can't create users, therefore I'm stuck with the 3-5 built-in ones.  It's fine if I'm an admin of a small network; it doesn't work if I'm trying to keep very separate something like, say, 100 users.  Again, rather than deal with this whole ball of wax, integrate with LDAP, I'm done.  But then I need NPM to integrate with LDAP as well, so I have a centralized place to manage all of my user credentials and access authorization.


                Tech support has been far less than useful in proxy for dev, and the whole thing has me considerably upset that I'm paying good money for software that for most everything that I actually want to use it for, is broken.

                Can you please outline in detail the use-cases you'd like to use it for?   I want to make sure we capture the underlying scenarios appropriately in the feature request.

                Yeah.  I want to use a centralized authentication framework for access to NPM/APM/Netflow, NCM, and router CLI access.  I still like LDAP support for both of those products (I only know APM and Netflow as addons to NPM) because I can tie in other devices, operating systems, and access mechanisms into LDAP.  Support LDAP, the whole feature request goes away.  Additionally, supporting LDAP gives us an easy tie in to AD, if for some crazy reason, I decided to use windows in such a critical role ;)  (Imagine that..)


NCM also has a critical lack of functionality in the security arena.  It *must* parse out the snmp strings, servers, and local users from the router configurations.  I understand, post-parsing the output of show run requires some regex skills and some really complicated programming language like perl, but it's still critical.

                We can definitely look at doing this, but as you noted, it's not going to be a cheap feature so we'll need to prioritize this against other requests.

                Are there others out there that require this feature?


                I don't know.  I'm looking at that one from the standpoint of a service provider.  Tier X and customers don't need to know intimate details of our management framework.  At least, not accessible from a publicly accessible web site.  That's kind of a problem for me, in a big way.

                Peter
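The config-sanitising feature Peter asks for above (strip SNMP community strings, local user secrets, AAA keys and management-server addresses out of a stored config before it is shown to Tier X or customer viewers), as an added example that is not part of the original thread and is not code from SolarWinds NCM or from RANCID. It assumes classic Cisco IOS `show run` syntax; the rule table, the `<redacted>` placeholder, the `sanitize_config` function and the sample config (RFC 5737 addresses, made-up hashes) are all constructed for this example. The findings list it returns is the inventory an administrator would want (which communities, users and keys are on the box) and carries the original values, so it must only be shown to people cleared to see the secrets.

```python
"""Redact secrets and management-server details from an IOS-style running
configuration before it is shown to lower-privileged viewers.

Added example for this thread; not code from SolarWinds NCM or RANCID.
The sample config at the bottom is constructed (RFC 5737 addresses,
made-up hashes).
"""
import re
from typing import List, Tuple

REDACTED = "<redacted>"

# Ordered (category, pattern) rules. Every capturing group in a pattern is a
# span to redact; everything else is non-capturing so the rest of the line
# survives intact. The first matching rule wins, so the rules that catch a
# key on a server line sit before the generic management-server rule.
RULES = [
    # enable secret 5 $1$...  |  enable password 7 ...
    ("enable-secret",
     re.compile(r"^enable (?:secret|password)\s+(?:\d+\s+)?(\S+)")),
    # username admin privilege 15 secret 5 $1$...  |  username x password 7 ...
    ("local-user",
     re.compile(r"^username \S+.*?\b(?:secret|password)\s+(?:\d+\s+)?(\S+)")),
    # snmp-server community <string> RO 10
    ("snmp-community",
     re.compile(r"^snmp-server community (\S+)")),
    # snmp-server host <addr> [traps|informs] [vrf X] [version 1|2c] <string>
    # (v1/v2c only; a v3 host line carries a security level and user instead)
    ("snmp-host",
     re.compile(r"^snmp-server host (\S+)(?: (?:traps|informs|vrf \S+|version \S+))* (\S+)")),
    # tacacs-server host <addr> ... key 7 <hex>  |  radius-server ... key <str>
    ("aaa-key",
     re.compile(r"^(?:tacacs|radius)-server (?:host (\S+) )?.*?\bkey\s+(?:\d+\s+)?(\S+)")),
    # "tacacs server NAME" / "radius server NAME" sub-mode:  key 7 <hex>
    ("aaa-key",
     re.compile(r"^\s+key\s+(?:\d+\s+)?(\S+)")),
    # management servers whose addresses are kept out of the view as well
    ("mgmt-server",
     re.compile(r"^(?:logging host|logging(?=\s+\d)|ntp server|(?:tacacs|radius)-server host)\s+(\S+)")),
]


def _redact(line: str, m: "re.Match") -> Tuple[str, List[str]]:
    """Replace every participating capturing group of `m` in `line`."""
    out, values, pos = [], [], 0
    for i in range(1, m.re.groups + 1):
        start, end = m.span(i)
        if start < 0:          # optional group that did not participate
            continue
        out.append(line[pos:start])
        out.append(REDACTED)
        values.append(line[start:end])
        pos = end
    out.append(line[pos:])
    return "".join(out), values


def sanitize_config(text: str) -> Tuple[str, List[Tuple[int, str, str]]]:
    """Return (sanitized config, findings).

    findings is a list of (line_number, category, original_value); it holds
    the secrets themselves and is for administrators only.
    """
    clean_lines: List[str] = []
    findings: List[Tuple[int, str, str]] = []
    for num, line in enumerate(text.splitlines(), start=1):
        for category, pattern in RULES:
            m = pattern.match(line)
            if m:
                line, values = _redact(line, m)
                findings.extend((num, category, v) for v in values)
                break      # first matching rule wins
        clean_lines.append(line)
    return "\n".join(clean_lines) + "\n", findings


# Constructed sample, not a real device config.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
enable secret 5 $1$abcd$Z7Xk3lwq0m7NNhIq1hH9e.
username admin privilege 15 secret 5 $1$efgh$9xkJh5TdFtvBVkcp0X2xG0
username backup password 7 094F471A1A0A
!
snmp-server community s3cr3tRO RO 10
snmp-server community s3cr3tRW RW 11
snmp-server host 192.0.2.10 version 2c s3cr3tRO
!
tacacs-server host 192.0.2.20 key 7 0822455D0A16
radius-server host 192.0.2.30 auth-port 1812 acct-port 1813 key MyRadiusKey
logging host 192.0.2.40
logging buffered 64000
ntp server 192.0.2.50
!
interface GigabitEthernet0/0
 description Uplink to ISP
 ip address 203.0.113.1 255.255.255.0
"""

if __name__ == "__main__":
    clean, found = sanitize_config(SAMPLE_CONFIG)
    print(clean)
    for num, category, value in found:
        print(f"line {num}: {category} -> {value}")
```

The rules are deliberately anchored to the start of the line and leave everything but the secret token in place, so a viewer still sees that a community is read-only for access-list 10, or that a user has privilege 15, without seeing the value; a different vendor's config syntax needs its own rule table, and a `show run` that hides a secret behind a type you did not list (for example a `key-string` under a key chain) will pass through unchanged, which is why the findings should be reviewed against the full config before the sanitised view is exposed.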

                  • Re: My Top 10 for the next release
                    chris.lapoint

I realized this thread got confusing, and I'm not sure my previous reply accurately covered it.  I want NCM to use NPM users.  I'd like to be able to telnet or ssh into a router based on the credentials the user logged in with, not per-device stored credentials.

                    Ok, that makes more sense.

                    This would mean one of two things, but I really hit the nail on the head in a different feature request thread that's very similar.  Have NCM support LDAP auth, which would allow me to tie my NCM installation into an LDAP server, which I can already tie into a TACACS server on the backside.  Whether you guys integrate TACACS or I integrate TACACS, managing users in NCM is still horribly broken, even with the 5.5 integration module, where you've essentially given 9.5 NPM users more privileges to do NCM tasks, if I understand it correctly.

                    Yes, I've got this one.   We're looking at tying NPM/NCM authentication to membership in AD/LDAP groups.  We can probably tease this apart though from request to have the ability to pass-through the user's LDAP/AD userid/password for authentication to the device.

                    Sure, NCM doesn't support for me anyway, anything other than built-in users.  I can't create users, therefore I'm stuck with the 3-5 built-in ones.  It's fine if I'm an admin of a small network, it doesn't work if I'm trying to keep very separate something like say, 100 users.  Again, rather than deal with this whole ball of wax, integrate with LDAP, I'm done.  But then I need NPM to integrate with LDAP as well, so I have a centralized place to manage all of my user credentials and access authorization.

You may not know this, but you can use local Windows accounts on the NCM server (no need to be part of a domain).  I hear you on the desire to rely on one centralized location for credentials and auth.