Configuration
To install the Asset Management module, install the neteye-asset additional component by following the steps in the additional modules guide; the Asset menu item will then appear in the left side navigation menu. The module can be configured for:
Permissions
Access to GLPI from the NetEye GUI is granted by the permissions of a particular user role. To create a role with these permissions, go to the Assetmanagement module in Configuration > Authentication > Roles, where you can set suitable permissions and restrictions.
It is recommended to inherit role properties from the default role neteye_tenant_master.
This existing role should never be modified, since it has all the GLPI Entity configurations.
The GLPI profile and entities of each user must be mapped correctly in NetEye (Configuration > Authentication > Roles) to persist across login/logout; otherwise the GLPI profile and entity will be lost as soon as the user logs out of NetEye.
Each NetEye role corresponds to a unique combination of GLPI recursive profile/entity. For example, a user who belongs to more than one entity, or has different profiles inside GLPI, should belong to multiple NetEye roles.
Note that if the GLPI user role inherits the neteye_tenant_master role properties, the already configured GLPI Entity Root entity > master will be used without additional configuration steps.
All entities and profiles must be created before users log in for the permission synchronization to succeed. The only exceptions are the Root entity and the default GLPI profiles. If a user's profile or entities do not exist in GLPI, the mapping between NetEye and GLPI will not be successful.
To investigate what happens during the permissions synchronization (e.g. for debugging purposes), look at the following log file, which records all the actions performed during the synchronization:
/neteye/shared/glpi/data/_log/php-error.log
All the log messages printed during the SSO will be prefixed with GLPI-Plugin-Icingaweb2SSO.
Special Cases
There are two special cases, with a pre-defined recursive-profile-entity triple:
NetEye users with Administrative Access
NetEye users with Full Module Access for the Assetmanagement
Both cases correspond to users with the Super-Admin recursive profile in the Root entity.
Note that you must never, for any reason, rename the GLPI Super-Admin profile or the Root entity.
Single Tenancy
As described in the concept section, to perform an inventory correctly the system should have the following configuration:
the Master Entity configured in the GLPI server
a NetEye user and role for the GLPI Agent that ensure that the inventory is sent to the correct Entity
GLPI Agents installed on the desired device and configured as described in Asset collection methods
NetEye is preconfigured with a default user and role named neteye_glpi_agent_master for the Agent related to the Master Entity. By default the Agent can act on the Root entity > Master entity, which is automatically created during Assetmanagement Module configuration.
To send assets directly to the GLPI Root entity, you can modify the GLPI entity of the parent role neteye_tenant_master with the following command:
neteye tenant config modify master \
--custom-override-glpi-entity "Root entity"
It is also possible to specify other GLPI Entities as the main entity for the tenant master role.
If you are planning to use multiple tenants in the future, overriding the default GLPI Entity is not recommended. In any case the role neteye_tenant_master should never be modified by hand. More information can be found in neteye tenant config create.
Note
The Root entity > Master entity can be deleted if you want to use the Root entity or another custom entity directly for inventory.
To start collecting assets, you can choose to run in agent-based or agentless configuration. All the configuration details can be found in the Asset collection methods section.
Multi Tenancy
Asset Management features in a Multi-tenancy environment can only be used if enabled for a specific Tenant. Execute the following command to enable it:
neteye tenant config modify <tenant_name> \
--enable-module "neteye-asset"
If the Tenant does not exist yet, follow neteye tenant to configure it properly.
If Multitenancy is used in GLPI, creating a new NetEye Tenant as described in Configuration of Tenants also creates a dedicated GLPI Entity Root entity > 'New Tenant'. All the users belonging to that Tenant should then be associated with the automatically created role neteye_tenant_<tenant_name> in order to have access to the Tenant's entity in GLPI.
For every new tenant created, there will be a connected user named neteye_glpi_agent_<tenant_name> that can be used for asset collection.
Warning
NetEye Roles, Users and GLPI Entities automatically created with neteye tenant config create should never be modified, to avoid permission issues or profile/entity mismatches between NetEye and GLPI.
Once the Tenant is configured to receive assets, agent-based or agentless mode can be selected as the asset collection method. All the configuration details can be found in the Asset collection methods section.
Asset collection methods
Asset collection is performed with the GLPI Agent software, which can be used in two different ways: agentless or agent-based. To correctly install and configure the GLPI Agent software, execute the following steps:
Install GLPI Agent on the desired device following the official GLPI documentation. GLPI Agent can be installed on both Linux and Windows nodes that are external to the NetEye environment. For Windows installation we recommend using the .msi package.
Hint
To execute glpi-agent and glpi-remote commands on Windows machines, be sure to operate as administrator from the GLPI-Agent folder.
Find credentials for the agent: GLPI Agent has a dedicated NetEye user called neteye_glpi_agent_<tenant_name>, authorized to send assets to the Master. The user's password can be found in /root/.pwd_neteye_glpi_agent_<tenant_name> and should be used for authentication when sending inventories.
For installations with a Single Tenant the default credentials are:
user: neteye_glpi_agent_master
password: can be found in /root/.pwd_neteye_glpi_agent_master
Configure the user and password credentials for the agent in the config file on the system.
Choose the node where to send assets:
Master: GLPI Agent can send inventories directly to the Master. In that case, the Master hostname should be used as <neteye_addr>.
Satellite: To use a Satellite as a proxy to forward assets to the Master, the Satellite hostname should be selected as <neteye_addr>.
After these first configuration steps have been executed, agent-based or agentless mode should be selected to start collecting assets.
Agent-based
The inventory can be performed on the node where the GLPI Agent software is installed with the following command:
Linux:
glpi-agent -f --logger=stderr \
-s https://<neteye_addr>/glpi/front/inventory.php \
--tasks inventory
Windows:
glpi-agent -f --logger=stderr ^
-s https://<neteye_addr>/glpi/front/inventory.php ^
--tasks inventory
Where <neteye_addr> is the address of the endpoint, as previously described. Once the inventory has been performed, the GLPI Agent will send it to the specified target hostname.
More information about the glpi-agent command can be found in glpi-agent.
Agentless
If no software can be installed on the devices from which assets are collected, agentless mode can be selected. A GLPI Agent server will perform the inventory on remote devices and subsequently send assets to the Master. Note that the GLPI Agent software should not be installed on the remotes, but only on a separate node that acts as a server performing the remote inventory.
Hint
We recommend using the agent-based asset collection method over agentless when applicable, since involving agents in the asset collection process proves to be a more secure solution.
Windows remote configuration
To establish a secure connection with a Windows remote, WinRM with HTTPS transport should be correctly configured for an SSL connection. Detailed information can be found in the official Microsoft guide.
GLPI Agent, used as a server between remotes and NetEye, should be configured as follows:
Linux server configuration
Specify the target server: In agentless mode, the target server should be declared before inserting the remotes. Specify the previously defined parameters with the command:
glpi-agent \
--server=https://<neteye_addr>/glpi/front/inventory.php
Extract the ID of the specified target server with the command:
glpi-remote list targets
Add remote devices with the following command:
For a Linux remote machine:
glpi-remote \
add ssh://<remote_user>:<remote_pass>@<addr>/?mode=libssh2 \
--target <server_id>
Hint
Make sure the Perl library Net::SSH2 is installed by executing the command perl -e "use Net::SSH2". libssh2 should also be installed on the server machine.
For Windows remotes:
glpi-remote \
add winrm://<remote_user>:<remote_pass>@<addr>/?mode=ssl \
--target <server_id>
<remote_user> and <remote_pass> are the credentials that GLPI Agent should use on remotes to perform the inventory
<addr> is the IP address or hostname of the remote device
<server_id> is the ID of the previously inserted target server, which can be shown with the glpi-remote list targets command.
Warning
NetEye security is guaranteed only if mode=libssh2 and mode=ssl are used for Linux and Windows remotes respectively.
Hint
By exchanging ssh keys, <remote_pass> is not needed when adding the remote device.
Execute the remote inventory task of the GLPI Agent to collect assets and send them to the Master:
glpi-agent -f --logger=stderr --tasks remoteinventory \
-s https://<neteye_addr>/glpi/front/inventory.php
Where <neteye_addr> is the address of the endpoint, as previously described in Asset collection methods. Once the inventory has been performed, the GLPI Agent will send it to the specified target hostname.
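An added example, not part of the NetEye documentation: a POSIX shell check that a list of remote URLs uses the modes the warning above requires (mode=libssh2 for ssh://, mode=ssl for winrm://) before they are passed to glpi-remote add, masking passwords in its output. The function names and the sample hosts, users and passwords are constructed for illustration.

```shell
#!/bin/sh
# Added example (not NetEye or GLPI code): vet remote URLs before "glpi-remote add".

# Print the value of the mode= query parameter, or nothing if it is absent.
remote_mode() {
    case $1 in
        *\?*) printf '%s\n' "${1#*\?}" | tr '&' '\n' | sed -n 's/^mode=//p' | head -n 1 ;;
    esac
}

# Classify one URL: ok | ok-inline-password | insecure-mode | unsupported-scheme.
check_remote() {
    case $1 in
        ssh://*)   want=libssh2 ;;   # required for Linux remotes
        winrm://*) want=ssl ;;       # required for Windows remotes
        *) echo unsupported-scheme; return 2 ;;
    esac
    if [ "$(remote_mode "$1")" != "$want" ]; then
        echo insecure-mode; return 1
    fi
    rest=${1#*://}
    case ${rest%%/*} in
        *:*@*) echo ok-inline-password ;;  # user:pass@host in the authority part
        *)     echo ok ;;
    esac
}

# Mask the password so that findings can be logged safely.
redact() {
    printf '%s\n' "$1" | sed 's#^\([a-z]*://[^:/@]*\):[^@]*@#\1:***@#'
}

# Read URLs (one per line) on stdin and print "<status> <redacted url>".
# Returns non-zero if any URL fails the scheme or mode check.
audit_remotes() {
    bad=0
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        status=$(check_remote "$url") || bad=$((bad + 1))
        printf '%s %s\n' "$status" "$(redact "$url")"
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample list (hosts, users and passwords are made up).
audit_remotes <<'EOF' || echo "fix the entries marked insecure-mode before adding them"
ssh://inventory:S3cret@srv-linux01/?mode=libssh2
ssh://inventory@srv-linux02/?mode=libssh2
winrm://svc_inv:S3cret@srv-win01/?mode=ssl
winrm://svc_inv:S3cret@srv-win02/
EOF
```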
Windows server configuration
Specify the target server: In agentless mode, the target server should be declared before inserting the remotes. Specify the previously defined parameters with the command:
glpi-agent ^
--server=https://<neteye_addr>/glpi/front/inventory.php
Extract the ID of the specified target server with the command:
glpi-remote list targets
Add remote devices with the following command:
For a Linux remote machine:
glpi-remote ^
add ssh://<remote_user>:<remote_pass>@<addr>/?mode=libssh2 ^
--target <server_id>
Hint
Make sure the Perl library Net::SSH2 is installed by executing the command perl -e "use Net::SSH2". libssh2 should also be installed on the server machine.
For Windows remotes:
glpi-remote ^
add winrm://<remote_user>:<remote_pass>@<addr>/?mode=ssl ^
--target <server_id>
<remote_user> and <remote_pass> are the credentials that GLPI Agent should use on remotes to perform the inventory
<addr> is the IP address or hostname of the remote device
<server_id> is the ID of the previously inserted target server, which can be shown with the glpi-remote list targets command.
Warning
NetEye security is guaranteed only if mode=libssh2 and mode=ssl are used for Linux and Windows remotes respectively.
Hint
By exchanging ssh keys, <remote_pass> is not needed when adding the remote device.
Execute the remote inventory task of the GLPI Agent to collect assets and send them to the Master:
glpi-agent -f --logger=stderr --tasks remoteinventory ^
-s https://<neteye_addr>/glpi/front/inventory.php
Where <neteye_addr> is the address of the endpoint, as previously described in Asset collection methods. Once the inventory has been performed, the GLPI Agent will send it to the specified target hostname.
More information about the glpi-remote command can be found in glpi-agent.