User Guide

Configuration

To install the Asset Management module, install the neteye-asset additional component by following the steps in the additional modules guide; the Asset menu item will then appear in the left side navigation menu. The module can be configured for:

Permissions

Access to GLPI from the NetEye GUI is granted through the permissions of a user's role. To create a role with these permissions, go to the Assetmanagement module in Configuration > Authentication > Roles, where you can set suitable permissions and restrictions. It is recommended to inherit role properties from the default role neteye_tenant_master. This existing role should never be modified since it has all the GLPI Entity configurations.

The GLPI profile and entities of each user must be mapped correctly in NetEye (Configuration > Authentication > Roles) to persist across login/logout; otherwise the GLPI profile and entity will be lost as soon as the user logs out of NetEye.

Each NetEye role corresponds to a unique combination of GLPI recursive profile/entity. For example, if a user belongs to more than one entity, or has different profiles inside GLPI, they should belong to multiple NetEye roles.

Note that if the GLPI user role inherits the neteye_tenant_master role properties, the already configured GLPI Entity Root entity > master will be used without additional configuration steps.

All entities and profiles must be created before users log in, so that the permission synchronization can succeed. The only exceptions to this are the Root entity and the default GLPI profiles. If the profiles/entities do not exist for the users in GLPI, the mapping between NetEye and GLPI will not be successful.

Note that if you need to investigate what happens during the permissions synchronization (e.g. for debugging purposes), you can look at the following log file, which records all the actions performed during the permissions synchronization:

/neteye/shared/glpi/data/_log/php-error.log

All the log messages printed during the SSO will be prefixed with GLPI-Plugin-Icingaweb2SSO.

Special Cases

There are two special cases, each with a pre-defined recursive/profile/entity triple:

  • NetEye users with Administrative Access

  • NetEye users with Full Module Access for the Assetmanagement

Both cases correspond to users with Super-Admin recursive profile in the Root entity.

Note that you must not, for any reason, rename the GLPI Super-Admin profile or the Root entity.

Single Tenancy

As described in the concept section, to perform an inventory correctly the system should have the following configuration:

  • the Master Entity configured in the GLPI server

  • a NetEye user and role for the GLPI Agent that ensure that the inventory is sent to the correct Entity

  • GLPI Agents installed on the desired device and configured as described in Asset collection methods

NetEye is preconfigured with a default user and role named neteye_glpi_agent_master for the Agent related to the Master Entity. By default the Agent can act on the Root entity > Master entity, which is automatically created during Assetmanagement Module configuration.

In order to send assets directly to the GLPI Root entity, you can modify the GLPI entity of the parent role neteye_tenant_master with the following command:

neteye tenant config modify master \
--custom-override-glpi-entity "Root entity"

It is also possible to specify other GLPI Entities as the main entity for the tenant master role. If you are planning to use multiple tenants in the future, it is not recommended to override the default GLPI Entity. In any case, the role neteye_tenant_master should never be modified by hand. More information can be found in neteye tenant config create.

Note

The Root entity > Master entity can be deleted in case you want to directly use the Root entity or another custom entity for inventory.

To start collecting assets, you can choose to run in agent-based or agentless configuration. All the configuration details can be found in the Asset collection methods section.

Multi Tenancy

Asset Management features in a Multi-tenancy environment can only be used if enabled for a specific Tenant. Execute the following command to enable it:

neteye tenant config modify <tenant_name> \
--enable-module "neteye-asset"

If the Tenant does not exist yet, follow neteye tenant to configure it properly.

If Multitenancy is used in GLPI, when creating a new NetEye Tenant as described in Configuration of Tenants, a dedicated GLPI Entity Root entity > 'New Tenant' will be created. All the users belonging to that Tenant should then be associated to the automatically created role neteye_tenant_<tenant_name> in order to have access to the Tenant’s entity in GLPI. For every new tenant created, there will be a connected user named neteye_glpi_agent_<tenant_name> that can be used for assets collection.

Warning

NetEye Roles, Users and GLPI Entities automatically created with the neteye tenant config create command should never be modified, to avoid permission issues or profile/entity mismatch between NetEye and GLPI.

Once the Tenant is configured to receive assets, agent-based or agentless mode can be selected as asset collection methods. All the configuration details can be found in the Asset collection methods section.

Asset collection methods

Asset collection can be performed with the help of GLPI Agent software that can be used in two different ways: agentless or agent-based. To correctly install and configure the GLPI Agent software, the following steps should be executed:

  1. Install GLPI Agent on the desired device following the official GLPI documentation. GLPI Agent can be installed on both Linux and Windows nodes that are external to the NetEye environment. For Windows installation we recommend using the .msi package.

    Hint

    In order to execute glpi-agent and glpi-remote commands on Windows machines, be sure to operate as administrator from the GLPI-Agent folder.

  2. Find credentials for the agent: GLPI Agent has a dedicated NetEye user called neteye_glpi_agent_<tenant_name> authorized to send assets to the Master. The user's password can be found in /root/.pwd_neteye_glpi_agent_<tenant_name> and should be used for authentication when sending inventories.

    For installations with a Single Tenant the default credentials are:

    • user: neteye_glpi_agent_master

    • password can be found in /root/.pwd_neteye_glpi_agent_master.

  3. Choose the node where to send assets:

    • Master: GLPI Agent can send inventories directly to the Master. In that case, the Master hostname should be used as <neteye_addr>.

    • Satellite: In order to use a Satellite as a proxy to forward assets to the Master, the Satellite hostname should be selected as <neteye_addr>.

After these first configuration steps have been executed, agent-based or agentless mode should be selected to start collecting assets.

Agent-based

The inventory can be performed on the node where the GLPI Agent software is installed with the following command:

Linux:

glpi-agent -f --logger=stderr \
-s https://<user>:<pass>@<neteye_addr>/glpi/front/inventory.php

Windows:

glpi-agent -f --logger=stderr ^
-s https://<user>:<pass>@<neteye_addr>/glpi/front/inventory.php

Where <user>, <pass> and <neteye_addr> are previously defined parameters. Once the inventory has been performed, the GLPI Agent will send it to the specified target hostname.

More information about the glpi-agent command can be found in glpi-agent.
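
The <pass> value comes from the password file named in step 2, and characters such as @, / or : in it would break the userinfo part of the URL. The following is an added example, not NetEye or GLPI Agent code: it builds the -s URL from the password file with percent-encoding. The host neteye.example.com and the password are constructed placeholders, and it assumes the agent's HTTP client decodes percent-encoded userinfo as RFC 3986 specifies.

```shell
#!/bin/sh
# Added example (not NetEye or GLPI Agent code): build the -s URL from the
# password file so the secret is never typed, and percent-encode it.

# urlencode STRING: percent-encode every byte outside the RFC 3986
# unreserved set (A-Z a-z 0-9 - . _ ~), working on the raw bytes via od.
urlencode() (
    out=
    for h in $(printf '%s' "$1" | od -An -v -tx1); do
        case $h in
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
                out=$out$(printf "\\$(printf '%03o' "0x$h")") ;;  # keep as-is
            *)  out=$out%$(printf '%s' "$h" | tr a-f A-F) ;;      # %XX
        esac
    done
    printf '%s' "$out"
)

# build_server_url USER PASSWORD_FILE NETEYE_ADDR
# Prints https://<user>:<pass>@<neteye_addr>/glpi/front/inventory.php
build_server_url() (
    [ -r "$2" ] || { echo "cannot read $2" >&2; exit 1; }
    pass=$(cat "$2")            # $(...) drops the trailing newline
    [ -n "$pass" ] || { echo "empty password file $2" >&2; exit 1; }
    printf 'https://%s:%s@%s/glpi/front/inventory.php\n' \
        "$(urlencode "$1")" "$(urlencode "$pass")" "$3"
)

# Demo with a constructed password (not a real credential); on a real node:
#   url=$(build_server_url neteye_glpi_agent_master \
#         /root/.pwd_neteye_glpi_agent_master "<neteye_addr>")
#   glpi-agent -f --logger=stderr -s "$url"
demo_pw=$(mktemp)
printf '%s\n' 'p@ss/w:rd#1' > "$demo_pw"
build_server_url neteye_glpi_agent_master "$demo_pw" neteye.example.com
rm -f "$demo_pw"
```

This keeps the password out of the shell history, but the URL is still visible in the process argument list while glpi-agent runs.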

Agentless

If no software can be installed on the devices from which assets are collected, agentless mode can be selected. A GLPI Agent server will perform the inventory on remote devices and subsequently send assets to the Master. Note that the software GLPI Agent should not be installed on remotes, but only on a separate node that will act as a server that performs the remote inventory.

Hint

We recommend using the agent-based asset collection method over agentless when applicable, since involving agents in the asset collection process proves to be a more secure solution.

Fig. 253 GLPI Agent performs inventories to the remote devices.

Windows remote configuration

In order to establish a secure connection with a Windows remote, WinRM with HTTPS transport should be correctly configured for an SSL connection. Detailed information can be found in the official Microsoft guide.

GLPI Agent, used as a server between remotes and NetEye, should be configured as follows:

Linux server configuration

  1. Specify the target server: Using agentless mode, the target server should be declared before inserting the remotes. You should specify the previously defined parameters with the command:

    glpi-agent \
    --server=https://<user>:<pass>@<neteye_addr>/glpi/front/inventory.php
    
  2. Extract the ID of the specified target server with the command:

    glpi-remote list targets
    
  3. Add remote devices with the following command:

    For a Linux remote machine:

    glpi-remote \
    add ssh://<remote_user>:<remote_pass>@<addr>/?mode=libssh2 \
    --target <server_id>
    

    Hint

    Verify that the Perl library Net::SSH2 is installed by executing the command perl -e "use Net::SSH2". libssh2 should also be installed on the server machine.

    For Windows remotes:

    glpi-remote \
    add winrm://<remote_user>:<remote_pass>@<addr>/?mode=ssl \
    --target <server_id>
    
    • <remote_user> and <remote_pass> are the credentials that GLPI Agent should use on remotes to perform the inventory

    • <addr> is the IP address or hostname of the remote device

    • <server_id> is the ID of the previously inserted target server that can be shown with the glpi-remote list targets command.

    Warning

    NetEye security is guaranteed only if mode=libssh2 and mode=ssl are used for Linux and Windows remotes, respectively.

    Hint

    If SSH keys have been exchanged, <remote_pass> is not needed when adding the remote device.

  4. Execute the remote inventory task of the GLPI Agent to collect assets and send them to the Master:

    glpi-agent -f --logger=stderr --tasks remoteinventory \
    -s https://<user>:<pass>@<neteye_addr>/glpi/front/inventory.php
    

    Where <user>, <pass> and <neteye_addr> are parameters defined in the Asset collection methods section. Once the inventory has been performed, the GLPI Agent will send it to the specified target hostname.
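
The warning in step 3 ties each remote scheme to one mode. The following is an added example, not part of NetEye or GLPI Agent: it checks remote URLs against those pairs before they are passed to glpi-remote add, and redacts credentials in its report. The function names, hosts and credentials are constructed for illustration.

```shell
#!/bin/sh
# Added example: enforce the scheme/mode pairs from the warning above
# (ssh -> mode=libssh2, winrm -> mode=ssl) before calling "glpi-remote add".

# check_remote_url URL: prints a verdict, returns 0 only for a compliant URL.
check_remote_url() (
    set -f                                  # no globbing while splitting
    case $1 in
        ssh://*)   want=libssh2 ;;
        winrm://*) want=ssl ;;
        *) echo "unsupported scheme"; exit 1 ;;
    esac
    case $1 in
        *\?*) query=${1##*\?} ;;            # text after the last '?'
        *) echo "no mode parameter, expected mode=$want"; exit 1 ;;
    esac
    mode=
    IFS='&'
    for kv in $query; do
        case $kv in mode=*) mode=${kv#mode=} ;; esac
    done
    if [ "$mode" != "$want" ]; then
        echo "mode=${mode:-<unset>}, expected mode=$want"; exit 1
    fi
    echo "ok"
)

# redact URL: hide the userinfo so the report never shows <remote_pass>.
redact() { printf '%s\n' "$1" | sed 's#^\([a-z]*://\)[^/@]*@#\1***@#'; }

# audit_remotes: read one URL per line from stdin, report each one, and
# return non-zero if any URL does not use the required mode.
audit_remotes() {
    rc=0
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        if verdict=$(check_remote_url "$url"); then status=PASS
        else status=FAIL; rc=1; fi
        printf '%s %s (%s)\n' "$status" "$(redact "$url")" "$verdict"
    done
    return $rc
}

# Constructed sample input; hosts and credentials are placeholders.
audit_remotes <<'EOF' || true
ssh://inv:S3cret@linux01.example.com/?mode=libssh2
winrm://inv:S3cret@win01.example.com/?mode=ssl
winrm://inv:S3cret@win02.example.com/
ssh://inv@linux02.example.com/?mode=ssl
EOF
```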

Windows server configuration

  1. Specify the target server: Using agentless mode, the target server should be declared before inserting the remotes. You should specify the previously defined parameters with the command:

    glpi-agent ^
    --server=https://<user>:<pass>@<neteye_addr>/glpi/front/inventory.php
    
  2. Extract the ID of the specified target server with the command:

    glpi-remote list targets
    
  3. Add remote devices with the following command:

    For a Linux remote machine:

    glpi-remote ^
    add ssh://<remote_user>:<remote_pass>@<addr>/?mode=libssh2 ^
    --target <server_id>
    

    Hint

    Verify that the Perl library Net::SSH2 is installed by executing the command perl -e "use Net::SSH2". libssh2 should also be installed on the server machine.

    For Windows remotes:

    glpi-remote ^
    add winrm://<remote_user>:<remote_pass>@<addr>/?mode=ssl ^
    --target <server_id>
    
    • <remote_user> and <remote_pass> are the credentials that GLPI Agent should use on remotes to perform the inventory

    • <addr> is the IP address or hostname of the remote device

    • <server_id> is the ID of the previously inserted target server that can be shown with the glpi-remote list targets command.

    Warning

    NetEye security is guaranteed only if mode=libssh2 and mode=ssl are used for Linux and Windows remotes, respectively.

    Hint

    If SSH keys have been exchanged, <remote_pass> is not needed when adding the remote device.

  4. Execute the remote inventory task of the GLPI Agent to collect assets and send them to the Master:

    glpi-agent -f --logger=stderr --tasks remoteinventory ^
    -s https://<user>:<pass>@<neteye_addr>/glpi/front/inventory.php
    

    Where <user>, <pass> and <neteye_addr> are parameters defined in the Asset collection methods section. Once the inventory has been performed, the GLPI Agent will send it to the specified target hostname.

More information about the glpi-remote command can be found in glpi-agent.