Based on these Discussions Here for Tactical RMM
Considering the 2 tools come in handy and help me a lot, I have been looking into implementing an NS8 module for both TacticalRMM and MeshCentral, and boy have I gotten myself into a rabbit hole. I need your help.
Anyone with the time to join the bandwagon of building the module, you’re welcome to do so.
At the moment, I require community suggestions and input on this subject matter.
MeshCentral
We currently have a MeshCentral module for NS7, and since it’s been discussed a number of times already, I won’t dwell on what it is and what it does.
The current MeshCentral module by @mrmarkuz currently makes use of MongoDB for its database.
TacticalRMM
We currently have the installation instructions for NS7.
TacticalRMM makes use of MeshCentral to achieve 3 functionalities:
- Take Remote Control
- Remote File Browser
- RealTime Shell
While a previous deployment and discussions for TacticalRMM pointed at it being Windows only, the current version supports even Mac.
Looking at the Docker Compose file of Tactical RMM here, you will notice that the MeshCentral integration makes use of PostgreSQL as the database instead of MongoDB, with the following ENV
Where the Challenge Arises
Tactical RMM has a full permission module, but because of how Tactical RMM integrates with MeshCentral currently there is a permissions bypass atm
This is how TacticalRMM integrates with MeshCentral
With that understanding, when you trigger any function in Tactical RMM that uses a MeshCentral function (Remote Control, or Remote background) the user gets the full admin login Auth token for logging into MeshCentral. If they then go to https://mesh.example.com they will see all agents and have full administrative permissions for everything in MeshCentral.
If you have multiple techs, and need to restrict their computer access permissions, right now you will need to disable auto login and manually manage your meshcentral users and computers. First you will need to:
- Check the `Disable Auto Login for Remote Control and Remote background:` option.
- Manually login to MeshCentral, and manually create users and set their permissions/restrictions.
- All techs will then have to manually login to https://mesh.example.com daily so they can use Remote Control and the MeshCentral Remote Background features.
So basically, for TacticalRMM to work, the super admin user that is created, and that needs to be there to work with MeshCentral, has permissions on all devices.
This is if we are using the integrated deployment of TacticalRMM with MeshCentral.
Alternative?
The alternative would be running your own separate instance:
Installation instructions for using your own MeshCentral server:
- Run standard installation.
- When asked for Mesh URL specify your existing Mesh server URL.
- After installation, you will need to run thru manually uploading installers and connecting token with this:
- Make sure DNS is pointing to your existing server (you must also remove `mesh.yourdomain.com` from `/etc/hosts` on the trmm server).
Similarly, reading these notes from the MeshCentral module for NS7 here:
MeshCentral uses internal authentication by default, you can enable AD/LDAP authentication but there’s no way to use both auth methods so you have to decide. It’s possible to create an internal user, enable AD/LDAP, login with AD/LDAP users, disable AD/LDAP and login with the created internal user. This way you always have an untouched backup admin.
config setprop meshcentral ldap enabled
Meshcentral checks if the used cert on the DC is valid. To use AD you need to either disable strong auth in smb.conf or add the nsdc host to the letsencrypt cert and copy it to the DC.
So going by this, I am not sure whether it’s possible, using the integrated deployment, to have MeshCentral keep a pre-configured super admin and attach the LDAP users; that way, TacticalRMM would continue to use the super admin defined for it, while normal users could log in to MeshCentral using their AD credentials. Maybe @mrmarkuz, you can give more input and detail on this subject, or anyone who has had some experience with the matter.
My Module Vision(s)/Plan - What would be best
- Build a single integrated TacticalRMM and MeshCentral module; users can choose to make use of MeshCentral and ignore TacticalRMM if they don’t need it, as with the Docker install of the original MeshCentral.
or
The first option assumes the default TacticalRMM installation, which has MeshCentral with it. I am not sure if we could modify that one and implement LDAP.
- Build a separate, dedicated MeshCentral module, then build a Tactical RMM module without MeshCentral; then, during configuration, a user can choose the MeshCentral installation to be used for TacticalRMM, similar to how LDAP selection works.
The second option looks like the most sane option, but if we need to have LDAP and SSO, then there is a need to figure out if it’s possible to have both LDAP available as well as the hidden super admin credentials for TacticalRMM.
If we are unable, for whatever reason, to integrate MeshCentral and TacticalRMM for this second option, then the integration will not be automatic. The good news is that LDAP will be present since MeshCentral is independent, but we might have to make use of the manual agents uploading to TacticalRMM, as was being done with the initial deployments, before it became automatically integrated.
- Build a separate MeshCentral module, full featured (with MongoDB & LDAP), and a separate full-featured TacticalRMM module (with PgSQL).
The third option, for me, if used by the same organization, seems wasteful. This is because you’ll have a MeshCentral instance running that only serves TacticalRMM, while it can do a lot more. Similarly, the need for a dedicated MeshCentral login, if you have staff and consulting SSH login, would be better than giving access to TacticalRMM, which has a lot of details they may not need to interact with.
For MeshCentral with PgSQL
So far, all the Docker Compose files as well as ENV variables for deploying MeshCentral with Docker only have MongoDB, and not one for PgSQL is available. If someone has come across one, or has notes on how to implement MeshCentral with/for MongoDB, please let me know.
As for the PgSQL version used in the TacticalRMM Docker, I am not sure what mods were made to make it work with PgSQL instead of MongoDB. I also guess they chose that route because TacticalRMM uses PgSQL.
As for the versions where TacticalRMM would be integrated, the credentials for the super user could be system generated, then stored and retrieved by the env, making sure no one can have access to them.
Finally, since we have a Grafana module on NS8, we can have this Grafana integration for TacticalRMM: dinger1986/TRMM-Grafana: Grafana Dashboards setup and preconfigured to work with Tactical RMM (github.com)
After sharing, and again for me, consolidating all the things I have been researching in the past few days on the best possible way to have this module implemented into NS8, I would like your feedback and suggestions, as well as links and notes on what I am missing and couldn’t find on my own.
I am sorry this became a long post.
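As an added example (not part of the original post, and not code from NethServer, Tactical RMM or MeshCentral), one way the system-generated superuser credentials mentioned above could be created once and kept in an owner-only env file. The file path and the `MESH_USER`/`MESH_PASS` variable names are hypothetical.

```shell
#!/bin/sh
# Added example. MESH_USER, MESH_PASS and the env file location are
# hypothetical names, not settings taken from either project.

# gen_hex BYTES: print 2*BYTES hex characters read from the kernel CSPRNG.
gen_hex() {
    od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# ensure_mesh_credentials FILE
# Create FILE once with a random superuser login. Later calls keep the
# existing credentials, so restarting the module does not lock the
# integration out, and only re-tighten the file mode.
ensure_mesh_credentials() {
    env_file=$1
    if [ -s "$env_file" ]; then
        chmod 600 "$env_file"       # repair permissions if they were loosened
        return 0
    fi
    # mktemp creates the file with mode 0600, so the secret is never
    # readable by other local users, not even briefly.
    tmp=$(mktemp "${env_file}.XXXXXX") || return 1
    {
        printf 'MESH_USER=trmm-%s\n' "$(gen_hex 4)"
        printf 'MESH_PASS=%s\n' "$(gen_hex 24)"
    } > "$tmp"
    # Rename is atomic: a reader sees either no file or the complete file.
    mv "$tmp" "$env_file"
}

# read_mesh_var FILE NAME: print the value stored for NAME in FILE.
read_mesh_var() {
    sed -n "s/^$2=//p" "$1"
}
```

Anyone who can inspect the container can still read variables passed through its environment, so the file mode only protects the copy on disk.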