Navigation
  • Security >
  • Configure Ops Manager Users for LDAP Authentication and Authorization

Configure Ops Manager Users for LDAP Authentication and Authorization

Overview

You can use a Lightweight Directory Access Protocol (LDAP) service to manage Ops Manager user authentication and authorization. Users log in through Ops Manager, then Ops Manager searches the LDAP directory for the user and synchronizes the user’s name and email addresses in the Ops Manager user records with the values in the LDAP user records.

To configure Ops Manager to use LDAP, go to: Admin > General > Ops Manager Config > User Authentication.

Note

This tutorial describes authenticating users of the Ops Manager web interface.

If your MongoDB deployments also use LDAP, you must separately create MongoDB users for the Ops Manager agents, as described in Configure Monitoring Agent for LDAP and Configure Backup Agent for LDAP Authentication.

This tutorial describes how to:

User Authentication

When a user logs in, Ops Manager searches for a matching user using an LDAP query.

  • Ops Manager logs into LDAP as the search user, using the credentials specified in the LDAP Bind Dn and LDAP Bind Password fields.
  • Ops Manager searches only under the base distinguished name specified in the LDAP User Base Dn field and matches the user according to the LDAP attribute specified in the LDAP User Search Attribute field.
  • If a matching user is found, Ops Manager authenticates the supplied password against the LDAP password for the provided user.

Authorization/Access Control

LDAP groups let you control access to Ops Manager. You associate LDAP groups with organization and project Ops Manager roles and assign the LDAP groups to the users who should have those roles.

LDAP entries map to Ops Manager records as follows:

LDAP Ops Manager
User User
Group Organization/Project Role

To use LDAP groups effectively, create additional projects within Ops Manager to control access to specific deployments in your organization, such as creating separate Ops Manager projects for development and production environments. You can then map an LDAP group to a role in the Ops Manager project to provide access to a deployment.

Note

  • Changes made to LDAP groups can take up to an hour to appear in Ops Manager.
  • If an LDAP user does not belong to any LDAP group, Ops Manager does not assign any roles, organization or project, to the user.
  • If an LDAP user is assigned a project role but no organization role, Ops Manager automatically assigns the user the Organization Member Role.

If you have multiple departments with their own billing needs, alert settings, and project members, create a new organization for each department.

LDAP Over SSL

If you use LDAP over an SSL connection (LDAPS), complete these fields:

Field Needed Value
LDAP SSL CA File The path to a PEM key file for a trusted certificate authority.
LDAP SSL PEM Key File The path to a PEM key file containing a client certificate and private key.
LDAP SSL PEM Key File Password The password to decrypt it if the LDAP SSL PEM Key File is encrypted.

Prerequisites

The LDAP server must:

  • Be installed, configured and accessible to Ops Manager.

  • Embed each user’s group memberships as an attribute of each user’s LDAP Entry.

    Important

    Use the member LDAP user attribute if you want to include LDAP nested groups in Ops Manager group memberships.

    Example

    LDAP user jsmith belongs to LDAP group B. LDAP Group B belongs to LDAP group A. Ops Manager recognizes jsmith as a member of groups A and B.

  • Include a user that can search the needed base distinguished name(s) that have the users and groups that use Ops Manager.

  • Include a group that you can specify in the Ops Manager LDAP Global Role Owner field.

    • The first user to log into Ops Manager with LDAP authentication must belong to this LDAP group.
    • This user will also create the initial Ops Manager project.

    Example

    If LDAP has an admin group for use by Ops Manager administrators, enter admin in the LDAP Global Role Owner field.

Using LDAP from the Fresh Install vs. Converting to LDAP

All prerequisites apply to either scenario. The additional requirements are:

Fresh LDAP Install Conversion to LDAP
The Global Owner to be the first user created. The Global Owner exist in both LDAP and Ops Manager and belong to the LDAP group that will map to the Ops Manager Global Owner role.

Important

Once Ops Manager is converted to LDAP Authentication, only the user with the Global Owner role changing the authentication method remains logged into Ops Manager. All other users are logged off and need to log back into Ops Manager using their LDAP username and password. Any users without an LDAP username and password can no longer log into Ops Manager.

Procedure

To configure LDAP authentication:

1

Define your user records in the LDAP system of your choice.

See Lightweight Directory Access Protocol Schema for User Applications for a description of standard LDAP object classes and attribute types.

2
3

Type LDAP configuration settings.

  1. Enter values for the following required LDAP configuration fields:

    Field Action Example
    User Authentication Method Select LDAP. LDAP
    LDAP URI Type the hostname and port of the LDAP server. ldap://ldap.example.com:389
    LDAP SSL CA File Type the path to a PEM key file containing the certificate for the CA who signed the certificate used by the LDAPS server. This optional field is used by the Ops Manager application to verify the identify of the LDAPS server and prevent man-in- the-middle Attacks. If this configuration is not provided, Ops Manager uses the default root CA certificate bundle that comes with the Java Runtime Environment (JRE). If your LDAPS server certificate cannot be verified by a root CA (i.e. if it is self-signed), requests to the LDAPS server fail. /opt/cert/ca.pem
    LDAP SSL PEM Key File Type the path to a PEM key file containing a client certificate and private key. This field is optional and should be used only if your LDAPS server requires client certificates be passed by client applications. This is used to sign requests sent from the Ops Manager application server to the LDAPS server. This allows the LDAPS server to verify the identify of Ops Manager application server. /opt/cert/ldap.pem
    LDAP SSL PEM Key File Password Type the password that decrypts the LDAP SSL PEM Key File. If your client certificates specified in the LDAP SSL PEM Key File field are required by the LDAPS server and if the client certificate specified in LDAP SSL PEM Key File is stored encrypted on the file system, this field is required. <encrypted-password>
    LDAP Bind Dn Type a credentialed user on the LDAP server that can conduct searches for users. cn=admin, dc=example, dc=com
    LDAP Bind Password Type the password for the Bind Dn user on the LDAP server. <password>
    LDAP User Base Dn Type the Distinguished Name that Ops Manager uses to search for users on the LDAP server. dc=example, dc=com
    LDAP User Search Attribute Type the LDAP field in the LDAP server that specifies the username. uid
    LDAP User Group

    Type the LDAP user attribute that specifies the LDAP groups to which the user belongs. The LDAP attribute can use any format to list the groups, including Common Name (cn) or Distinguished Name (dn). All Ops Manager settings that specify groups must match the chosen format.

    Important

    Changed in version 3.6.

    The memberOf LDAP user attribute is deprecated in favor of the member LDAP user attribute.

    If you specify both user attributes in the LDAP User Group field, Ops Manager uses member and ignores memberOf. If you specify only memberOf, Ops Manager will not recognize the user’s membership in nested LDAP groups.

    member
    LDAP Global Role Owner Type the LDAP group to which Ops Manager Global Owners belong. cn=global-owner, ou=groups, dc=example, dc=com

    Note

    Each Global Role group provides the members of its associated LDAP group or groups with an Ops Manager global role. Global roles provide access to all the Ops Manager projects in the Ops Manager deployment.

  2. Type values for the following Optional LDAP Configuration fields if needed.

    Important

    Multiple LDAP Groups Can Map to One Role

    Ops Manager roles can include more than one LDAP group. Type multiple LDAP group names in the relevant role fields separated by two semicolons (;;).

    Field Action
    LDAP User First Name Type the attribute of LDAP users that specifies the user’s first name.
    LDAP User Last Name Type the attribute of LDAP users that specifies the user’s last name.
    LDAP User Email Type the attribute of LDAP users that specifies the user’s email address.
    LDAP Global Role Automation Admin Type the LDAP group(s) to which Ops Manager Global Automation Administrators belong. You can type multiple LDAP groups into this field if they are separated by two semicolons (;;).
    LDAP Global Role Backup Admin Type the LDAP group(s) to which Ops Manager Global Backup Administrators belong. You can type multiple LDAP groups into this field if they are separated by two semicolons (;;).
    LDAP Global Role Monitoring Admin Type the LDAP group(s) to which Ops Manager Global Monitoring Administrators belong. You can type multiple LDAP groups into this field if they are separated by two semicolons (;;).
    LDAP Global Role User Admin Type the LDAP group(s) to which the Ops Manager Global User Administrators belong. You can type multiple LDAP groups into this field if they are separated by two semicolons (;;).
    LDAP Global Role Read Only Type the LDAP group(s) to which Ops Manager Global Read Only Users belong. You can type multiple LDAP groups into this field if they are separated by two semicolons (;;).
4

Click Save.

5

Log in as a global owner and create the first Ops Manager project.

Log into Ops Manager as an LDAP user that is part of the LDAP group specified in the Ops Manager LDAP Global Role Owner field.

Upon successful login, Ops Manager displays your projects page.

6

Associate LDAP groups with project roles.

To associate LDAP groups with roles in a new project:

Note

You must have any global role to create a new project.

  1. Click Admin > General > Projects.
  2. Click Create a New Project.
  3. In Project Name, type a name for the new Ops Manager project.
  4. Enter the LDAP groups that should provide the permissions for each project role.
  5. Click Add Project.

To update the association of LDAP groups with roles in an existing project:

  1. Click Admin > General > Projects.
  2. Click on the pencil button to the right of the group to edit.
  3. Enter the LDAP groups that should provide the permissions for each project role.
    • If LDAP groups exist in the text box, append additional LDAP groups. Use two semicolons to separate LDAP groups.
    • To remove LDAP groups, delete them from the list.
  4. Click Save Changes.
7

(Optional) Associate LDAP groups with organization roles.

To associate LDAP groups with roles for a new organization:

Note

You must have any global role to create a new organization.

  1. Click Admin > General > Organizations.
  2. Click Create a New Organization.
  3. In Organization Name, type a name for the new Ops Manager organization.
  4. Enter the LDAP groups that should provide the permissions for each organization role.
  5. Click Add Organization.

To update the association of LDAP groups with roles for an existing organization:

  1. Click Admin > General > Organizations.
  2. Click the Edit Org button.
  3. Enter the LDAP groups that should provide the permissions for each organization role.
    • If LDAP groups exist in the text box, append additional LDAP groups. Use two semicolons to separate LDAP groups.
    • To remove LDAP groups, delete them from the list.
  4. Click Save Changes.
8

Add your MongoDB deployments.

Specify the LDAP authentication settings when adding a MongoDB deployment.