Configure Users and Groups with LDAP for Ops Manager
Important
You must start with a fresh installation of the latest version of Ops Manager. There is no method for converting an existing Ops Manager deployment to use LDAP user management.
Overview
You can configure Ops Manager to use a Lightweight Directory Access Protocol (LDAP) service to manage user authentication. Users log in using the standard Ops Manager interface. Ops Manager synchronizes the user names and email addresses in Ops Manager user records with the values in the LDAP user records.
Note
If your MongoDB deployment uses LDAP, you must also create MongoDB users for the Ops Manager agents. For more information, see Configure Monitoring Agent for LDAP and Configure Backup Agent for LDAP Authentication.
Additionally, and independently, the Ops Manager Application can also use LDAP to authenticate to its backing instances. To use LDAP with backing instances, set the mongo.mongoUri in addition to the LDAP settings described in the procedure below.
User Authentication
When a user logs in, Ops Manager searches LDAP for a matching user. To perform the search, Ops Manager logs into LDAP as the "search" user, using the credentials specified in the mms.ldap.bindDn and mms.ldap.bindPassword settings in the Ops Manager configuration file.
Ops Manager searches LDAP within the base distinguished name defined in the mms.ldap.user.baseDn setting of the Ops Manager configuration file and matches the user according to the LDAP attribute defined in the mms.ldap.user.searchAttribute setting. If a matching user is found, Ops Manager authenticates the supplied password against the LDAP password.
Access Control
LDAP groups let you control access to Ops Manager. You map LDAP groups to Ops Manager roles and assign the LDAP groups to the users who should have those roles.
To use LDAP groups effectively, create additional groups within Ops Manager to control access to specific deployments in your organization. For example, create separate Ops Manager groups for development environments and for production environments. Provide access to a deployment by mapping an LDAP group to a role in the Ops Manager group.
This tutorial describes how to map LDAP groups to global Ops Manager roles and to group-level Ops Manager roles. You do the former through the Ops Manager configuration file and the latter through the Ops Manager interface.
Note
Changes made to LDAP groups can take up to an hour to appear in Ops Manager.
Global Owner Access
Your LDAP installation must include a group that you can assign to the Ops Manager mms.ldap.global.role.owner setting. The first user to log into Ops Manager with LDAP authentication must belong to this LDAP group. This user will also create the initial Ops Manager group.
For example, if LDAP has an admin group for use by Ops Manager administrators, set the mms.ldap.global.role.owner property to admin during the appropriate step in the procedure below.
Prerequisites
The Ops Manager Application must be installed and configured. You must either start with a new Ops Manager installation or reset your installation to a clean state. For assistance, contact your MongoDB account manager.
The LDAP server must be installed, configured, and accessible to Ops Manager.
Procedure
To configure LDAP authentication, define user records in LDAP, configure LDAP settings in Ops Manager, and then associate LDAP groups with Ops Manager group-level roles, as described here:
Define LDAP user records.
Update the service class setting in conf-mms.properties.
Set the mms.userSvcClass setting in the Ops Manager conf-mms.properties configuration file to the value of the LDAP service class. For example:
Enter LDAP user settings in conf-mms.properties.
Enter values for the following settings. The LDAP group you specify for the mms.ldap.global.role.owner setting must have a user assigned to it. You will sign in as this user later in this procedure. For more information on a setting or an example value, see LDAP User Settings:
mms.ldap.url
mms.ldap.bindDn
mms.ldap.bindPassword
mms.ldap.user.baseDn
mms.ldap.user.searchAttribute
mms.ldap.user.group
mms.ldap.global.role.owner
Optional settings:
Associate LDAP groups with global Ops Manager roles in conf-mms.properties.
In addition to the mms.ldap.global.role.owner setting that you assigned in the previous step, assign the remaining global-role settings. Each provides the members of the specified LDAP group or groups with an Ops Manager global role. Global roles provide access to all the Ops Manager groups in the Ops Manager deployment.
You can specify an LDAP group using any format, including Common Name (cn) or Distinguished Name (dn). The format you choose must be consistent across settings and consistent with the format used in the LDAP user records in the attribute specified in the mms.ldap.user.group setting.
For more information and example values, see LDAP Global Role Settings:
mms.ldap.global.role.automationAdmin
mms.ldap.global.role.backupAdmin
mms.ldap.global.role.monitoringAdmin
mms.ldap.global.role.userAdmin
mms.ldap.global.role.readOnly
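A small checker for the settings above, added here as an example (it is not Ops Manager code). It parses conf-mms.properties, reports missing required settings, and flags global-role groups that mix the cn and dn formats this page says must be consistent; it assumes each role setting names a single group.

```python
"""Sanity checks for the LDAP settings in conf-mms.properties (added example,
not Ops Manager code). Assumes each global role setting names one group."""
import re

REQUIRED = [
    "mms.ldap.url", "mms.ldap.bindDn", "mms.ldap.bindPassword",
    "mms.ldap.user.baseDn", "mms.ldap.user.searchAttribute",
    "mms.ldap.user.group", "mms.ldap.global.role.owner",
]
GLOBAL_ROLES = ["owner", "automationAdmin", "backupAdmin",
                "monitoringAdmin", "userAdmin", "readOnly"]

def parse_properties(text):
    """Minimal Java .properties parser: key=value (or key: value) lines."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=:\s#!][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m:  # comments (#, !) and blank lines do not match
            props[m.group(1)] = m.group(2)
    return props

def group_format(value):
    """'dn' if the value looks like a distinguished name, else a bare 'cn'."""
    return "dn" if "=" in value else "cn"

def check_ldap_settings(props):
    """Return a list of problems; an empty list means the checks passed."""
    problems = [f"missing or empty required setting: {k}"
                for k in REQUIRED if not props.get(k)]
    formats = {r: group_format(props[f"mms.ldap.global.role.{r}"])
               for r in GLOBAL_ROLES if props.get(f"mms.ldap.global.role.{r}")}
    if len(set(formats.values())) > 1:  # page: format must be consistent
        problems.append("mixed group formats across global role settings: "
                        + ", ".join(f"{r}={f}" for r, f in sorted(formats.items())))
    if props.get("mms.ldap.url", "").startswith("ldap://"):
        # plain LDAP sends the search user's bind password unencrypted
        problems.append("mms.ldap.url is ldap:// (unencrypted); use ldaps://")
    return problems

# Constructed sample configuration (not from a real deployment).
SAMPLE_GOOD = """\
mms.ldap.url=ldaps://ldap.example.net:636
mms.ldap.bindDn=cn=mms-search,ou=service,dc=example,dc=net
mms.ldap.bindPassword=constructed-secret
mms.ldap.user.baseDn=ou=people,dc=example,dc=net
mms.ldap.user.searchAttribute=uid
mms.ldap.user.group=memberOf
mms.ldap.global.role.owner=cn=mms-owners,ou=groups,dc=example,dc=net
mms.ldap.global.role.readOnly=cn=mms-readonly,ou=groups,dc=example,dc=net
"""
```

Run `check_ldap_settings(parse_properties(open("conf-mms.properties").read()))` against your own file; an empty list means the required settings are present and the group formats agree.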
Optional:
Log in as a global owner and create the first Ops Manager group.
Log into Ops Manager as an LDAP user who belongs to the LDAP group specified in the Ops Manager mms.ldap.global.role.owner setting.
Upon successful login, Ops Manager displays your groups page.
Associate LDAP groups with group-level roles.
On the Ops Manager My Groups page (in the Administration tab), click the Add Group button.
Enter a name for the new Ops Manager group and enter the LDAP groups that should provide the permissions for each group-level role.
Select the checkbox to agree to the terms of service.
Click Add Group.
Add your MongoDB deployments.
Specify the LDAP authentication settings when adding a MongoDB deployment.