
Configure Users and Groups with LDAP for Ops Manager

Important

You must start with a fresh installation of the latest version of Ops Manager. There is no method for converting an existing Ops Manager deployment to use LDAP user management.

Overview

You can configure Ops Manager to use a Lightweight Directory Access Protocol (LDAP) service to manage user authentication. Users log in using the standard Ops Manager interface. Ops Manager synchronizes user name and email addresses in Ops Manager user records with the values in LDAP user records.

Note

If your MongoDB deployment uses LDAP, you must also create MongoDB users for the Ops Manager agents. For more information, see Configure Monitoring Agent for LDAP and Configure Backup Agent for LDAP Authentication.

Additionally, and independently, the Ops Manager Application can also use LDAP to authenticate to its backing instances. To use LDAP with backing instances, set the mongo.mongoUri setting in addition to the LDAP settings described in the procedure below.

User Authentication

When a user logs in, Ops Manager searches LDAP for a matching user. To perform the search, Ops Manager logs into LDAP as the “search” user, using the credentials specified in the mms.ldap.bindDn and mms.ldap.bindPassword settings in the Ops Manager configuration file.

Ops Manager searches LDAP within the base distinguished name defined in the mms.ldap.user.baseDn setting of the Ops Manager configuration file and matches the user according to the LDAP attribute defined in the mms.ldap.user.searchAttribute setting. If a matching user is found, Ops Manager authenticates the supplied password against the LDAP password.

Access Control

LDAP groups let you control access to Ops Manager. You map LDAP groups to Ops Manager roles and assign the LDAP groups to the users who should have those roles.

To use LDAP groups effectively, create additional groups within Ops Manager to control access to specific deployments in your organization. For example, create separate Ops Manager groups for development environments and for production environments. Provide access to a deployment by mapping an LDAP group to a role in the Ops Manager group.

This tutorial describes how to map LDAP groups to global Ops Manager roles and to group-level Ops Manager roles. You do the former through the Ops Manager configuration file and the latter through the Ops Manager interface.

Note

Changes made to LDAP groups can take up to an hour to appear in Ops Manager.

Global Owner Access

Your LDAP installation must include a group that you can assign to the Ops Manager mms.ldap.global.role.owner setting. The first user to log into Ops Manager with LDAP authentication must belong to this LDAP group. This user will also create the initial Ops Manager group.

For example, if LDAP has an admin group for use by Ops Manager administrators, set the mms.ldap.global.role.owner property to admin during the appropriate step in the procedure below.

Prerequisites

The Ops Manager Application must be installed and configured. You must either start with a new Ops Manager installation or reset your installation to a clean state. For assistance, contact your MongoDB account manager.

The LDAP server must be installed, configured, and accessible to Ops Manager.

Procedure

To configure LDAP authentication, define user records in LDAP, configure LDAP settings in Ops Manager, and then associate LDAP groups with Ops Manager group-level roles, as described here:

1. Define LDAP user records.

2. Update the service class setting in conf-mms.properties.

Set the mms.userSvcClass setting in the Ops Manager conf-mms.properties configuration file to the value of the LDAP service class. For example:

mms.userSvcClass=com.xgen.svc.mms.svc.user.UserSvcLdap

3. Enter LDAP user settings in conf-mms.properties.

Enter values for the following settings. The LDAP group you specify for the mms.ldap.global.role.owner setting must have at least one user assigned to it; you will sign in as that user later in this procedure. For more information on a setting or an example value, click the setting or see LDAP User Settings:

Optional settings:

4. Associate LDAP groups with global Ops Manager roles in conf-mms.properties.

In addition to the mms.ldap.global.role.owner setting that you assigned in the previous step, assign the remaining global-role settings. Each provides the members of the specified LDAP group or groups with an Ops Manager global role. Global roles provide access to all the Ops Manager groups in the Ops Manager deployment.

You can specify an LDAP group using any format, including Common Name (cn) or Distinguished Name (dn). The format you choose must be consistent across settings and consistent with the format used in the LDAP user records in the attribute specified in the mms.ldap.user.group setting.

For more information and example values, click the settings or see LDAP Global Role Settings:

Optional:
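As an added example that is not part of this page or of Ops Manager's own code, the following Python models the login flow described under User Authentication together with the global-role mapping of this step: it parses a constructed conf-mms.properties fragment that uses only settings named on this page, binds as the search user, finds the user under the base DN by the search attribute, checks the password, and grants a global role for each mms.ldap.global.role.* setting whose group appears in the user's group attribute. The in-memory directory, DNs, user names and passwords are made-up sample data, and treating each role setting as naming a single group (not a list) is an assumption.

```python
import hmac
# Constructed conf-mms.properties fragment using only settings named on this page.
CONF = """
mms.userSvcClass=com.xgen.svc.mms.svc.user.UserSvcLdap
mms.ldap.bindDn=cn=mms-search,dc=example,dc=com
mms.ldap.bindPassword=search-secret
mms.ldap.user.baseDn=ou=people,dc=example,dc=com
mms.ldap.user.searchAttribute=uid
mms.ldap.user.group=memberOf
mms.ldap.global.role.owner=cn=ops-admins,ou=groups,dc=example,dc=com
"""

# Constructed in-memory stand-in for the LDAP server: DN -> attributes.
DIRECTORY = {
    "cn=mms-search,dc=example,dc=com": {"userPassword": "search-secret"},
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "alice-pw",
        "memberOf": ["cn=ops-admins,ou=groups,dc=example,dc=com"]},
    # bob's record names the same group as a bare cn; it does not match the
    # dn-format owner setting above, the format mismatch the page warns about.
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": "bob", "userPassword": "bob-pw", "memberOf": ["ops-admins"]},
}

def parse_properties(text):
    props = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def bind(dn, password):
    # Simulated LDAP simple bind: succeeds only for a known DN and its password.
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["userPassword"], password)

def login(props, username, password):
    # 1. Bind as the search user from mms.ldap.bindDn / mms.ldap.bindPassword.
    if not bind(props["mms.ldap.bindDn"], props["mms.ldap.bindPassword"]):
        return None
    # 2. Find the user under mms.ldap.user.baseDn by mms.ldap.user.searchAttribute.
    base, attr = props["mms.ldap.user.baseDn"], props["mms.ldap.user.searchAttribute"]
    hits = [dn for dn, e in DIRECTORY.items() if dn.endswith("," + base) and e.get(attr) == username]
    # 3. Require exactly one match and verify the password by binding as that user.
    if len(hits) != 1 or not bind(hits[0], password):
        return None
    # 4. Each mms.ldap.global.role.* setting whose group is in the user's group attribute grants that role.
    groups = set(DIRECTORY[hits[0]].get(props["mms.ldap.user.group"], []))
    return sorted(key.rsplit(".", 1)[1] for key, group in props.items()
                  if key.startswith("mms.ldap.global.role.") and group in groups)
```

login returns None for a failed login and a (possibly empty) list of global roles otherwise; only a user whose result includes "owner" can perform the first login and create the initial Ops Manager group.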

5. Log in as a global owner and create the first Ops Manager group.

Log into Ops Manager as an LDAP user who belongs to the LDAP group specified in the Ops Manager mms.ldap.global.role.owner setting.

Upon successful login, Ops Manager displays your groups page.

6. Associate LDAP groups with group-level roles.

On the Ops Manager My Groups page (in the Administration tab), click the Add Group button.

Enter a name for the new Ops Manager group and enter the LDAP groups that should provide the permissions for each group-level role.

Select the checkbox to agree to the terms of service.

Click Add Group.

7. Add your MongoDB deployments.

Specify the LDAP authentication settings when adding a MongoDB deployment.