This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Configure users and groups using LDAP with Ops Manager

Overview

You can configure Ops Manager to use a Lightweight Directory Access Protocol (LDAP) service to manage user authentication. Users log in through Ops Manager, then Ops Manager searches the LDAP directory for the user and synchronizes the user’s name and email addresses in the Ops Manager user records with the values in the LDAP user records.

LDAP is now configured within Ops Manager and not through a properties file. Go to Admin > General > Ops Manager Config > User Authentication to configure these settings.

Note

This page is about user authentication into the Ops Manager web interface. Separately, if your MongoDB deployment uses LDAP for external authentication of database users, see the related page for creating MongoDB database users for the Ops Manager agents. For more information, see Configure Monitoring Agent for LDAP and Configure Backup Agent for LDAP Authentication.

This tutorial describes how to configure LDAP authentication for Ops Manager and how to map LDAP groups to global and group-level Ops Manager roles.

User Authentication

When a user logs in, Ops Manager searches for a matching user using an LDAP query.

  • Ops Manager logs into LDAP as the search user, using the credentials specified in the LDAP Bind Dn and LDAP Bind Password fields.
  • Ops Manager searches only under the base distinguished name specified in the LDAP User Base Dn field and matches the user according to the LDAP attribute specified in the LDAP User Search Attribute field.
  • If a matching user is found, Ops Manager authenticates the supplied password against the LDAP password for the provided user.

Access Control

LDAP groups let you control access to Ops Manager. You map LDAP groups to Ops Manager roles and assign the LDAP groups to the users who should have those roles.

LDAP entries map to Ops Manager records as follows:

LDAP     Ops Manager
User     User
Group    Role

To use LDAP groups effectively, create additional groups within Ops Manager to control access to specific deployments in your organization, such as creating separate Ops Manager groups for development and production environments. You can then map an LDAP group to a role in the Ops Manager group to provide access to a deployment.

Note

Changes made to LDAP groups can take up to an hour to appear in Ops Manager.

LDAP Over SSL

Use of LDAP over an SSL connection (LDAPS) is specified in the conf-mms.properties file in the fields LDAP SSL CA File, LDAP SSL PEM Key File, and LDAP SSL PEM Key File Password.

Using LDAP from the Fresh Install vs. Converting to LDAP

All prerequisites apply to either scenario. The additional requirements are:

Fresh LDAP Install: The Global Owner must be the first user created.
Conversion to LDAP: The Global Owner must exist in both LDAP and Ops Manager and must belong to the LDAP group that will map to the Ops Manager Global Owner role.

Important

Once Ops Manager is converted to LDAP authentication, only the Global Owner who changes the authentication method remains logged into Ops Manager. All other users are logged off and must log back into Ops Manager using their LDAP username and password. Users without an LDAP username and password can no longer log into Ops Manager.

Prerequisites

The LDAP server must:

  • Be installed, configured and accessible to Ops Manager.

  • Embed each user’s group memberships as an attribute of each user’s LDAP Entry.

  • Include a user that can search the needed base distinguished name(s) that have the users and groups that use Ops Manager.

  • Include a group that you can specify in the Ops Manager LDAP Global Role Owner field.

    • The first user to log into Ops Manager with LDAP authentication must belong to this LDAP group.
    • This user will also create the initial Ops Manager group.

    Example

    If LDAP has an admin group for use by Ops Manager administrators, enter admin in the LDAP Global Role Owner field.


Procedure

To configure LDAP authentication:

1

Define your user records in the LDAP system of your choice.

2
3

Enter LDAP configuration settings.

  1. Enter values for the following required LDAP configuration fields:

    Field: User Authentication Method
      Needed value: Change to LDAP.
      Example value: LDAP

    Field: LDAP URI
      Needed value: The hostname and port of the LDAP server.
      Example value: ldap://ldap.example.com:389

    Field: LDAP SSL CA File
      Needed value: The path to a PEM file containing the certificate of the CA that signed the certificate used by the LDAPS server. This optional field is used by the Ops Manager application to verify the identity of the LDAPS server and prevent man-in-the-middle attacks. If this configuration is not provided, Ops Manager uses the default root CA certificate bundle that comes with the Java Runtime Environment (JRE). If your LDAPS server certificate cannot be verified by a root CA (for example, if it is self-signed), requests to the LDAPS server fail.
      Example value: /opt/cert/ca.pem

    Field: LDAP SSL PEM Key File
      Needed value: The path to a PEM file containing a client certificate and private key. This field is optional and should be used only if your LDAPS server requires client applications to present client certificates. The key signs requests sent from the Ops Manager application server to the LDAPS server, which allows the LDAPS server to verify the identity of the Ops Manager application server.
      Example value: /opt/cert/ldap.pem

    Field: LDAP SSL PEM Key File Password
      Needed value: The password that decrypts the LDAP SSL PEM Key File. This field is required if the LDAPS server requires the client certificate specified in LDAP SSL PEM Key File and that file is stored encrypted on the file system.
      Example value: <encrypted-password>

    Field: LDAP Bind Dn
      Needed value: A credentialed user on the LDAP server used to conduct searches for users.
      Example value: cn=admin, dc=example, dc=com

    Field: LDAP Bind Password
      Needed value: Password for the Bind Dn user on the LDAP server.
      Example value: <password>

    Field: LDAP User Base Dn
      Needed value: The Distinguished Name under which Ops Manager searches for users on the LDAP server.
      Example value: dc=example, dc=com

    Field: LDAP User Search Attribute
      Needed value: The LDAP attribute that holds the username.
      Example value: uid

    Field: LDAP User Group
      Needed value: The attribute of LDAP users that specifies the groups of which the user is a member.

      Important

      You can specify an LDAP group using any format, including Common Name (cn) or Distinguished Name (dn). The format you choose must be consistent across settings and consistent with the format used in the LDAP user records in the attribute specified in the LDAP User Group field. See Authentication through LDAP for more information and examples.

      Example value: memberof

    Field: LDAP Global Role Owner
      Needed value: The LDAP group to which Ops Manager Global Owners belong.
      Example value: cn=global-owner, ou=groups, dc=example, dc=com

    Note

    Each Global Role field provides the members of its associated LDAP group or groups with an Ops Manager global role. Global roles provide access to all the Ops Manager groups in the Ops Manager deployment.

  2. Enter values for the following Optional LDAP Configuration fields if needed:

    Field: LDAP User First Name
      Needed value: The attribute of LDAP users that specifies the user’s first name.

    Field: LDAP User Last Name
      Needed value: The attribute of LDAP users that specifies the user’s last name.

    Field: LDAP User Email
      Needed value: The attribute of LDAP users that specifies the user’s email address.

    Field: LDAP Global Role Automation Admin
      Needed value: The LDAP group(s) to which Ops Manager Global Automation Administrators belong. You can enter multiple LDAP groups in this field if they are separated by two semicolons (;;).

    Field: LDAP Global Role Backup Admin
      Needed value: The LDAP group to which Ops Manager Global Backup Administrators belong.

    Field: LDAP Global Role Monitoring Admin
      Needed value: The LDAP group to which Ops Manager Global Monitoring Administrators belong.

    Field: LDAP Global Role User Admin
      Needed value: The LDAP group to which Ops Manager Global User Administrators belong.

    Field: LDAP Global Role Read Only
      Needed value: The LDAP group to which Ops Manager Global Read Only Users belong.
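The login flow from User Authentication and the Global Role mapping from the fields above, as an added Python model that is not Ops Manager code: it searches only under the User Base Dn by the search attribute, checks the password, and maps the user's group attribute to global roles, including the ";;"-separated multi-group form. The directory entries, passwords and configuration values are constructed for this example; use it to preview which global roles a given user would receive before switching authentication methods.

```python
import hashlib
def norm_dn(value):
    """Compare LDAP names case-insensitively and ignoring the space after commas."""
    return ",".join(p.strip() for p in value.split(",")).lower()

def split_groups(setting):
    """Global Role fields may list several LDAP groups separated by ';;'."""
    return [norm_dn(g) for g in setting.split(";;") if g.strip()]
def _pw(secret):  # stand-in for the server-side bind check, demo only
    return hashlib.sha256(secret.encode()).hexdigest()
# Constructed directory entries keyed by DN; this is not a real LDAP server.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "pw": _pw("s3cret"),
        "memberOf": ["cn=global-owner,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "pw": _pw("hunter2"),
        "memberOf": ["cn=ro-east,ou=groups,dc=example,dc=com"]},
    # eve is in the owner group but outside the User Base Dn, so she is never found
    "uid=eve,ou=people,dc=other,dc=com": {"uid": "eve", "pw": _pw("x"),
        "memberOf": ["cn=global-owner,ou=groups,dc=example,dc=com"]},
}

CONFIG = {  # field names from the page; the values are constructed examples
    "LDAP User Base Dn": "dc=example, dc=com",
    "LDAP User Search Attribute": "uid",
    "LDAP User Group": "memberOf",
    "LDAP Global Role Owner": "cn=global-owner, ou=groups, dc=example, dc=com",
    "LDAP Global Role Read Only": "cn=ro-east, ou=groups, dc=example, dc=com;;"
                                 "cn=ro-west, ou=groups, dc=example, dc=com",
}

def find_user(config, username):
    """Search only under the User Base Dn, matching on the search attribute."""
    base = norm_dn(config["LDAP User Base Dn"])
    attr = config["LDAP User Search Attribute"]
    for dn, entry in DIRECTORY.items():
        if norm_dn(dn).endswith("," + base) and entry.get(attr) == username:
            return dn
    return None

def authenticate(config, username, password):
    """Return the user's DN on success, None if not found or the password is wrong."""
    dn = find_user(config, username)
    return dn if dn and DIRECTORY[dn]["pw"] == _pw(password) else None

def global_roles(config, dn):
    """Global roles whose configured group(s) appear in the user's group attribute."""
    mine = {norm_dn(g) for g in DIRECTORY[dn].get(config["LDAP User Group"], [])}
    return sorted(k[len("LDAP Global Role "):] for k, v in config.items()
                  if k.startswith("LDAP Global Role ") and mine & set(split_groups(v)))
```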
4

Click Save.

5

Log in as a global owner and create the first Ops Manager group.

Log into Ops Manager as an LDAP user that is part of the LDAP group specified in the Ops Manager LDAP Global Role Owner field.

Upon successful login, Ops Manager displays your groups page.

6

Associate LDAP groups with group-level roles.

  1. Click the Settings tab.
  2. Click the My Groups page.
  3. Click the Add Group button.
  4. Enter a name for the new Ops Manager group and enter the LDAP groups that should provide the permissions for each group-level role.
  5. Check the checkbox to agree to the terms of service.
  6. Click Add Group.
7

Add your MongoDB deployments.

Specify the LDAP authentication settings when adding a MongoDB deployment.