Configure Ops Manager Users for LDAP Authentication and Authorization
You can use a Lightweight Directory Access Protocol (LDAP) service to manage Ops Manager user authentication and authorization. Users log in through Ops Manager, then Ops Manager searches the LDAP directory for the user and synchronizes the user’s name and email addresses in the Ops Manager user records with the values in the LDAP user records.
To configure Ops Manager to use LDAP, go to: Admin > General > Ops Manager Config > User Authentication.
This tutorial describes authenticating users of the Ops Manager web interface.
If your MongoDB deployments also use LDAP, you must separately create MongoDB users for the Ops Manager agents, as described in Configure Monitoring Agent for LDAP and Configure Backup Agent for LDAP Authentication.
This tutorial describes how to:
- Configure LDAP authentication for Ops Manager
- Map LDAP groups to both global and group-level Ops Manager roles
When a user logs in, Ops Manager searches for a matching user using an LDAP query.
- Ops Manager logs into LDAP as the search user, using the credentials specified in the LDAP Bind Dn and LDAP Bind Password fields.
- Ops Manager searches only under the base distinguished name specified in the LDAP User Base Dn field and matches the user according to the LDAP attribute specified in the LDAP User Search Attribute field.
- If a matching user is found, Ops Manager authenticates the supplied password against the LDAP password for the provided user.
LDAP groups let you control access to Ops Manager. You map LDAP groups to Ops Manager roles and assign the LDAP groups to the users who should have those roles.
LDAP entries map to Ops Manager records as follows:
To use LDAP groups effectively, create additional groups within Ops Manager to control access to specific deployments in your organization, such as creating separate Ops Manager groups for development and production environments. You can then map an LDAP group to a role in the Ops Manager group to provide access to a deployment.
Changes made to LDAP groups can take up to an hour to appear in Ops Manager.
LDAP Over SSL
If you use LDAP over an SSL connection (LDAPS), complete these fields:
| Field | Description |
|---|---|
| LDAP SSL CA File | The path to a PEM key file for a trusted certificate authority. |
| LDAP SSL PEM Key File | The path to a PEM key file containing a client certificate and private key. |
| LDAP SSL PEM Key File Password | The password to decrypt the LDAP SSL PEM Key File, if that file is encrypted. |
The LDAP server must:
- Be installed, configured and accessible to Ops Manager.
- Embed each user's group memberships as an attribute of that user's LDAP entry. Ops Manager does not support nested groups: if jsmith belongs to group B and B belongs to group A, Ops Manager does not recognize jsmith as a member of group A.
- Include a user that can search the base distinguished name(s) containing the users and groups that use Ops Manager.
- Include a group that you can specify in the Ops Manager LDAP Global Role Owner field.
  - The first user to log into Ops Manager with LDAP authentication must belong to this LDAP group.
  - This user will also create the initial Ops Manager group.
  For example, if LDAP has an admin group for use by Ops Manager administrators, enter admin in the LDAP Global Role Owner field.
Using LDAP from the Fresh Install vs. Converting to LDAP
All prerequisites apply to either scenario. The additional requirements are:
| Fresh LDAP Install | Conversion to LDAP |
|---|---|
| The Global Owner must be the first user created. | The Global Owner must exist in both LDAP and Ops Manager and must belong to the LDAP group that will map to the Ops Manager Global Owner role. |
Once Ops Manager is converted to LDAP authentication, only the Global Owner who changed the authentication method remains logged into Ops Manager. All other users are logged off and must log back into Ops Manager with their LDAP username and password. Users without an LDAP username and password can no longer log into Ops Manager.
To configure LDAP authentication:
Define your user records in the LDAP system of your choice.
Navigate to the User Authentication tab of the Ops Manager Config page.
- Click the Admin link at the upper right corner of the page.
- Click the General tab.
- Click Ops Manager Config.
- Click the User Authentication tab.
Type LDAP configuration settings.
Enter values for the following required LDAP configuration fields:
| Field | Action | Example |
|---|---|---|
| User Authentication Method | Select LDAP. | |
| LDAP URI | Type the hostname and port of the LDAP server. | |
| LDAP SSL CA File | Type the path to a PEM key file containing the certificate of the CA that signed the certificate used by the LDAPS server. This optional field lets the Ops Manager application verify the identity of the LDAPS server and prevent man-in-the-middle attacks. If it is not provided, Ops Manager uses the default root CA certificate bundle that ships with the Java Runtime Environment (JRE); if the LDAPS server certificate cannot be verified by a root CA (for example, if it is self-signed), requests to the LDAPS server fail. | |
| LDAP SSL PEM Key File | Type the path to a PEM key file containing a client certificate and private key. This optional field is needed only if your LDAPS server requires client applications to present client certificates. The certificate is used to sign requests sent from the Ops Manager application server to the LDAPS server, so the LDAPS server can verify the identity of the Ops Manager application server. | |
| LDAP SSL PEM Key File Password | Type the password that decrypts the LDAP SSL PEM Key File. This field is required only when the LDAPS server requires the client certificate specified in LDAP SSL PEM Key File and that file is stored encrypted on the file system. | |
| LDAP Bind Dn | Type the distinguished name of a credentialed user on the LDAP server that can search for users. | cn=admin, dc=example, dc=com |
| LDAP Bind Password | Type the password for the Bind Dn user on the LDAP server. | |
| LDAP User Base Dn | Type the distinguished name under which Ops Manager searches for users on the LDAP server. | |
| LDAP User Search Attribute | Type the LDAP attribute that holds the username. | |
| LDAP User Group | Type the LDAP user attribute that contains the groups to which that user belongs. The attribute can list the groups in any format, including Common Name (cn) or Distinguished Name (dn), but all Ops Manager settings that specify groups must use the same format. | |
| LDAP Global Role Owner | Type the LDAP group to which Ops Manager Global Owners belong. | cn=global-owner, ou=groups, dc=example, dc=com |
Type values for the following optional LDAP configuration fields if needed.
Multiple LDAP Groups Can Map to One Role
Ops Manager roles can include more than one LDAP group. Type multiple LDAP group names in the relevant role fields separated by two semicolons (;;).
| Field | Action |
|---|---|
| LDAP User First Name | Type the attribute of LDAP users that specifies the user's first name. |
| LDAP User Last Name | Type the attribute of LDAP users that specifies the user's last name. |
| LDAP User Email | Type the attribute of LDAP users that specifies the user's email address. |
| LDAP Global Role Automation Admin | Type the LDAP group(s) to which Ops Manager Global Automation Administrators belong. Separate multiple LDAP groups with two semicolons (;;). |
| LDAP Global Role Backup Admin | Type the LDAP group(s) to which Ops Manager Global Backup Administrators belong. Separate multiple LDAP groups with two semicolons (;;). |
| LDAP Global Role Monitoring Admin | Type the LDAP group(s) to which Ops Manager Global Monitoring Administrators belong. Separate multiple LDAP groups with two semicolons (;;). |
| LDAP Global Role User Admin | Type the LDAP group(s) to which Ops Manager Global User Administrators belong. Separate multiple LDAP groups with two semicolons (;;). |
| LDAP Global Role Read Only | Type the LDAP group(s) to which Ops Manager Global Read Only Users belong. Separate multiple LDAP groups with two semicolons (;;). |
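The following added example (not Ops Manager code, and not an LDAP client) models the rules this tutorial describes: the search-then-verify login flow under LDAP User Base Dn, the ";;" separator in the role fields, the requirement that the group format in the role fields match the format stored in the user's group attribute, the absence of nested-group expansion, and the rule that the first LDAP login must be a Global Owner. The directory, configuration values, user names and passwords are all constructed stand-ins; the in-memory list replaces a real LDAP server so the logic can run offline.

```python
"""Offline model of the Ops Manager LDAP login and role-mapping rules.

Added example, not Ops Manager code. An in-memory list of entries stands in
for the LDAP server, so the bind-as-search-user step is implicit and the
password check is a direct comparison rather than an LDAP bind.
"""
import hmac

# Role fields from the tutorial, each mapped to the role it grants.
GLOBAL_ROLE_FIELDS = {
    "LDAP Global Role Owner": "Global Owner",
    "LDAP Global Role Automation Admin": "Global Automation Admin",
    "LDAP Global Role Backup Admin": "Global Backup Admin",
    "LDAP Global Role Monitoring Admin": "Global Monitoring Admin",
    "LDAP Global Role User Admin": "Global User Admin",
    "LDAP Global Role Read Only": "Global Read Only",
}

# Constructed configuration: every group is written in DN format, matching
# the DN values the directory below stores in memberOf.
CONFIG = {
    "LDAP User Base Dn": "ou=users, dc=example, dc=com",
    "LDAP User Search Attribute": "uid",
    "LDAP User Group": "memberOf",
    "LDAP Global Role Owner": "cn=global-owner, ou=groups, dc=example, dc=com",
    "LDAP Global Role Read Only": ("cn=readers, ou=groups, dc=example, dc=com"
                                   ";;cn=auditors, ou=groups, dc=example, dc=com"),
}
# Same configuration with the role fields in CN-only format: the format no
# longer matches the DN-valued memberOf attribute, so nothing maps.
CONFIG_CN = dict(CONFIG, **{"LDAP Global Role Owner": "global-owner",
                            "LDAP Global Role Read Only": "readers;;auditors"})

# Constructed directory. userPassword is plaintext only because this is a
# stand-in; a real directory verifies the password during the user's bind.
DIRECTORY = [
    {"dn": "uid=alice,ou=users,dc=example,dc=com", "uid": "alice",
     "userPassword": "alice-pw",
     "memberOf": ["cn=global-owner,ou=groups,dc=example,dc=com"]},
    {"dn": "uid=bob,ou=users,dc=example,dc=com", "uid": "bob",
     "userPassword": "bob-pw",
     "memberOf": ["cn=auditors,ou=groups,dc=example,dc=com"]},
    # jsmith is only in group b; b is in global-owner. Nested membership is
    # not expanded, so jsmith gets no Global Owner role.
    {"dn": "uid=jsmith,ou=users,dc=example,dc=com", "uid": "jsmith",
     "userPassword": "jsmith-pw",
     "memberOf": ["cn=b,ou=groups,dc=example,dc=com"]},
    {"dn": "cn=b,ou=groups,dc=example,dc=com", "cn": "b",
     "memberOf": ["cn=global-owner,ou=groups,dc=example,dc=com"]},
    # Outside LDAP User Base Dn: never matched, even with the same uid.
    {"dn": "uid=alice,ou=contractors,dc=example,dc=com", "uid": "alice",
     "userPassword": "other-pw", "memberOf": []},
]


def normalize_dn(dn):
    """Canonical form for comparison: lower-case, no spaces around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_group_list(value):
    """Split a role field on the ';;' separator, dropping blank entries."""
    return [normalize_dn(g) for g in value.split(";;") if g.strip()]


def find_user(directory, config, username):
    """Search under LDAP User Base Dn for exactly one entry whose
    LDAP User Search Attribute equals the supplied username."""
    base = normalize_dn(config["LDAP User Base Dn"])
    attr = config["LDAP User Search Attribute"]
    matches = [e for e in directory
               if normalize_dn(e["dn"]).endswith("," + base)
               and e.get(attr) == username]
    return matches[0] if len(matches) == 1 else None


def authenticate(directory, config, username, password):
    """Return the user's entry when found and the password matches, else None."""
    entry = find_user(directory, config, username)
    if entry is None:
        return None
    if not hmac.compare_digest(entry.get("userPassword", ""), password):
        return None
    return entry


def global_roles(entry, config):
    """Roles granted by the groups listed directly on the user's entry.
    Only the user's own group attribute is consulted (no nesting), and the
    group format in the role fields must agree with the attribute's format."""
    groups = {normalize_dn(g) for g in entry.get(config["LDAP User Group"], [])}
    return {role for field, role in GLOBAL_ROLE_FIELDS.items()
            if field in config and groups & set(parse_group_list(config[field]))}


def can_bootstrap(directory, config, username, password):
    """The first LDAP login must be a Global Owner, who then creates the
    initial Ops Manager group."""
    entry = authenticate(directory, config, username, password)
    return entry is not None and "Global Owner" in global_roles(entry, config)
```

Running it against CONFIG, alice resolves to Global Owner and can perform the first login, bob resolves to Global Read Only through the second ";;"-separated group, and jsmith resolves to no role at all because only his own memberOf values count. The same alice entry evaluated against CONFIG_CN also resolves to no role, which is the failure mode to check for when the LDAP User Group attribute and the role fields disagree on cn versus dn format.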
Log in as a global owner and create the first Ops Manager group.
Log into Ops Manager as an LDAP user that is part of the LDAP group specified in the Ops Manager LDAP Global Role Owner field.
Upon successful login, Ops Manager displays your groups page.
Associate LDAP groups with group-level roles.
- Click Settings.
- Click the My Groups page.
- Click the Add Group button.
- Type a name for the new Ops Manager group and enter the LDAP groups that should provide the permissions for each group-level role.
- Check the checkbox to agree to the terms of service.
- Click Add Group.
© MongoDB, Inc 2008-2017. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.