Configure Ops Manager Users for LDAP Authentication and Authorization

Overview

You can use a Lightweight Directory Access Protocol (LDAP) service to manage Ops Manager user authentication and authorization. Users log in through Ops Manager, then Ops Manager searches the LDAP directory for the user and synchronizes the user’s name and email addresses in the Ops Manager user records with the values in the LDAP user records.

To configure Ops Manager to use LDAP, go to: Admin > General > Ops Manager Config > User Authentication.

Note

This tutorial describes authenticating users of the Ops Manager web interface.

If your MongoDB deployments also use LDAP, you must separately create MongoDB users for the Ops Manager agents, as described in Configure Monitoring Agent for LDAP and Configure Backup Agent for LDAP Authentication.

This tutorial describes how to:

  • Configure LDAP authentication for Ops Manager
  • Map LDAP groups to both global and group-level Ops Manager roles

User Authentication

When a user logs in, Ops Manager searches for a matching user using an LDAP query.

  • Ops Manager logs into LDAP as the search user, using the credentials specified in the LDAP Bind Dn and LDAP Bind Password fields.
  • Ops Manager searches only under the base distinguished name specified in the LDAP User Base Dn field and matches the user according to the LDAP attribute specified in the LDAP User Search Attribute field.
  • If a matching user is found, Ops Manager authenticates the supplied password against the LDAP password for the provided user.

Authorization/Access Control

LDAP groups let you control access to Ops Manager. You map LDAP groups to Ops Manager roles and assign the LDAP groups to the users who should have those roles.

LDAP entries map to Ops Manager records as follows:

  LDAP     Ops Manager
  User     User
  Group    Role

To use LDAP groups effectively, create additional groups within Ops Manager to control access to specific deployments in your organization, such as creating separate Ops Manager groups for development and production environments. You can then map an LDAP group to a role in the Ops Manager group to provide access to a deployment.

Note

Changes made to LDAP groups can take up to an hour to appear in Ops Manager.

LDAP Over SSL

If you use LDAP over an SSL connection (LDAPS), complete these fields:

  LDAP SSL CA File
    The path to a PEM file containing the certificate of a trusted certificate authority.

  LDAP SSL PEM Key File
    The path to a PEM key file containing a client certificate and its private key.

  LDAP SSL PEM Key File Password
    The password that decrypts the LDAP SSL PEM Key File, if that file is stored encrypted.

Prerequisites

The LDAP server must:

  • Be installed, configured and accessible to Ops Manager.

  • Embed each user’s group memberships as an attribute of each user’s LDAP Entry.

    Important

    Ops Manager does not support nested groups.

    Example

    User jsmith belongs to group B. Group B belongs to group A. Ops Manager does not recognize jsmith as a member of group A.

  • Include a user (the search user specified in LDAP Bind Dn) that can search the base distinguished name(s) containing the users and groups that use Ops Manager.

  • Include a group that you can specify in the Ops Manager LDAP Global Role Owner field.

    • The first user to log into Ops Manager with LDAP authentication must belong to this LDAP group.
    • This user will also create the initial Ops Manager group.

    Example

    If LDAP has an admin group for use by Ops Manager administrators, enter admin in the LDAP Global Role Owner field.

Using LDAP from the Fresh Install vs. Converting to LDAP

All prerequisites apply to either scenario. The additional requirements are:

  Fresh LDAP install
    The Global Owner must be the first user created.

  Conversion to LDAP
    The Global Owner must exist in both LDAP and Ops Manager and must belong to the LDAP group that will map to the Ops Manager Global Owner role.

Important

Once Ops Manager is converted to LDAP authentication, only the user with the Global Owner role who changed the authentication method remains logged into Ops Manager. All other users are logged out and must log back into Ops Manager with their LDAP username and password; users who have no LDAP username and password can no longer log into Ops Manager.

Procedure

To configure LDAP authentication:

1

Define your user records in the LDAP system of your choice.

2

Go to Admin > General > Ops Manager Config > User Authentication.

3

Type LDAP configuration settings.

  1. Enter values for the following required LDAP configuration fields:

    User Authentication Method
      Action: Select LDAP.
      Example: LDAP

    LDAP URI
      Action: Type the hostname and port of the LDAP server.
      Example: ldap://ldap.example.com:389

    LDAP SSL CA File
      Action: Type the path to a PEM file containing the certificate of the CA that signed the LDAPS server's certificate. This optional field lets the Ops Manager application verify the identity of the LDAPS server and prevent man-in-the-middle attacks. If it is not set, Ops Manager uses the default root CA certificate bundle that ships with the Java Runtime Environment (JRE), so an LDAPS server certificate that cannot be verified by a root CA (for example, a self-signed certificate) causes requests to the LDAPS server to fail.
      Example: /opt/cert/ca.pem

    LDAP SSL PEM Key File
      Action: Type the path to a PEM key file containing a client certificate and private key. This optional field is needed only if your LDAPS server requires client applications to present client certificates. Ops Manager uses it to sign requests sent from the Ops Manager application server to the LDAPS server, which lets the LDAPS server verify the identity of the Ops Manager application server.
      Example: /opt/cert/ldap.pem

    LDAP SSL PEM Key File Password
      Action: Type the password that decrypts the LDAP SSL PEM Key File. This field is required only if the LDAPS server requires client certificates and the file specified in LDAP SSL PEM Key File is stored encrypted on the file system.
      Example: <encrypted-password>

    LDAP Bind Dn
      Action: Type the distinguished name of a credentialed user on the LDAP server that can search for users.
      Example: cn=admin, dc=example, dc=com

    LDAP Bind Password
      Action: Type the password for the Bind Dn user on the LDAP server.
      Example: <password>

    LDAP User Base Dn
      Action: Type the distinguished name under which Ops Manager searches for users on the LDAP server.
      Example: dc=example, dc=com

    LDAP User Search Attribute
      Action: Type the LDAP attribute that holds the username.
      Example: uid

    LDAP User Group
      Action: Type the LDAP user attribute that contains the groups to which the user belongs. The attribute can list the groups in any format, such as Common Name (cn) or Distinguished Name (dn), but every Ops Manager setting that specifies groups must use the same format.
      Example: memberof

    LDAP Global Role Owner
      Action: Type the LDAP group to which Ops Manager Global Owners belong.
      Example: cn=global-owner, ou=groups, dc=example, dc=com

    Note

    Each Global Role group provides the members of its associated LDAP group or groups with an Ops Manager global role. Global roles provide access to all the Ops Manager groups in the Ops Manager deployment.

  2. Type values for the following Optional LDAP Configuration fields if needed.

    Important

    Multiple LDAP Groups Can Map to One Role

    Ops Manager roles can include more than one LDAP group. Type multiple LDAP group names in the relevant role fields separated by two semicolons (;;).

    LDAP User First Name
      Type the attribute of LDAP users that specifies the user's first name.

    LDAP User Last Name
      Type the attribute of LDAP users that specifies the user's last name.

    LDAP User Email
      Type the attribute of LDAP users that specifies the user's email address.

    LDAP Global Role Automation Admin
      Type the LDAP group(s) to which Ops Manager Global Automation Administrators belong. You can type multiple LDAP groups into this field if they are separated by two semicolons (;;).

    LDAP Global Role Backup Admin
      Type the LDAP group(s) to which Ops Manager Global Backup Administrators belong. You can type multiple LDAP groups into this field if they are separated by two semicolons (;;).

    LDAP Global Role Monitoring Admin
      Type the LDAP group(s) to which Ops Manager Global Monitoring Administrators belong. You can type multiple LDAP groups into this field if they are separated by two semicolons (;;).

    LDAP Global Role User Admin
      Type the LDAP group(s) to which Ops Manager Global User Administrators belong. You can type multiple LDAP groups into this field if they are separated by two semicolons (;;).

    LDAP Global Role Read Only
      Type the LDAP group(s) to which Ops Manager Global Read Only Users belong. You can type multiple LDAP groups into this field if they are separated by two semicolons (;;).
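
The following is an added worked model of two things this page describes: the three-step login sequence under User Authentication (bind as the search user, search under the base DN on the search attribute, then check the user's password) and the group-to-role mapping rules from this step (several groups per role joined by ;;, the group format having to match what the LDAP User Group attribute holds, and no nested-group expansion). It is not Ops Manager code and does not call any Ops Manager or LDAP API: the directory, DNs, passwords and role field values are constructed, and LdapSettings, authenticate, search_user, global_roles_for and parse_group_list are hypothetical names for the behaviour the page describes. The model also simplifies (exact string comparison instead of LDAP's case-insensitive DN matching, plain-text passwords instead of hashes).

```python
"""Model of the Ops Manager LDAP login sequence and group-to-role mapping
described on this page. Added illustration, not Ops Manager code: the
directory, DNs, passwords and role field values below are all constructed."""
from dataclasses import dataclass, field

# Constructed in-memory directory: DN -> attributes. 'userPassword' stands in
# for the check a real server makes on bind (plain text only because this is
# a toy; a real directory stores hashes).
DIRECTORY = {
    "cn=admin,dc=example,dc=com": {"userPassword": ["bind-pass"]},  # search user
    "uid=jsmith,ou=people,dc=example,dc=com": {
        "uid": ["jsmith"], "userPassword": ["s3cret"],
        "memberOf": ["cn=group-b,ou=groups,dc=example,dc=com"],
    },
    "uid=adm,ou=people,dc=example,dc=com": {
        "uid": ["adm"], "userPassword": ["adm-pass"],
        "memberOf": ["cn=global-owner,ou=groups,dc=example,dc=com",
                     "cn=backup-ops,ou=groups,dc=example,dc=com"],
    },
    # Nested membership: group B is a member of group A. Ops Manager does not
    # expand this, so jsmith is not treated as a member of group A.
    "cn=group-b,ou=groups,dc=example,dc=com": {
        "memberOf": ["cn=group-a,ou=groups,dc=example,dc=com"]},
}

@dataclass
class LdapSettings:
    """The Ops Manager fields this model uses (names follow the page)."""
    bind_dn: str                # LDAP Bind Dn
    bind_password: str          # LDAP Bind Password
    user_base_dn: str           # LDAP User Base Dn
    user_search_attribute: str  # LDAP User Search Attribute, e.g. uid
    user_group_attribute: str   # LDAP User Group, e.g. memberOf
    # role name -> raw field value; several groups are joined with ";;"
    global_roles: dict = field(default_factory=dict)

def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])

def search_user(settings, username):
    """Find the entry under LDAP User Base Dn whose search attribute equals the
    login name; None unless exactly one matches. (Real DN matching is
    case-insensitive; this toy compares exactly.)"""
    base = settings.user_base_dn
    hits = [dn for dn, attrs in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base))
            and username in attrs.get(settings.user_search_attribute, [])]
    return hits[0] if len(hits) == 1 else None

def authenticate(settings, username, password):
    """Three-step login from 'User Authentication'; returns user DN or None."""
    if not bind(settings.bind_dn, settings.bind_password):  # 1. bind as search user
        return None
    user_dn = search_user(settings, username)                # 2. search under base DN
    if user_dn is None:
        return None
    return user_dn if bind(user_dn, password) else None      # 3. check user's password

def parse_group_list(raw):
    """Split a role field holding one or more LDAP groups separated by ';;'."""
    return [g.strip() for g in raw.split(";;") if g.strip()]

def global_roles_for(settings, user_dn):
    """Roles whose field lists a group found verbatim in the user's group
    attribute. The comparison is in whatever format that attribute uses (cn or
    full DN), so a field written in the other format never matches, and only
    direct memberships count."""
    groups = set(DIRECTORY[user_dn].get(settings.user_group_attribute, []))
    return sorted(role for role, raw in settings.global_roles.items()
                  if groups & set(parse_group_list(raw)))

# Constructed settings in the style of the example column above.
SETTINGS = LdapSettings(
    bind_dn="cn=admin,dc=example,dc=com", bind_password="bind-pass",
    user_base_dn="dc=example,dc=com", user_search_attribute="uid",
    user_group_attribute="memberOf",
    global_roles={
        "Global Owner": "cn=global-owner,ou=groups,dc=example,dc=com",
        # two groups for one role, separated by ";;"
        "Global Backup Admin": "cn=backup-ops,ou=groups,dc=example,dc=com;;"
                               "cn=dba,ou=groups,dc=example,dc=com",
        # group A is reachable by jsmith only through nesting
        "Global Read Only": "cn=group-a,ou=groups,dc=example,dc=com",
    })

if __name__ == "__main__":
    for user, pw in (("adm", "adm-pass"), ("jsmith", "s3cret"), ("jsmith", "wrong")):
        dn = authenticate(SETTINGS, user, pw)
        print(user, "->", dn and global_roles_for(SETTINGS, dn))
```

Running the model shows adm receiving both Global Owner and Global Backup Admin, jsmith receiving no role at all because the Global Read Only field names group A and jsmith's memberOf lists only group B, and a wrong password or wrong bind credentials ending the sequence before any role lookup. Changing the Global Backup Admin field to the bare cn value backup-ops while memberOf holds full DNs silently drops that role, which is the format-mismatch failure the LDAP User Group description warns about.
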
4

Click Save.

5

Log in as a global owner and create the first Ops Manager group.

Log into Ops Manager as an LDAP user that is part of the LDAP group specified in the Ops Manager LDAP Global Role Owner field.

Upon successful login, Ops Manager displays your groups page.

6

Associate LDAP groups with group-level roles.

  1. Click Settings.
  2. Click My Groups.
  3. Click the Add Group button.
  4. Type a name for the new Ops Manager group and enter the LDAP groups that should provide the permissions for each group-level role.
  5. Check the checkbox to agree to the terms of service.
  6. Click Add Group.
7

Add your MongoDB deployments.

Specify the LDAP authentication settings when adding a MongoDB deployment.