Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/Consolidated Management 2/Network Node Manager i Setup Guide


10.3 Changing the directory service access configuration to support the NNMi security model

This section describes how to revise an ldap.properties file from NNMi version 09-50 to support multiple NNMi user groups per user. This revision is necessary under both of the following conditions:

In NNMi version 09-50, NNMi users were assigned to one of the predefined NNMi roles. Each user had access to all objects in the NNMi topology.

In NNMi version 10, the predefined NNMi user groups replace NNMi roles. Each NNMi user must belong to at least one predefined NNMi user group, which defines what an NNMi user can do in the NNMi console. Additional user groups, if they exist, limit access to NNMi topology objects as follows:

NNMi version 09-50 required each directory service group definition to include a group attribute that named the NNMi role. In the ldap.properties file, the following parameters specified this group attribute:

NNMi version 10 deprecates these parameters. Each user group must be defined in the NNMi console.

The user group definition includes an external name, which is the distinguished name of the group in the directory service.

To change the directory service access configuration to support the NNMi security model, follow these steps:

  1. Back up the user information in the NNMi database:

    nnmconfigexport.ovpl -c account -u user \
    -p password -f NNMi_database_accounts.xml

  2. Back up the ldap.properties file, and then open the file in any text editor.

    For details about the ldap.properties file, see 10.7 ldap.properties configuration file reference.

  3. Comment out or delete the following parameters (if they exist):

    • roleAttributeID

    • roleAttributeIsDN

    • roleNameAttributeID

  4. If you have edited the ldap.properties file, execute the following command to re-import the LDAP configuration to NNMi:

    nnmldap.ovpl -reload

  5. In the NNMi console, map the predefined NNMi user groups to their counterparts in the directory service:

    a. Open the User Groups view.

    In the Configuration workspace, expand Security, and then click User Groups.

    b. Double-click the admin row.

    c. In the Directory Service Name field, enter the full distinguished name of the directory service group for NNMi administrators.

    d. Click Save and Close.

    e. Repeat steps b through d for each of the guest, level1, and level2 rows.

    These mappings provide NNMi console access. Every user who will access the NNMi console must be in a directory service group that is mapped to one of the predefined NNMi user groups named in this step.

  6. In the directory service, identify additional groups of NNMi users. Define new groups as needed.

  7. For each new group added in step 6, create a new user group in the NNMi console:

    a. Open the User Groups view.

    In the Configuration workspace, expand Security, and then click User Groups.

    b. Click New, and then enter the information for the group:

    - Set Name to any unique value. Short names are recommended.

    - Set Display Name to the value users see.

    - Set Directory Service Name to the full distinguished name of the directory service group.

    - Set Description to text that describes the purpose of this NNMi user group.

    c. Click Save and Close.

    d. Repeat step b and step c for each new directory service group of NNMi users.

    These mappings provide topology object access in the NNMi console. Each directory service group can be mapped to multiple NNMi user groups.

  8. (Optional) Map the user groups to security groups.

    For details, see Configuring Security in NNMi Help.
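
Steps 2 and 3 can be scripted so that the backup and the edit are repeatable. The following shell function is an added example, not part of the Hitachi guide: the path to ldap.properties is supplied by the caller because this page does not state it, and the sample file contents and their values are constructed.

```shell
#!/bin/sh
# Added example (not Hitachi's code): steps 2 and 3 of the procedure.
# The path to ldap.properties is passed in; this page does not give it.

# Constructed sample file contents, used only to try the function out.
sample_ldap_properties() {
    cat <<'EOF'
# constructed sample, values are placeholders
java.naming.provider.url=ldap://ldap.example.com:389/
roleAttributeID=exampleRoleAttr
  roleAttributeIsDN = false
#roleNameAttributeID=cn
roleNameAttributeID=cn
EOF
}

# Comments out the three deprecated parameters in FILE, keeping a one-time
# backup in FILE.bak. Prints how many lines were changed.
comment_out_role_params() {
    file=$1
    keys='roleAttributeID|roleAttributeIsDN|roleNameAttributeID'
    # Active assignments only: a line already starting with '#' never matches.
    pattern="^[[:space:]]*($keys)[[:space:]]*[=:]"

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    count=$(grep -Ec "$pattern" "$file" || true)
    if [ "$count" -gt 0 ]; then
        # Never overwrite an earlier backup: it holds the original settings.
        [ -e "$file.bak" ] || cp -p "$file" "$file.bak" || return 1
        tmp=$(mktemp "$file.XXXXXX") || return 1
        sed -E "s/$pattern/#&/" "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
        # Write through the existing file so its owner and mode are unchanged.
        cat "$tmp" > "$file"
        rm -f "$tmp"
    fi
    echo "$count"
}

# Run against a real file only when a path is given on the command line.
if [ -n "${1:-}" ]; then
    comment_out_role_params "$1"
fi
```

A result of 0 means the file held no active role parameters and was left untouched; after a non-zero result, run the nnmldap.ovpl -reload command from step 4.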