Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/Consolidated Management 2/Network Node Manager i Setup Guide


10.4.4 User identification

User identification applies to the mixed mode and the external mode.

The distinguished name for user identification is the fully-qualified method of locating one user in the directory service. NNMi passes the user distinguished name in an LDAP request to the directory service.

In the ldap.properties file, the user distinguished name is the concatenation of the baseFilter value (with {0} replaced by the sign-in name), a comma, and the baseCtxDN value. NNMi presents this distinguished name, together with the password the user entered into the NNMi console, to the directory service. If the directory service confirms that this is the password for that distinguished name, user sign-in continues.

When configuring user identification for the mixed mode, the following information applies:

When configuring user identification for the external mode, the following information applies:

Active Directory user identification example

If baseFilter is set to CN={0}, and baseCtxDN is set to OU=Users,OU=Accounts,DC=example,DC=com, and a user signs in to NNMi as john.doe, the string passed to the directory service is:

CN=john.doe,OU=Users,OU=Accounts,DC=example,DC=com

Other directory services user identification example

If baseFilter is set to uid={0}@example.com, and baseCtxDN is set to ou=People,o=example.com, and a user signs in to NNMi as john.doe, the string passed to the directory service is:

uid=john.doe@example.com,ou=People,o=example.com

Organization of this subsection

(1) Configuring NNMi user access from the directory service (detailed approach)

If the simple approach described in 10.2.3 Task 3: Configure user access from the directory service in 10.2 Configuring NNMi to access a directory service did not work correctly, follow these steps:

  1. Obtain from the directory service administrator the information listed in Table 10-2 Information for retrieving user names and passwords from a directory service in 10.4.3 Information owned by the directory service administrator.

  2. Verify the format of user names in the directory service by completing the appropriate procedure, either (2) Determining how the directory service identifies a user (LDAP browser approach) or (3) Determining how the directory service identifies a user (Web browser approach), below.

  3. Open the ldap.properties file in any text editor.

    For details about the ldap.properties file, see 10.7 ldap.properties configuration file reference.

  4. Set the java.naming.provider.url parameter to the URL for accessing the directory service through LDAP.

    You can specify multiple directory service URLs by delimiting them with a single space character.

  5. If you configured secure communications to the directory service, uncomment (or add) the following line:

    java.naming.security.protocol=ssl

  6. (Active Directory only) Set the bindDN and bindCredential parameters as follows:

    • Replace my-domain with the name of the Active Directory domain.

    • Replace my-user-name and my-password with a user name and password for accessing the Active Directory server. Because the bindCredential password is stored in plain text in ldap.properties, use an account that has only read access to the directory service, and restrict read access to ldap.properties on the NNMi management server to the accounts that need it.

  7. Set the baseCtxDN parameter to the elements of the distinguished user name that are the same for multiple users (in the examples above, everything after the first comma).

  8. Set the baseFilter parameter to correlate user names as they are entered for NNMi sign-in to the way user names are stored in the directory service.

    This value is the element of the distinguished user name that changes for each user. Replace the actual user name with the expression {0}.

  9. Test the configuration as described in 10.2.4 Task 4: Test the user name and password configuration in 10.2 Configuring NNMi to access a directory service.
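The distinguished-name composition of steps 7 and 8, and the Active Directory and other-directory-service examples above, as an added example that is not part of this guide or of NNMi: a Python script that reads the relevant ldap.properties lines (the file contents in the script are constructed for this example; the parameter names are the ones this guide documents), substitutes the sign-in name into {0} with the escaping RFC 4514 requires so that a sign-in name containing a comma or an equals sign cannot add components to the distinguished name, and reports the points raised in steps 4 to 6 (plain ldap:// without java.naming.security.protocol=ssl, a stored bindCredential). The properties reader is deliberately minimal (key=value lines only; it assumes no backslash continuations). Whether NNMi applies this escaping itself is not stated here; the script shows the distinguished name a correctly escaped sign-in name produces.

```python
"""Compose the NNMi user DN from ldap.properties values and review the file.

Added example, not NNMi's own code. The parameter names are the ones this
guide documents; the file contents below are constructed for the example.
"""

# Constructed sample of the relevant ldap.properties lines (Active Directory case).
SAMPLE_LDAP_PROPERTIES = """\
# Directory service connection (two URLs, delimited by a single space)
java.naming.provider.url=ldap://dc1.example.com:389 ldap://dc2.example.com:389
#java.naming.security.protocol=ssl
bindDN=CN=nnmi-reader,OU=Service Accounts,DC=example,DC=com
bindCredential=s3cret
# User identification
baseCtxDN=OU=Users,OU=Accounts,DC=example,DC=com
baseFilter=CN={0}
"""

# RFC 4514 section 2.4: characters that must be escaped inside an attribute value.
_RFC4514_SPECIAL = ',+"\\<>;='


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments.

    Assumption: no backslash line continuations or \\uXXXX escapes, which the
    full Java format allows but the lines this guide shows do not use."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        key, sep, value = stripped.partition("=")
        if sep:                      # lines without '=' are ignored
            props[key.strip()] = value.strip()
    return props


def escape_dn_value(value):
    """Escape a sign-in name before it is substituted for {0}.

    Without this, a name such as 'john.doe,OU=Admins' would become part of the
    DN structure instead of a single attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")       # NUL has no printable escape; use the hex pair
        elif ch in _RFC4514_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_dn(props, sign_in_name):
    """The string NNMi passes to the directory service: baseFilter with {0}
    replaced by the escaped sign-in name, a comma, then baseCtxDN."""
    rdn = props["baseFilter"].replace("{0}", escape_dn_value(sign_in_name))
    return f"{rdn},{props['baseCtxDN']}"


def check_config(props):
    """Findings a reviewer would raise on the parsed file, as plain strings."""
    findings = []
    urls = props.get("java.naming.provider.url", "").split()   # space-delimited list
    if not urls:
        findings.append("java.naming.provider.url is not set")
    ssl_on = props.get("java.naming.security.protocol", "").lower() == "ssl"
    for url in urls:
        if url.startswith("ldap://") and not ssl_on:
            findings.append(f"{url}: plain LDAP without java.naming.security.protocol=ssl; "
                            "passwords sent to the directory service cross the network in clear text")
    if "bindCredential" in props:
        findings.append("bindCredential is stored in plain text: use a read-only account "
                        "and restrict read access to ldap.properties")
    for key in ("baseCtxDN", "baseFilter"):
        if key not in props:
            findings.append(f"{key} is not set")
    if "{0}" not in props.get("baseFilter", ""):
        findings.append("baseFilter has no {0}, so every sign-in name maps to the same entry")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_LDAP_PROPERTIES)
    print(user_dn(props, "john.doe"))            # the Active Directory example above
    other = {"baseFilter": "uid={0}@example.com", "baseCtxDN": "ou=People,o=example.com"}
    print(user_dn(other, "john.doe"))            # the other-directory-service example above
    print(user_dn(props, "john.doe,OU=Admins"))  # comma and '=' escaped, DN structure unchanged
    for finding in check_config(props):
        print("finding:", finding)
```

Run it against a copy of the real ldap.properties by replacing the constructed sample with the file's contents; the findings list is the pre-flight check for steps 4 to 6 before the sign-in test in step 9.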

(2) Determining how the directory service identifies a user (LDAP browser approach)

In a third-party LDAP browser, do the following:

  1. Navigate to the portion of the directory service domain that stores group information.

  2. Identify a group of users, and then examine the format of the distinguished names for the users associated with that group.

(3) Determining how the directory service identifies a user (Web browser approach)

  1. In a supported Web browser, enter the following URL:

    ldap://directory-service-host:port/user-search-string

    • directory-service-host is the fully-qualified name of the computer that hosts the directory service.

    • port is the port that the directory service uses for LDAP communication.

    • user-search-string is the distinguished name for one user name that is stored in the directory service.

  2. Evaluate the results of the directory service access test.

    • If the request times out or you see a message that the directory service could not be reached, verify the values of directory-service-host and port, and then repeat step 1.

    • If you see a message that the directory service does not contain the requested entry, verify the value of user-search-string, and then repeat step 1.

    • If you see the appropriate user record, the access information is correct. The value of user-search-string is the distinguished user name.
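The URL form used in step 1 of the Web browser approach, as an added example that is not part of this guide or of NNMi: a Python script that builds the ldap:// URL from the host, port and distinguished name, percent-encoding the distinguished name as RFC 4516 requires so that spaces and characters a browser treats specially survive, and that decomposes a pasted URL back into host, port, distinguished name, attributes, scope and filter with the RFC's defaults, so you can confirm a URL that returned an unexpected result actually asked for the entry you intended. The host names, ports and distinguished names in the script are constructed.

```python
"""Build and decompose the ldap:// URL used in the Web browser check.

Added example, not part of the guide or of NNMi. Host names, ports and DNs
used below are constructed.
"""
from urllib.parse import quote, unquote, urlsplit

# RFC 4516 default ports by scheme.
_DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def ldap_url(host, port, dn, scheme="ldap"):
    """RFC 4516 URL that asks the directory service for exactly one entry.

    The DN is percent-encoded so that characters a browser or URL parser treats
    specially (space, '?', '#', '/', non-ASCII) survive; '=' ',' and '+' are
    ordinary DN syntax inside a URL and are left as they are."""
    if scheme not in _DEFAULT_PORT:
        raise ValueError(f"unsupported scheme: {scheme}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"{scheme}://{host}:{port}/{quote(dn, safe='=,+')}"


def parse_ldap_url(url):
    """Split scheme://host[:port]/dn[?attrs[?scope[?filter]]] into its parts.

    Applies the RFC 4516 defaults: port 389 or 636 by scheme, scope 'base'
    (the single entry named by the DN), filter (objectClass=*)."""
    parts = urlsplit(url)
    if parts.scheme not in _DEFAULT_PORT:
        raise ValueError(f"unsupported scheme: {parts.scheme}")
    if not parts.hostname:
        raise ValueError("missing directory-service-host")
    fields = parts.query.split("?") if parts.query else []
    attributes = [a for a in unquote(fields[0]).split(",") if a] if fields else []
    scope = fields[1].lower() if len(fields) > 1 and fields[1] else "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"invalid scope: {scope}")
    ldap_filter = unquote(fields[2]) if len(fields) > 2 and fields[2] else "(objectClass=*)"
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or _DEFAULT_PORT[parts.scheme],
        "dn": unquote(parts.path.lstrip("/")),
        "attributes": attributes,
        "scope": scope,
        "filter": ldap_filter,
    }


if __name__ == "__main__":
    # The Active Directory example DN from this subsection, on a constructed host.
    url = ldap_url("dc1.example.com", 389, "CN=john.doe,OU=Users,OU=Accounts,DC=example,DC=com")
    print(url)
    # A DN with spaces, over LDAPS: spaces become %20 so the browser does not cut the URL.
    print(ldap_url("dc1.example.com", 636, "CN=John Doe,OU=Service Accounts,DC=example,DC=com", scheme="ldaps"))
    for key, value in parse_ldap_url(url).items():
        print(f"{key}: {value}")
```

If the directory service reports that it does not contain the requested entry, feed the URL you typed to parse_ldap_url and compare the dn field with the distinguished name shown by the LDAP browser approach; a missing percent-encoding or a scope other than base is the usual cause.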