10.4.4 User identification
User identification applies to the mixed mode and the external mode.
The distinguished name for user identification is the fully-qualified method of locating one user in the directory service. NNMi passes the user distinguished name in an LDAP request to the directory service.
In the ldap.properties file, the user distinguished name is the concatenation of the baseFilter value (with {0} replaced by the name the user signed in with) and the baseCtxDN value, joined by a comma. If the directory service confirms that the sign-in password the user entered into the NNMi console is valid for that distinguished name, user sign-in continues.
When configuring user identification for the mixed mode, the following information applies:
- For NNMi console access, NNMi examines the following information and grants the user the highest privilege level found in either source:
  - The value of the defaultRole parameter in the ldap.properties file
  - This user's membership in the predefined NNMi user groups in the NNMi console
- For NNMi topology object access, NNMi grants access according to the security group mappings for the NNMi user groups in the NNMi console to which this user belongs.
When configuring user identification for the external mode, the following information applies:
- For NNMi console access, NNMi examines the following information and grants the user the highest privilege level found in either source:
  - The value of the defaultRole parameter in the ldap.properties file
  - This user's membership in the directory service groups that are mapped (with the Directory Service Name field) to the predefined NNMi user groups in the NNMi console
- For NNMi topology object access, NNMi grants access according to the security group mappings for the directory service groups to which this user belongs (as mapped to NNMi user groups in the NNMi console).
Active Directory user identification example
If baseFilter is set to CN={0}, baseCtxDN is set to OU=Users,OU=Accounts,DC=example,DC=com, and a user signs in to NNMi as john.doe, the string passed to the directory service is:
CN=john.doe,OU=Users,OU=Accounts,DC=example,DC=com
Other directory services user identification example
If baseFilter is set to uid={0}@example.com, baseCtxDN is set to ou=People,o=example.com, and a user signs in to NNMi as john.doe, the string passed to the directory service is:
uid=john.doe@example.com,ou=People,o=example.com
Organization of this subsection
(1) Configuring NNMi user access from the directory service (detailed approach)
(2) Determining how the directory service identifies a user (LDAP browser approach)
(3) Determining how the directory service identifies a user (Web browser approach)
(1) Configuring NNMi user access from the directory service (detailed approach)
If the simple approach described in 10.2.3 Task 3: Configure user access from the directory service in 10.2 Configuring NNMi to access a directory service did not work correctly, follow these steps:
1. Obtain from the directory service administrator the information listed in Table 10-2 Information for retrieving user names and passwords from a directory service in 10.4.3 Information owned by the directory service administrator.
2. Verify the format of user names in the directory service by completing the appropriate procedure:
   - LDAP browser approach for Active Directory and other directory services: See (2) Determining how the directory service identifies a user (LDAP browser approach), below.
   - Web browser approach for other directory services: See (3) Determining how the directory service identifies a user (Web browser approach), below.
3. Open the ldap.properties file in any text editor.
   For details about the ldap.properties file, see 10.7 ldap.properties configuration file reference.
4. Set the java.naming.provider.url parameter to the URL for accessing the directory service through LDAP.
   - LDAP browser approach: Obtain this information from the LDAP browser configuration.
   - Web browser approach: Include the values of directory-service-host and port from (3) Determining how the directory service identifies a user (Web browser approach), below.
   You can specify multiple directory service URLs by delimiting them with a single space character ( ).
5. If you configured secure communications to the directory service, uncomment (or add) the following line:
   java.naming.security.protocol=ssl
   Without this setting, the bind credentials and the passwords that users enter at sign-in cross the network to the directory service in clear text.
6. (Active Directory only) Set the bindDN and bindCredential parameters as follows:
   - Replace my-domain with the name of the Active Directory domain.
   - Replace my-user-name and my-password with a user name and password for accessing the Active Directory server. Because the password is saved in plain text in ldap.properties, specify an account that has read-only access to the directory service, and restrict read access to the ldap.properties file to the accounts that need it.
7. Set the baseCtxDN parameter to the elements of the user distinguished name that are the same for multiple users.
8. Set the baseFilter parameter to correlate user names as they are entered for NNMi sign-in to the way user names are stored in the directory service.
   This value is the element of the user distinguished name that changes for each user. Replace the actual user name with the expression {0}.
9. Test the configuration as described in 10.2.4 Task 4: Test the user name and password configuration in 10.2 Configuring NNMi to access a directory service.
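The DN composition that the baseCtxDN and baseFilter steps above describe, together with a review pass over a completed ldap.properties file, as an added Python example. This is not NNMi code and not taken from this manual; it also covers the Active Directory and other-directory user identification examples earlier in this subsection. The properties fragment is constructed for the example and its host names are assumptions. The RFC 4514 escaping it applies to the sign-in name is the check a practitioner would want before relying on a raw {0} substitution: this manual does not state how NNMi itself treats a sign-in name that contains DN-special characters such as a comma or an equals sign, so the escape=False path only shows what a raw substitution would produce.

```python
"""Compose NNMi-style user distinguished names from ldap.properties settings.

Added example, not part of NNMi or its documentation. It applies the rule
stated in 10.4.4: user DN = baseFilter with {0} replaced by the sign-in
name, followed by a comma and baseCtxDN.
"""
from urllib.parse import urlsplit

# Constructed ldap.properties fragment for this example (host names are
# assumptions); baseCtxDN and baseFilter follow the manual's AD example.
SAMPLE_LDAP_PROPERTIES = """\
# Two directory servers, delimited by a single space
java.naming.provider.url=ldap://dc1.example.com:389 ldap://dc2.example.com:389
#java.naming.security.protocol=ssl
baseCtxDN=OU=Users,OU=Accounts,DC=example,DC=com
baseFilter=CN={0}
"""

# Characters that need a backslash inside a DN attribute value (RFC 4514 2.4).
_DN_SPECIAL = set('\\,+"<>;=')


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
        else:
            props[line] = ""
    return props


def escape_dn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' starts a hex string
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def compose_user_dn(base_filter, base_ctx_dn, sign_in_name, escape=True):
    """Build the DN passed to the directory service for sign_in_name.

    escape=False reproduces a raw {0} substitution and exists only to show
    how a sign-in name containing ',' or '=' changes the DN's structure.
    """
    if "{0}" not in base_filter:
        raise ValueError("baseFilter must contain the {0} placeholder")
    value = escape_dn_value(sign_in_name) if escape else sign_in_name
    return base_filter.replace("{0}", value) + "," + base_ctx_dn


def provider_urls(value):
    """Split java.naming.provider.url (space-delimited) into (scheme, host, port)."""
    urls = []
    for token in value.split(" "):
        if not token:
            continue
        parts = urlsplit(token)
        if parts.scheme != "ldap" or not parts.hostname:
            raise ValueError("not an ldap:// URL: %r" % token)
        urls.append((parts.scheme, parts.hostname, parts.port or 389))
    return urls


def check_config(props):
    """Return the findings a reviewer would raise for a parsed ldap.properties."""
    findings = []
    if "{0}" not in props.get("baseFilter", ""):
        findings.append("baseFilter has no {0} placeholder")
    if not props.get("baseCtxDN"):
        findings.append("baseCtxDN is empty")
    if not provider_urls(props.get("java.naming.provider.url", "")):
        findings.append("java.naming.provider.url is empty")
    if props.get("java.naming.security.protocol") != "ssl":
        findings.append("java.naming.security.protocol=ssl is not set: "
                        "passwords cross the network in clear text")
    if "bindCredential" in props:
        findings.append("bindCredential is stored in plain text: use a "
                        "read-only account and restrict access to the file")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_LDAP_PROPERTIES)
    print(compose_user_dn(props["baseFilter"], props["baseCtxDN"], "john.doe"))
    print(compose_user_dn(props["baseFilter"], props["baseCtxDN"], "john,OU=Admins", escape=False))
    print(compose_user_dn(props["baseFilter"], props["baseCtxDN"], "john,OU=Admins"))
    for finding in check_config(props):
        print("finding:", finding)
```

Run it as a script to see the two manual examples reproduced, the difference between a raw and an escaped substitution for a name such as john,OU=Admins (the raw form acquires an extra RDN), and the findings for the sample fragment, which has no java.naming.security.protocol=ssl line.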
(2) Determining how the directory service identifies a user (LDAP browser approach)
In a third-party LDAP browser, do the following:
1. Navigate to the portion of the directory service domain that stores group information.
2. Identify a group of users, and then examine the format of the distinguished names for the users associated with that group.
(3) Determining how the directory service identifies a user (Web browser approach)
1. In a supported Web browser, enter the following URL:
   ldap://directory-service-host:port/user-search-string
   - directory-service-host is the fully-qualified name of the computer that hosts the directory service.
   - port is the port that the directory service uses for LDAP communication.
   - user-search-string is the distinguished name for one user name that is stored in the directory service.
2. Evaluate the results of the directory service access test.
   - If the request times out or you see a message that the directory service could not be reached, verify the values of directory-service-host and port, and then repeat step 1.
   - If you see a message that the directory service does not contain the requested entry, verify the value of user-search-string, and then repeat step 1.
   - If you see the appropriate user record, the access information is correct. The value of user-search-string is the user distinguished name.