Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/Consolidated Management 2/Network Node Manager i Setup Guide


10.4.5 User group identification

User group identification applies to configuring for the external mode.

NNMi determines the user groups for an NNMi user as follows:

  1. NNMi compares the values of the external names of all user groups configured in the NNMi console with the names of the directory service groups.

  2. For any user group match, NNMi then determines whether the NNMi user is a member of that group in the directory service.

In the NNMi console, short text strings identify the unique names of the predefined NNMi user groups that grant NNMi console access. These text strings are also required by the defaultRole and userRoleFilterList parameters in the ldap.properties file. The following table maps the unique names of these groups to their display names.

Table 10‒4: NNMi user group name mapping

  NNMi role name in the NNMi console   User group unique name and text string in NNMi configuration files
  -----------------------------------  ------------------------------------------------------------------
  Administrator                        admin
  Operator level 2                     level2
  Operator level 1                     level1
  Guest                                guest
  Web service client                   client

The NNMi global operator user group (globalops) grants access to all topology objects only; it does not by itself grant access to the NNMi console. A user can access the NNMi console only if that user is also assigned to another user group (level2, level1, or guest).

Because the globalops user group is mapped to all security groups by default, the administrator must not map this user group to security groups.


(1) Configuring user group retrieval from the directory service (detailed approach)

If the simple approach described in 10.2.5 Task 5: (Configuring for the external mode only) Configure group retrieval from the directory service in 10.2 Configuring NNMi to access a directory service did not work correctly, follow these steps:

  1. Obtain from the directory service administrator the information listed in Table 10-3 Information for retrieving group membership from a directory service in 10.4.3 Information owned by the directory service administrator.

  2. Verify the format of group names and group members in the directory service by completing whichever of the procedures in (2), (3), or (4) below matches your directory service.

  3. Open the ldap.properties file in any text editor.

    For details about the ldap.properties file, see 10.7 ldap.properties configuration file reference.

  4. Set the rolesCtxDN parameter to the elements of the distinguished group name that are the same for multiple groups.

  5. Set the roleFilter parameter to correlate user names to the way user names are stored for groups in the directory service. Replace the actual user name with one of the following expressions:

    • Use {0} to denote the user name entered for sign-in (for example, john.doe).

    • Use {1} to denote the distinguished name of the authenticated user as returned by the directory service (for example, uid=john.doe@example.com,ou=People,o=example.com).

  6. Set the uidAttributeID parameter to the name of the group attribute that stores the user ID.

  7. Test the configuration as described in 10.2.7 Task 7: (Configuring for the external mode only) Test the NNMi user group configuration in 10.2 Configuring NNMi to access a directory service.
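The following added example (not part of the Hitachi manual or of NNMi itself) simulates the two-step group resolution described at the start of this subsection together with the rolesCtxDN, roleFilter, and uidAttributeID settings from steps 4 through 6. It uses a small constructed in-memory directory in place of a live LDAP server, and the helper names, group names, and property values are this example's own assumptions.

```python
# Added example, not from the Hitachi manual: simulates NNMi's two-step user
# group resolution against a constructed in-memory directory (no LDAP server).
import re

JOHN_DN = "uid=john.doe@example.com,ou=People,o=example.com"
JANE_DN = "uid=jane.roe@example.com,ou=People,o=example.com"

# Constructed group entries: group DN -> attributes (every value is a list).
DIRECTORY = {
    "cn=USERS-NNMi-Admin,ou=Groups,o=example.com": {
        "cn": ["USERS-NNMi-Admin"], "member": [JOHN_DN], "memberUid": ["john.doe"]},
    "cn=USERS-NNMi-Level2,ou=Groups,o=example.com": {
        "cn": ["USERS-NNMi-Level2"], "member": [JOHN_DN, JANE_DN],
        "memberUid": ["john.doe", "jane.roe"]},
    "cn=Printer-Admins,ou=Groups,o=example.com": {
        "cn": ["Printer-Admins"], "member": [JOHN_DN], "memberUid": ["john.doe"]},
}

# External names configured on the NNMi user groups -> unique name (Table 10-4).
NNMI_GROUPS = {"USERS-NNMi-Admin": "admin", "USERS-NNMi-Level2": "level2",
               "USERS-NNMi-Level1": "level1"}

# Two constructed ldap.properties variants: members stored as DNs ({1}) or as
# sign-in names ({0}); this example assumes uidAttributeID names the same attribute.
PROPS_BY_DN = {"rolesCtxDN": "ou=Groups,o=example.com",
               "roleFilter": "(member={1})", "uidAttributeID": "member"}
PROPS_BY_UID = {"rolesCtxDN": "ou=Groups,o=example.com",
                "roleFilter": "(memberUid={0})", "uidAttributeID": "memberUid"}

def build_role_filter(template, user_name, user_dn):
    """Substitute {0} (name typed at sign-in) and {1} (authenticated user's DN)."""
    return template.replace("{0}", user_name).replace("{1}", user_dn)

def resolve_nnmi_groups(props, user_name, user_dn):
    """Step 1: match external names to directory groups; step 2: check membership."""
    filt = build_role_filter(props["roleFilter"], user_name, user_dn)
    m = re.fullmatch(r"\((\w+)=(.+)\)", filt)
    if not m or m.group(1) != props["uidAttributeID"]:
        raise ValueError("roleFilter and uidAttributeID disagree: " + filt)
    attr, wanted = m.groups()
    scope = "," + props["rolesCtxDN"].lower()
    roles = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(scope):
            continue  # outside the rolesCtxDN search base
        unique = NNMI_GROUPS.get(attrs["cn"][0])
        if unique and wanted in attrs.get(attr, []):
            roles.append(unique)  # external name matched and user is a member
    return sorted(roles)
```

A directory group with no matching external name (Printer-Admins above) never yields an NNMi user group, and a filter whose attribute differs from uidAttributeID is rejected before any lookup.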

(2) Determining how the directory service identifies a group and group membership (LDAP browser approach for Active Directory)

In a third-party LDAP browser, do the following:

  1. Navigate to the portion of the directory service domain that stores user information.

  2. Identify a user who requires access to NNMi, and then examine the format of the distinguished names for the groups associated with that user.

  3. Navigate to the portion of the directory service domain that stores group information.

  4. Identify the groups that correspond to NNMi user groups, and then examine the format of the names for the users associated with a group.

(3) Determining how the directory service identifies a group and group membership (LDAP browser approach for other directory services)

In a third-party LDAP browser, do the following:

  1. Navigate to the portion of the directory service domain that stores group information.

  2. Identify the groups that correspond to NNMi user groups, and then examine the format of the distinguished names for those groups.

  3. Also examine the format of the names for the users associated with a group.

(4) Determining how the directory service identifies a group (Web browser approach)

  1. In a supported Web browser, enter the following URL:

    ldap://directory-service-host:port/group-search-string

    • directory-service-host is the fully qualified name of the computer that hosts the directory service.

    • port is the port that the directory service uses for LDAP communication.

    • group-search-string is the distinguished name for a group name that is stored in the directory service (for example: cn=USERS-NNMi-Admin,ou=Groups,o=example.com).

  2. Evaluate the results of the directory service access test.

    • If you see a message that the directory service does not contain the requested entry, verify the value of group-search-string, and then repeat step 1.

    • If you see the appropriate list of groups, the access information is correct.

  3. Examine the group properties to determine the format of the names for the users associated with that group.