Hitachi

JP1 Version 11 JP1/Network Node Manager i Setup Guide


12.2.3 Task 3: Configure user access from the directory service

Complete this task for mixed mode and external mode only. Follow the appropriate procedure for your directory service. This task includes the following sections:

Important

Do one of the following depending on your environment or configuration choice.

For details about configuration instructions, see 12.4.4 User identification.

Organization of this subsection

(1) Using nms-auth-config.xml
(2) Using ldap.properties

(1) Using nms-auth-config.xml

  1. Go to the following directory:
    • Windows: %NnmDataDir%nmsas\NNM\conf
    • Linux: $NnmDataDir/nmsas/NNM/conf
  2. Back up the nms-auth-config.xml file that was shipped with NNMi, and then open the file in any text editor.
  3. Specify values for the following elements:
    Tip

    NNMi places a sample nms-auth-config.xml file in a different location, which can be used for reference.

    The sample nms-auth-config.xml file is available in the following location:

    • Windows: %NnmInstallDir%newconfig\HPOvNnmAS\nmsas\conf
    • Linux: $NnmInstallDir/newconfig/HPOvNnmAS/nmsas/conf

    You can also copy the entire <ldapLogin> element from the sample nms-auth-config.xml file, and then make necessary modifications.

    Table 12‒2: Elements of the ldapLogin Section of nms-auth-config.xml

    <enabled></enabled>
      Specify true to use the nms-auth-config.xml file. By default, this element is set to false.

    <userRoleFilterList></userRoleFilterList>
      Specify the NNMi roles to which NNMi users can assign incidents.
      To assign incidents to all operators, administrators, and guests, add this:
        <userRoleFilterList>
        admin guest level2 level1
        </userRoleFilterList>

    <connectTimeLimit></connectTimeLimit>
      Specify the connection timeout value in milliseconds. The default value is 10000 (10 seconds). If you are encountering timeouts during NNMi user sign in, increase this value.
      For example: <connectTimeLimit>10000</connectTimeLimit>

    <searchTimeLimit></searchTimeLimit>
      Specify the search timeout value in milliseconds. The default value is 30000 (30 seconds). If you are encountering timeouts during NNMi user sign in, increase this value.
      For example: <searchTimeLimit>30000</searchTimeLimit>

    <server>
      Container element to contain all LDAP configuration information.

      <host></host>
        URL of the LDAP server with port.
        For example:
        • To use HTTP:
          ldap://hostname.domain.com:389
        • To use HTTPS:
          ldaps://hostname.domain.com:636
        Note: To use HTTP, specify ldap://. To use HTTPS, specify ldap:// or ldaps://.

      <secure></secure>
        Specify true if you want to use HTTPS. Otherwise, specify false.
    </server>
      Note: Specify the <server></server> setting only once. Specifying this setting more than once is not supported.

    <bindCredential>
      Container element to include bind credentials (mandatory for directory services that do not support anonymous logon).

      <bindDN></bindDN>
        Specify the bind DN.

      <bindCredential></bindCredential>
        Specify the bind DN password in the encrypted format.
        Run the "nnmldap.ovpl -encrypt <mypassword>" command to encrypt the password.
    </bindCredential>

    <users>
      Container element to include all user configuration details.

      <userSearch>
        Container element to include the configuration information for searching users.
        Specify the <userSearch></userSearch> setting only once. Specifying this setting more than once is not supported.

        <base></base>
          For example:
          • For Active Directory:
            <base> CN={0} </base>
          • For other LDAP technologies:
            <base> SAMAccountName={0} </base>

        <baseContextDN></baseContextDN>
          For Active Directory, specify the portion of the directory service domain that stores user records.
          For example:
          • For Active Directory:
            OU=Users,OU=Accounts,DC=mycompany,DC=com
          • For other LDAP technologies:
            ou=People,o=example.com
      </userSearch>
    </users>

    Note: In mixed mode, specify the <roleSearch></roleSearch> setting only once, as follows, and then perform step 4 below.
    <roleSearch>
       <roleBase></roleBase>
       <roleContextDN></roleContextDN>
    </roleSearch>
  4. After editing the nms-auth-config.xml file (%NnmDataDir%nmsas\NNM\conf (Windows) or $NnmDataDir/nmsas/NNM/conf (Linux)), run the following command:
    • Windows:
      %NnmInstallDir%bin\nnmldap.ovpl -reload
    • Linux:
      $NnmInstallDir/bin/nnmldap.ovpl -reload
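The elements of Table 12‒2 combine into a single <ldapLogin> section. The Python script below is an added example, not part of the JP1/NNMi guide or of the product: it embeds a constructed <ldapLogin> sample (the host name, the DNs and the encrypted-password placeholder are invented) and checks, before you run nnmldap.ovpl -reload, the rules the table states: <enabled> is true, <server> and <userSearch> appear exactly once, <host> is an ldap:// or ldaps:// URL with a port, the two timeouts are positive integers in milliseconds, <base> carries the {0} placeholder, <baseContextDN> is not empty, <bindDN> has a matching <bindCredential>, and <roleSearch> appears at most once. The warning that <secure> other than true sends the bind password in clear text is the example's own addition, not a statement from the guide.

```python
import re
import xml.etree.ElementTree as ET

# Constructed <ldapLogin> sample in the shape Table 12-2 describes.
# Host name, DNs and the encrypted password value are invented placeholders.
SAMPLE_XML = """<ldapLogin>
  <enabled>true</enabled>
  <userRoleFilterList>admin guest level2 level1</userRoleFilterList>
  <connectTimeLimit>10000</connectTimeLimit>
  <searchTimeLimit>30000</searchTimeLimit>
  <server>
    <host>ldaps://ldap.example.com:636</host>
    <secure>true</secure>
  </server>
  <bindCredential>
    <bindDN>CN=nnmi-bind,OU=Service Accounts,DC=example,DC=com</bindDN>
    <bindCredential>ENCRYPTED_VALUE_FROM_nnmldap.ovpl</bindCredential>
  </bindCredential>
  <users>
    <userSearch>
      <base>CN={0}</base>
      <baseContextDN>OU=Users,OU=Accounts,DC=example,DC=com</baseContextDN>
    </userSearch>
  </users>
</ldapLogin>
"""

# scheme://host:port with an optional trailing slash; no path, no spaces
HOST_RE = re.compile(r"^(ldap|ldaps)://[^/:\s]+:(\d{1,5})/?$")


def _text(elem, path):
    """Stripped text of the first child matching path, or None if absent."""
    child = elem.find(path)
    return (child.text or "").strip() if child is not None else None


def check_ldap_login(xml_text):
    """Return a list of findings for an <ldapLogin> section; [] means it passes."""
    findings = []
    root = ET.fromstring(xml_text)
    login = root if root.tag == "ldapLogin" else root.find(".//ldapLogin")
    if login is None:
        return ["no <ldapLogin> element found"]

    if _text(login, "enabled") != "true":
        findings.append("<enabled> is not true: NNMi will not use this file")

    for tag in ("connectTimeLimit", "searchTimeLimit"):
        val = _text(login, tag)
        if val is not None and not (val.isdigit() and int(val) > 0):
            findings.append(f"<{tag}> must be a positive integer in milliseconds, got {val!r}")

    servers = login.findall("server")
    if len(servers) != 1:
        findings.append(f"<server> must appear exactly once, found {len(servers)}")
    else:
        host = _text(servers[0], "host")
        secure = _text(servers[0], "secure")
        m = HOST_RE.match(host or "")
        if not m:
            findings.append(f"<host> must be ldap://host:port or ldaps://host:port, got {host!r}")
        elif m.group(1) == "ldaps" and secure != "true":
            findings.append("<host> uses ldaps:// but <secure> is not true")
        if secure != "true":
            # Example's own check: without TLS the bind DN and password cross the network in clear text.
            findings.append("<secure> is not true: bind credentials are sent in clear text")

    # findall() matches direct children only, so this is the container, not the inner element.
    for cred in login.findall("bindCredential"):
        if _text(cred, "bindDN") and not _text(cred, "bindCredential"):
            findings.append("<bindDN> is set but the inner <bindCredential> is empty")

    searches = login.findall("users/userSearch")
    if len(searches) != 1:
        findings.append(f"<userSearch> must appear exactly once, found {len(searches)}")
    else:
        base = _text(searches[0], "base")
        if not base or "{0}" not in base:
            findings.append(f"<base> must contain the {{0}} user-name placeholder, got {base!r}")
        if not _text(searches[0], "baseContextDN"):
            findings.append("<baseContextDN> is empty")

    if len(login.findall("roleSearch")) > 1:
        findings.append("<roleSearch> must appear at most once")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_login(SAMPLE_XML) or ["no findings"]:
        print(finding)
```

To check a real file, read %NnmDataDir%nmsas\NNM\conf\nms-auth-config.xml (or the Linux path) into a string and pass it to check_ldap_login(); the script only reads the text, so it can be run by an account without write access to the configuration directory.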

(2) Using ldap.properties

  1. Back up the ldap.properties file that was shipped with NNMi, and then open the file in any text editor.
  2. Specify the URL for accessing the directory service.
    1. Uncomment the following line:

      java.naming.provider.url

    2. Set the property to ldap://<myldapserver>:<port>/.

      In this instance, <myldapserver> is the fully-qualified hostname of the directory server and <port> is the communication port of the directory server.

      Example: java.naming.provider.url=ldap://testsystem.example.com:636

  3. Specify the security mode.
    1. Uncomment the following line:

      java.naming.security.provider

    2. Set the property to SSL if you want NNMi to communicate with the directory server securely.

      Example: java.naming.security.provider=SSL

  4. If your directory service installation does not support anonymous access, specify credentials for a valid directory service user.
    1. Uncomment the following lines:

      bindDN

      bindCredential

    2. Set these properties to the following values:

      bindDN=<mydomain>\\<myusername>

      bindCredential=<mypassword>

      In this instance, <mydomain> is the name of the directory server domain; <myusername> and <mypassword> are the user name and password for accessing the directory server.

      Note

      If you plan to add the password in plain text, specify a user name with read-only access to the directory service. If you plan to specify an encrypted password, use the following command to encrypt the plain text password before adding it to the ldap.properties file:

      nnmldap.ovpl -encrypt <mypassword>

      This encrypted password only works for the NNMi instance you create it for. Do not attempt to use it for a different NNMi instance.

      For more information see the nnmldap.ovpl reference page, or the Linux man page.

  5. Specify the portion of the directory service domain that stores user records.
    1. Uncomment the following line:

      baseCtxDN

    2. Set this property to the portion of the directory service domain that stores user records.
      Examples:
      • For Active Directory:

        baseCtxDN=CN=Users,DC=hostname,DC=example,DC=com

      • For other LDAP:

        baseCtxDN=ou=People,o=example.com

  6. Modify the userRoleFilterList parameter value to specify the NNMi roles to which NNMi operators can assign incidents.
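Steps 2 through 5 are each "uncomment a line and set its value", so a small script applies them in a repeatable way and confirms the result before NNMi reads the file. The Python script below is an added example, not part of the JP1/NNMi guide or of the product. It uses a constructed stand-in for the shipped ldap.properties (the real file has more lines) and invented values for the host name, the domain, the bind user and the baseCtxDN; the bindCredential value is a placeholder for the output of nnmldap.ovpl -encrypt. The check function verifies that java.naming.provider.url is uncommented and has the ldap://<host>:<port>/ form, that bindDN and bindCredential are set together, and that baseCtxDN is set; the two SSL-related findings (SSL not set, and port 636 used without SSL) are the example's own heuristics, not rules from the guide.

```python
import re

# Constructed stand-in for the ldap.properties template; not the file shipped
# with NNMi. As in the procedure, the properties start out commented with '#'.
SHIPPED_TEMPLATE = """# constructed sample, not the file shipped with NNMi
#java.naming.provider.url=ldap://ldapserver:389/
#java.naming.security.provider=SSL
#bindDN=
#bindCredential=
#baseCtxDN=ou=People,o=example.com
userRoleFilterList=admin guest level2 level1
"""


def set_property(text, key, value):
    """Uncomment the line for `key` (if commented out) and set its value.
    If the key is absent, append it. Only the first matching line is changed."""
    pattern = re.compile(r"^#?\s*" + re.escape(key) + r"\s*=.*$", re.MULTILINE)
    line = f"{key}={value}"
    if pattern.search(text):
        # A callable replacement keeps backslashes in the value (bindDN) literal.
        return pattern.sub(lambda _m: line, text, count=1)
    return text.rstrip("\n") + "\n" + line + "\n"


def parse_properties(text):
    """Minimal key=value reader; '#' lines and blank lines are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_ldap_properties(text):
    """Return a list of findings; [] means steps 2 to 5 were all applied."""
    props = parse_properties(text)
    findings = []
    url = props.get("java.naming.provider.url", "")
    match = re.match(r"^ldap://([^/:\s]+):(\d{1,5})/?$", url)
    if not match:
        findings.append("java.naming.provider.url must be uncommented and set to ldap://<host>:<port>/")
    secure = props.get("java.naming.security.provider") == "SSL"
    # Heuristic of this example: 636 is the conventional LDAPS port, so a 636 URL
    # without SSL is almost certainly a misconfiguration.
    if match and match.group(2) == "636" and not secure:
        findings.append("port 636 is used but java.naming.security.provider is not SSL")
    if not secure:
        findings.append("java.naming.security.provider is not SSL: bind credentials are sent in clear text")
    if ("bindDN" in props) != ("bindCredential" in props):
        findings.append("bindDN and bindCredential must be uncommented and set together")
    if not props.get("baseCtxDN"):
        findings.append("baseCtxDN must be uncommented and set to the user container")
    return findings


def build_ldap_properties(template=SHIPPED_TEMPLATE):
    """Apply steps 2 to 5 of the procedure with constructed values."""
    text = template
    text = set_property(text, "java.naming.provider.url", "ldap://ldap.example.com:636/")
    text = set_property(text, "java.naming.security.provider", "SSL")
    text = set_property(text, "bindDN", r"EXAMPLE\\nnmi-bind")  # <mydomain>\\<myusername>
    # Placeholder standing in for the output of: nnmldap.ovpl -encrypt <mypassword>
    text = set_property(text, "bindCredential", "ENCRYPTED_VALUE_FROM_nnmldap.ovpl")
    text = set_property(text, "baseCtxDN", "CN=Users,DC=ldap,DC=example,DC=com")
    return text


if __name__ == "__main__":
    result = build_ldap_properties()
    print(result)
    print("findings:", check_ldap_properties(result) or "none")
```

Because set_property() only changes the first line that carries the key, re-running build_ldap_properties() on its own output leaves the file unchanged, which is the behaviour you want from a configuration step that may be repeated during an upgrade.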