Hitachi

JP1 Version 12 JP1/Network Node Manager i Setup Guide


12.3.5 User group identification

User group identification applies to configuring for the external mode.

NNMi determines the user groups for an NNMi user as follows:

  1. NNMi compares the values of the external names of all user groups configured in the NNMi console with the names of the directory service groups.

  2. For any user group match, NNMi then determines whether the NNMi user is a member of that group in the directory service.

In the NNMi console, short text strings identify the unique names of the predefined NNMi user groups that grant NNMi console access. These text strings are also required by the defaultRole and userRoleFilterList parameters in the LDAP configuration file. The following table maps the unique names of these groups to their display names.

Table 12‒6: NNMi user group name mapping

  NNMi role name in the NNMi console   User group unique name and text string in NNMi configuration files
  ----------------------------------   ------------------------------------------------------------------
  Administrator                        admin
  Global operators                     globalops
  Operator level 2                     level2
  Operator level 1                     level1
  Guest                                guest
  Web service client                   client

The NNMi global operator user group (globalops) grants access to all topology objects and nothing more: a user who belongs only to globalops cannot sign in to the NNMi console. Console access requires that the user also be assigned to another user group (admin, level2, level1, or guest).

Because the globalops user group is mapped to all security groups by default, the administrator must not map this user group to security groups.

(1) Configuring user group retrieval from the directory service (detailed approach)

If the simple approach described in 12.2.5 Task 5: (Configuring for the external mode only) Configure group retrieval from the directory service in 12.2 Configuring NNMi to access a directory service did not work correctly, follow these steps:

  1. Obtain the required user information from the directory service administrator.

  2. Verify the format of group names and group members in the directory service by completing the procedure that applies to your directory service, as described in (2), (3), or (4) below.

  3. Configure the LDAP configuration file.
    1. Open the nms-auth-config.xml file in any text editor.
    2. Set the role element to correlate user names to the way user names are stored for groups in the directory service. Replace the actual user name with one of the following expressions:
      • Use {0} to denote the user name entered for sign-in (for example, john.doe).
      • Use {1} to denote the distinguished name of the authenticated user as returned by the directory service (for example, uid=john.doe@example.com,ou=People,o=example.com).
    3. Set the roleContextDN element to the portion of the directory service domain that stores group records.

      The format is a comma-separated list of directory service attribute names and values.

      For example:
      • For Active Directory:

        CN=Users,DC=ldapserver,DC=mycompany,DC=com

      • For other LDAP technologies:

        ou=Groups,o=example.com

  4. Test the configuration as described in 12.2 Configuring NNMi to access a directory service.
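The two-step matching described at the start of 12.3.5 (compare external names, then confirm membership) and the {0}/{1} choice in step 3 above, worked through as an added example that is not part of the JP1/NNMi guide. It runs against a constructed in-memory directory; all DNs, group names and the member-attribute template are assumptions, and the real product reads these values from nms-auth-config.xml and a live LDAP search.

```python
# Added example, not from the JP1/NNMi guide: models the 12.3.5 group
# resolution against a constructed in-memory directory. All DNs, group
# names and the member-attribute template below are assumptions.
ROLE_CONTEXT_DN = "ou=Groups,o=example.com"   # roleContextDN element

# Constructed group entries: DN -> attributes an LDAP search would return.
# Members are stored as full DNs, so the role element should use {1}.
DIRECTORY = {
    "cn=USERS-NNMi-Admin,ou=Groups,o=example.com": {
        "cn": "USERS-NNMi-Admin",
        "member": ["uid=jane.admin,ou=People,o=example.com"]},
    "cn=USERS-NNMi-Level1,ou=Groups,o=example.com": {
        "cn": "USERS-NNMi-Level1",
        "member": ["uid=john.doe,ou=People,o=example.com"]},
    "cn=USERS-NNMi-GlobalOps,ou=Groups,o=example.com": {
        "cn": "USERS-NNMi-GlobalOps",
        "member": ["uid=john.doe,ou=People,o=example.com",
                   "uid=sam.ops,ou=People,o=example.com"]},
    # Same name as the admin group but outside roleContextDN: ignored.
    "cn=USERS-NNMi-Admin,ou=Stale,o=example.com": {
        "cn": "USERS-NNMi-Admin",
        "member": ["uid=john.doe,ou=People,o=example.com"]},
}

# NNMi user group unique name -> external name configured in the console
# (step 1 of 12.3.5 compares these against directory group names).
NNMI_USER_GROUPS = {"admin": "USERS-NNMi-Admin",
                    "level1": "USERS-NNMi-Level1",
                    "globalops": "USERS-NNMi-GlobalOps"}
CONSOLE_GROUPS = {"admin", "level2", "level1", "guest"}


def resolve_user_groups(user_name, user_dn, member_template="{1}"):
    """Return the NNMi unique names whose directory group lists the user.

    member_template is the role-element expression: "{0}" if the directory
    stores members as sign-in names, "{1}" if it stores their DNs."""
    expected = member_template.format(user_name, user_dn)
    found = set()
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith("," + ROLE_CONTEXT_DN.lower()):
            continue                       # outside roleContextDN
        for unique, external in NNMI_USER_GROUPS.items():
            if attrs["cn"] == external and expected in attrs["member"]:
                found.add(unique)          # step 2: membership confirmed
    return found


def has_console_access(groups):
    """globalops alone grants topology access, not console sign-in."""
    return bool(groups & CONSOLE_GROUPS)
```

Calling resolve_user_groups with "{0}" against this directory returns no groups at all, which is the symptom you see when the role element does not match how members are stored.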

(2) Determining how the directory service identifies a group and group membership (LDAP browser approach for Active Directory)

In a third-party LDAP browser, do the following:

  1. Navigate to the portion of the directory service domain that stores user information.

  2. Identify a user who requires access to NNMi, and then examine the format of the distinguished names for the groups associated with that user.

  3. Navigate to the portion of the directory service domain that stores group information.

  4. Identify the groups that correspond to NNMi user groups, and then examine the format of the names for the users associated with a group.

(3) Determining how the directory service identifies a group and group membership (LDAP browser approach for other directory services)

In a third-party LDAP browser, do the following:

  1. Navigate to the portion of the directory service domain that stores group information.

  2. Identify the groups that correspond to NNMi user groups, and then examine the format of the distinguished names for those groups.

  3. Also examine the format of the names for the users associated with a group.

(4) Determining how the directory service identifies a group (Web browser approach)

  1. In a supported Web browser, enter the following URL:

     ldap://directory-service-host:port/group-search-string

     • directory-service-host is the fully qualified name of the computer that hosts the directory service.

     • port is the port that the directory service uses for LDAP communication.

     • group-search-string is the distinguished name of a group that is stored in the directory service (for example: cn=USERS-NNMi-Admin,ou=Groups,o=example.com).

  2. Evaluate the results of the directory service access test.

    • If you see a message that the directory service does not contain the requested entry, verify the value of group-search-string, and then repeat step 1.

    • If you see the appropriate list of groups, the access information is correct.

  3. Examine the group properties to determine the format of the names for the users associated with that group.