Hitachi

JP1 Version 12 JP1/Network Node Manager i Setup Guide


12.6.1 nms-auth-config.xml

The nms-auth-config.xml file contains, in XML format, the settings for communicating with the directory service and for building the LDAP queries sent to it. This section provides a reference for only the elements that are relevant to LDAP configuration.

This file is located as follows:

By default, the nms-auth-config.xml file available in this location does not contain the XML elements required for LDAP configuration.

You can manually add all the necessary XML elements to this file by following the instructions in this section.

NNMi places a sample nms-auth-config.xml file in a different location, which can be used for reference.

The sample nms-auth-config.xml file is available in the following location:

Tip

You can also copy the entire <ldapLogin> element from the sample nms-auth-config.xml file, and then make necessary modifications.

After editing the nms-auth-config.xml file (%NnmDataDir%nmsas\NNM\conf (Windows) or $NnmDataDir/nmsas/NNM/conf (Linux)), force NNMi to read the LDAP configuration again by running the following command:

<ldapLogin>
<!-- This is the on/off switch for LDAP authentication. Set to true to use LDAP-based authentication-->
  <enabled>true</enabled>
<!-- This element enables you to specify which users can assign incidents.-->
  <userRoleFilterList>admin guest level2 level1</userRoleFilterList>
<!-- If <enabled> is set to true, define one or more <configuration> elements to specify LDAP parameters -->
  <configuration>
<!-- The filter (optional) is matched against the user that tries to log on, to determine whether this is the right configuration to use. This is useful when multiple configurations are specified: non-applicable LDAP servers are skipped, which reduces log-on time. -->
    <filter>
      <usernamePattern>.*@hpe\.com</usernamePattern>
    </filter>
<!-- Time limit for performing searches against the LDAP server -->
    <searchTimeLimit>30000</searchTimeLimit>
    <connectTimeLimit>10000</connectTimeLimit>
<!-- Define at least one server URL -->
    <server>
      <hostname>ldaps://ldap.domain1.com</hostname>
      <secure>true</secure>
    </server>
<!-- Optional. Bind credential and encrypted password for connecting to LDAP servers that do not support anonymous access. Use "nnmldap.ovpl -encrypt" to create the encrypted password. -->
    <bindCredential>
      <bindDN>someUser@some.com</bindDN>
      <bindCredential>someEncryptedPassword</bindCredential>
    </bindCredential>
<!-- This element defines the rules to search for users in this LDAP configuration -->
    <users>
<!-- Optional. Filter that is matched against the user that attempts to log on. The intention is to skip non-applicable LDAP configurations to reduce the log-on time. Note that this is a Java regular expression. -->
      <filter>
        <usernamePattern>.*some\.com</usernamePattern>
      </filter>
<!-- Optional. The display name expression to show in the NNMi console.-->
      <displayName>${sn},${givenName} (HPE)</displayName>
<!-- Optional. Default roles that are given to all users that are authenticated against this configuration -->
      <defaultRoles>
        <role>guest</role>
      </defaultRoles>
<!-- One or more search configurations for locating user accounts. The pattern "{0}" in the string is replaced with the log-on name entered by the user in the log-on screen. -->
      <userSearch>
        <base>uid={0}</base>
        <baseContextDN>ou=People,o=domain.com</baseContextDN>
      </userSearch>
    </users>
<!-- Defines the rules to search for user roles or groups in this LDAP configuration -->
    <roles>
<!-- Optional. Filter that defines which users should be attempted for role lookup against this configuration. Note that this is a Java regular expression. -->
      <filter><usernamePattern>x</usernamePattern></filter>
<!-- One or more search configurations for locating LDAP groups that contain the authenticated user DN. Use the string "{1}" where the user's DN would appear. -->
      <roleSearch>
        <roleBase>member={1}</roleBase>
        <roleContextDN>ou=Groups,o=some.com</roleContextDN>
      </roleSearch>
      <roleSearch>
        <roleBase>GroupMember={1}</roleBase>
        <roleContextDN>CN=Groups,DC=mycompany,DC=com</roleContextDN>
      </roleSearch>
    </roles>
  </configuration>
</ldapLogin>
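The following script is an added example (not part of the guide or of NNMi) that reads an <ldapLogin> block of the shape shown above and reports settings a reviewer would want corrected before the file goes live: servers that are not using ldaps:// with <secure>true</secure>, non-positive time limits, usernamePattern values that do not compile, and userSearch/roleSearch entries that lack the "{0}" and "{1}" placeholders. The embedded XML is a constructed sample (hostnames are placeholders) that deliberately contains two of those problems.

```python
"""Sanity-check an NNMi nms-auth-config.xml <ldapLogin> block (added example, not NNMi code)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample following the layout in this section; it contains two deliberate problems.
SAMPLE = """<ldapLogin>
  <enabled>true</enabled>
  <userRoleFilterList>admin guest level2 level1</userRoleFilterList>
  <configuration>
    <filter><usernamePattern>.*@hpe\\.com</usernamePattern></filter>
    <searchTimeLimit>30000</searchTimeLimit>
    <connectTimeLimit>10000</connectTimeLimit>
    <server><hostname>ldap://ldap.domain1.com</hostname><secure>false</secure></server>
    <users>
      <userSearch><base>uid={0}</base><baseContextDN>ou=People,o=domain.com</baseContextDN></userSearch>
    </users>
    <roles>
      <roleSearch><roleBase>member</roleBase><roleContextDN>ou=Groups,o=some.com</roleContextDN></roleSearch>
    </roles>
  </configuration>
</ldapLogin>"""

def check_ldap_login(xml_text):
    """Return a list of findings for the <ldapLogin> block; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    if (root.findtext("enabled") or "").strip().lower() != "true":
        return ["LDAP authentication is disabled (<enabled> is not true)"]
    findings = []
    for i, conf in enumerate(root.findall("configuration")):
        tag = f"configuration[{i}]"
        # NNMi treats usernamePattern as a Java regex; Python's re is used here as an approximation.
        for pat in conf.iter("usernamePattern"):
            try:
                re.compile(pat.text or "")
            except re.error as err:
                findings.append(f"{tag}: usernamePattern {pat.text!r} does not compile: {err}")
        for name in ("searchTimeLimit", "connectTimeLimit"):
            val = (conf.findtext(name) or "").strip()
            if not val.isdigit() or int(val) <= 0:
                findings.append(f"{tag}: {name} must be a positive number of milliseconds")
        for srv in conf.findall("server"):
            host = (srv.findtext("hostname") or "").strip()
            if not host.startswith("ldaps://") or srv.findtext("secure", "").strip().lower() != "true":
                findings.append(f"{tag}: server {host!r} is not using LDAPS with <secure>true</secure>")
        for us in conf.findall("users/userSearch"):
            if "{0}" not in (us.findtext("base") or ""):
                findings.append(f"{tag}: userSearch <base> lacks the {{0}} log-on name placeholder")
        for rs in conf.findall("roles/roleSearch"):
            if "{1}" not in (rs.findtext("roleBase") or ""):
                findings.append(f"{tag}: roleSearch <roleBase> lacks the {{1}} user DN placeholder")
    return findings
```

Run it against the real file with `check_ldap_login(open(path).read())` after copying the <ldapLogin> element out of nms-auth-config.xml; the sample above yields the LDAPS warning and the missing "{1}" warning.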