Effective configuration of LDAP for NNMi

MichaelProcopio, 05-28-2015 09:29 PM (edited 06-02-2015 04:59 PM)

Guest post by Nandini C

 

When it comes to network management, a directory service is key: it is where the accounts and groups that decide who may sign in to the management tool, and with what rights, are kept.

 

As the name suggests, Lightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection-oriented transport services.

 

A directory is similar to a database, but tends to contain more descriptive, attribute-based information. The information in a directory is generally read much more often than it is written, so directories are tuned to give a quick response to high-volume lookup or search operations. There are many different ways to provide a directory service. These different methods:

 

  • Allow different kinds of information to be stored in the directory
  • Place different requirements on how that information can be referenced, queried and updated
  • Place different requirements on how it is protected from unauthorized access

How does LDAP work?

LDAP directory service is based on a client-server model. One or more LDAP servers contain the data that makes up the LDAP directory tree or the LDAP backend database. An LDAP client connects to an LDAP server and asks it a question. The server responds with the answer or with a pointer to where the client can get more information (typically, another LDAP server). No matter what LDAP server a client connects to, it sees the same view of the directory—a name presented to one LDAP server references the same entry at another LDAP server. This is an important feature of a global directory service, like LDAP.

 

To import and export directory information between LDAP-based directory servers, or to describe a set of changes to be applied to a directory, the file format known as LDIF (LDAP Data Interchange Format) is typically used. An LDIF file is plain text: one record per entry, each record starting with a dn: line followed by attribute: value lines, with records separated by blank lines.

 

What follows is not LDIF but the NNMi ldap.properties file, written in Java properties syntax. It tells NNMi which directory server to contact, which account to bind with, and where in the tree to look for users. A typical file looks like this:

 

java.naming.provider.url=ldap://16.78.48.33:389/
# Java properties syntax: "\\" is one backslash, so the bind account is nnm-ftc-ad-test\user0
bindDN=nnm-ftc-ad-test\\user0
# stored in cleartext: restrict who can read this file and use a read-only account
bindCredential=user@2010
baseCtxDN=OU=US,OU=Users,OU=NNM-Accounts,dc=nnm-ftc-ad-test,dc=local
# {0} is replaced with the name the user signs in with
baseFilter=cn={0}
defaultRole=guest

 

java.naming.provider.url

The value of this property is a list of space-separated LDAP or LDAPS URLs. Each specifies the hostname and port number of an LDAP server and, optionally, the root distinguished name of the naming context to use. An ldap:// URL means a plain (unprotected) connection; an ldaps:// URL means an SSL/TLS connection. If the list contains more than one URL, the provider tries each in turn until it can create a connection, and then sets the property to the URL that worked. The default hostname is localhost; the default port is 389 for plain connections and 636 for SSL connections. Note that with a plain ldap:// URL the simple bind sends the bindCredential, and at every sign-in the user's password, across the network in cleartext. The ldap://16.78.48.33:389/ URL in the examples is acceptable for a lab, but in production use ldaps:// on port 636, which also means the directory server's certificate must be trusted by the Java runtime NNMi runs in.

 

DN (Distinguished Name):

A user's distinguished name contains the Base DN: remove the leading entry (the CN=... part) and what remains is the Base DN. If the users who need to sign in are spread across several OUs, choose the lowest container that still holds all of them. Below is an example:

 

Distinguished Name:

 

CN=Test User, OU=Non Admin Users, OU=Users, DC=corp, DC=yourdomain, DC=com

Base DN:

OU=Non Admin Users, OU=Users, DC=corp, DC=yourdomain, DC=com

 

(The Search Base DN tells the server which part of the external directory tree to search.)
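As an added example (not code from the post or from NNMi), the script below does two things this section and the LDIF paragraph above describe: it reads a small LDIF file, which is what directory data actually looks like in that format, and it derives the Search Base DN from a user's distinguished name by removing the leading RDN. It goes a little beyond the single-OU case above by also computing the narrowest common base of several DNs, for directories where users live in different OUs. The LDIF records, names and DNs are constructed for the example; the DN handling follows RFC 4514, so an escaped comma inside a value does not split an RDN.

```python
"""Read a small LDIF file, pull the DNs out of it and derive the Search Base DN.

Added example, not code from the post or from NNMi. The LDIF content is
constructed for this example; DN handling follows RFC 4514, where a
backslash-escaped comma ("Smith\, John") belongs to the value, not to the
next RDN.
"""
from __future__ import annotations

# Constructed LDIF: two users in different OUs, and a group listing one of them.
SAMPLE_LDIF = r"""
dn: CN=Test User,OU=Non Admin Users,OU=Users,DC=corp,DC=yourdomain,DC=com
objectClass: user
cn: Test User

dn: CN=Smith\, John,OU=Admins,OU=Users,DC=corp,DC=yourdomain,DC=com
objectClass: user

dn: CN=nnmi-admins,OU=Managed Groups,DC=corp,DC=yourdomain,DC=com
objectClass: group
member: CN=Smith\, John,OU=Admins,OU=Users,DC=corp,DC=yourdomain,DC=com
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Split LDIF into records, each mapping attribute -> list of values.

    A blank line ends a record, a line starting with a space continues the
    previous line, '#' starts a comment; base64 values ("attr::") stay encoded.
    """
    records, current, pending = [], {}, []

    def flush():  # store the logical line collected so far, if any
        if pending:
            attr, _, value = "".join(pending).partition(":")
            current.setdefault(attr.strip(), []).append(value.lstrip(":").strip())
            pending.clear()

    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line.startswith(" "):
            pending.append(line[1:])  # folded continuation line
            continue
        flush()
        if line.strip():
            pending.append(line)
        elif current:
            records.append(current)
            current = {}
    flush()
    if current:
        records.append(current)
    return records


def split_dn(dn: str) -> list[str]:
    """RDNs of `dn` in order; a backslash-escaped comma does not split."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape with its character
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def base_dn(dn: str) -> str:
    """Drop the leading RDN; what remains is the Search Base DN."""
    rdns = split_dn(dn)
    if len(rdns) < 2:
        raise ValueError(f"no parent container to use as a base: {dn!r}")
    return ",".join(rdns[1:])


def common_base(dns: list[str]) -> str:
    """Longest common suffix of several DNs, compared case-insensitively:
    the narrowest container that still reaches every user in `dns`."""
    common = []
    for column in zip(*(reversed(split_dn(d)) for d in dns)):
        if all(r.lower() == column[0].lower() for r in column):
            common.append(column[0])
        else:
            break
    return ",".join(reversed(common))


def entry_dns(records: list[dict[str, list[str]]], object_class: str) -> list[str]:
    """DNs of the records whose objectClass includes `object_class`."""
    return [r["dn"][0] for r in records
            if object_class.lower() in [v.lower() for v in r.get("objectClass", [])]]


if __name__ == "__main__":
    users = entry_dns(parse_ldif(SAMPLE_LDIF), "user")
    for dn in users:
        print("user    :", dn, "\nbase DN :", base_dn(dn))
    print("common  :", common_base(users))
```

Run it as-is and it prints the Base DN for each user entry and the common base of both, which for the constructed data is OU=Users,DC=corp,DC=yourdomain,DC=com: the container to use as baseCtxDN if both users must be able to sign in.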

 

The account NNMi binds with may not be in the same location as the user accounts. Locate the distinguished name of that account to find your Bind DN: the Bind DN is the full distinguished name of the account NNMi uses to connect and search the directory. It need not be a domain administrator; a dedicated account that can only read the user and group containers is sufficient and safer, since its password is stored in ldap.properties. The example below uses the Administrator account:

 

Distinguished Name:

 

CN=Administrator, OU=Admins, OU=Users,DC=corp, DC=yourdomain, DC=com

Bind DN:

CN=Administrator, OU=Admins, OU=Users, DC=corp, DC=yourdomain, DC=com

 

The Bind Password (bindCredential) is the password of that bind account in the directory service.

 

Each user is initially assigned the default role (defaultRole=guest). In mixed mode, user account mappings and roles are assigned in NNMi; in full mode they are read from Active Directory.

 

NNMi supports two types of access: Full Mode and Mixed Mode.

Mixed mode authentication enables users to sign in to HP Network Node Manager i (NNMi) using both Windows Active Directory authentication and standard authentication.

 

When a user logs in using Active Directory credentials for the first time, the system automatically creates a matching user account in the NNMi database and also imports the user's domain groups as roles. The imported roles do not authorize the users to perform any actions in NNMi by default. You need to configure permissions for the imported roles manually if you wish to use them.

 

Full mode authentication enables users to sign in to NNMi using only Windows Active Directory: users, passwords, user group mappings and roles/permissions are all defined in LDAP.

 

Full Mode LDAP Properties:

java.naming.provider.url=ldap://16.78.48.33:389/
bindDN=nnm-ftc-ad-test\\user0
bindCredential=user@2010
baseCtxDN=OU=US,OU=Users,OU=NNM-Accounts,dc=nnm-ftc-ad-test,dc=local
baseFilter=cn={0}
defaultRole=guest
#Configuration to enable option 3- Full LDAP
rolesCtxDN=OU=Managed Groups,OU=NNM-Accounts,dc=nnm-ftc-ad-test,dc=local
# {1} is replaced with the DN of the user entry found by baseFilter
roleFilter=member={1}
uidAttributeID=member
userRoleFilterList=admin;level2;level1

 

Mixed Mode LDAP properties:

java.naming.provider.url=ldap://16.78.48.33:389/
bindDN=nnm-ftc-ad-test\\user0
bindCredential=user@2010
baseCtxDN=OU=US,OU=Users,OU=NNM-Accounts,dc=nnm-ftc-ad-test,dc=local
baseFilter=cn={0}
defaultRole=guest
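To see what the full-mode and mixed-mode property files above actually make NNMi do, here is an added example (not NNMi's code and not from the original post). It parses an ldap.properties file, renders the user search and the group search with the {0} and {1} placeholders filled in and RFC 4515-escaped so that a sign-in name such as "*" cannot widen the filter, decides the mode from the presence of rolesCtxDN, flags the cleartext ldap:// URL and stored bind password discussed under java.naming.provider.url, and builds the equivalent ldapsearch command for checking the settings by hand. The hostname, bind account and password in the sample are placeholders; that NNMi substitutes the login name for {0} and the user's DN for {1}, and wraps the result in parentheses, is an assumption drawn from the example values on the page.

```python
"""Render the searches an NNMi ldap.properties file will issue, and flag its
weak settings.

Added example, not NNMi's code. It assumes Java .properties syntax ("#"
comments, backslash escapes, so a doubled backslash is one backslash), that
NNMi fills {0} with the login name and {1} with the user's DN as
baseFilter=cn={0} and roleFilter=member={1} imply, and that rolesCtxDN marks
full mode. Host, account and password below are placeholders.
"""
from __future__ import annotations
import shlex
from urllib.parse import urlsplit

# Constructed sample modelled on the post's full-mode file.
SAMPLE_PROPERTIES = r"""
java.naming.provider.url=ldap://dc01.example.internal:389/
bindDN=EXAMPLE\\svc-nnmi
bindCredential=REPLACE-ME
baseCtxDN=OU=US,OU=Users,OU=NNM-Accounts,dc=example,dc=internal
baseFilter=cn={0}
defaultRole=guest
#Configuration to enable option 3- Full LDAP
rolesCtxDN=OU=Managed Groups,OU=NNM-Accounts,dc=example,dc=internal
roleFilter=member={1}
uidAttributeID=member
userRoleFilterList=admin;level2;level1
"""


def _unescape(value: str) -> str:
    """Java .properties escape: backslash plus any character yields that character."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_properties(text: str) -> dict[str, str]:
    """key=value lines; '#' and '!' start comments; values are unescaped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = _unescape(value.strip())
    return props


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: once '*', '(', ')', '\\' and NUL are hex-encoded a
    login such as "*" or "x)(cn=*" cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _wrap(f: str) -> str:
    return f if f.startswith("(") else f"({f})"


def user_filter(props: dict[str, str], login: str) -> str:
    """Search under baseCtxDN for the entry whose name is `login`."""
    return _wrap(props["baseFilter"].replace("{0}", escape_filter_value(login)))


def role_filter(props: dict[str, str], user_dn: str) -> str:
    """Full mode only: search under rolesCtxDN for the groups listing `user_dn`."""
    return _wrap(props["roleFilter"].replace("{1}", escape_filter_value(user_dn)))


def mode(props: dict[str, str]) -> str:
    """'full' when group lookup is configured in the directory, else 'mixed'."""
    return "full" if "rolesCtxDN" in props and "roleFilter" in props else "mixed"


def audit(props: dict[str, str]) -> list[str]:
    """Settings a reviewer would flag before this file goes to production."""
    findings = []
    for url in props.get("java.naming.provider.url", "").split():
        if urlsplit(url).scheme.lower() == "ldap":
            findings.append(f"{url}: plain ldap://, the bind password and every "
                            "user's password cross the network unencrypted; use ldaps://")
    if "bindCredential" in props:
        findings.append("bindCredential: bind password stored in cleartext; use a "
                        "read-only service account and restrict who can read this file")
    return findings


def ldapsearch_argv(props: dict[str, str], login: str) -> list[str]:
    """Same user search with OpenLDAP's ldapsearch; -W prompts for the bind
    password so it stays out of shell history and `ps` output."""
    url = props["java.naming.provider.url"].split()[0]
    return ["ldapsearch", "-x", "-H", url, "-D", props["bindDN"], "-W",
            "-b", props["baseCtxDN"], user_filter(props, login),
            "distinguishedName", "memberOf"]


if __name__ == "__main__":
    p = parse_properties(SAMPLE_PROPERTIES)
    print("mode        :", mode(p))
    print("user search :", user_filter(p, "jdoe"))
    print("role search :", role_filter(p, "CN=jdoe," + p["baseCtxDN"]))
    print("injection   :", user_filter(p, "*)(objectClass=*"))
    print("manual check:", shlex.join(ldapsearch_argv(p, "jdoe")))
    for finding in audit(p):
        print("finding     :", finding)
```

Point the script at your own file (replace SAMPLE_PROPERTIES with its contents) and paste the printed ldapsearch line into a shell on a host that can reach the directory: if the user search returns the expected entry with its memberOf values, baseCtxDN and baseFilter are right, and the DN it returns is what {1} in roleFilter must match.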

 

The whole BSM solution including network management will be on display at HP Discover June 2-4 in Las Vegas. Stop by booth 837 to get a demonstration, ask questions or just say hello. Uncover the unknown.

 

About the author: Nandini C is a QA Software Automation Engineer at HP with a total of 9.5 years of experience in various aspects of development and automation testing. Nandini joined HP in Sep 2013 and has been part of the NMC team working as an Automation Test Engineer, has worked on automating tests for NMC 10.00 and upcoming releases, and automated the locale testing and upgrade testing for NNMI Amazon.

 

Nandini has a Bachelor of Engineering (BE) degree in Information Sciences from Visveswaraya Technological University (VTU), Karnataka, India.

 

You can register for HP Discover here.

 

 

 

About the Author

MichaelProcopio

HPE Software Product Marketing. Over 20 years in network and systems management.

Comments
Johan Dahl
on ‎06-04-2015 05:58 AM

I use LDAP full mode towards an Active Directory server. My sniffer trace shows that the whole LDAP authentication process works well when I log in as an administrator, but when I finally get signed in to NNMi 10 I'm only logged in with the NNMi role: Guest. It seems to be that NNMi uses the information "defaultRole=guest" from the ldap.properties file instead of the information provided with LDAP.

 

I think I have missed some final step to get this working.

Can you please clarify what you mean with the following statement in your text above.

"You need to configure permissions for the imported roles manually if you wish to use them."

 

 
