LDAP Integration Issues/Group Mapping (554 Views)
Advisor
Simon_Bachmann
Posts: 30
Registered: ‎10-16-2012
Message 1 of 9 (554 Views)
Accepted Solution

LDAP Integration Issues/Group Mapping

Hi All,

 

I'm running into some strange issues while configuring their NNMi 9.11 p4 for multi-user views/multi-tenancy.

The whole Information is gathered through LDAP out of an AD Service.

The normal login works properly and fine. Now I want to map the User Groups and get stuck there.

 

To describe what my thoughts are:

 

User X is memberOf Group X

Group X has info level2

 

User Y is memberOf Group Y

Group Y has info guest

 

Group X&Y are already created in the NNMi console and are mapped to Security Groups as well.

 

ldap.properties:

**********************************************

java.naming.provider.url=ldap://<hostname>:389/
#!java.naming.security.protocol=ssl
bindDN=DOMAIN\\Username
bindCredential=Password
baseCtxDN=DC=media,DC=int
baseFilter=CN={0}
#!defaultRole=guest
rolesCtxDN=DC=media,DC=int
roleFilter=member={1}
roleAttributeIsDN=true
roleAttributeID=memberOf
roleNameAttributeID=info
userRoleFilterList=admin;level2;level1;guest
uidAttributeID=member

 **********************************************

 


User authentication works fine: the user gets authenticated and gets the nnmi-user-role. But the User Groups are not assigned either.

 

I've tried a lot. If I comment out the roleNameAttributeID=info line, the nnmldap.ovpl -diagnose output shows me that the mapping to the User Groups works. But then the role does not get assigned to the user.

If I try the same thing but comment out the roleAttributeID=memberOf line instead, then the role gets assigned, but no User Group.

 

I don't know what to do next. The Deployment Reference doesn't help that much.

 

If I do all the mappings without LDAP, everything is working fine, but the customer needs to have LDAP mapping of all these attributes.

 

Thank you all in advance for your help.

 

Kind Regards,

Simon

HP Expert
Dave Young
Posts: 482
Registered: ‎09-27-2000
Message 2 of 9 (505 Views)

Re: LDAP Integration Issues/Group Mapping

Simon,

 

  Please check out KM00205168  

 

  Essentially you need to configure the group's DN into NNMi's group configuration so that it can look up the groups' members to see which groups the user login is a part of.  Beyond that all the security mapping should be the same within NNMi.

 

  Please note that in 9.1 the following entries in the ldap.properties file have been deprecated, due to the need to configure the group DN into NNMi's group config and not have to determine the role level from the AD.

 

roleAttributeIsDN=true
roleAttributeID=memberOf
roleNameAttributeID=info

 

  If you still have problems then please open a case with us and we can investigate it in more detail.

 

  All the best

 

Dave Y

HP Support

The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of HP

If you find this or any post resolves your issue, please be sure to mark it as an accepted solution.
Advisor
Simon_Bachmann
Posts: 30
Registered: ‎10-16-2012
Message 3 of 9 (503 Views)

Re: LDAP Integration Issues/Group Mapping

[ Edited ]

Hello Dave,

 

many thanks for your response.

 

I've already read the document you provided. What happens there is that the User Group assignment is not handled through AD, but the role assignment is.

My need is to get the role AND user group assignment (separated; different groups) through the AD service.

 

A case has been opened last week due to this problem.

 

Further, I have a question:

You write about a maximum of 40 characters for the usernames (even if they are DNs), but only for the incident assignment. As you can see from the ldap.properties, I'm using the DN as the member's roleAttribute and uidAttributeID. I will not use incident assignment or any features depending on it.

So my question is: is the limitation of 40 characters also true for my case, so that the member field should be exchanged for another one which is properly unused?

 

Kindest Regards,

Simon

HP Expert
Dave Young
Posts: 482
Registered: ‎09-27-2000
Message 4 of 9 (499 Views)

Re: LDAP Integration Issues/Group Mapping

Simon,

 

  If you would like to email me your case ID I can follow up with the engineer who owns it and see how things are going.

 

  The 40 character limit is seen when you try to use incident assignment, and the error is normally seen when the integration is not configured so that NNM gets a list of login names, but instead gets a list of user DN strings.  It's important to get the user names because otherwise, when viewing the incident views for incidents you own, the user DN strings won't match your login user name and so the whole thing won't work as expected.   There is a workaround in this document, but we have also developed some new code to avoid the workaround and make the configuration of this feature more intuitive, using the standard configurations in the file.  Since you are not using this feature we can move on.... :)

 

  I see you are using baseFilter=CN={0}, which will require your users to log in with a name that matches the rest of the CN attribute string.  I am not sure what this is in your configuration, but normally I use "baseFilter=SAMAccountName={0}", where this attribute is the user login name and is what Windows sets up automatically for you.

 

  If the group assignment is not working correctly, check the DN you entered for the group configuration - this must match exactly, otherwise the lookup will fail.  Also check the "member" attribute of the group in the AD server and ensure it does contain the user's DN string, since it is this which will be matched - this is the meaning of the {1}.

 

  When I am troubleshooting AD issues I tend to use Wireshark and ADExplorer.  Wireshark is very good at providing expert comments on what is being searched for, but even without it the LDAP protocol is very simple and normally you can spot configuration or logic issues very easily.

 

  All the best

 

Dave Y

HP Support

Advisor
Simon_Bachmann
Posts: 30
Registered: ‎10-16-2012
Message 5 of 9 (496 Views)

Re: LDAP Integration Issues/Group Mapping

Hi Dave,

 

I've sent you a personal Message to your inbox.

 

Thank you in advance for your investigation.

 

Kindest Regards,

Simon

Advisor
Simon_Bachmann
Posts: 30
Registered: ‎10-16-2012
Message 6 of 9 (463 Views)

Re: LDAP Integration Issues/Group Mapping

Hi all,

 

just want to inform you further.

For my case, the problem was that every guide or knowledge document says the info attribute in AD must be the user role, like "guest" or "level2" etc.

That's just half the truth. The value of the info attribute in AD must exactly match the value of the group's Name attribute in the NNMi console. If this is not the case, NNMi will not be able to resolve the custom user groups. So the user will be able to log in, but he will never have any node to manage.

 

Hopefully, this will help anyone with the same case.

 

Regards,

Simon

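As an added example (not code from the thread, from HP or from NNMi), here is a small offline model of the lookups that Simon's ldap.properties and Dave's explanation of {0} and {1} describe, run against a constructed sample directory; it also shows the exact-name requirement for the info attribute that Simon found, and the CN versus sAMAccountName difference in baseFilter.

```python
# Added example, not the thread's or HP's code: an offline model of the lookup
# that the thread's ldap.properties describes. All directory data is constructed.
DIRECTORY = {  # DN -> attributes (lists for multi-valued attributes)
    "CN=Simon,OU=Users,DC=media,DC=int": {
        "cn": "Simon", "sAMAccountName": "sbachmann", "objectClass": "user"},
    "CN=Ops-X,OU=Groups,DC=media,DC=int": {
        "objectClass": "group", "info": "level2",
        "member": ["CN=Simon,OU=Users,DC=media,DC=int"]},
    "CN=Tenant-X,OU=Groups,DC=media,DC=int": {
        "objectClass": "group", "info": "Tenant X Ops",  # differs from NNMi name
        "member": ["CN=Simon,OU=Users,DC=media,DC=int"]},
}
PROPERTIES = {  # values taken from the ldap.properties posted in the thread
    "baseCtxDN": "DC=media,DC=int", "baseFilter": "CN={0}",
    "rolesCtxDN": "DC=media,DC=int", "roleFilter": "member={1}",
    "roleNameAttributeID": "info", "userRoleFilterList": "admin;level2;level1;guest",
}
def attr(entry, name):
    """LDAP attribute names are case-insensitive; always return a list."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value if isinstance(value, list) else [value]
    return []
def search(base_dn, filter_attr, wanted):
    """Equality search under base_dn, like the module's single-attribute filters."""
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower())
            and any(v.lower() == wanted.lower() for v in attr(entry, filter_attr))]
def find_user_dn(props, login):
    """{0} in baseFilter is the typed login: CN={0} requires the login to equal
    the CN, whereas sAMAccountName={0} accepts the Windows account name."""
    filter_attr, pattern = props["baseFilter"].split("=", 1)
    hits = search(props["baseCtxDN"], filter_attr, pattern.replace("{0}", login))
    return hits[0] if len(hits) == 1 else None
def resolve(props, login, nnmi_group_names):
    """{1} in roleFilter is the user's DN: groups whose member attribute holds it
    match, and roleNameAttributeID supplies the name NNMi sees. A name listed in
    userRoleFilterList is the role; any other name maps to a user group only if
    it equals an NNMi group Name exactly (the point of message 6)."""
    user_dn = find_user_dn(props, login)
    if user_dn is None:
        return None
    filter_attr, pattern = props["roleFilter"].split("=", 1)
    groups = search(props["rolesCtxDN"], filter_attr, pattern.replace("{1}", user_dn))
    names = [n for g in groups for n in attr(DIRECTORY[g], props["roleNameAttributeID"])]
    roles = set(props["userRoleFilterList"].split(";"))
    return {"dn": user_dn, "role": [n for n in names if n in roles],
            "groups": [n for n in names if n in nnmi_group_names],
            "unresolved": [n for n in names if n not in roles and n not in nnmi_group_names]}
```

Calling `resolve(PROPERTIES, "Simon", {"Tenant-X"})` yields the role but leaves "Tenant X Ops" unresolved, which is the "can log in but manages no nodes" symptom; renaming the NNMi group to match the info value makes it resolve.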
Occasional Advisor
Kartheek
Posts: 6
Registered: ‎09-25-2012
Message 7 of 9 (206 Views)

Re: LDAP Integration Issues/Group Mapping

Hi All,

 

I have a question: I see the Map User accounts to User groups option missing in the security wizard after LDAP integration. Is it the normal behaviour?

 

HP NNMi - Version 9.20,9.23.004

 

I know that, as this is LDAP integration, we cannot perform any changes to users or user groups; I just want to confirm. Please let us know.

 

I am attaching the screenshot for your reference.

 

 

HP Expert
Dave Young
Posts: 482
Registered: ‎09-27-2000
Message 8 of 9 (197 Views)

Re: LDAP Integration Issues/Group Mapping

Kartheek,

 

  Correct.  When LDAP integration is enabled, if the group access information is configured, i.e. rolesCtxDN, uidAttributeID etc. are configured and valid, then you will not see the Map User accounts to User groups link, as this is now done within LDAP.   If you configure the ldap.properties to only use user password authentication, then you will see this link, as the user-to-group mapping will need to be done in NNMi.

 

  All the best

 

Dave Y

HP Support

Occasional Advisor
Kartheek
Posts: 6
Registered: ‎09-25-2012
Message 9 of 9 (181 Views)

Re: LDAP Integration Issues/Group Mapping

Thanks, Dave!
