Configuring a non-AD directory service for Ops Center (LDAP server)

Ops Center Installation and Configuration Guide

Version: 11.0.x
Audience: anonymous
Part Number: MK-99OPS001-23

You can configure any directory service that supports the LDAP authentication protocol (such as Tivoli) for the Ops Center portal and import users from the server. This permits the users to access portal functions and products with a single sign-in. (Only LDAP is supported for non-AD directory services.)

Note: Whenever you make changes to LDAP server settings, you must do the following:
  • Click Sync users to apply the changes to the users configured in Ops Center.
  • Click Test connection and Test authentication.
  • Click Pre-check the number of imported users.
If any errors are reported, confirm the changes are valid.

  1. Log in to the Ops Center portal as sysadmin or a user with opscenter-administrators membership.
  2. From the navigation bar, click Manage users and select User directories from the Asset type list.
  3. Click the + (plus) icon.
    The Add user directory service window opens.
  4. Enter a name for the service.
  5. Select Other for the Directory service type.
    The LDAP Authentication protocol is automatically selected.
  6. Enter the Connection URL (for example: ldaps://ldaps.example.com) and then click Test connection.
    Note: Specify the same host name as the CN or SANs in the LDAP server certificate.
  7. Enter the BIND user DN (for example: CN=bind-user,OU=foo,OU=bar,DC=example,DC=com) and the password and then click Test authentication.
    Note: The BIND User DN only needs read permissions (not admin or modify).
  8. Enter the Base DN (for example: OU=foo,OU=bar,DC=example,DC=com).
    Note: To have portal access, users must be included in the subtree of the DN specified in the Base DN.
  9. Configure the following LDAP settings:

    User object classes
      Description: Object class of the imported user. Use commas to separate entries.
      Default value (examples): inetOrgPerson, organizationalPerson

    Search scope
      Description: One level (flat) or Subtree.
      Default value: Subtree

    Custom user LDAP filter (optional)
      Description: Search filter that narrows the results, specified in RFC 2254 format. The filter applies only to user entry attributes (not DN objects).
      Examples: (|(cn=t_brady)(cn=j_smith)(cn=orion_admin)) or (ou=Storage management)

    LDAP attribute for username
      Description: Attribute that uniquely identifies the imported user.
      Default value: uid
  10. You can import a maximum of 100 users. Click Pre-check the number of imported users. If you exceed the limit, you can decrease the number of users by using the Custom user LDAP filter.
  11. Configure the following attributes to be used when importing the users:

    LDAP attribute for first name
      Description: Imported user's first name. Select Full name or First name.
      Default value: cn for Full name; givenName for First name

    LDAP attribute for last name
      Description: Imported user's last name.
      Default value: sn

    LDAP attribute for email
      Description: Imported user's email address.
      Default value: mail

    LDAP attribute for RDN
      Description: Attribute used as the RDN (top attribute) of a typical user DN (usually the same as the LDAP attribute for username).
      Default value: uid

    LDAP attribute for UUID
      Description: Attribute used for the UUID.
      Default value: entryUUID
  12. By default, the Add all users under Base DN to opscenter-users group option is not available. If you enable this option, all users under the Base DN are automatically assigned to the opscenter-users group and can also log in. If the option is not available, you have to add the imported users to a local group manually and assign the opscenter-user role to permit them to log in.
  13. Click Submit when the settings are complete.
  14. When you are returned to the User directories window, click Sync users. The LDAP server users are then imported into the Ops Center portal.
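The settings in steps 9 and 10 decide which directory entries become portal accounts, and the pre-check exists because two things go wrong in practice: the result set exceeds the 100-user limit, or the username attribute does not actually identify a user uniquely, so two directory entries would collapse into one portal login. The following Python script is an added example, not Hitachi's code, that rehearses that pre-check offline: it applies the user object classes, the search scope and an RFC 2254 custom filter to a constructed in-memory directory, reports the count against the limit, and flags duplicate `uid` values. The directory contents, the `_person` helper, and the assumption that the portal ANDs the object-class test with the custom filter are all constructed for the example; the filter evaluator supports only `=` items, `*` wildcards and the `&`, `|`, `!` operators.

```python
"""Offline pre-check for an LDAP user import, modelled on steps 9 and 10 of the procedure above.
Added example, not Hitachi's code: the user object classes, the search scope and an RFC 2254
custom filter are applied to a constructed in-memory directory, the matched count is checked
against the 100-user limit, and the username attribute is checked for uniqueness.
Assumed: the portal ANDs the object-class test with the custom filter; only '=' items,
'*' wildcards and the &, |, ! operators are supported here."""
import re

MAX_IMPORT_USERS = 100  # limit stated in step 10
BASE_DN = "OU=foo,OU=bar,DC=example,DC=com"  # example Base DN from step 8

def _person(uid, cn, sn, mail, ou, classes=("inetOrgPerson",)):
    return {"objectClass": list(classes), "uid": [uid], "cn": [cn], "sn": [sn], "mail": [mail], "ou": [ou]}

SAMPLE_ENTRIES = {  # constructed sample directory: DN -> attributes
    f"uid=t_brady,{BASE_DN}": _person("t_brady", "t_brady", "Brady", "tb@example.com", "Storage management"),
    f"uid=j_smith,{BASE_DN}": _person("j_smith", "j_smith", "Smith", "js@example.com", "Storage management"),
    f"uid=orion_admin,OU=ops,{BASE_DN}": _person("orion_admin", "orion_admin", "Admin", "oa@example.com", "Platform"),
    # stale account that reuses the uid value j_smith: the username attribute is no longer unique
    f"cn=jsmith-old,{BASE_DN}": _person("j_smith", "jsmith-old", "Smith", "old@example.com", "Platform"),
    # a group entry, excluded by the user object classes
    f"cn=storage-admins,{BASE_DN}": {"objectClass": ["groupOfNames"], "cn": ["storage-admins"]},
}
for n in range(120):  # 120 generated accounts in their own OU, enough to exceed the limit on a Subtree search
    SAMPLE_ENTRIES[f"uid=bulk{n:03d},OU=bulk,{BASE_DN}"] = _person(f"bulk{n:03d}", f"bulk{n:03d}", "Bulk", f"b{n}@example.com", "Bulk")

def parse_filter(text):
    """Parse an RFC 2254 filter into a nested tuple tree; raise ValueError if it is malformed."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        op = text[i + 1] if i + 1 < len(text) else ""
        if op in ("&", "|"):
            i, children = i + 2, []
            while i < len(text) and text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if not children or i >= len(text) or text[i] != ")":
                raise ValueError(f"malformed '{op}' list at offset {i}")
            return (op, children), i + 1
        if op == "!":
            child, i = parse(i + 2)
            if i >= len(text) or text[i] != ")":
                raise ValueError(f"unterminated '!' at offset {i}")
            return ("!", child), i + 1
        end = text.find(")", i)  # a literal ')' inside a value must be escaped as \29
        m = re.fullmatch(r"([A-Za-z][\w.;-]*)=(.*)", text[i + 1:end]) if end > 0 else None
        if not m:
            raise ValueError(f"unsupported or malformed item at offset {i}")
        return ("=", m.group(1), m.group(2)), end + 1
    tree, i = parse(0)
    if i != len(text):
        raise ValueError("trailing characters after the filter")
    return tree

def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(tree, entry):
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively."""
    if tree[0] == "&":
        return all(matches(c, entry) for c in tree[1])
    if tree[0] == "|":
        return any(matches(c, entry) for c in tree[1])
    if tree[0] == "!":
        return not matches(tree[1], entry)
    _, attr, pattern = tree
    values = [str(v).lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if pattern == "*":  # presence test
        return bool(values)
    regex = ".*".join(re.escape(_unescape(part).lower()) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.DOTALL) for v in values)

def in_scope(dn, base_dn, scope):
    """One level: immediate children of the Base DN; Subtree: every descendant (no escaped commas assumed)."""
    dn_l, base_l = dn.lower(), base_dn.lower()
    if not dn_l.endswith("," + base_l):
        return False
    if scope == "Subtree":
        return True
    if scope == "One level":
        return "," not in dn_l[: -len(base_l) - 1]
    raise ValueError("scope must be 'One level' or 'Subtree'")

def precheck_import(entries, base_dn, scope, object_classes, custom_filter="", username_attr="uid"):
    """Return (matched DNs, problems), the two things the portal's pre-check is there to show."""
    class_filter = "(|" + "".join(f"(objectClass={c.strip()})" for c in object_classes.split(",")) + ")"
    tree = parse_filter(f"(&{class_filter}{custom_filter})" if custom_filter else class_filter)
    matched = [dn for dn, e in entries.items() if in_scope(dn, base_dn, scope) and matches(tree, e)]
    problems = []
    if len(matched) > MAX_IMPORT_USERS:
        problems.append(f"{len(matched)} users exceed the limit of {MAX_IMPORT_USERS}; narrow the custom filter")
    by_name = {}
    for dn in matched:
        for v in entries[dn].get(username_attr, []):
            by_name.setdefault(v.lower(), []).append(dn)
    problems += [f"{username_attr}={v} is not unique: {dns}" for v, dns in by_name.items() if len(dns) > 1]
    return matched, problems
```

Running `precheck_import(SAMPLE_ENTRIES, BASE_DN, "Subtree", "inetOrgPerson, organizationalPerson")` against the constructed directory matches 124 entries and reports both the limit and the duplicate `uid`; narrowing with the page's own example filter `(|(cn=t_brady)(cn=j_smith)(cn=orion_admin))` brings it to three clean users, and `(ou=Storage management)` to two. Switching the scope to One level drops the accounts under `OU=ops` and `OU=bulk` without any filter at all, which is usually the cheaper fix when the accounts you want are direct children of the Base DN.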

The imported LDAP server users are added to Manage users > Users and are displayed with the DN designation.

  • If you enabled the Add all users under Base DN to opscenter-users group option, the imported LDAP server users can log in to the Ops Center portal and access the Inventory tab. To assign a role to a group that permits access to administrative functions outside the Inventory tab and log in to all Ops Center products with full admin privileges, you can assign the opscenter-system-administrator role. See Assigning portal-level roles to Ops Center groups for more information.
  • To assign product-level roles to a group that permits members to access individual Ops Center products, refer to Assigning product-level roles from the Ops Center portal for more information.
  • Confirm the LDAP server entries appear in Manage users > Users.
  • Verify the LDAP server users can log in.
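The note under step 6 (use the same host name as the CN or SANs in the LDAP server certificate) is what decides whether Test connection succeeds over ldaps://, and a mismatch there also explains the last bullet above failing for every user at once. The following Python snippet is an added example, not Hitachi's code, showing which names a TLS client compares the Connection URL host against: the certificate is a constructed dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, no connection is made, and the matching rule applied (DNS SANs take precedence; the subject CN is a fallback only when the certificate carries no DNS SAN; a wildcard covers one label) follows RFC 6125 rather than any documented Ops Center behaviour.

```python
"""Which name will a TLS client compare against the LDAP server certificate?
Added example, not Hitachi's code. SAMPLE_CERT is constructed in the shape that
ssl.SSLSocket.getpeercert() returns; nothing here opens a network connection.
Rule applied (RFC 6125): if the certificate has DNS subjectAltName entries, only those
count; the subject CN is consulted only when there is no DNS SAN at all."""
from urllib.parse import urlsplit

# Constructed certificate, not a real one: the CN still names an old host while the SANs name the current ones
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap-old.example.com"),),),
    "subjectAltName": (("DNS", "ldaps.example.com"), ("DNS", "*.dir.example.com")),
}

def connection_host(url):
    """Host name part of an ldap:// or ldaps:// Connection URL, lower-cased and without the port."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    return parts.hostname.lower()

def _dns_name_matches(pattern, host):
    """Exact match, or a wildcard in the leftmost label only: *.example.com covers a.example.com, not a.b.example.com."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def certificate_names(cert):
    """DNS SANs when present, otherwise the subject CN values (legacy fallback)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]

def url_matches_certificate(url, cert):
    """True when the Connection URL host is covered by one of the certificate's usable names."""
    host = connection_host(url)
    return any(_dns_name_matches(name, host) for name in certificate_names(cert))
```

With the constructed certificate, `ldaps://ldaps.example.com` and `ldaps://dc1.dir.example.com` pass, while `ldaps://ldap-old.example.com` fails even though that name is the CN, because the SAN list is present and takes precedence. An IP address in the Connection URL fails as well unless the certificate carries a matching IP SAN, which is the usual reason a URL that works for plain ldap:// stops working once ldaps:// is required.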