Configuring Active Directory as a directory service for Ops Center

Ops Center Installation and Configuration Guide
Version
11.0.x
Audience
anonymous
Part Number
MK-99OPS001-25
You can add a directory service and configure authentication for the Ops Center portal so that AD groups can access portal functions and products with a single sign-in.

About using multiple Active Directory servers

  • You can configure a maximum of four Active Directory servers.
  • The Users screen of the Ops Center portal is designed to display up to 1100 users. If the total number of local users and Active Directory users exceeds 1100, the additional users will be able to log in to Ops Center, but will not be displayed on the Users screen.
  • User names and email addresses must be unique and not duplicated across multiple Active Directory servers.
  • If the BIND password is invalid on one of several Active Directory servers registered with Common Services, or if a connection cannot be made to an Active Directory server, the following operations are not possible:
    • Create new local user
    • Display local user list
    • Update user profile

Note: Whenever you make changes to existing Active Directory settings, you must do the following:
  • Click Sync groups to apply the changes to Active Directory groups configured in Ops Center.
  • Click Test connection and Test authentication.
If any errors are reported, confirm the changes are valid.
  1. Log in to the Ops Center portal as sysadmin or a user with opscenter-administrators membership.
  2. From the navigation bar, click Manage users and select User directories from the Asset type list.
  3. Click the + (plus) icon.
    The Add user directory service window opens.
  4. Enter a name for the service.
  5. Select Active directory for the Directory service type.
  6. Select the Authentication protocol.
    LDAP is the default protocol. If you choose Kerberos, select the Realm name from the displayed list.
  7. Enter the Connection URL (for example: ldaps://ldaps.example.com) and then click Test connection.
    Note: Specify the same host name as the CN or SANs in the Active Directory server certificate.
  8. Enter the BIND user DN (for example: CN=bind-user,OU=foo,OU=bar,DC=example,DC=com) and the password and then click Test authentication.
    Note: The BIND User DN only requires read permissions (not admin or modify).
  9. Enter the User base DN (for example: OU=foo,OU=bar,DC=example,DC=com).
    Note: To have portal access, users must be included in the subtree of the DN specified in the User base DN.
  10. You can import a maximum of 1000 AD users. Click Pre-check the number of imported users. If you exceed this limit, you can decrease the number of users to be imported by using a Custom user LDAP filter. For best results, use a filter to specify a user or group. Here are some examples:
    Note: The following search conditions are set automatically and cannot be changed:
    objectclass="person,organizationalPerson,user"
scope=2(subtree)
    To select the sAMAccountName t_brady:
    (sAMAccountName=t_brady)
    To select multiple sAMAccountName instances:
    (|(sAMAccountName=t_brady)(sAMAccountName=p_manning)(sAMAccountName=a_rodgers))
    To select users belonging to group1:
    (memberOf=cn=group1,ou=example)
    To select users belonging to group1 or group2:
    (|(memberOf=cn=group1,ou=example)(memberOf=cn=group2,ou=example))
    For information on how to query a user or group DN from Active Directory, see Using dsquery to obtain user or group DN.
  11. By default, the Add all users under User base DN to opscenter-users group option is not available. This means that only members of groups (next step) are permitted to log in to the portal. If you enable this option, all users under the User base DN are assigned to the opscenter-users group and can also log in.
  12. Provide entries for the Group entry list. For example, if you created AD groups named sanadmin and sanoperator, you can eventually assign roles and permissions appropriate to each group, as in this example: 
    "CN=sanadmin,CN=Users,DC=home,DC=us"
"CN=sanoperator,CN=Users,DC=home,DC=us"
    Click +Add Group DN to add entries.
    Note: The group DN must be included in the subtree of the DN specified in the Group base DN.
  13. Click Submit when the settings are complete. If the "Number of users outside of range" error is still displayed, change the Custom user LDAP filter to reduce the number of users to be added. You can use the Pre-check the number of users (filter) to confirm the results before resubmitting.
    Note: If a group name collides with an existing group name, a KAOP20008-E error is displayed, possibly including "Failed to sync groups" along with name of the directory service. If this occurs, change the name of the existing user group on the Groups screen.
  • The Active Directory entries are added to Manage users > Groups and are displayed with the DN designation.
  • AD users cannot be added to local (non-AD) groups.
  • By default, AD group users are assigned the opscenter-user role, which permits them to log in to the Ops Center portal and access the Inventory tab, but not start Ops Center products. To assign a role to an AD group that permits users access to administrative functions outside the Inventory tab and log in to all Ops Center products with full admin privileges, you can assign the opscenter-system-administrator role. See Assigning portal-level roles to Ops Center groups for more information.
  • To assign product-level roles to an AD group that permit members to access individual Ops Center products, see Assigning product-level roles from the Ops Center portal for more information.
  • Confirm the Active Directory entries appear in Manage users > Groups.
  • Verify Active Directory users can log in. AD users must log in using the sAMAccoutName (no domain).

Using dsquery to obtain user or group DN

You can use the following PowerShell commands to obtain the DN for a user or group.

To get the user DN:

dsquery user

To retrieve the user details (all attributes):

dsquery * user_DN -scope base -attr *

To get the group DN:

dsquery group

To retrieve the group details (all attributes):

dsquery * group_DN -scope base -attr *