
Configuring NNMi to Access a Directory Service

You can configure directory service access in one of the following files:

  • nms-auth-config.xml

    Note The nms-auth-config.xml file is recommended for new configurations.

    The file is located at:

    • Windows: %nnmdatadir%\nmsas\NNM\conf
    • Linux: $NnmDataDir/nmsas/NNM/conf

    By default, the nms-auth-config.xml file available in this location does not contain the XML elements required for LDAP configuration.

    You can manually add all the necessary XML elements to this file by following the instructions in this section.

    NNMi places a sample nms-auth-config.xml file in a different location, which can be used for reference.

    The sample nms-auth-config.xml file is available in the following location:

    • Windows: %nnminstalldir%\newconfig\HPOvNnmAS\nmsas\conf
    • Linux: $NnmInstallDir/newconfig/HPOvNnmAS/nmsas/conf

    You can also copy the entire <ldapLogin> element from the sample nms-auth-config.xml file, and then make necessary modifications.

  • ldap.properties

    Note The ldap.properties file is now deprecated. The nms-auth-config.xml file is recommended for new configurations. You cannot configure NNMi to work with multiple LDAP servers in different domains if you use the ldap.properties file.

    The file is located at:

    • Windows: %NNM_SHARED_CONF%\ldap.properties
    • Linux: $NNM_SHARED_CONF/ldap.properties

Note You cannot use both the nms-auth-config.xml and ldap.properties files at the same time.

For information about this file, see LDAP Configuration File Reference. Also see Examples.

For information about the general structure of a directory service, see Directory Service Queries.

For configuration with mixed mode, complete the following tasks:

For configuration with external mode, complete the following tasks:

Task 1: Back up the Current NNMi User Information

Back up the user information in the NNMi database:

    nnmconfigexport.ovpl -c account -u <user> -p <password> -f NNMi_database_accounts.xml

Task 2: Optional. Configure Secure Communications to the Directory Service

If the directory service requires the use of secure sockets layer (SSL), import your company’s certificate into the NNMi truststore as described in Configuring an SSL Connection to the Directory Service.

Task 3: Configure User Access from the Directory Service

Complete this task for mixed mode and external mode only. Follow the appropriate procedure for your directory service. This task includes the following sections:

Note Do one of the following depending on your environment or configuration choice.

(For detailed configuration instructions, see User Identification.)

Using nms-auth-config.xml

Use the nms-auth-config.xml file when you want to configure multiple LDAP servers (in a federated LDAP environment or when the LDAP servers are in an HA cluster).

  1. Go to the following directory:

    • Windows: %nnmdatadir%\nmsas\NNM\conf
    • Linux: $NnmDataDir/nmsas/NNM/conf
  2. Back up the nms-auth-config.xml file that was shipped with NNMi, and then open the file in any text editor.
  3. Specify values for the following elements:

    Tip

    NNMi places a sample nms-auth-config.xml file in a different location, which can be used for reference.

    The sample nms-auth-config.xml file is available in the following location:

    • Windows: %nnminstalldir%\newconfig\HPOvNnmAS\nmsas\conf
    • Linux: $NnmInstallDir/newconfig/HPOvNnmAS/nmsas/conf

    You can also copy the entire <ldapLogin> element from the sample nms-auth-config.xml file, and then make necessary modifications.

    Elements of the ldapLogin Section of nms-auth-config.xml
    <enabled>
    </enabled>

    Specify true to use the nms-auth-config.xml file. By default, this element is set to false.

    <userRoleFilterList>
    </userRoleFilterList>

    Specify the NNMi roles to which NNMi users can assign incidents.

    To assign incidents to all operators, administrators, and guests, add this:

    <userRoleFilterList>
    admin guest level2 level1
    </userRoleFilterList>
     
    <connectTimeLimit>
    </connectTimeLimit>

    Specify the connection timeout value in milliseconds. The default value is 10000 (10 seconds). If you are encountering timeouts during NNMi user sign in, increase this value. For example: <connectTimeLimit>10000</connectTimeLimit>

     
    <searchTimeLimit>
    </searchTimeLimit>

    Specify the search timeout value in milliseconds. The default value is 10000 (10 seconds). If you are encountering timeouts during NNMi user sign in, increase this value. For example: <searchTimeLimit>10000</searchTimeLimit>

    <server>

    Container element to contain all LDAP configuration information.

       <host>
       </host>

    URL of the LDAP server with port. For example: ldap://hostname.domain.com

       <secure>
       </secure>

    Specify true if you want to use HTTPS. Otherwise, specify false.

    </server>

     

    Note Repeat the server element when you want to use multiple LDAP servers. Use one server element for each LDAP server.

    <bindCredential>

    Container element to include bind credentials (mandatory for directory services that do not support anonymous logon).

       <bindDN>
       </bindDN>

    Specify the bind DN.

      <bindCredential>
      </bindCredential>

    Specify the bind DN password in the encrypted format.

    Run the "nnmldap.ovpl -encrypt <mypassword>" command to encrypt the password.

    <users>

    Container element to include all user configuration details.

      <userSearch>

    Container element to include the configuration information for searching users.

       <base>
       </base>

    For example:

    <base> SAMAccountName={0} </base>

    <base> uid={0} </base>

    <baseContextDN>
    </baseContextDN>

    Specify the portion of the directory service domain that stores user records.

    For example:

    For Active Directory

    CN=user,OU=Users,OU=Accounts,DC=mycompany,DC=com

    For other LDAP technologies

    ou=People,o=example.com

      </userSearch>
     </users>
     

    Note You can repeat the configuration element when you want to use multiple LDAP servers with different LDAP configurations.

    For example, if one unit in your organization uses Windows and Active Directory, and another unit uses Linux with OpenLDAP, you could specify two different <configuration> elements, one for Active Directory and the other for OpenLDAP. Use one set of base and baseContextDN elements for each LDAP server.

    In an HA cluster of LDAP servers, the identity information is identical across servers and you should use multiple server elements in a single configuration element, instead of using multiple configuration elements.

    However, in other environments, it is possible to specify different base formats for different LDAP servers (for example, SAMAccountName for one and uid for the other).

  4. After editing the nms-auth-config.xml file (in the <NnmInstallDir>/nmsas/NNM/conf directory), run the following command:

    • Windows: %nnminstalldir%\bin\nnmldap.ovpl -reload
    • Linux: $NnmInstallDir/bin/nnmldap.ovpl -reload

Using ldap.properties

  1. Back up the ldap.properties file that was shipped with NNMi, and then open the file in any text editor.
  2. Specify the URL for accessing the directory service.

    1. Uncomment the following line:

      java.naming.provider.url
    2. Set the property to ldap://<myldapserver>:<port>/.

      In this instance, <myldapserver> is the fully qualified hostname of the directory server and <port> is the communication port of the directory server.

    Example:

    java.naming.provider.url=ldap://testsystem.example.com:636
  3. Specify the security mode.

    1. Uncomment the following line:

      java.naming.security.provider
    2. Set the property to SSL if you want NNMi to communicate with the directory server securely.

    Example:

    java.naming.security.provider=SSL
  4. If your directory service installation does not support anonymous access, specify credentials for a valid directory service user.

    1. Uncomment the following lines:

      bindDN
      bindCredential
    2. Set these properties to the following values:

      bindDN=<mydomain>\\<myusername>
      bindCredential=<mypassword>

      In this instance, <mydomain> is the name of the directory server domain; <myusername> and <mypassword> are the user name and password for accessing the directory server.

      Note If you plan to add the password in plain text, specify a user name with read-only access to the directory service. If you plan to specify an encrypted password, use the following command to encrypt the plain text password before adding it to the ldap.properties file:

      nnmldap.ovpl -encrypt <mypassword>

      This encrypted password only works for the NNMi instance you create it for. Do not attempt to use it for a different NNMi instance.

      For more information see the nnmldap.ovpl reference page, or the Linux manpage.

  5. Specify the portion of the directory service domain that stores user records.

    1. Uncomment the following line:

      baseCtxDN

    2. Set this property to the portion of the directory service domain that stores user records.

      Examples:

      • Microsoft Active Directory

        baseCtxDN=CN=Users,DC=hostname,DC=example,DC=com

      • Other LDAP

        baseCtxDN=ou=People,o=example.com
  6. Modify the userRoleFilterList parameter value to specify the NNMi roles to which NNMi operators can assign incidents.

Task 4: Test the User Name and Password Configuration

  1. In the LDAP configuration file, set defaultRole to guest for testing purposes. (You can change this value at any time.)

    • In nms-auth-config.xml, add the following content before the <userSearch> element:

      <defaultRoles>
      <role>guest</role>
      </defaultRoles>
    • In ldap.properties, add defaultRole=guest.
  2. Save the LDAP configuration file.
  3. Force NNMi to re-read the file by running the following command:

    nnmldap.ovpl -reload

  4. Log on to the NNMi console with a user name and password that are defined in the directory service.

    Tip Run this test with a user name that is not already defined in the NNMi database.

  5. Verify the user name and NNMi role (Guest) in the title bar of the NNMi console.

    • If user sign in works correctly, continue with step 8 of this task.
    • If user sign in does not work correctly, continue with step 6, next.

      Tip After each test, sign out of the NNMi console to clear the session credentials.

  6. Test the configuration for one user by running the following command:

    nnmldap.ovpl -diagnose <NNMi_user>

    Replace <NNMi_user> with the sign-in name of an NNMi user as defined in the directory service.

    Examine the command output and respond appropriately. Suggestions include:

  7. Repeat step 1 through step 5 until you see the expected result when signing in to the NNMi console.
  8. After you can log on, choose your strategy:

    • If you plan to store NNMi user group membership in the NNMi database (configuration using mixed mode), continue with Task 9.
    • If you plan to store NNMi user group membership in the directory service (configuration using external mode), continue with Task 5, next.

Task 5: (External Mode only) Configure Group Retrieval from the Directory Service

Complete this task for configuration option 3. Follow the appropriate procedure for your directory service. This task includes the following sections:

Note Do one of the following depending on your environment or configuration choice.

(For detailed configuration instructions, see User Group Identification.)

Using the nms-auth-config.xml File

  1. Go to the following directory:

    • Windows: %nnmdatadir%\nmsas\NNM\conf
    • Linux: $NnmDataDir/nmsas/NNM/conf
  2. Take a backup of the nms-auth-config.xml file, and then open the file with a text editor.
  3. Modify the following elements:

    Tip

    NNMi places a sample nms-auth-config.xml file in a different location, which can be used for reference.

    The sample nms-auth-config.xml file is available in the following location:

    • Windows: %nnminstalldir%\newconfig\HPOvNnmAS\nmsas\conf
    • Linux: $NnmInstallDir/newconfig/HPOvNnmAS/nmsas/conf

    You can also copy the entire <ldapLogin> element from the sample nms-auth-config.xml file, and then make necessary modifications.

    Elements of the ldapLogin Section of nms-auth-config.xml

    <roleSearch>

    Placeholder element to include the user role information.

    <roleBase>member={1}</roleBase>

    Replace member with the name of the group attribute that stores the directory service user ID in the directory service domain.

    <roleContextDN>
    </roleContextDN>

    Specify the portion of the directory service domain that stores group records.

    The format is a comma-separated list of directory service attribute names and values. For example:

    • For Microsoft Active Directory
      CN=Users,DC=ldapserver,DC=mycompany,DC=com
    • For other LDAP technologies
      ou=Groups,o=example.com

    </roleSearch>

     

  4. Save the file.
  5. Run the following command:

    nnmldap.ovpl -reload
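The elements described in Task 3 and in this task, assembled into one complete <ldapLogin> element. This is an added example, not the sample file shipped with NNMi: it shows two <configuration> elements, one for an Active Directory domain served by two domain controllers in an HA cluster (two <server> elements, one shared configuration), and one for an OpenLDAP unit that uses the uid base format. The placement of <configuration>, <defaultRoles> and <roleSearch> under <users> is inferred from the notes in these tasks; host names, DNs and the bind credential value are constructed placeholders.

```xml
<ldapLogin>
  <enabled>true</enabled>
  <!-- NNMi roles to which incidents may be assigned -->
  <userRoleFilterList>admin guest level2 level1</userRoleFilterList>
  <connectTimeLimit>10000</connectTimeLimit>
  <searchTimeLimit>10000</searchTimeLimit>
  <!-- Configuration 1: Active Directory, two domain controllers in an HA cluster.
       Identity data is identical on both, so both share one configuration. -->
  <configuration>
    <server>
      <host>ldap://dc1.example.com:636</host>
      <secure>true</secure>
    </server>
    <server>
      <host>ldap://dc2.example.com:636</host>
      <secure>true</secure>
    </server>
    <bindCredential>
      <bindDN>CN=nnmi-bind,OU=Service Accounts,DC=example,DC=com</bindDN>
      <!-- placeholder: paste the output of "nnmldap.ovpl -encrypt <mypassword>" here -->
      <bindCredential>ENCRYPTED_PASSWORD_PLACEHOLDER</bindCredential>
    </bindCredential>
    <users>
      <!-- role granted during the Task 4 sign-in test; change or remove it in Task 9 -->
      <defaultRoles>
        <role>guest</role>
      </defaultRoles>
      <userSearch>
        <base>sAMAccountName={0}</base>
        <baseContextDN>OU=Users,OU=Accounts,DC=example,DC=com</baseContextDN>
      </userSearch>
      <roleSearch>
        <roleBase>member={1}</roleBase>
        <roleContextDN>OU=Groups,DC=example,DC=com</roleContextDN>
      </roleSearch>
    </users>
  </configuration>
  <!-- Configuration 2: OpenLDAP unit with a different base format (uid) -->
  <configuration>
    <server>
      <host>ldap://ldap.example.org:389</host>
      <secure>false</secure>
    </server>
    <bindCredential>
      <bindDN>cn=nnmi,ou=Service,o=example.org</bindDN>
      <bindCredential>ENCRYPTED_PASSWORD_PLACEHOLDER</bindCredential>
    </bindCredential>
    <users>
      <userSearch>
        <base>uid={0}</base>
        <baseContextDN>ou=People,o=example.org</baseContextDN>
      </userSearch>
      <roleSearch>
        <roleBase>member={1}</roleBase>
        <roleContextDN>ou=Groups,o=example.org</roleContextDN>
      </roleSearch>
    </users>
  </configuration>
</ldapLogin>
```

After saving the file, run nnmldap.ovpl -reload as in step 5, then use nnmldap.ovpl -diagnose <NNMi_user> (Task 4) with one account from each configuration to confirm that each base and baseContextDN pair resolves the user.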

Using ldap.properties

  1. Back up the ldap.properties file, and then open the file in any text editor.
  2. Uncomment the rolesCtxDN property.
  3. Set the property to the portion of the directory service domain that stores group records.

    Examples:

    • Microsoft Active Directory

      rolesCtxDN=CN=Users,DC=hostname,DC=example,DC=com

    • Other LDAP

      rolesCtxDN=ou=Groups,o=example.com

  4. Save the file.
  5. Run the following command:

    nnmldap.ovpl -reload

Task 6: (External Mode only) Map the Directory Service Groups to NNMi User Groups

  1. In the NNMi console, map the predefined NNMi user groups to their counterparts in the directory service:

    1. Open the User Groups view.

      In the Configuration workspace, expand Security, and then click User Groups.

    2. Double-click the admin row.
    3. In the Directory Service Name field, enter the full distinguished name of the directory service group for NNMi administrators.
    4. Click the Save and Close icon.
    5. Repeat step b through step d for each of the guest, level1, and level2 rows.

    Tip These mappings provide NNMi console access. Every user who will access the NNMi console must be in a directory service group that is mapped to one of the predefined NNMi user groups named in this step.

  2. For other groups containing one or more NNMi users in the directory service, create a new user group in the NNMi console:

    1. Open the User Groups view.

      In the Configuration workspace, expand Security, and then click User Groups.

    2. Click the New icon, and then enter the information for the group:

      • Set Unique Name to any unique value. Short names are recommended.
      • Set Display Name to the value users should see.
      • Set Directory Service Name to the full distinguished name of the directory service group.
      • Set Description to text that describes the purpose of this NNMi user group.
    3. Click Save and Close.
    4. Repeat step b and step c for each additional directory service group of NNMi users.

    Tip These mappings provide topology object access in the NNMi console. Each directory service group can be mapped to multiple NNMi user groups.

Task 7: (External Mode only) Test the NNMi User Group Configuration

  1. Save NNMi's LDAP configuration file (ldap.properties or nms-auth-config.xml).
  2. Force NNMi to re-read the LDAP configuration file by running the following command:

    nnmldap.ovpl -reload

  3. Log on to the NNMi console with a user name and password that are defined in the directory service.

    Note Run this test with a user name that is not already defined in the NNMi database and is a member of a directory service group that is mapped to the admin, level1, or level2 NNMi user group.

  4. Verify the user name and NNMi role (as configured in the Display Name field in the User Group view) in the title bar of the NNMi console.

    • If user sign-in works correctly, continue with Task 8.
    • If user sign-in does not work correctly, continue with step 5, next.

    Tip After each test, sign out of the NNMi console to clear the session credentials.

  5. Test the configuration for one user by running the following command:

    nnmldap.ovpl -diagnose <NNMi_user>

    Replace <NNMi_user> with the sign-in name of an NNMi user as defined in the directory service.

    Examine the command output and respond appropriately. Suggestions include:

    • Verify that you completed Task 5 correctly.
    • Verify that you completed Task 6 correctly for each of the predefined NNMi user groups.
    • Follow the detailed configuration process in User Group Identification.
  6. Repeat step 1 through step 4 until you see the expected result when signing in to the NNMi console.

Task 8: (External Mode only) Verify NNMi User Groups for Incident Assignment

  1. Log on to the NNMi console with a user name and password that are defined in the directory service.
  2. In any incident view, select an incident, and then click Actions > Assign > Assign Incident. Verify that you can assign the incident to a user in each of the NNMi roles specified by the userRoleFilterList parameter.

Task 9: Clean up to Prevent Unexpected Access to NNMi

  1. Optional. Change the value of, or comment out, the defaultRole element or parameter in the LDAP configuration file.
  2. (Mixed Mode only) To store user group membership in the NNMi database, reset the user access information in the NNMi database as follows:

    1. Remove any pre-existing user access information. (Delete all rows in the User Accounts view.)

      For instructions, see Delete a User Account in the NNMi help.

    2. For each NNMi user, create a new object in the User Accounts view for the user name.

      • For the Name field, enter the user name as defined in the directory service.
      • Select the Directory Service Account check box.
      • Do not specify a password.

      For more information, see User Account Tasks in the NNMi help.

    3. For each NNMi user, map the user account to one or more NNMi user groups.

      For instructions, see User Account Mapping Tasks in the NNMi help.

    4. Update incident ownership so that each assigned incident is associated with a valid user name.

      For instructions, see Manage Incident Assignments in the NNMi help.

  3. (External Mode only) To rely on the user group membership in the directory service, reset the user access information in the NNMi database as follows:

    1. Remove any pre-existing user access information. (Delete all rows in the User Accounts view.)

      For instructions, see Delete a User Account in the NNMi help.

    2. Update incident ownership so that each assigned incident is associated with a valid user name.

      For instructions, see Manage Incident Assignments in the NNMi help.

Task 10: Optional. Map the User Groups to Security Groups

For instructions, see Security Group Mapping Tasks in the NNMi help.