Operations Manager roles from LDAP

michaelproact · ‎2010-03-18

Hi!

I'm trying to make Operations Manager 4.0 to work with Active Directory over LDAP. (this is a Operations Manager 4.0 running on Linux box) to read group memberships and assign roles to those specific memberships. I can't quite get it to work.

My user 'adam' is a member of the group 'acme'. I want 'adam' to gain 'GlobalRead' automatically through an Active Directory group membership.

Authentication works:

dfm ldap test adam <password>

Authentication succeeded.
Username: CN=adam,OU=Users,OU=Admin,OU=DS,DC=MIFFO,DC=LOCAL
Name:     memberOf=CN=acme,OU=Users,OU=Admin,OU=DS,DC=MIFFO,DC=LOCAL
Name:     CN=adam,OU=Users,OU=Admin,OU=DS,DC=MIFFO,DC=LOCAL
Name:     CN=acme,OU=Users,OU=Admin,OU=DS,DC=MIFFO,DC=LOCAL

LDAP settings as follows:

ldapBaseDN                            OU=DS,DC=MIFFO,DC=LOCAL
ldapBindDN                            CN=ldapquery,OU=Users,OU=Service,OU=DS,DC=MIFFO,DC=LOCAL
ldapBindPass                          ********
ldapEnabled                           Yes
ldapGID                               memberOf
ldapMember                            member
ldapUGID                              cn
ldapUID                               cn
ldapVersion                           3

I have GlobalRead assigned to:

571     memberOf=CN=acme,OU=Users,OU=Admin,OU=DS,DC=MIFFO,DC=LOCAL
572     acme
573     CN=acme,OU=Users,OU=Admin,OU=DS,DC=MIFFO,DC=LOCAL

I'm starting to suspect that Operations Manager expects the 'cn' to be assigned to users 'memberOf' attribute and the groups 'member' attribute to be assigned to the members 'cn'.

How is this suppose to work? The NOW manual is thin on the subject and so is the included manual as well as the man page.

I have the Posix schema in the AD if that will help.

TIA

hiyer · ‎2010-03-18

>> Operations Manager expects the 'cn' to be assigned to users 'memberOf' attribute and the groups 'member' attribute to be assigned to the members 'cn'.

It's either of the two or both, actually:

1. If the 'ldapGID' option is specified, OM will retrieve groups based on the attribute value specified therein. This is like your first case.

2. If the 'ldapUGID' option is specified, OM will retrieve groups with a query along the lines of '(&(<ldapugid>=<user dn>)(objectClass=*))'. This is equivalent to your second case.

If both 'ldapGID' and 'ldapUGID' are specified, groups will be retrieved by both means.

Coming back to your problem, can you provide some more details on what the problem is that you are observing - whether it's in OM or NMC, for example. We have observed some bugs when using LDAP groups, and I'd like to check if you are hitting one of them. Otherwise, your settings seem to be fine to the best of my limited knowledge.

michaelproact · ‎2010-03-18

My local SE helped me crack this. The problem is that I was blinded by adding the LDAP groups to DFM as "Roles" when for a fact the LDAP group should be added as a user.

$ dfm user add acme
Added administrator acme.

$ dfm user list
Id Administrator Email Pager
----- ---------------------- ------------------------ ------------------------
612 CN=acme,OU=Users,OU=Admin,OU=DS,DC=MIFFO,DC=LOCAL

The administrator is an LDAP group and my user adam get the roles I assigned to acme.

My problem/question is solved, but I think you guys need to clarify this somewhere in this section of the NOW documentation: http://now.netapp.com/NOW/knowledge/docs/DFM_win/rel40/html/software/opsmgr/GUID-AC515821-9BC6-4CDA-99BE-BAA80A53FC3F.html It could've saved me a great deal of time. At least I can explain how LDAP in DFM works in flying colors if a customer has any questions.