When this option is selected, the hub probe forwards login requests to an LDAP server, so users can log on to the Nimsoft consoles with their LDAP credentials. Using ACLs (Access Control Lists) defined in the Infrastructure Manager, users belonging to different LDAP groups can be assigned different permissions in Nimsoft.
Hub LDAP parameters
The hub can be configured to point to a specific LDAP server by IP address or hostname. A Lookup button lets you test the connection.
· Select the LDAP server type. Currently two LDAP server types are supported: Active Directory and eDirectory.
· Use SSL
Tick this option to use SSL (LDAPS) for the LDAP communication. Without it, the hub's bind password and every user's login password cross the network in clear text, so leave it enabled unless your LDAP server does not offer SSL. Most LDAP servers are configured to use it.
· You must also specify a username and a password that the hub uses when binding to the LDAP server to retrieve information. This account only needs read access to the group and user containers, so use a dedicated, least-privilege service account rather than an administrator.
In Active Directory, the user can be specified as an ordinary username.
In eDirectory, the user must be specified as the path to the user in LDAP, in the format CN=yyy,O=xxx, where CN is the username and O is the organization.
· Specify a group container in LDAP to define where in the LDAP structure to search for groups. Clicking the Test button lets you check if the container is valid.
Finally, specify a user container in LDAP to define more specifically where in the LDAP structure to search for users.
So essentially you need to:
Open the hub probe -> select the General tab -> click the Settings button
1. Select LDAP Authentication
2. Enter a Server Name
3. Select the Server Type, in this case AD
4. Change the Group Container to:
Where XXXX is your domain
5. Add the user in the form of domain\user
6. Add the password
LDAP Authentication prerequisites
In Active Directory, create a single flat group for your Nimsoft users (ideally in an OU dedicated to NMS groups), e.g., Nimsoft-Admins. Then add every user who needs Nimsoft access directly to that group.
Then, using the Infrastructure Manager, create an ACL and set the LDAP group you just created as that ACL's LDAP group.
LDAP/Active Directory authentication configuration tips
Note that CA UIM (Nimsoft) supports Active Directory and eDirectory LDAP interfaces.
Add an Active Directory Group (Task for the Active Directory Admin)
Make sure that the group you add to the AD is truly a FLAT AD group. Nested groups are currently NOT supported. 'Groups within groups' or AD referrals are not supported in any manner. A nested group in this context means:
- LDAP Group A Exists
- Individual User is a direct member of LDAP Group A
- LDAP Group B Also Exists
- LDAP Group A is added to LDAP Group B's membership so that users who are members of A are now also 'indirectly' members of B.
IMPORTANT: Nested groups or users inside the AD group will not work. Use one FLAT group that contains your Nimsoft 'admin' users directly; do not nest sub-groups of users inside it.
When nested groups are used, associating the ACL with a login user fails because the hub does not see or treat the user as a direct member of the group. The user must be a direct member of the single flat group, meaning that the group is listed in the user's Active Directory memberOf attribute.
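The following is an added example, not CA UIM/Nimsoft code. It models the rule stated above: the hub honours a login for an ACL only when the ACL's LDAP group appears directly in the user's memberOf attribute, so a user who reaches the group only through a nested group is silently excluded. The directory entries, group names and DNs are constructed for illustration; the audit logic is the check an AD admin would want to run before handing a group name to the Nimsoft administrator.

```python
# Added example (not hub code): audit an AD group for the "flat group" rule.
# DIRECTORY is a constructed stand-in for LDAP search results keyed by DN.

DIRECTORY = {
    "CN=jsmith,OU=Users,DC=example,DC=com": {
        "objectClass": "user",
        "memberOf": ["CN=Nimsoft-Admins,OU=NMS-Groups,DC=example,DC=com"],
    },
    "CN=adoe,OU=Users,DC=example,DC=com": {
        "objectClass": "user",
        # adoe is only in Group-A; Group-A is nested inside Nimsoft-Ops
        "memberOf": ["CN=Group-A,OU=NMS-Groups,DC=example,DC=com"],
    },
    "CN=Nimsoft-Admins,OU=NMS-Groups,DC=example,DC=com": {   # flat group
        "objectClass": "group",
        "member": ["CN=jsmith,OU=Users,DC=example,DC=com"],
    },
    "CN=Group-A,OU=NMS-Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": ["CN=adoe,OU=Users,DC=example,DC=com"],
        "memberOf": ["CN=Nimsoft-Ops,OU=NMS-Groups,DC=example,DC=com"],
    },
    "CN=Nimsoft-Ops,OU=NMS-Groups,DC=example,DC=com": {      # nested group
        "objectClass": "group",
        "member": ["CN=Group-A,OU=NMS-Groups,DC=example,DC=com"],
    },
}


def norm_dn(dn):
    """AD DNs compare case-insensitively; fold case before comparing."""
    return dn.lower()


def is_direct_member(user_dn, group_dn, directory=DIRECTORY):
    """True only if group_dn is listed in the user's own memberOf attribute.
    This is what the flat-group requirement above boils down to."""
    member_of = directory[user_dn].get("memberOf", [])
    return norm_dn(group_dn) in {norm_dn(g) for g in member_of}


def nested_groups(group_dn, directory=DIRECTORY):
    """DNs of members of group_dn that are themselves groups (should be none)."""
    return [m for m in directory[group_dn].get("member", [])
            if directory.get(m, {}).get("objectClass") == "group"]


def transitive_users(group_dn, directory=DIRECTORY, seen=None):
    """Users reachable through nesting. AD tooling shows this expanded view,
    which is why a nested setup looks fine to the AD admin but fails in the hub."""
    seen = set() if seen is None else seen
    users = set()
    for m in directory[group_dn].get("member", []):
        if m in seen:
            continue
        seen.add(m)
        if directory.get(m, {}).get("objectClass") == "group":
            users |= transitive_users(m, directory, seen)
        else:
            users.add(m)
    return users


def audit_acl_group(group_dn, directory=DIRECTORY):
    """Report which users an ACL bound to group_dn will and will not honour."""
    nested = nested_groups(group_dn, directory)
    reachable = transitive_users(group_dn, directory)
    honoured = {u for u in reachable if is_direct_member(u, group_dn, directory)}
    return {
        "flat": not nested,
        "nested_groups": nested,
        "users_honoured_by_hub": honoured,
        "users_silently_excluded": reachable - honoured,
    }


if __name__ == "__main__":
    for g in ("CN=Nimsoft-Admins,OU=NMS-Groups,DC=example,DC=com",
              "CN=Nimsoft-Ops,OU=NMS-Groups,DC=example,DC=com"):
        print(g.split(",")[0], audit_acl_group(g))
```

Running it shows Nimsoft-Admins as flat with jsmith honoured, while Nimsoft-Ops reports Group-A as a nested group and adoe as reachable in AD but excluded by the hub. Against a real directory the same functions apply to the member and memberOf values returned by an LDAP search.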
Other hub settings:
Open the hub in Raw Configure mode and select the ldap->templates section.
By default the hub probe has this setting:
member_lookup_reverse = yes
If any user or group DN contains a comma inside a value (for example a CN written as "Last, First"), open the hub probe in Raw Configure and set:
member_lookup_reverse = no
The hub then uses the 'old' lookup method, which still works when a DN contains a , character.
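The article does not say why the reverse lookup breaks on such DNs. The usual cause of this class of failure is splitting a DN on "," without honouring RFC 4514 escaping, where a literal comma inside a value is written as "\," (or as the hex escape "\2c"). The following is an added example, not hub code: it shows the naive split next to an escape-aware split, and a helper that flags the DNs for which the member_lookup_reverse = no workaround above is needed. The DNs are constructed.

```python
# Added example (not hub code): escape-aware DN splitting per RFC 4514.

_HEX = set("0123456789abcdefABCDEF")


def _is_hex_pair(s):
    return len(s) == 2 and all(ch in _HEX for ch in s)


def naive_split(dn):
    """What a lookup that simply splits on commas sees."""
    return dn.split(",")


def split_rdns(dn):
    """Split a DN into its RDNs, keeping escapes intact. A backslash escapes
    the next character ("\," is a literal comma) or introduces a two-digit hex
    byte ("\2c"); neither form terminates an RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            if _is_hex_pair(dn[i + 1:i + 3]):
                buf.append(dn[i:i + 3]); i += 3      # \XX
            else:
                buf.append(dn[i:i + 2]); i += 2      # \, \\ \+ \= ...
            continue
        if c == ",":
            rdns.append("".join(buf)); buf = []; i += 1
            continue
        buf.append(c); i += 1
    rdns.append("".join(buf))
    return rdns


def unescape_value(value):
    """Turn an escaped RDN value back into the attribute's real text.
    Hex escapes are UTF-8 bytes, so decode after collecting them."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            if _is_hex_pair(value[i + 1:i + 3]):
                out.append(int(value[i + 1:i + 3], 16)); i += 3
            else:
                out += value[i + 1].encode("utf-8"); i += 2
            continue
        out += value[i].encode("utf-8"); i += 1
    return out.decode("utf-8")


def rdn_pairs(dn):
    """[(ATTR, unescaped value), ...]; attribute types are case-insensitive."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip().upper(), unescape_value(val.strip())))
    return pairs


def dns_needing_workaround(dns):
    """DNs for which a naive split and the escape-aware split disagree, i.e.
    DNs with a comma inside a value."""
    return [dn for dn in dns if len(naive_split(dn)) != len(split_rdns(dn))]


if __name__ == "__main__":
    sample = [r"CN=Smith\, John,OU=Users,DC=example,DC=com",
              "CN=jsmith,OU=Users,DC=example,DC=com"]
    for dn in sample:
        print(naive_split(dn), "->", rdn_pairs(dn))
    print("need member_lookup_reverse = no:", dns_needing_workaround(sample))
```

Feed it the DNs returned by a search of your user container; any DN it flags is one where the escape-blind lookup is at risk, and where setting member_lookup_reverse = no is the workaround the article gives.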
Also using hub Raw Configure, you can try changing the default setting:
format = $username@$domain
to:
format = $username
Please also set:
lookup = no
Then click OK to restart the hub.
When you try to login, use a simple username from AD such as jsmith.
Once you have configured a flat group in LDAP for Nimsoft administrators, such as "Nimsoft-Admins", and the user(s) are direct members of that group in AD, log in to the Infrastructure Manager and in the IM menu:
Select Security->Manage Access Control List...
Select or define a new ACL, e.g., NMS_ADMINS
Then click the "Set LDAP Group" button to set the LDAP group for that ACL. The window should list the LDAP groups found in the group container, including the one you created in AD, e.g., Nimsoft-Admins.
Once the ACL (e.g., NMS_ADMINS) is associated with the flat AD group (e.g., Nimsoft-Admins), authenticating as a user who is a direct member of that group should work as expected.
Once the AD (LDAP) user is logged in you will see their active login id displayed on the bottom left-hand side of the IM client window.