User authentication with multiple LDAP Groups in DX NetOps CA Performance Management (CAPM)

Article ID: 103251

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

The Single Sign-On authentication feature in DX NetOps CAPM provides Lightweight Directory Access Protocol (LDAP) integration, which allows users to authenticate to an LDAP server. Once authenticated, these users are mapped to a predefined or a custom user account specified by the administrator.

Let's assume an environment has multiple LDAP groups created, for example NetworkAdmin, SysAdmins and OperatorAdmin,
and those groups are mapped to different roles:

NetworkAdmin  = admin
SysAdmins     = engineer
OperatorAdmin = operator

If a user is a member of two of these groups, e.g. NetworkAdmin and SysAdmins, which role will it get: admin or engineer?
Will the search take the profile from the first group found in the LDAP Group configuration and, once found, stop searching the remaining groups?

For example, if the LDAP configuration has the following parameters set for option "10. Group" when running the './SsoConfig' command:
.... 
<LDAPGroups>
<Group searchTag="memberOf" searchString=" CN=NetworkAdmin,OU=Groups,OU=North America,DC=abcd,DC=com" user="{sAMAccountName}" passwd="" userClone="nadmin"/>
<Group searchTag="memberOf" searchString=" CN=SysAdmins,OU=Groups,OU=North America,DC=abcd,DC=com" user="{sAMAccountName}" passwd="" userClone="sysadmin"/>

</LDAPGroups>
....

and a user is a member of both the 'NetworkAdmin' and 'SysAdmins' groups, from which of these groups will it get its profile when it logs in to NetOps Portal?

Environment

DX NetOps CAPM all currently supported releases

Resolution

For LDAP Groups authentication, when a user is a member of more than one group, the search is made on a first-match-wins basis.
The user gets the profile from the first matching group in the LDAP Group configuration, and the search stops there; the remaining groups in the list are not evaluated.
Therefore the groups must be listed in the order in which they should be processed, so that users receive the intended roles.

In the given example, the user gets its profile from the 'NetworkAdmin' group, which is the first match in the LDAP configuration.
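The following added example (not part of the product or this article) simulates the first-match-wins evaluation described above: it parses the <LDAPGroups> block from the question, checks a constructed user entry against each <Group> in configuration order, and returns the userClone of the first match. It assumes that surrounding whitespace and letter case in a DN are not significant and that the user's attribute is compared by exact DN; the user's memberOf values are deliberately listed in the opposite order to show that configuration order, not attribute order, decides the result.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample: the <LDAPGroups> block from the article, in the order
# the administrator entered it in './SsoConfig' option "10. Group".
LDAP_GROUPS_XML = """
<LDAPGroups>
<Group searchTag="memberOf" searchString=" CN=NetworkAdmin,OU=Groups,OU=North America,DC=abcd,DC=com" user="{sAMAccountName}" passwd="" userClone="nadmin"/>
<Group searchTag="memberOf" searchString=" CN=SysAdmins,OU=Groups,OU=North America,DC=abcd,DC=com" user="{sAMAccountName}" passwd="" userClone="sysadmin"/>
</LDAPGroups>
"""

# Constructed LDAP entry for a user who is a member of both groups.
USER_IN_BOTH = {
    "sAMAccountName": "jdoe",
    "memberOf": [
        "CN=SysAdmins,OU=Groups,OU=North America,DC=abcd,DC=com",
        "CN=NetworkAdmin,OU=Groups,OU=North America,DC=abcd,DC=com",
    ],
}

def _norm(dn: str) -> str:
    # Assumption: surrounding whitespace and case in a DN are not significant.
    return dn.strip().lower()

def resolve_clone(groups_xml: str, user_entry: dict) -> Optional[str]:
    """userClone of the FIRST <Group> (config order) whose searchString is
    among the user's searchTag values; None if no group matches."""
    root = ET.fromstring(groups_xml)
    for group in root.findall("Group"):
        tag = group.get("searchTag")
        wanted = _norm(group.get("searchString", ""))
        values = user_entry.get(tag, [])
        if isinstance(values, str):
            values = [values]
        if any(_norm(v) == wanted for v in values):
            return group.get("userClone")   # first match wins; stop here
    return None

def reorder_groups(groups_xml: str) -> str:
    """Same config with the <Group> entries reversed, to show that the
    ordering alone decides which profile a multi-group user receives."""
    root = ET.fromstring(groups_xml)
    groups = root.findall("Group")
    for g in groups:
        root.remove(g)
    for g in reversed(groups):
        root.append(g)
    return ET.tostring(root, encoding="unicode")
```

With the configuration as written, resolve_clone returns "nadmin" for the user above; with the two <Group> lines swapped it returns "sysadmin", which is why the order of the list is the only control over which role a multi-group user receives.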

Additional Information

NOTE: When using this procedure, option "9. Account User Default Clone:" in SsoConfig must be blank.

Example:

9. Account User Default Clone:

 

More details on LDAP configuration are available in the CA Performance Management documentation:

TechDocs : DX NetOps 23.3 : Enable LDAP/LDAPS Authentication