Does Spectrum Server support LDAP Group level authentication?
Article ID: 206275
Updated On:
Products
Issue/Introduction
Does Spectrum Server support LDAP Group level authentication?
Environment
Release : 10.4.2 - Present
Component : SPCOCK - Spectrum OneClick
Resolution
From 10.4.2, you can log in to DX NetOps Spectrum when it is integrated with LDAP even if the user is not present in DX NetOps Spectrum. The user is automatically created in DX NetOps Spectrum during the first login. However, only those users who are part of the configured LDAP user groups in DX NetOps Spectrum can log in automatically. In DX NetOps Spectrum, the administrator must manually create a user group in all the landscapes with the same group name and required privileges as present in LDAP.
Review the following points:
- The user model is created in DX NetOps Spectrum in all the available landscapes in which the user group is present.
- If any landscape is down when the user logs in, then you must manually create the user in the landscape when the landscape is available.
- If the user is removed from the LDAP server, then the user must be manually removed from the DX NetOps Spectrum user group in every landscape.
- If the user is moved from one user group to another in the LDAP server, then you must do it manually in the DX NetOps Spectrum groups. However, login of the user is not affected for the user even if the user is not moved in DX NetOps Spectrum.
- If the user is part of the multiple groups in the LDAP server and matched with the multiple groups configured in DX NetOps Spectrum, then the first matching group is considered for the user authentication. In this case, the order in which the LDAP server returns the user group names is random. Therefore, matching is not always the same.
Follow these steps:
- Log in to OneClick Console.
- Create a user group with the same name as present in the LDAP server.
- Copy the ldap-grps-mappings-config.xml file from the $SPECROOT\tomcat\webapps\spectrum\WEB-INF\ldap\config directory to the $SPECROOT\tomcat\custom\ldap\config directory.
- Edit the ldap-grps-mappings-config.xml file.
- Set the property LDAPGroups authEnabled to true as shown in the following example:<LDAPGroups authEnabled="false"> To <LDAPGroups authEnabled="true">If the LDAP groups are configured and the LDAP groups authEnabled property is not set to true, the LDAP user cannot be authenticated in DX NetOps Spectrum.
- Add the group search tag and the search string for each LDAP group.<Group searchTag="memberOf" searchString="CN=group_name,CN=Users,DC=company,DC=local"/>Ensure that DX NetOps Spectrum contains the user group with the same name as in the LDAP server.
- Save the file.
- Restart the OneClick server.
Additional Information
Feedback
