Does Spectrum Server support LDAP Group level authentication?

Article ID: 206275

Updated On:

Products

CA Spectrum

Issue/Introduction

Does Spectrum Server support LDAP Group level authentication?

Environment

Release : 10.4.x

Component : Spectrum Core / SpectroSERVER

Resolution

LDAP group authentication was added in Spectrum 10.4.2. The following steps are required to configure it:

LDAP User Group Authentication
From 10.4.2, you can log in to DX NetOps Spectrum when it is integrated with LDAP even if the user is not present in DX NetOps Spectrum. The user is automatically created in DX NetOps Spectrum during the first login. However, only those users who are part of the configured LDAP user groups in DX NetOps Spectrum can log in automatically. In DX NetOps Spectrum, the administrator must manually create a user group in all the landscapes with the same group name and required privileges as present in LDAP.
Review the following points:
  • The user model is created in DX NetOps Spectrum in all the available landscapes in which the user group is present.
  • If any landscape is down when the user logs in, then you must manually create the user in the landscape when the landscape is available.
  • If the user is removed from the LDAP server, then the user must be manually removed from the DX NetOps Spectrum user group in every landscape.
  • If the user is moved from one user group to another in the LDAP server, then you must make the same move manually in the DX NetOps Spectrum groups. However, the user's login is not affected even if the user is not moved in DX NetOps Spectrum.
  • If the user is part of multiple groups in the LDAP server and these match multiple groups configured in DX NetOps Spectrum, then the first matching group is considered for the user authentication. In this case, the order in which the LDAP server returns the user group names is random. Therefore, matching is not always the same.
Follow these steps:
  • Log in to OneClick Console.
  • Create a user group with the same name as present in the LDAP server.
  • Copy the ldap-grps-mappings-config.xml file from the $SPECROOT\tomcat\webapps\spectrum\WEB-INF\ldap\config directory to the $SPECROOT\tomcat\custom\ldap\config directory.
  • Edit the ldap-grps-mappings-config.xml file.
  • Set the property LDAPGroups authEnabled to true as shown in the following example:
    <LDAPGroups authEnabled="false"> to <LDAPGroups authEnabled="true">
    If the LDAP groups are configured and the LDAPGroups authEnabled property is not set to true, the LDAP user cannot be authenticated in DX NetOps Spectrum.
  • Add the group search tag and the search string for each LDAP group.
    <Group searchTag="memberOf" searchString="CN=group_name,CN=Users,DC=company,DC=local"/>
    Ensure that DX NetOps Spectrum contains the user group with the same name as in the LDAP server.
  • Save the file.
  • Restart the OneClick server.
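
The following script is an added example, not part of the original article or of the product. It checks an edited ldap-grps-mappings-config.xml before the OneClick restart, lists the user group names that must exist in every landscape, and reports when one user's memberOf values match more than one configured group. It assumes that the Group elements sit inside the LDAPGroups element and that group DNs are compared case-insensitively; the sample file content and group names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an edited ldap-grps-mappings-config.xml. Nesting <Group>
# directly under <LDAPGroups> is an assumption; the group DNs are made up.
SAMPLE_CONFIG = """
<LDAPGroups authEnabled="true">
  <Group searchTag="memberOf" searchString="CN=NetOps-Admins,CN=Users,DC=company,DC=local"/>
  <Group searchTag="memberOf" searchString="CN=NetOps-ReadOnly,CN=Users,DC=company,DC=local"/>
</LDAPGroups>
"""

def group_name(dn):
    """Return the value of the leading CN= component of a group DN, or None."""
    first = dn.split(",", 1)[0].strip()
    key, _, value = first.partition("=")
    return value.strip() if key.strip().upper() == "CN" and value.strip() else None

def audit_config(xml_text):
    """Return (problems, groups): findings and the OneClick group names needed."""
    root = ET.fromstring(xml_text)
    ldap = root if root.tag == "LDAPGroups" else root.find(".//LDAPGroups")
    if ldap is None:
        return ["no <LDAPGroups> element found"], {}
    problems, groups = [], {}
    if ldap.get("authEnabled", "").strip().lower() != "true":
        problems.append("authEnabled is not true: LDAP users cannot be authenticated")
    for g in ldap.iter("Group"):
        tag, dn = g.get("searchTag"), g.get("searchString", "")
        name = group_name(dn)
        if not tag or name is None:
            problems.append(f"incomplete <Group> entry: {g.attrib}")
        else:
            groups[dn.lower()] = name  # case-insensitive DN key (assumption)
    if not groups:
        problems.append("no LDAP groups are mapped")
    return problems, groups

def matching_groups(groups, member_of):
    """Configured groups a user belongs to. More than one match means the group
    used for that user depends on the order the LDAP server returns them."""
    return sorted({groups[dn.lower()] for dn in member_of if dn.lower() in groups})

if __name__ == "__main__":
    problems, groups = audit_config(SAMPLE_CONFIG)
    print("problems:", problems or "none")
    print("create these user groups in every landscape:", sorted(groups.values()))
```

Where the matched groups carry different privileges, a user for whom matching_groups returns more than one name is worth reviewing, because the group that applies is not predictable.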

Additional Information

LDAP User Group Authentication