Prevent automated LDAP based user creation in Performance Management

Article ID: 206805

Updated On:

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Today when I logged in to create a new userid, I noticed a few user ids with the description "User account created automatically on <DATE>".  How can I find out what process is creating these userids automatically?

Some of the ids created automatically should not have access to Performance Center.

How can we prevent automated user creation via the LDAP integration for SSO in DX NetOps Performance Management Performance Center?

Cause

When the LDAP configuration allows ANY user to gain access and the specific LDAP Groups the users belong to are not known, a method is required to limit user access to Performance Center.

Environment

All supported DX NetOps Performance Management releases

Resolution

In this scenario the LDAP integration is configured to allow any LDAP user access to Performance Center. The specific LDAP Directories or Groups the users exist in, which could otherwise be used to limit user access, are not known.

To address this, we set the 'Account User Default Clone' value (DB value LdapAccountUserDefaultClone) to '{SAMAccountname}'. With this setting, the configuration expects a user already created in the system whose name matches the LDAP user's user name.

If it finds no matching user name, the access will be rejected.

In this way any user seeking access would need to first engage the Performance Management admins. The admins would create the user for access if approved. The next time the user logs in they'll be successful using their LDAP based user name and password.

The change is made using the SsoConfig tool, run from a terminal on the Performance Center. To do so:

  1. Go to the (default path) /opt/CA/PerformanceCenter directory.
  2. Run the command:
    • ./SsoConfig
  3. Choose option 1 for "Performance Center" or "DX NetOps" (whichever is presented, depending on the release running).
  4. Choose option 1 for 'LDAP Authentication'.
  5. Choose option 1 for 'Remote Value'.
  6. Choose property 9 for 'Account User Default Clone'.
  7. Enter u to update to a new value.
  8. Enter the new value:
    • {SAMAccountname}
  9. Confirm the new value is set when the updated configuration list is returned.
  10. Restart the SSO (caperfcenter_sso) and Performance Center console (caperfcenter_console) services for the new value to be read into the system.

NOTE: Ensure there isn't a different value set in option 2 Local Override. If one is present remove it (reset 'r' option) or set it (update 'u' option) to the same value set in Remote Value.

Additional Information

Stop Services:

  • Console first:
    • systemctl stop caperfcenter_console
  • SSO service next:
    • systemctl stop caperfcenter_sso

Start Services:

  • SSO first:
    • systemctl start caperfcenter_sso
  • Console service next:
    • systemctl start caperfcenter_console
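
The stop and start order above, wrapped in a script that confirms each service is active before moving on. This is an added example, not part of the original article or the product; the SYSTEMCTL override variable, the function names and the 30-second wait are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: ordered restart of the two services named in this article.
# SYSTEMCTL is an assumption of this sketch: an override hook so the sequence
# can be dry-run (for example SYSTEMCTL=echo) before touching a live host.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
SSO_UNIT="caperfcenter_sso"
CONSOLE_UNIT="caperfcenter_console"

# Wait up to $2 seconds (default 30, an assumed value) for unit $1 to be active.
wait_active() {
    unit="$1"
    tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        if $SYSTEMCTL is-active --quiet "$unit"; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    echo "ERROR: $unit did not become active" >&2
    return 1
}

restart_pc_sso() {
    # Stop order from the article: console first, then SSO.
    $SYSTEMCTL stop "$CONSOLE_UNIT" || return 1
    $SYSTEMCTL stop "$SSO_UNIT" || return 1
    # Start order from the article: SSO first, then console.
    # Each service must report active before the next step runs.
    $SYSTEMCTL start "$SSO_UNIT" || return 1
    wait_active "$SSO_UNIT" || return 1
    $SYSTEMCTL start "$CONSOLE_UNIT" || return 1
    wait_active "$CONSOLE_UNIT" || return 1
    echo "Both services restarted; the new SsoConfig value is now in effect."
}

# Only act when explicitly asked, so sourcing the file has no side effects.
if [ "${1:-}" = "run" ]; then
    restart_pc_sso
fi
```

Run it as root with the argument `run`; with `SYSTEMCTL=echo` set in the environment it prints the commands in order without executing them.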