Configure LDAP Properties

You configure Hyperic Server for your LDAP server in the "LDAP Configuration Properties" section of the Administration > HQ Server Settings page.

Available only in vFabric Hyperic

LDAP Authentication in vFabric Hyperic

This page describes vFabric Hyperic's features for accessing user authentication and group membership data from an external LDAP or Active Directory system.

You can configure vFabric Hyperic to use data from an external authentication directory system to authenticate a Hyperic user at first logon, and to automatically assign Hyperic roles to the new user. This enables an LDAP user to log onto Hyperic with an LDAP username and password. The first time a user logs on to Hyperic with LDAP credentials, Hyperic prompts the user to supply his or her name, email address, and other information required to set up the user's Hyperic account.

As with any vFabric user, a user authenticated via LDAP must be assigned one or more Hyperic roles, which define the user's permission matrix and access to inventory resources.

In Hyperic 4.6, when you configure LDAP authentication, you can also configure Hyperic to assign the user to each Hyperic role whose name matches the name of an LDAP group to which the user is assigned. Otherwise, you must manually assign roles to the new user, as described in Create and Manage Roles in vFabric Hyperic.

Configure LDAP Authentication and Role Assignment

To configure Hyperic Server to use LDAP authentication for new users and to assign user roles based on LDAP group membership:

  1. Click HQ Server Settings on the Administration tab.

  2. Scroll down to the "LDAP Configuration Properties" section of the page.

  3. Enter the properties described below:

    Property

    Description

    Use LDAP Authentication

    Checkmark this option to enable LDAP authentication.

    URL

    Enter the location of your LDAP or Active Directory server. If a port other than the standard LDAP port is used, specify it in the URL: add the port to the end of the URL, after a colon (:) character. For example:

    ldap://YourLDAPHost:44389

    SSL

    Place a checkmark in the box if your LDAP directory requires SSL connections.

    Username

    Supply an LDAP username with sufficient privileges to view the sections of the directory that contain the information for LDAP users who will access Hyperic. (Not necessary if the LDAP directory allows anonymous searching, which is rare in secure environments.)

    Password

    Supply the password for the LDAP user specified in "Username" above.

    Search Base

    (Required) The "Search Base" property, sometimes referred to as the suffix, defines the location in the LDAP directory from which the LDAP user search begins. Supply the full path to the branch, for example:

    ou=people,dc=example,dc=com

    Consult your LDAP administrator if necessary.

    Search Filter

    If desired, enter a filter to limit the LDAP user search to a subset of the object identified by the "Search Base" property. For example:

    (!(location=SFO*))

    Login Property

    (Required) The LDAP property (for an LDAP user) that Hyperic will use as the username for the user's Hyperic account. The default value is "cn". Depending on your LDAP environment, a different property, for instance, "uid", may be appropriate.

    Group Search Base

    Analogous to "Search Base", this property defines the location in the LDAP directory from which the LDAP group search begins. If you want Hyperic to automatically assign Hyperic roles to new users, supply a value for this property.

    Search Subtree

    If you have configured the "Group Search Base", described above, you can checkmark this box to enable search of the entire subtree of the object identified by "Group Search Base".

    Group Search Filter

    If you have configured the "Group Search Base", described above, you can enter a filter to limit the LDAP group search to a subset of the objects found in the group search. The default value, "Member={0}", filters by the full distinguished name of a user. To filter by user login name instead, set the value to "Member={1}".

  4. Click OK.
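
The following Python sketch is an added example, not Hyperic code: it models how the two "Group Search Filter" placeholders select groups, and how the names of the matching groups become role assignments. The directory entries, role names, helper functions, and the exact-name comparison between groups and roles are assumptions made for illustration.

```python
# Added illustration, not Hyperic code: a model of how the "Group Search Filter"
# placeholders select groups. Directory entries and role names are constructed.
import re

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def expand_group_filter(template, user_dn, login):
    """Substitute {0} with the user's full DN and {1} with the login name."""
    values = {"0": escape_filter_value(user_dn), "1": escape_filter_value(login)}
    return re.sub(r"\{([01])\}", lambda m: values[m.group(1)], template)

def unescape(value):
    """Turn \\xx escapes back into characters, as a directory server would."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matching_groups(groups, expanded_filter):
    """Evaluate a simple attr=value equality filter (case-insensitive model)."""
    attr, _, wanted = expanded_filter.strip("()").partition("=")
    wanted = unescape(wanted).lower()
    return [g["cn"] for g in groups
            if wanted in (v.lower() for v in g.get(attr.lower(), []))]

def roles_for(groups, hyperic_roles, template, user_dn, login):
    """Roles whose name matches the name of a group the filter returns."""
    found = matching_groups(groups, expand_group_filter(template, user_dn, login))
    return sorted(r for r in hyperic_roles if r in found)

# Constructed sample data under the page's example base dc=example,dc=com.
USER_DN, LOGIN = "uid=jdoe,ou=people,dc=example,dc=com", "jdoe"
GROUPS = [
    {"cn": "Operators", "member": [USER_DN]},          # members stored as DNs
    {"cn": "Auditors", "member": ["jdoe", "asmith"]},  # members stored as logins
    {"cn": "Mail Users", "member": [USER_DN]},         # no role has this name
]
ROLES = ["Operators", "Auditors", "Unmatched Role"]    # hypothetical role names

if __name__ == "__main__":
    for template in ("Member={0}", "Member={1}"):
        print(template, "->", expand_group_filter(template, USER_DN, LOGIN),
              "->", roles_for(GROUPS, ROLES, template, USER_DN, LOGIN))
```

Which placeholder is correct depends on how your directory stores group membership: choose "Member={0}" when group entries list full distinguished names and "Member={1}" when they list login names.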