Adding a role for an LDAP user

Each LDAP user needs a group that has a counterpart role in OpsCenter. Add a parallel role in OpsCenter that mirrors the permissions of one of the user's LDAP groups.

When an LDAP user has been assigned LDAP groups, at least one of those groups must map to a role in OpsCenter. Otherwise, the user cannot log in to OpsCenter.

Add a parallel role in OpsCenter that mirrors the name of one of the LDAP groups assigned to a user. OpsCenter grants the matching role to the user.

If a user's LDAP groups map to more than one role in OpsCenter, the user is granted each of those roles, and the resulting OpsCenter permissions are the merged permissions of all of the user's OpsCenter roles.

The group_search_type property indicates which method is used to determine LDAP group membership:
  • If using directory_search, the group_search_filter_with_dn must return a list of LDAP roles that matches at least one of the OpsCenter roles.
  • If using memberof_search, the list of LDAP roles from the user's memberof attribute must match at least one of the OpsCenter roles.
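The matching and merging rules above can be checked offline before LDAP is enabled. The following is an added example, not OpsCenter code: it models the rules to find users who would be unable to log in and users who accumulate permissions from several roles. The role names, permission names, users, and the exact case-sensitive name comparison are assumptions made for the illustration.

```python
# Constructed sample data: role and permission names are placeholders,
# not OpsCenter's own identifiers.
ROLES = {
    "dba": {"view_cluster", "run_repair"},
    "ops": {"view_cluster", "restart_node"},
    "équipe-données": {"view_cluster"},  # non-ASCII role names are supported
}
ADMIN_GROUP_NAME = "opscenter-admins"  # stands in for admin_group_name
USERS = {  # user -> LDAP groups, as either group search type would list them
    "alice": ["dba", "ops", "vpn-users"],
    "bob": ["vpn-users"],
    "carol": ["opscenter-admins"],
    "dmitri": ["DBA"],  # differs from "dba" only by case
}


def matched_roles(ldap_groups, roles, admin_group):
    """Role names equal to one of the LDAP group names (assumed exact match)."""
    return sorted((set(roles) | {admin_group}) & set(ldap_groups))


def merged_permissions(ldap_groups, roles, admin_group):
    """Union of permissions over all matched roles; None means no login."""
    matched = matched_roles(ldap_groups, roles, admin_group)
    if not matched:
        return None
    merged = set()
    for name in matched:
        merged |= roles.get(name, set())  # admin rights are not modelled here
    return merged


def audit(users, roles, admin_group):
    """Report users who cannot log in, admins, and multi-role holders."""
    report = {"locked_out": [], "admins": [], "multi_role": {}}
    for user in sorted(users):
        matched = matched_roles(users[user], roles, admin_group)
        if not matched:
            report["locked_out"].append(user)
        elif admin_group in matched:
            report["admins"].append(user)
        elif len(matched) > 1:
            report["multi_role"][user] = matched
    return report


if __name__ == "__main__":
    print(audit(USERS, ROLES, ADMIN_GROUP_NAME))
```

Users listed under multi_role are the ones to review for least privilege, because their effective permissions are wider than any single role shows.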

When LDAP is enabled, only role editing is supported in OpsCenter role-based security. Creating or editing users is disabled when LDAP is enabled because the users originate from LDAP and are managed therein. When creating or editing user roles, OpsCenter LDAP supports non-ASCII character sets for the role name. Because LDAP supports non-ASCII character sets for users, OpsCenter also supports non-ASCII character sets for users logging in to OpsCenter.

Note: Only an OpsCenter admin can add roles.

Prerequisites

Configure the admin role in opscenterd.conf by setting the admin_group_name configuration option. Then log in to OpsCenter as a user mapped to that role so that you can add any needed roles.

Procedure

  1. Click Settings > Roles.
    The Manage Roles dialog appears.
  2. Click Add Role.
  3. Select the cluster.
  4. Enter a role name.
  5. Select the appropriate permissions and click Save.