Adding a role for an LDAP user
About this task
When an LDAP user has been assigned LDAP groups, at least one of those groups must map to a role in OpsCenter. Otherwise, the user cannot log in to OpsCenter.
Add a parallel role in OpsCenter that mirrors the name of one of the LDAP groups assigned to a user. OpsCenter grants the matching role to the user.
If the list of a user’s LDAP groups map to more than one role in OpsCenter, the user will be granted each of the listed roles, and their resulting OpsCenter permissions will be the merging of permissions for all of their OpsCenter roles.
The group_search_type property indicates which method is used to determine LDAP group membership:
-
If using
directory_search
, thegroup_search_filter_with_dn
must return a list of LDAP roles that matches at least one of the OpsCenter roles. -
If using
memberof_search
, the list of LDAP roles from the user’smemberof
attribute must match at least one of the OpsCenter roles.
When LDAP is enabled, only role editing is supported in OpsCenter role-based security. Creating or editing users is disabled when LDAP is enabled because the users originate from LDAP and are managed therein. When creating or editing user roles, OpsCenter LDAP supports non-ASCII character sets for the role name. Because LDAP supports non-ASCII character sets for users, OpsCenter also supports non-ASCII character sets for users logging in to OpsCenter.
Only an OpsCenter admin can add roles. |
Prerequisites
Locate the opscenterd.conf configuration file. The location of this file depends on the type of installation:
-
Package installations: /etc/opscenter/opscenterd.conf
-
Tarball installations: install_location/conf/opscenterd.conf
Configure the admin role in the opscenterd.conf by setting the admin_group_name configuration option. Then, log in to OpsCenter with a user mapped to that role so you can add any needed roles.
Procedure
-
Click Settings > Roles.
The Manage Roles dialog appears.
-
Click Add Role.
-
Select the cluster.
-
Enter a role name.
-
Select the appropriate permissions and click Save.