Add a role for an LDAP user
When an LDAP user has been assigned LDAP groups, at least one of those groups must map to a role in OpsCenter. Otherwise, the user cannot log in to OpsCenter.
Add a parallel role in OpsCenter that mirrors the name of one of the LDAP groups assigned to a user. OpsCenter grants the matching role to the user.
If the list of a user’s LDAP groups map to more than one role in OpsCenter, the user will be granted each of the listed roles, and their resulting OpsCenter permissions will be the merging of permissions for all of their OpsCenter roles.
The group_search_type property indicates which method is used to determine LDAP group membership:
-
If using
directory_search, thegroup_search_filter_with_dnmust return a list of LDAP roles that matches at least one of the OpsCenter roles. -
If using
memberof_search, the list of LDAP roles from the user’smemberofattribute must match at least one of the OpsCenter roles.
When LDAP is enabled, only role editing is supported in OpsCenter role-based security. Creating or editing users is disabled when LDAP is enabled because the users originate from LDAP and are managed therein. When creating or editing user roles, OpsCenter LDAP supports non-ASCII character sets for the role name. Because LDAP supports non-ASCII character sets for users, OpsCenter also supports non-ASCII character sets for users logging in to OpsCenter.
Only an OpsCenter admin can add roles.
-
Configure the admin role in the
opscenterd.conffile by setting theadmin_group_nameconfiguration option.For package installations,
opscenterd.confis located at/etc/opscenter/opscenterd.conf, and for tarball installations, it is located atINSTALL_DIRECTORY/conf/opscenterd.conf. -
Log in to OpsCenter with a user mapped to the admin role so you can add any needed roles.
-
Click Settings > Roles.
The Manage Roles dialog appears.
-
Click Add Role.
-
Select the cluster.
-
Enter a role name.
-
Select the appropriate permissions.
-
Click Save.
