
Trending this month: LDAP Authentication with BPPM

BPPM provides the ability to allow users to authenticate using LDAP. This is becoming a very popular method for configuring users and groups to access BPPM.

If you want to enable LDAP-authentication with BPPM, please go through the following steps:

In pw\pronto\conf\ias.properties:

#-----------------------------------------------------------------
# Enable/disable LDAP login module.
# When it is enabled, "ldap_configuration.xml" file has to be filled.
#-----------------------------------------------------------------
com.bmc.sms.ixs.enable.ldap.login=true

#-----------------------------------------------------------------
# Allow local, file-based, user groups to apply to LDAP authenticated users.
# When it is enabled, groups defined for users in the user_definitions.xml file
# will apply to the user when authenticating through LDAP.
#-----------------------------------------------------------------
com.bmc.sms.ixs.allow.local.groups.for.ldap=true

# Search for these groups only in LDAP
com.bmc.sms.ixs.search.ldap.group=IX Users,BPPM Users

This is an example of an ldap_configuration.xml file:

<ldap alias="SAM.COM">
    <host>kratos.sam.com</host>
    <port>389</port>
    <version>3</version>
    <baseDN>dc=sam,dc=com</baseDN>
    <connectionUserName>struong@sam.com</connectionUserName>
    <connectionPassword encrypted="true">jgDY86jLiVcnIw52M4m2tScjDnYziba1JyMOdjOJtrUnIw52M4m2tScjDnYziba1JyMOdjOJtrUnIw52M4m2tQ==</connectionPassword>
    <userIdAttribute>sAMAccountName</userIdAttribute>
    <useSSL>false</useSSL>
    <groupMemberAttribute>member</groupMemberAttribute>
    <memberOfAttribute>memberOf</memberOfAttribute>
    <userSearchFilter>(objectClass=organizationalPerson)</userSearchFilter>
    <groupSearchFilter/>
</ldap>

In the ldap_ppm_group_mapping.xml file make the following changes:

<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<!--
     Each entry's key is the LDAP group name and the value is the PPM group assigned to it. E.g.

          <entry key="ldap_group1">PPM Group1</entry>
-->

<properties>
    <entry key="IX Users">Full Access</entry>
    <entry key="BPPM Users">Full Access</entry>
</properties>

[Screenshots: Properties.png, BPPMProperties.png]

Or via an LDAP browser:

[Screenshot: Mapping.png]

Voilà, you should now be able to log into BPPM using the LDAP users.

If you encounter any difficulty, please do not hesitate to contact Customer Support for assistance.

LDAP Q&A
Users have had several questions about LDAP recently, which shows us you are using the feature and want to know more about it, so here are some quick questions and answers.

Q: Can we have separate BPPM role/permissions for different users under one LDAP group?
A: Yes, it is possible to map an LDAP user to a BPPM group/role/permission. The way to do this is to map the LDAP group to a BPPM user group.

Open the pw/pronto/conf/ldap_ppm_group_mapping.xml file using a text editor and create a map between the Windows Active Directory domain group and BPPM Server.

Replace the default entry:
<entry key="Group1">Full Access</entry>
with the actual values. Please only remove this line and add actual entries. Don’t edit any other line in the file.

For example, for a Windows domain group called ITgroup, to map "ITgroup" to a ProactiveNet group called "BPPM Administrators" add the following entry to the ldap_ppm_group_mapping.xml file:

<properties>
<entry key="ITgroup">BPPM Administrators</entry>
</properties>

Note:

a) Note that "ITgroup" is in double quotes and BPPM Administrators is not in quotes. Follow the same syntax.

b) If there are multiple Windows domain groups, then add a new entry line in the ldap_ppm_group_mapping.xml file for each domain group. For example, to map "SecondITgroup" to a ProactiveNet group called "BPPM Viewers", the ldap_ppm_group_mapping.xml file will look like:

<properties>
<entry key="ITgroup">BPPM Administrators</entry>
<entry key="SecondITgroup">BPPM Viewers</entry>
</properties>
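As an added check for the setup walkthrough above and for this group-mapping Q&A (this script is not part of the post or of BMC's tooling), the Python below parses constructed copies of ias.properties, ldap_configuration.xml and ldap_ppm_group_mapping.xml, flags a searched LDAP group that has no mapping entry (a user in that group would get no BPPM group) and the cleartext useSSL=false setting, and resolves a user's memberOf values to BPPM groups. The "Helpdesk" group and the DN values are constructed; the script assumes BPPM matches the mapping key against the group's CN, which the post's examples suggest but do not state.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the files shown in the post (not real config)
IAS_PROPERTIES = """
com.bmc.sms.ixs.enable.ldap.login=true
com.bmc.sms.ixs.allow.local.groups.for.ldap=true
com.bmc.sms.ixs.search.ldap.group=IX Users,BPPM Users,Helpdesk
"""
LDAP_CONFIGURATION_XML = """<ldap alias="SAM.COM">
  <host>kratos.sam.com</host><port>389</port><useSSL>false</useSSL>
  <userIdAttribute>sAMAccountName</userIdAttribute>
  <memberOfAttribute>memberOf</memberOfAttribute>
</ldap>"""
GROUP_MAPPING_XML = """<properties>
  <entry key="IX Users">Full Access</entry>
  <entry key="BPPM Users">Full Access</entry>
</properties>"""

def parse_properties(text):
    """key=value lines of ias.properties; comments and blanks are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_group_mapping(xml_text):
    """{LDAP group name: BPPM group} from ldap_ppm_group_mapping.xml."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): (e.text or "").strip() for e in root.iter("entry")}

def lint_config(props, ldap_xml, mapping):
    """Flag settings that would break LDAP login or weaken it."""
    findings = []
    if props.get("com.bmc.sms.ixs.enable.ldap.login") != "true":
        findings.append("LDAP login module is disabled")
    for g in props.get("com.bmc.sms.ixs.search.ldap.group", "").split(","):
        if g.strip() and g.strip() not in mapping:
            findings.append(f"searched group '{g.strip()}' has no mapping entry")
    if (ET.fromstring(ldap_xml).findtext("useSSL") or "").lower() != "true":
        findings.append("useSSL=false: bind and user passwords cross the network in cleartext")
    return findings

def bppm_groups_for(member_of, mapping):
    """Resolve a user's memberOf DNs to BPPM groups via each DN's first CN (assumed)."""
    names = [m.group(1) for m in (re.match(r"\s*CN=([^,]+)", dn, re.I) for dn in member_of) if m]
    return sorted({mapping[n] for n in names if n in mapping})
```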

Q: Do I have to restart the jserver every time I make changes to my LDAP configuration?
A: For versions prior to 9.0 you do, but with 9.0.2 we released Service Pack 2 (Version 9.0.22), which has a fix that does not require a restart of the jserver.

https://docs.bmc.com/docs/pages/releaseview.action?pageId=349176102#ServicePack2(Version9.0.22)-ConfiguringtheLDAPserverdoesnotrequireaserverrestart

Instructions to download Service Pack 2 can be found here:
https://docs.bmc.com/docs/display/public/PN90/Downloading+Service+Pack+2

Q: With this new Service Pack 2 feature will the reset be available through a command line call?
A: The reset is done through the BPPM Operations console: Options -> Administration -> Integrations (edit) -> Apply

Q: Is there any thought to enhancing BPPM LDAP to retry a command if it fails by going back to the server pool?
A: This idea is being tracked by RFE QM001651429.  BMC hasn't assigned a target BPPM version to this request at this time.

Q: When using LDAP is there logging of which specific server BPPM goes to for a request?
A: This is not logged presently. We have an enhancement request open for this QM001780455.  BMC is investigating whether it is feasible to get this into a future BPPM release.

Q: I have users who are not members of the BPPM Administrators group and are unable to access any event/device information under the "Devices" folder in the main accordion. I have attempted to assign "all CI" permissions in their group definition, but when I do that, they 'hang' at login with the spinning "Loading Data" wheel in the main accordion and "application initializing" in the main window. What can I do?
A: This is identified as Defect QM001788242, which is corrected in BPPM Service Pack 2. Please download and install the Service Pack at your convenience.
https://docs.bmc.com/docs/display/public/PN90/Downloading+Service+Pack+2

Didn’t answer your question? Let’s check our Knowledge Base for LDAP specific Knowledge Articles. http://www.bmc.com/support/knowledge-base/

KA395193 Change of Mechanism with 9.0.20 version of BPPM with respect to LDAP Refresh

KA353587 ProactiveNet support for LDAP, AD or NIS users and group configuration

KA386757 How to perform LDAP authentication without mapping the LDAP group with BPPM.

KA354768 Unable to validate user. User doesn't exist error when using LDAP user to login to BPPM Console

KA353902 LDAP authentication failing for BPPM. The ias0.log shows error 52e

KA396229 What is the correct syntax for the 'Group Search Filter' when configuring LDAP for BPPM?

KA367409 Configuring BPPM 8.6.02 server to authenticate to LDAP server. LDAP Group not being picked up as evidenced in the ias0.log file.

Popular Knowledge Articles:

KA359241 Both BPPM Admin and User console cannot login, "iadmin -lc" command cannot get reply

KA313851 ProactiveNet Agent supports failover but there doesn't appear to be any failover methodology for BMC PATROL Proxy - pproxysrv. Is there any failover methodology for pproxysrv?

KA347978 How can I ensure that a BPPM PATROL adapter has automatic workflow disabled?

KA301274 Configuring SNMP Trap Receiver Monitor

KA313556 ProactiveNet to BEM Alarm Priority... Mappings between ProactiveNet and BEM - available slots.

***** BMC Ideas *****

Don't forget you can provide Ideas or enhancements you would like to see in our products. Tell us what you want!

Introducing Ideation
Accessing Ideas
Interacting with Ideas
Submitting Ideas

Feedback

Was this helpful?  Are there related topics I missed? Please add comments to share your experience.