4.1 Configuring Authentication to an LDAP Directory

The NetIQ Cloud Manager administrator can choose to authenticate users through a supported Lightweight Directory Access Protocol (LDAP) directory service, either Microsoft Active Directory or Novell eDirectory. Cloud Manager users must have an account in the LDAP directory and must be members of the Cloud Manager user group. In addition, the LDAP user you specify as the read-only user must have All Attribute access to the area of the directory to be used by Cloud Manager.

You can also choose to add the Secure Sockets Layer (SSL) protocol to manage the security of authentication data being passed between Cloud Manager and LDAP. Adding SSL to the authentication process adds encryption and verification to the process.

This section helps you to prepare the information you need to configure LDAP for Cloud Manager authentication. If you want to use another authentication service, see Section 4.2, Configuring Authentication through an NCSS Director, Section 4.3, Configuring LDAP Plus NCSS Authentication, or Section 4.4, Configuring Authentication to Novell Access Manager.

  1. Make sure you know the information you are prompted to provide during the LDAP configuration:

    Information Needed for LDAP Configuration

    Description

    Do you want to use SSL with LDAP?

    If you respond with “yes” to this question, you are asked for an SSL certificate later in the configuration.

    LDAP Source

    You need to select the LDAP source for use with Cloud Manager, either Novell eDirectory or Microsoft Active Directory.

    LDAP host address

    This is the address (DNS name or IP address) of the LDAP host that Cloud Manager can connect to for authentication.

    If you chose to use SSL with LDAP, this address should match the subject of the certificate issued for the LDAP host.

    The configuration tool immediately validates this address when you specify it.

    LDAP port

    Designate the port where you want the LDAP server to listen for communication from Cloud Manager.

    If you are using SSL, the default port is 636. If you chose not to use SSL, the default port is 389.

    Path to SSL certificate on LDAP server

    This is the file system path to the SSL certificate you previously copied to the LDAP server. The certificate must be in DER format.[1]

    You need to use this setting only if you want to use SSL with the LDAP authentication.

    LDAP read-only user DN

    Specify the distinguished name (DN) of an existing LDAP read-only user who has read access to the LDAP directory.

    This user must have All Attribute read rights to the area of the directory that is to be used for Cloud Manager.

    LDAP read-only user’s password

    Specify the password for the LDAP read-only user.

    When you specify the user password, the configuration tool immediately attempts an SSL authentication to validate the existence of this user and password.

    Cloud Manager LDAP user DN

    Specify the DN of an existing LDAP user whom you want to designate as the Cloud Manager administrator.

    When you specify this LDAP user, the configuration tool immediately attempts to locate the user in LDAP, then asks you to verify that this is the user you want to designate as the Cloud Manager administrator.

    Make sure that the mail attribute is set for this user in LDAP.

    LDAP DN of NCM Users

    Specify the DN of the LDAP container where the users whom you want to log in to Cloud Manager already exist.

    This is the parent context of users that will be allowed to log in to the Cloud Manager Application Console. All subdirectories and users are included by default.

    Make sure that all users, regardless of their context in this container, have their email domain configured prior to logging into the Application Console.

    NOTE: You can use the Cloud Manager Application Console later to import users who do not currently exist in this DN.

    [1] Use the following command on a Linux machine to fetch the certificate and then copy it to another machine if needed.

    echo 'GET / 1.0' | openssl s_client -connect <server_ip_addr_or_dns>:<port> | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldap.pem

    The following command converts the certificate to DER format (required by Cloud Manager):

    openssl x509 -in ldap.pem -inform PEM -out ldap.cer -outform DER

  2. Continue running the configuration tool (/opt/netiq/cloudmanager/configurator/config). In the configuration segment following the configuration of the Postgres database, the tool displays the following text:

    Authentication Type
    
    1) LDAP
    2) NCSS
    3) LDAP plus NCSS
    4) NAM
    
    Selection:
    
  3. Specify 1 (LDAP) as the authentication type you want to configure.

  4. Follow the prompts and use the information you gathered in Step 1 to complete this segment of the configuration.
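The configuration tool validates the host address, the read-only bind and the administrator DN as you type them, but it is easier to catch a wrong value before the interactive run. The script below is an added pre-flight check written for this section; it is not part of the NetIQ configurator or its documentation. It assumes the OpenLDAP client tools (ldapsearch) and openssl are installed on the machine you run it from, that the read-only user's password is kept in a file (so it does not appear in the process list), and, for SSL, that LDAPTLS_CACERT points at the ldap.pem copy produced by the command in the footnote above. The default ports and the requirement that the host address match the certificate subject are taken from the table in Step 1; the DN syntax check and the mail-attribute queries are the script's own additions.

```shell
#!/bin/sh
# Pre-flight check for the values the Cloud Manager LDAP configuration prompts for.
# Assumed tooling (not from the NetIQ docs): ldapsearch (OpenLDAP client) and openssl.
# Usage:
#   LDAPTLS_CACERT=/path/to/ldap.pem ./ldap_preflight.sh yes ldap.example.test \
#       /path/to/ldap.cer "cn=ro,ou=svc,o=example" /path/to/ro.pass \
#       "cn=cmadmin,ou=users,o=example" "ou=users,o=example"

# Default port as documented: 636 with SSL, 389 without.
default_ldap_port() {   # $1 = yes|no
    if [ "$1" = "yes" ]; then echo 636; else echo 389; fi
}

# Build the LDAP URL that the ldapsearch calls below will use.
ldap_url() {            # $1 = yes|no   $2 = host   $3 = port
    if [ "$1" = "yes" ]; then echo "ldaps://$2:$3"; else echo "ldap://$2:$3"; fi
}

# Minimal DN sanity check: one or more comma-separated attr=value pairs.
# Catches the common mistake of typing a bare user name instead of a DN.
looks_like_dn() {       # $1 = DN
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9.-]+=[^,]+(,[A-Za-z0-9.-]+=[^,]+)*$'
}

# The DER certificate must parse, and its subject or SAN must match the LDAP host
# address (the docs require this when SSL is used). openssl's -checkhost reports the
# result as text rather than via its exit status, so the output is grepped.
check_der_cert() {      # $1 = path to DER cert   $2 = LDAP host address
    openssl x509 -inform DER -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match certificate'
}

# Bind as the read-only user and read the mail attribute of the intended
# Cloud Manager administrator. Prints nothing if the bind fails, the entry is
# missing, or mail is not set.
fetch_admin_mail() {    # $1 = url   $2 = read-only DN   $3 = password file   $4 = admin DN
    ldapsearch -LLL -x -H "$1" -D "$2" -y "$3" -b "$4" -s base '(objectClass=*)' mail \
        2>/dev/null | sed -n 's/^mail: //p'
}

# List users under the NCM users container that have no mail attribute.
# objectClass=person matches both Active Directory user and eDirectory
# inetOrgPerson entries.
users_without_mail() {  # $1 = url   $2 = read-only DN   $3 = password file   $4 = users DN
    ldapsearch -LLL -x -H "$1" -D "$2" -y "$3" -b "$4" -s sub \
        '(&(objectClass=person)(!(mail=*)))' dn 2>/dev/null | sed -n 's/^dn: //p'
}

main() {
    use_ssl=$1; host=$2; cert=$3; ro_dn=$4; passfile=$5; admin_dn=$6; users_dn=$7
    port=$(default_ldap_port "$use_ssl")
    url=$(ldap_url "$use_ssl" "$host" "$port")

    for dn in "$ro_dn" "$admin_dn" "$users_dn"; do
        looks_like_dn "$dn" || { echo "not a DN: $dn"; return 1; }
    done
    [ -r "$passfile" ] || { echo "password file not readable: $passfile"; return 1; }
    if [ "$use_ssl" = "yes" ]; then
        check_der_cert "$cert" "$host" || { echo "certificate $cert does not match $host"; return 1; }
    fi

    mail=$(fetch_admin_mail "$url" "$ro_dn" "$passfile" "$admin_dn")
    [ -n "$mail" ] || { echo "bind failed, admin DN not found, or mail attribute unset"; return 1; }

    missing=$(users_without_mail "$url" "$ro_dn" "$passfile" "$users_dn")
    if [ -n "$missing" ]; then
        echo "users under $users_dn without a mail attribute:"; echo "$missing"; return 1
    fi
    echo "pre-flight OK: $url, administrator mail=$mail"
}

# Run only when invoked with arguments, so the functions can be sourced on their own.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The checks mirror what the configurator does when you enter each value (host reachable, read-only bind succeeds, administrator entry exists) and add the two things it does not verify for you until later: that the administrator has a mail attribute and that every user under the container DN does too, since users without it cannot log in to the Application Console.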

After the LDAP authentication configuration, continue with Section 5.0, Installing and Configuring Other Cloud Manager Feature Settings.