Network Node Manager (NNM) authentication using Active Directory

07 Oct

HP monitoring software such as SiteScope, BAC, SIM and NNM uses built-in authentication. This works, but it means you have to remember many different logins and passwords. In addition, many companies have password policies that must apply to all systems. The obvious solution is to use a single login provider, and for this reason many use Active Directory. In HP SIM, configuring authentication through Active Directory is very simple using the GUI. Unfortunately, in Network Node Manager (NNM) it is not that simple. The information is provided in the Deployment Reference document, but it is not very clear.

In this post I’ll show you what works for me.

1. You need to find the file called ldap.properties
According to the HP Deployment Reference document, it is located in %NNM_SHARED_CONF%, which should be ‘C:\HP\HP BTO Software\data\shared\nnm\conf’ if you’ve installed the software in the default location.

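2. In the Active Directory Users container, create a group called nnmadmin and add the members to the group. These members will get admin rights in NNM. In the Notes attribute of that group, write admin. (The Notes field is stored in the LDAP attribute info, which is the attribute that roleNameAttributeID points to in step 3.)
This is how it should look: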

NNM has 4 different user roles (admin, level2, level1 and guest). I only use guest and admin. In my case, any user that can be authenticated by Active Directory but is not in the nnmadmin group will get guest rights by default. You also need to know the DN path where all the users are located in Active Directory. In my case they are located in OU=Company Staff,DC=domain,DC=com.

3. Open ldap.properties with a text editor (Notepad will do). You should see that it is not empty and that there is a lot of information in there.

Here is how I have configured it:

#Here you define domain controller that NNM will use to read LDAP
java.naming.provider.url=ldap://DC.domain.com:389/

#Here you define the DN of the account, and the password of that account, that NNM will use to connect to the domain

bindDN=CN=nnmldap,CN=Users,DC=Domain,DC=com
bindCredential=nnmldappassword
allowEmptyPasswords=false

#Here is the location of the users on the domain and the attribute by which the users are filtered
baseCtxDN=OU=Company Staff,DC=domain,DC=com
baseFilter=sAMAccountName={0}

#This is the default role assigned to any user that does not have any roles assigned. This field can be commented out
defaultRole=guest

#Here you define the path to the group which has the users with roles assigned, and also the attributes that NNM will look for

rolesCtxDN=CN=Users,DC=domain,DC=com
roleFilter=member={1}
uidAttributeID=member
roleAttributeIsDN=true
roleAttributeID=memberOf
roleNameAttributeID=info
userRoleFilterList=admin

4. After saving the file, open a command prompt on the NNM server and issue the command nnmldap.ovpl -reload. This reloads the modified LDAP settings.

5. Open Internet Explorer, try to log in and see if the new roles apply. When logging in, do not use the domain name in front of the username. Use your Active Directory login only. It is the same one that you use to log in to your computer every morning 🙂

P.S. There is a log file, ldap.log, located in D:\HP\HP BTO Software\data\log\nnm. It can be useful for troubleshooting.
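
A pre-reload review of the ldap.properties settings from step 3, as an added example that is not part of the original post or of NNM. The sample file is constructed from the values shown above, and the rule names and the choice of checks are assumptions made for illustration.

```python
# Constructed sample: the settings from step 3, with the post's placeholder values.
SAMPLE = """\
java.naming.provider.url=ldap://DC.domain.com:389/
bindDN=CN=nnmldap,CN=Users,DC=Domain,DC=com
bindCredential=nnmldappassword
allowEmptyPasswords=false
baseCtxDN=OU=Company Staff,DC=domain,DC=com
baseFilter=sAMAccountName={0}
defaultRole=guest
rolesCtxDN=CN=Users,DC=domain,DC=com
roleNameAttributeID=info
userRoleFilterList=admin
"""

def parse_properties(text):
    """Return key -> value for the non-comment lines of a .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return findings (hypothetical rule names) to review before reloading."""
    findings = []
    if props.get("java.naming.provider.url", "").lower().startswith("ldap://"):
        findings.append("cleartext-ldap: simple binds over ldap:// are not encrypted")
    if props.get("allowEmptyPasswords", "").lower() != "false":
        findings.append("empty-passwords: allowEmptyPasswords is not explicitly false")
    if props.get("bindCredential"):
        findings.append("stored-credential: bind password is readable in the file; "
                        "restrict its ACL and keep the bind account low-privileged")
    if props.get("defaultRole"):
        findings.append("default-role: every account found under baseCtxDN gets "
                        "role '%s' without any group membership" % props["defaultRole"])
    if "{0}" not in props.get("baseFilter", ""):
        findings.append("filter-placeholder: baseFilter has no {0} for the login name")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print(finding)
```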


2 Responses

  1. cem says:

    Hi,

    I am trying to make LDAP integration.
    It is Microsoft Active Directory Ldap.
    I have to change the ldap.properties file.
    This file includes a line;

    baseFilter=CN={0}

    But in some configurations I see that this line is:

    baseFilter=(sAMAccountName={0})

    or

    baseFilter=uid={0}

    Which one should we use?

    • Andrius says:

      As you can see from the post above, I’ve used the SAM-Account-Name attribute. I cannot remember why, but this is what worked for me.
