Configure Single Sign-On with LDAP
You can configure Moogsoft AIOps so users from an external directory can log in by Single Sign-On (SSO) using Lightweight Directory Access Protocol (LDAP).
See LDAP version 3 for more information.
Before you begin
Before you start to set up LDAP, ensure you have met the following requirements:
- You have the URL for your LDAP server.
- If you want to use a "lookup" DN (Distinguished Name) resolution method, you have the credentials for the LDAP user who has rights to look up other users and determine their roles.
- If you want to use SSL encryption, you have a valid SSL certificate.
Configure LDAP for Moogsoft AIOps
Edit the configuration file to configure and enable LDAP for Moogsoft AIOps. You can find the file at $MOOGSOFT_HOME/config/security.conf.
See the Security Configuration Reference for a full description of all properties. Some properties in the file are commented out by default. Uncomment properties to enable them.
1. Configure the properties for the LDAP connection:
   - url: URL of your LDAP server. This is required.
   - connectionTimeout: Connection timeout in milliseconds.
   - readTimeout: Read timeout in milliseconds.
   - predefinedUser: Determines whether the user must already exist in the local database.
2. Configure the user resolution and attribute search section:
   - resolutionType: Type of DN resolution method. Valid options are "direct" and "lookup".
   - attributeSearchFilter: Defines an optional attribute filter to retrieve all user attributes.
   - attributeMap: Defines an attribute map between the LDAP user attributes and the user attributes in the Moogsoft AIOps database.
3. Configure the LDAP group search section:
   - systemUser: Username of the system user to bind and search for user group information.
   - systemPassword: Password of the system user to bind and search for user group information.
   - groupBaseDn: Defines a group base DN to search for LDAP groups.
   - memberAttribute: Attribute used to look for group members. Defaults to "member".
   - groupNameAttribute: Attribute used to look for the group name.
   - roleMap: Defines the role mappings between the user directory and Moogsoft AIOps.
   - assignTeams: Synchronizes team assignment between the user directory and the teams in Moogsoft AIOps.
4. Optionally configure SSL if you want to enable TLS authentication:
   - ssl_protocol: Defines the SSL protocol you want to use. Defaults to TLSv1.2.
   - server_cert_file: SSL server certificate.
   - client_cert_file: Client certificate file.
   - client_key_file: Client key file.
5. Restart Apache Tomcat to activate the changes:
   service apache-tomcat restart
   See Control Moogsoft AIOps Processes for further details.
Example
An example LDAP configuration that uses direct DN resolution and SSL without client authentication:
"example_ldap": {
    "realmType": "LDAP",
    "url": "ldap://mysaml:389",
    "userDnResolution": {
        "resolutionType": "direct",
        "direct": {
            "usernameAttribute": "uid",
            "userDnPostfix": "ou=People,dc=moogsoft,dc=com"
        }
    },
    "attributeMap": {
        "fullname": "cn",
        "email": "mail"
    },
    "groupBaseDn": "ou=Group,dc=moogsoft,dc=com",
    "memberAttribute": "member",
    "groupNameAttribute": "cn",
    "roleMap": {
        "role-admin": "Super User",
        "OperatorRole": "Operator"
    },
    "assignTeams": {
        "teamMap": {
            "CloudDevOps": "Cloud DevOps team",
            "DBDevOps": "Database DevOps team"
        },
        "useGroupName": true,
        "createNewTeams": true
    },
    "ssl": {
        "server_cert_file": "/usr/share/moogsoft/config/example.crt"
    }
}
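The following Python script is an added example, not code from the Moogsoft documentation or product. It holds a copy of the realm block above as a dictionary and applies the requirements stated in the configuration steps (url is required; resolutionType must be "direct" or "lookup"; lookup resolution needs systemUser and systemPassword; client_cert_file and client_key_file belong together), builds the bind DN that direct resolution implies from usernameAttribute and userDnPostfix, and translates LDAP group names into Moogsoft roles through roleMap. The function names, the RFC 4514 escaping of the login name, the TLS version check and the treatment of a plain ldap:// URL with no ssl section as a finding are this script's own assumptions, not documented Moogsoft behaviour.

```python
"""Sanity checks for a Moogsoft AIOps LDAP realm block from security.conf.

Added example, not part of Moogsoft AIOps. It assumes the realm block has been
loaded into a dict (for example with json.load once every key is quoted) and
that the property names are the ones listed in the configuration steps.
"""
from urllib.parse import urlparse

# Constructed copy of the page's example realm, with every key quoted.
EXAMPLE_REALM = {
    "realmType": "LDAP",
    "url": "ldap://mysaml:389",
    "userDnResolution": {
        "resolutionType": "direct",
        "direct": {"usernameAttribute": "uid",
                   "userDnPostfix": "ou=People,dc=moogsoft,dc=com"},
    },
    "attributeMap": {"fullname": "cn", "email": "mail"},
    "groupBaseDn": "ou=Group,dc=moogsoft,dc=com",
    "memberAttribute": "member",
    "groupNameAttribute": "cn",
    "roleMap": {"role-admin": "Super User", "OperatorRole": "Operator"},
    "assignTeams": {
        "teamMap": {"CloudDevOps": "Cloud DevOps team",
                    "DBDevOps": "Database DevOps team"},
        "useGroupName": True,
        "createNewTeams": True,
    },
    "ssl": {"server_cert_file": "/usr/share/moogsoft/config/example.crt"},
}


def check_realm(realm: dict) -> list:
    """Return a list of findings; an empty list means the block passed."""
    findings = []
    url = realm.get("url")
    if not url:
        findings.append("url is required")
    else:
        scheme = urlparse(url).scheme
        if scheme not in ("ldap", "ldaps"):
            findings.append("url scheme must be ldap or ldaps, got %r" % scheme)
        elif scheme == "ldap" and "ssl" not in realm:
            # Assumption: with no ssl section a plain ldap:// bind is cleartext.
            findings.append("ldap:// without an ssl section: bind is unencrypted")
    resolution = realm.get("userDnResolution", {})
    rtype = resolution.get("resolutionType")
    if rtype not in ("direct", "lookup"):
        findings.append('resolutionType must be "direct" or "lookup"')
    elif rtype == "direct":
        for key in ("usernameAttribute", "userDnPostfix"):
            if not resolution.get("direct", {}).get(key):
                findings.append("direct resolution needs %s" % key)
    else:
        # "lookup" binds as the system user before searching for the login user.
        for key in ("systemUser", "systemPassword"):
            if not realm.get(key):
                findings.append("lookup resolution needs %s" % key)
    ssl = realm.get("ssl", {})
    if ssl.get("ssl_protocol") not in (None, "TLSv1.2", "TLSv1.3"):
        findings.append("ssl_protocol %r is not TLSv1.2 or TLSv1.3" % ssl["ssl_protocol"])
    if ("client_cert_file" in ssl) != ("client_key_file" in ssl):
        findings.append("client_cert_file and client_key_file must be set together")
    if not realm.get("roleMap"):
        # Assumption: without a roleMap no LDAP group grants a Moogsoft role.
        findings.append("roleMap is missing or empty")
    return findings


_DN_SPECIAL = ',+"\\<>;='


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    escaped = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if value.startswith((" ", "#")):
        escaped = "\\" + escaped
    if value.endswith(" ") and len(value) > 1:  # a lone space is already escaped
        escaped = escaped[:-1] + "\\ "
    return escaped


def direct_user_dn(realm: dict, username: str) -> str:
    """Bind DN implied by direct resolution: <usernameAttribute>=<username>,<userDnPostfix>.
    Escaping the login name is this script's precaution so it cannot alter the DN."""
    direct = realm["userDnResolution"]["direct"]
    return "%s=%s,%s" % (direct["usernameAttribute"],
                         escape_dn_value(username), direct["userDnPostfix"])


def map_roles(realm: dict, group_names) -> set:
    """Translate LDAP group names into Moogsoft roles; unmapped groups grant nothing."""
    role_map = realm.get("roleMap", {})
    return {role_map[g] for g in group_names if g in role_map}


if __name__ == "__main__":
    for line in check_realm(EXAMPLE_REALM) or ["example realm passes all checks"]:
        print(line)
    print(direct_user_dn(EXAMPLE_REALM, "alice"))
    print(sorted(map_roles(EXAMPLE_REALM, ["role-admin", "staff"])))
```

Run the script against a realm block copied from your own security.conf; each finding names the property to fix, and an empty result for the page's example shows what a complete direct-resolution block looks like. The escaping in direct_user_dn is the point to keep even if you adopt nothing else: a login name containing a comma or equals sign must never be able to change which directory entry the bind addresses.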