Moogsoft Docs

Configure Single Sign-On with LDAP

You can configure Moogsoft AIOps so users from an external directory can log in by Single Sign-On (SSO) using Lightweight Directory Access Protocol (LDAP).

See LDAP version 3 for more information.

Before You Begin

Before you start to set up LDAP, ensure you have met the following requirements:

  • You have the URL for your LDAP server.

  • If you want to use a "lookup" DN (Distinguished Name) resolution method, you have the credentials for the LDAP user who has rights to look up other users and determine their roles.

  • If you want to use SSL encryption, you have a valid SSL certificate.

Configure LDAP for Moogsoft AIOps

Edit the configuration file to configure and enable LDAP for Moogsoft AIOps. You can find the file at $MOOGSOFT_HOME/config/security.conf.

See the Security Configuration Reference for a full description of all properties. Some properties in the file are commented out by default. Uncomment properties to enable them.

  1. Configure the properties for the LDAP connection:

    • url: URL of your LDAP server. This is required.

    • connectionTimeout: Connection timeout in milliseconds.

    • readTimeout: Read timeout in milliseconds.

    • predefinedUser: Determines if user must exist in the local database or not.

  2. Configure the user resolution and attribute search section:

    • resolutionType: Type of DN resolution method. Valid options are "direct" and "lookup".

    • attributeSearchFilter: Defines an optional attribute filter to retrieve all user attributes.

    • attributeMap: Defines an attribute map between the LDAP user attributes and the user attributes in the Moogsoft AIOps database.

  3. Configure the LDAP group search section:

    • systemUser: Username of the system user to bind and search for user group information.

    • systemPassword: Password of the system user to bind and search for user group information.

    • groupBaseDn: Defines a group base DN to search for LDAP groups.

    • memberAttribute: Attribute used look for group members. Defaults to "member".

    • groupNameAttribute: Attribute used to look for group name.

    • roleMap: Defines the role mappings between the user directory and Moogsoft AIOps.

    • assignTeams: Sychronizes team assignment between the user directory and the teams in Moogsoft AIOps.

  4. Optionally configure SSL if you want to enable TLS authentication:

    • ssl_protocol: Defines the SSL protocol you want to use. Defaults to TLSv1.2.

    • server_cert_file: SSL server certificate.

    • client_cert_file: Client certificate file.

    • client_key _file: Client key file.

When you have finished your configuration, restart Apache Tomcat to activate any changes you made to the configuration file:

service apache-tomcat restart

See Control Moogsoft AIOps Processes for further details.

Configuration Example

An example of an LDAP configuration that uses direct DN resolution and SSL without client authentication:

"Example_Ldap" : {
    "realmType": "LDAP",
    "url": "ldap://moogsaml:389",
    "userDnResolution":
    {
    "resolutionType" : "direct",
    "direct" : {
         "usernameAttribute": "uid",
         "userDnPostfix": "ou=People,dc=moogsoft,dc=com"
    }
    },
    "attributeMap": {
         "fullname": "cn",
         "email": "mail"
    },
    "groupBaseDn": "ou=Group,dc=moogsoft,dc=com",
    "memberAttribute": "member",
    "groupNameAttribute": "cn",
    "roleMap": {
         "role-admin": "Super User",
         "OperatorRole": "Operator"
    },
    assignTeams :{
        teamMap: {
          CloudDevOps: "Cloud DevOps team",
          DBDevOps: "Database DevOps team"
        },
        useGroupName : true,
        createNewTeams: true
    }
    ,"ssl":
    {
        "server_cert_file" : "/usr/share/moogsoft/config/example.crt"
    }
},