[DOCS-13199] Suggestions for additional notes on Ops Manager LDAP Created: 05/Nov/19  Updated: 14/Nov/23

Status: Backlog
Project: Documentation
Component/s: Ops Manager
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Charles Merrill Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: request
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:
Days since reply: 4 years, 14 weeks, 2 days ago

 Description   

Suggestions for additional notes on https://docs.opsmanager.mongodb.com/current/tutorial/configure-for-ldap-authentication/#associate-ldap-groups-with-project-roles and https://docs.opsmanager.mongodb.com/current/reference/api/groups/map-ldap-groups-to-manager-roles/

Customers have been unclear about how to add a user to a group/project with certain roles using the Ops Manager API.

We might want to include notes mentioning that:
1. Once Ops Manager has been configured to use LDAP for access to the web UI, no other authentication mechanisms will be used. This means that no users will be added or modified in the backing databases, which is what the API provides access to. To add new users to Ops Manager, you would need to add them to the LDAP directory used by your organization and ensure they are members of LDAP groups that map to roles in your Ops Manager deployment.
Again - no user management happens in Ops Manager, all such activity is delegated to the LDAP server.

2. For security reasons, it is not possible to add users to your LDAP server using Ops Manager.

3. All user management (which user participates in which group(s)) is done in LDAP.
LDAP in Ops Manager will require Group DN assignments.

4. You can use the API to manage the relationship in Ops Manager, e.g., which LDAP group(s) correspond to which Ops Manager roles in a particular OM project.

5. If using LDAP, you would create one or many LDAP groups containing Users. Example `OM_RO_MyProject`
You would then use the API (or the UI) to Map LDAP Groups to Ops Manager Roles giving the Users in that LDAP Group the desired Project Role.

6. If the requirement is to have a single read-only group across multiple projects - you would use API calls to associate that LDAP group with the Role (example: GROUP_READ_ONLY) for the required Ops Manager projects.
If the requirement is to have a different read-only group assigned to individual projects - you would use API calls to associate that LDAP group with the Role (example: GROUP_READ_ONLY) to the specific project.
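
The two cases in item 6, as an added example that is not part of the ticket or of the Ops Manager documentation: it turns a desired-state list into one request body per project and rejects bare group names, since item 3 calls for Group DNs. The body field names (`ldapGroupMappings`, `roleName`, `ldapGroups`) are assumed from the project API reference linked in the description; the DNs and project IDs are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed desired state: (LDAP group DN, Ops Manager role, project IDs).
# DNs and project IDs are placeholders, not values from the ticket.
ASSIGNMENTS = [
    # One read-only group shared across several projects (first case in item 6).
    ("cn=OM_RO_All,ou=groups,dc=example,dc=com", "GROUP_READ_ONLY",
     ["PROJECT_ID_A", "PROJECT_ID_B"]),
    # A project-specific read-only group (second case in item 6).
    ("cn=OM_RO_MyProject,ou=groups,dc=example,dc=com", "GROUP_READ_ONLY",
     ["PROJECT_ID_A"]),
]


def is_group_dn(value):
    """Rough shape check: every comma-separated RDN must look like attr=value.

    Does not handle escaped commas inside a value.
    """
    parts = [p.strip() for p in value.split(",")]
    return len(parts) > 1 and all(
        "=" in p and all(s.strip() for s in p.split("=", 1)) for p in parts)


def build_project_mappings(assignments):
    """Return {project_id: request body}, one mapping entry per role."""
    per_project = defaultdict(lambda: defaultdict(list))
    for dn, role, projects in assignments:
        if not is_group_dn(dn):
            raise ValueError(f"not a group DN: {dn!r}")
        for project_id in projects:
            groups = per_project[project_id][role]
            if dn not in groups:  # keep each DN once per role
                groups.append(dn)
    return {
        pid: {"ldapGroupMappings": [
            {"roleName": role, "ldapGroups": groups}
            for role, groups in sorted(roles.items())]}
        for pid, roles in per_project.items()
    }


if __name__ == "__main__":
    for pid, body in build_project_mappings(ASSIGNMENTS).items():
        print(pid, json.dumps(body, indent=2))
```

Reviewing the generated bodies per project before sending them shows exactly which LDAP groups would hold a role in each project.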

