[DOCS-8426] OpsManager LDAP support clarification
Created: 26/Jul/16 | Updated: 23/Sep/16 | Resolved: 22/Sep/16

| Status: | Closed |
| Project: | Documentation |
| Component/s: | Ops Manager |
| Affects Version/s: | None |
| Fix Version/s: | 3.4.0, mongodb-3.4p1 |
| Type: | Improvement |
| Priority: | Critical - P2 |
| Reporter: | Ricardo Lorenzo |
| Assignee: | Anthony Sansone (Inactive) |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Epic Link: | 3.4: LDAP Authorization |
| Story Points: | 0.5 |

| Description |
Due to the current design for the LDAP membership, it is likely that OpsManager isn't able to support most of the directory implementations (i.e. RedHat 389, Oracle Directory Server, IBM Tivoli Directory Server, etc.). I believe we should state that we only support Active Directory (with some important restrictions). For example, if the groups in the directory are using a nested membership, OpsManager won't be able to detect the membership, as per the Microsoft documentation in relation to the memberOf attribute.

The support for memberOf-like attributes in other directories is not compatible with the current implementation. For example, the memberOf overlay available for OpenLDAP requires the attribute to be invoked from the JNDI query. I guess we should test if that overlay works with the current OpsManager version, but I would say it won't work, as I can't see any specific attribute specification in the LDAP search. The OpenLDAP behaviour is usually the same for the rest of the directory implementations, as you can see in the on-line documentation from other directories.

I suggest mentioning that the only supported directory is Active Directory, which is supported with limitations like the lack of nested group support.
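The two gaps the description raises, as an added example that is not part of this ticket or of Ops Manager's code: a small Python model of a directory with constructed DNs, where `search` stands in for a base-scope LDAP read that returns an operational attribute such as memberOf only when it is requested by name, and where a memberOf-only check is compared against a transitive walk that does resolve nested groups.

```python
# Added example, not Ops Manager code: constructed directory entries keyed by DN.
# "cn=opsmanager-admins" contains the group "cn=engineers" (nested membership);
# user "uid=alice" is a direct member of "cn=engineers" only.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "cn": ["alice"],
        "memberOf": ["cn=engineers,ou=groups,dc=example,dc=com"],
    },
    "cn=engineers,ou=groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
        "memberOf": ["cn=opsmanager-admins,ou=groups,dc=example,dc=com"],
    },
    "cn=opsmanager-admins,ou=groups,dc=example,dc=com": {
        "member": ["cn=engineers,ou=groups,dc=example,dc=com"],
    },
}
OPERATIONAL = {"memberOf"}  # OpenLDAP's memberof overlay serves memberOf as operational
ADMINS = "cn=opsmanager-admins,ou=groups,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"


def search(dn, attrs=("*",), directory=DIRECTORY):
    """Model of a base-scope read: "*" yields user attributes only, so an
    operational attribute like memberOf comes back only when named explicitly."""
    entry = directory.get(dn, {})
    wanted = {a for a in entry if a not in OPERATIONAL} if "*" in attrs else set()
    wanted |= {a for a in attrs if a in entry}
    return {a: entry[a] for a in wanted}


def direct_groups(dn, attrs=("*",), directory=DIRECTORY):
    """Single-level check: the groups a memberOf-only lookup reports."""
    return set(search(dn, attrs, directory).get("memberOf", []))


def effective_groups(dn, directory=DIRECTORY):
    """Transitive closure over memberOf (group-in-group links followed);
    the `seen` set guards against cycles in the group graph."""
    seen, stack = set(), [dn]
    while stack:
        for group in direct_groups(stack.pop(), ("memberOf",), directory):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def has_group(dn, group_dn, nested=False, directory=DIRECTORY):
    """nested=False mirrors a memberOf-only check; nested=True resolves nesting."""
    groups = effective_groups(dn, directory) if nested else direct_groups(dn, ("memberOf",), directory)
    return group_dn in groups
```

Against a real server the same two checks are an `ldapsearch` with and without `memberOf` in the requested attribute list, followed by a walk of each returned group's own memberOf values.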
| Comments |

| Comment by Githook User [ 23/Sep/16 ] |
Author: atsansone (Tony Sansone, tony.sansone@mongodb.com)
Message: (
| Comment by Ricardo Lorenzo [ 16/Sep/16 ] |
Thanks cory.mintz! I'm sorry for the delay in my answer. The workaround should work in my opinion. We can test it against the OpenLDAP overlay, and it should be the same physics laws for the rest of the directories. Thanks again!
| Comment by Cory Mintz [ 15/Sep/16 ] |
ricardo.lorenzo, this is the code path you were looking for, which includes the configured group attribute.

| Comment by Cory Mintz [ 15/Sep/16 ] |
Ops Manager 3.4 QA is coming up soon, so I can tell you what we find in terms of the memberOf attribute being returned from OpenLDAP.

| Comment by Cory Mintz [ 15/Sep/16 ] |
I do not have a comprehensive list as to what directory services are supported and which aren't. To be honest I haven't used them all. I can say that when this feature was built and during QA, OpenLDAP was used. I think the point about nested groups is definitely true and should be added to the docs.
| Comment by Timothy Olsen (Inactive) [ 13/Sep/16 ] |
I honestly have no idea. cory.mintz, do you know or know someone who does?