October 26th, 2015 08:00

ViPR Controller and User Group Attributes

I am attempting to set up Active Directory groups to administer ViPR Controller. I have been successful in creating the authentication provider and adding my AD ID under VDC role assignments. I can then successfully log in with my AD account and be an administrator. I then remove my AD user ID and try to add the AD group I am in. When I attempt to do this with an AD group it does not work. I have tried creating a user group with my AD group, but I cannot find any documentation on what it is looking for in the User Groups > Add > Attribute list, Name and Values. I assume this may be my problem, but I don't know what name and value it is looking for and cannot find anything online or in the documentation.

I have also just tried adding the AD group under VDC Role Assignment as an administrator but that does not work.


October 26th, 2015 13:00

Hi,

Can you check the following configuration,

1) Check to see if there is a 'Group Whitelist' configured in the authentication provider configuration. If it is empty or '*', all domain groups are whitelisted. If any domain group is defined, then the new group has to be added to the whitelist as well.

2) Also, please verify that the search scope and search base of the authentication provider configuration are wide enough to cover the location of the domain group. Maybe the search scope and base only cover the location of the domain users and not the domain group.

3) Also, check to see if there is a ViPR local User Group defined with the same name as the domain group; if so, the local User Group takes precedence over the domain group. In that case you can delete the local group in ViPR and then try with only the domain group.

Also, are you able to successfully assign a VDC role to the domain group in ViPR? If so, that would imply that the search scope and base are correct and we would have to check the other configurations.

Let me know if the issue still persists.


October 27th, 2015 05:00

I finally got it working yesterday and I am still not sure why it is working now. It is pretty much set up as I had it before. I did delete the authentication provider and add it back.

I pretty much have all the defaults for an AD authentication provider, except that the search scope is subtree as opposed to one level and the search base is at the domain level. After I did that I was able to create a new VDC role assignment for group@domain.com and grant it administrator. I can now log in successfully with AD credentials that reside in that AD group.

I still don't know, under User Groups (even though it is not used with AD), where you determine the attribute options to use. The same goes for Tenant > User Mapping Rules. Where do you find the attribute options you can use in those values?

Thanks

Jeff


October 27th, 2015 12:00

Hi Jeff,

Glad that it is working now. So it was point (2): the search base and scope of the authentication provider configuration had to be modified to include the location of the domain group as well.

On the local User Groups in ViPR: User Groups are used to group a set of Active Directory (AD) or LDAP user attributes into a named entity that can be used as a group in tenant user mappings, role assignments, and ACL assignments. For example, suppose AD users have the attribute 'Department' = 'ViPR Admin', where Department is an AD attribute that can be set on AD users. Although there is no explicit group in AD containing all the users with the value 'ViPR Admin', we can create a local User Group within ViPR called ViPR-Admin and set its attribute field to 'Department' = 'ViPR Admin'. This gives us a local group in ViPR that groups all the AD users whose 'Department' attribute is 'ViPR Admin'.

So although there is no real group in AD, we can create a local group in ViPR that groups AD/LDAP users within ViPR based on the attributes set for those users on the AD/LDAP server. Hence, by assigning roles, ACLs or tenant mappings to the local User Group, all users with the specified attributes obtain the role, ACL or tenant mapping.

Let me know if this clarifies your question on ViPR local User Groups.

Thanks,

Davidson
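The checklist above (group whitelist, search base/scope coverage of the group's location) and the attribute-based local User Group just described, modelled as an added Python example. This is not ViPR Controller code: it uses a small constructed in-memory directory in place of a real AD/LDAP server, and the DNs, user names, group name and the `department` attribute values are assumptions. It shows why a group sitting under OU=Groups is missed when the search scope is 'One Level' on a domain-level base but found with 'Subtree', how a whitelist pattern such as `Admins*` behaves, and how a ViPR-style local User Group keyed on an attribute picks up users regardless of their explicit AD group membership.

```python
"""Model of the AD/LDAP integration checks discussed in this thread.

Constructed in-memory directory (assumption, not real data); not ViPR code.
DN handling is a simplified comma split with no RDN escaping.
"""
from fnmatch import fnmatchcase

# Constructed sample directory: DN -> attributes. Users live under OU=Users,
# groups under OU=Groups, so a one-level search from the domain root sees neither.
DIRECTORY = {
    "CN=jeff,OU=Users,DC=domain,DC=com": {
        "objectClass": "user", "sAMAccountName": "jeff", "department": "ViPR Admin"},
    "CN=alice,OU=Users,DC=domain,DC=com": {
        "objectClass": "user", "sAMAccountName": "alice", "department": "ViPR Admin"},
    "CN=bob,OU=Users,DC=domain,DC=com": {
        "objectClass": "user", "sAMAccountName": "bob", "department": "Finance"},
    "CN=Admins,OU=Groups,DC=domain,DC=com": {
        "objectClass": "group", "cn": "Admins",
        "member": ["CN=jeff,OU=Users,DC=domain,DC=com"]},
}


def _rdns(dn):
    """Lower-cased RDN list, leaf first (simplified: no escaped commas)."""
    return [p.strip().lower() for p in dn.split(",")]


def in_scope(entry_dn, search_base, scope):
    """Would an LDAP search with this base and scope return entry_dn?

    scope: 'base' (only the base entry), 'one' (direct children of the base,
    ViPR's 'One Level'), or 'sub' (whole subtree, ViPR's 'Subtree').
    """
    entry, base = _rdns(entry_dn), _rdns(search_base)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                      # entry is not under the base at all
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def whitelisted(group_cn, whitelist):
    """ViPR-style group whitelist: empty or '*' means every domain group."""
    if not whitelist or whitelist == ["*"]:
        return True
    return any(fnmatchcase(group_cn.lower(), pat.lower()) for pat in whitelist)


def find_group(group_cn, search_base, scope):
    """DN of the AD group as the authentication provider would find it, or None."""
    for dn, attrs in DIRECTORY.items():
        if (attrs.get("objectClass") == "group"
                and attrs.get("cn", "").lower() == group_cn.lower()
                and in_scope(dn, search_base, scope)):
            return dn
    return None


def group_usable(group_cn, search_base, scope, whitelist):
    """Both conditions for assigning a role to group@domain: found and whitelisted."""
    return (find_group(group_cn, search_base, scope) is not None
            and whitelisted(group_cn, whitelist))


def ad_group_members(group_dn):
    """Explicit AD group membership (the group's 'member' attribute)."""
    return sorted(DIRECTORY[m]["sAMAccountName"]
                  for m in DIRECTORY[group_dn].get("member", []))


def local_user_group_members(attr_name, attr_values):
    """Members of a ViPR-style local User Group: users whose attribute is in attr_values."""
    wanted = {v.lower() for v in attr_values}
    return sorted(a["sAMAccountName"] for a in DIRECTORY.values()
                  if a.get("objectClass") == "user"
                  and str(a.get(attr_name, "")).lower() in wanted)


if __name__ == "__main__":
    base = "DC=domain,DC=com"
    for scope in ("one", "sub"):
        print(scope, find_group("Admins", base, scope))
    print(whitelisted("Admins", ["Admins*"]), whitelisted("Finance", ["Admins*"]))
    print(ad_group_members("CN=Admins,OU=Groups,DC=domain,DC=com"))
    print(local_user_group_members("department", ["ViPR Admin"]))
```

With the domain root as search base, `find_group` returns `None` for scope `one` and the group's DN for scope `sub`, which matches the fix reported in the thread. The last two calls show the difference between the two kinds of group: `ad_group_members` returns only `jeff`, who is an explicit member of the AD group, while the attribute-based local User Group also returns `alice`, who shares the `department` value but belongs to no AD group.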


October 28th, 2015 05:00

Davidson,

That makes much more sense now on the User groups.  I have read and reread the docs but it did not click until you wrote that.

Thanks again.

Jeff


October 28th, 2015 11:00

Hi Jeff,

Glad that the information shared was helpful. Please feel free to reach out in case you run into any other issues with LDAP/AD integration with ViPR Controller. I will also create a documentation defect to have the ViPR documents updated with a real-life example of User Groups in ViPR, so that they will be more useful.

Thanks,

Davidson

April 27th, 2016 13:00

Hi Davidson, et al:

I'm having an issue with mapping users into tenants and making them see the correct projects. Specifically, Service Catalog end users are able to see a Project A created under the Provider Tenant created at deployment, and only then when I add the AD userID to the Project list. I don't want them to use the Provider Tenant/Project A.

I have created other Tenants and Projects, but the end users do not see those at all, even if I add them to the Project ACL using ViPR User Groups, AD userID, or AD AdminsID. If I add AD AdminsID to VDC roles, then they can see all the projects, but these are supposed to be Service Catalog end users.

There is an authentication provider for this domain that is allowing us to log in with our NW PINs, so AD authentication is working. The AD group "Admins*" is added to the authentication whitelist, but even when it's "*" it still doesn't find the members. The AD group is Admins at Domain, but in the whitelist I input Admins*.

I would also like to know the difference between a ViPR User Group and AD user groups; it seems like I shouldn't *have* to use the ViPR User Group if the AD group is implemented correctly in ViPR, right? It seems like the ViPR User Group is not picking up the AD attribute and value.

My VDC roles are System Admin, Security Admin, System Monitor, and System Auditor.

I am the owner of the Projects I created.

I have gone through your checklist above; the authentication user has read-all-inet and search permissions in the search base.

April 28th, 2016 09:00

While logged in with my AD PIN, when adding the AD adminsgroup.domain to a Tenant B (not Provider):

Error: 1013 (http: 400): Bad request body. Invalid User-Mapping change, which will cause SecurityAdmin myADpin@ get mapped out of Provider Tenant, and lose its SecurityAdmin roles.

Logged out and logged on as Root, edited Tenant B, added ADadminsgroup to Tenant B. So the good news is that everyone in ADadminsgroup can now see Tenant B; the bad news is that I am also a member of that group, so now I too can only see the Service Catalog.

Now I can only see *everything* when I am logged on as Root... I will see if I can get my PIN back to the correct VDC roles, maybe with ViPR User Groups and attributes, or another AD group for VIPRadmins@domain.

Is anyone creating separate AD groups for Service Catalog End Users and another AD group for VIPR admins?
