Today I was tasked with making my ManageIQ instance available to all of our AD users, provided they were in a particular group… I saw no clear documentation on how this was done (much to my dismay). The problem for us was that although you can go to Configure->Configuration->Server->Authentication, open the Mode drop-down menu and select LDAP, there is no place for the username and password of our read-only LDAP account… (see below)
The two items you see blocked out there are my LDAP server address and the trailing domain for the end users. But as you can see, there is no place for me to add my read-only user so that ManageIQ can get access to the LDAP server…
(Please take note that ManageIQ will give you doom and gloom about manually editing the configuration files…)
So this is how we configure it to work:
1. On the third row of options down (where Authentication is currently highlighted) go to the “Advanced” tab.
2. In the “File” drop-down menu make sure that “EVM Server Main Configuration” is selected.
*NOTE* If you set up your LDAP host on the Authentication page previously, the LDAP host settings will already be in there for you, along with your port.
3. Edit the following lines to reflect your environment:
base o=<base DN>
binddn uid=<bind username>
bindpw <bind password>
*NOTE* For troubleshooting, log in to the appliance via the command line and run a tail on /var/www/miq/vmdb/log/evm.log; it will serve you well to grep for “ERROR”:
# tail -f /var/www/miq/vmdb/log/evm.log | grep ERROR
4. Now I wanted to set up roles based on groups… But first I had to tell MIQ where to look. So go back to the Authentication page (Configure->Configuration->Server->Authentication), scroll down to the bottom of the page and, underneath “Role Settings”, check the “Get User Groups from LDAP” and “Get Roles from Home Forest” check boxes. Then fill in the “Base DN” (where you want it to look for said groups), the “Bind DN” (the user account used to query for groups), and finally the “Bind Password”, which is obviously the password of your Bind DN account. It should look like this:
5. Click Validate. It should come back with a little success message at the top of the page.
(I swear we are almost there)
6. In the lower left-hand corner of the screen click on “Access Control” and then on “Groups”.
7. You will notice a “Configuration” button at the top. Click on it and then on “Add a new Group”.
8. At the top, give the group a Description (keep it the same as the group name in AD). Then check the box to the right, “Look Up LDAP Groups”, and just below that choose a default Role for the group (these are the equivalent of ACLs and control access, so choose wisely).
9. Below this section you have “LDAP Group to Look Up”. Enter a user who is a member of the group of interest, then enter the LDAP username and password and click “Retrieve”. Once this is done you will get a drop-down at the top, “LDAP Groups for User”. Select the appropriate group; at this point you can click Add (in the bottom right-hand corner of the screen). If you want to narrow down their access so they can only view certain things, go to the “Assign Filters” section at the very bottom of the page and assign the hosts, clusters, VMs or tags that the group is allowed to view.
Now at this point anyone who is in that group can log in to ManageIQ and will automatically have the permissions of the role you assigned (in my case “approver”). You should be all set!
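A pre-flight check for the bind settings from step 3 and the user lookup from step 9, added here as an example and not part of the original post or the ManageIQ project. It assumes OpenLDAP's ldapsearch is present on the appliance, that the directory is AD (sAMAccountName/memberOf) and reachable over LDAPS, and that the function names are this example's own; the filter escaping follows RFC 4515 so a typed username cannot change the filter's structure.

```shell
#!/bin/sh
# Check the read-only bind account and the group lookup with ldapsearch
# before putting base/binddn/bindpw into the EVM Server Main Configuration.
# Function and variable names are assumptions of this example.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# Backslash must be handled first so the other escapes are not re-escaped.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Filter for the user ManageIQ looks up in the "LDAP Group to Look Up" step,
# matched on the AD sAMAccountName.
user_filter() {
  printf '(&(objectClass=user)(sAMAccountName=%s))' "$(ldap_filter_escape "$1")"
}

# ldap_preflight HOST BASE BINDDN PASSFILE USER
# Binds as the read-only account and prints the user's memberOf values, so a
# bind or search failure shows up here instead of in evm.log. The password
# is read from a file (-y) rather than passed with -w, which would expose it
# in the process list.
ldap_preflight() {
  host=$1; base=$2; binddn=$3; passfile=$4; user=$5
  ldapsearch -x -LLL -o ldif-wrap=no \
    -H "ldaps://$host" \
    -D "$binddn" -y "$passfile" \
    -b "$base" "$(user_filter "$user")" memberOf
}

# Usage (constructed values):
#   sh ldap_preflight.sh ldap.example.com 'DC=example,DC=com' \
#     'CN=miq-ro,OU=Service,DC=example,DC=com' /root/miq-bind.pw jdoe
if [ "$#" -eq 5 ]; then
  ldap_preflight "$@"
fi
```

If the bind fails here, fix the credentials before editing the configuration; if the bind works but memberOf is empty, the group lookup in step 9 will come back empty as well.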