vRealize Network Insight supports the following two types of users:

  • Users created on the vRealize Network Insight Platform VM

  • LDAP users

To allow LDAP users to log in to vRealize Network Insight, configure the LDAP service in the vRealize Network Insight Platform as follows:

To Enable LDAP-Based User Authentication

  1. On the Settings page, click LDAP.

  2. Click Configure.

  3. On the Configure LDAP page, type the appropriate domain, LDAP Host URL, and LDAP credentials in the respective boxes. See the following table for individual field descriptions.

    Table 1.

    | Field | Description |
    | --- | --- |
    | Domain | This is typically the last part of the user email address after the '@' sign. Example: For a user logging in as johndoe@example.com, this field is example.com |
    | LDAP Host URLs | You can specify multiple LDAP Host URLs separated by commas. |
    | Username | User with the necessary rights to log in using the settings provided. |
    | Password | Password of the user. |

    You can configure a group and provide a role to the members of that group. To enable this functionality, select Group based access control.

    1. Under Base DN, type the Base DN, the point from which the server starts searching for users.

    2. Under Group DN, add groups.

    3. For each group, select the role of the user as member or administrator from the drop-down menu. If you select the administrator role for a particular group, then all the members of that group have the administrator privilege. Similarly, if you select the member role for a particular group, then all the members of that group have the member privilege. If this option is not selected, then the group setting is used to assign the privileges, but other valid LDAP users who do not belong to the groups that you have added can also log in to the product.

    4. Click Add more to add groups in the inclusion list.

    To allow access to the users only from the LDAP groups (direct or inherited membership) that you have added, select the Restrict access to members of the above groups only check box. To

  4. Click Submit to configure LDAP.

After the LDAP configuration is successful, a new drop-down menu is available on the login screen where users can select whether they want to log in locally or using their LDAP credentials.

The LDAP credentials are not saved anywhere.

Considerations about Groups and Inheritance

  • For the groups that you have added under Group DN, users in their child groups can also log in using the LDAP credentials.

  • Inheritance is not considered for the role assignment. For example, if a user has to be an administrator, the direct group to which the user belongs should be assigned the administrator role. The user belonging to the child group will not have the administrator role.

  • If you have assigned the administrator role to a group and you want to exclude a particular user in that group from the administrator role, perform the following steps:

    1. On the Settings page, click User Management.

    2. Under the LDAP Users tab, you can see the assigned role of that particular user and also that the role has been inherited from the group.

    3. Click the edit icon. Under Role, select Member from the drop-down menu for that user. In this way, you assign a role directly to the user.

    4. Click Save Changes.

    5. Enter your password to confirm. Click Authorize.

  • If you want a user to inherit the role from the group to which the user belongs, perform the following steps:

    1. On the Settings page, click User Management.

    2. Under the LDAP Users tab, you can see the assigned role of that particular user and also that the role has been directly assigned to the user.

    3. Click the delete icon to delete that LDAP user.

    4. When that particular user logs in, the user inherits the role from the parent group by default.

  • While a user is logged in, if someone changes the role of the group to which the user belongs, the new role comes into effect only after the user logs out.

  • LDAP users who were logged in before an upgrade have direct roles after the upgrade and do not inherit the role from the group.

  • Suppose that a user belongs to multiple groups. For example, a user belongs to Group A, Group B, and Group C. If Group A is assigned the administrator role, and Group B and Group C are assigned the member role, then the user inherits the administrator role.
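
The group and role rules listed above, modelled as an added Python example (not VMware code) for checking who would receive the administrator role before a group configuration is submitted. The group names, users and function names are constructed; it assumes that a user admitted only through a child group, or admitted because the restriction check box is cleared, receives the member role, which this page does not state.

```python
# Added model of the group/role rules on this page; not product code.
ADMIN, MEMBER = "administrator", "member"

def ancestors(group, parent_of):
    """Return every group that `group` is nested under (cycle-safe)."""
    seen, stack = set(), list(parent_of.get(group, ()))
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(parent_of.get(g, ()))
    return seen

def effective_role(user, direct_groups, parent_of, group_roles,
                   direct_roles=None, restrict=True):
    """Return the role `user` gets at login, or None if login is refused."""
    mine = set(direct_groups.get(user, ()))
    reachable = set(mine)
    for g in mine:
        reachable |= ancestors(g, parent_of)
    # Access: direct or inherited membership of an added group counts.
    if restrict and not (reachable & group_roles.keys()):
        return None
    # A role assigned directly to the user replaces the group role.
    # ASSUMPTION: the access restriction is evaluated before this override.
    if direct_roles and user in direct_roles:
        return direct_roles[user]
    # Role: only the user's direct groups count; administrator wins.
    if any(group_roles.get(g) == ADMIN for g in mine):
        return ADMIN
    # ASSUMPTION: everyone else who may log in is treated as a member.
    return MEMBER

# Constructed sample directory: child group -> parent groups.
PARENT_OF = {"NetOps-Contractors": ["NetOps-Admins"]}
GROUP_ROLES = {"NetOps-Admins": ADMIN, "NetOps-Viewers": MEMBER}
DIRECT_GROUPS = {
    "alice": ["NetOps-Admins"],
    "bob": ["NetOps-Contractors"],            # nested under NetOps-Admins
    "carol": ["NetOps-Viewers", "NetOps-Admins"],
    "dave": ["Finance"],                      # not in any added group
}

def audit(restrict=True, direct_roles=None):
    """Map each sample user to the role they would receive."""
    return {u: effective_role(u, DIRECT_GROUPS, PARENT_OF, GROUP_ROLES,
                              direct_roles, restrict) for u in DIRECT_GROUPS}

if __name__ == "__main__":
    print(audit())
```

Running `audit(restrict=False)` shows the effect of leaving the restriction check box cleared: the user outside every added group is no longer refused.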