This is the latest documentation for BMC Helix Network Management (formerly known as Netreo).

 

How to Configure Netreo to Use Active Directory (LDAP) for User Management


This feature is available for on-premises deployments only.

Once Active Directory (LDAP) is enabled, you will only be able to log in to BMC Helix Network Management using Active Directory usernames and passwords (except for the default BMC Helix Network Management administrator local account).

(To log in to BMC Helix Network Management using the default "administrator" local account, use the user name “administrator” along with the password configured for that account when BMC Helix Network Management was first set up. This indicates to BMC Helix Network Management that you wish to bypass Active Directory. This is useful if your Active Directory server is down or unreachable for some reason.)

Warning

If Active Directory is enabled and you delete the preconfigured BMC Helix Network Management local account "administrator", you will not have access to BMC Helix Network Management if your Active Directory server becomes unreachable.

  1. Log in to BMC Helix Network Management as a user with the SuperAdmin access level.
  2. Go to the main menu and select Administration > Users > Authentication Settings to navigate to the Authentication Settings page.
  3. In the TYPE field of the Authentication panel, select Active Directory (LDAP) from the pull-down menu. The Active Directory configuration options become visible.
  4. Select Add New Directory Server to add a new Active Directory server to BMC Helix Network Management.
  5. In the dialog that appears:
    1. In the LDAP SERVER IP field, enter the IP address of the directory server that you want BMC Helix Network Management to use (this will usually be a primary or backup domain controller in an Active Directory environment).
    2. In the DESCRIPTION field, enter a description for this directory server (for example, “Primary Domain Controller”).
    3. In the PRIORITY field, select either Primary or Backup from the pull-down selector.
      • Select Primary if you are only configuring a single directory server.
      • Select Backup if you are configuring a backup server for use if the primary server is unreachable.
    4. In the DOMAIN SUFFIX field, enter your AD domain suffix.
      • The account suffix is required. It is typically the part of your addressing system after the “at” symbol (@), for example, “@netreo.com.” It is used to look up domain users and must be correct. Consult your Active Directory administrator if you are unsure of this setting.
    5. In the BASE DN field, enter your AD Base DN.
      • The Base DN is the top level of the LDAP directory tree and typically takes the form “dc=netreo,dc=com” where each section of the account suffix is identified as a separate “dc=” section. In some cases, it may differ from your account suffix. This is used to look up domain users and must be correct. Consult your Active Directory administrator if you are unsure of this setting.
    6. In the OPENLDAP field, select Yes or No, depending on whether or not you are using OpenLDAP.
    7. In the USER GROUP NAME field, enter the AD user group names to which you would like to give BMC Helix Network Management access.
      • These may be either “Security” or “Distribution” groups. Either will work.
      • Changes in permission levels for individual accounts within the specified group must be done on BMC Helix Network Management's Users Administration page.
      • You may choose to forgo entering a group name here and instead specify AD user groups for specific BMC Helix Network Management access levels in the User Permission Mapping section detailed below.
    8. Select Save.
  6. If your AD server uses SSL, switch the USE SSL field to ON.
    • Turning on this option allows BMC Helix Network Management to send the authentication request over a secure SSL/TLS connection using port 636/TCP. For this option to work, an SSL certificate must be installed on your LDAP authentication server, and port 636/TCP must be open from BMC Helix Network Management to the server.
  7. Optional: If desired, you may specify multiple AD user groups in the User Permission Mapping section for any or all BMC Helix Network Management user access levels. Enter a user group name in the entry field next to a BMC Helix Network Management access level for that group to be granted the access privileges of that level.
    • If groups are configured in this section, the group specified in the directory server settings above is ignored.
    • Specifying user groups in this section also causes BMC Helix Network Management to update a user's access level every time they log in (facilitating the movement of a user from one group to another).
    • If a user belongs to more than one of the configured groups, their permission level is set to that of the highest-level group they belong to.
  8. Select Save.
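
A pre-flight check for the values entered in steps 5 and 6, as an added example that is not part of the BMC documentation or product: it derives the Base DN from the domain suffix as described above, flags a pair that disagrees, and attempts a certificate-verified TLS handshake on port 636/TCP. The function names and the sample address 192.0.2.10 are assumptions of this example.

```python
import socket
import ssl

def base_dn_from_suffix(suffix):
    """'@netreo.com' -> 'dc=netreo,dc=com' (one dc= per label of the suffix)."""
    labels = suffix.strip().lstrip("@").split(".")
    if not all(labels):
        raise ValueError(f"malformed domain suffix: {suffix!r}")
    return ",".join(f"dc={label.lower()}" for label in labels)

def normalize_dn(dn):
    """Case- and whitespace-insensitive form for comparing two simple DNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def review_directory_settings(suffix, base_dn):
    """Return findings for the DOMAIN SUFFIX / BASE DN pair (empty list = consistent)."""
    try:
        expected = base_dn_from_suffix(suffix)
    except ValueError as exc:
        return [str(exc)]
    if normalize_dn(base_dn) != expected:
        # The page notes the Base DN may legitimately differ, so this is a
        # prompt to confirm the value, not a hard failure.
        return [f"Base DN {base_dn!r} differs from {expected!r} derived "
                "from the suffix; confirm with the AD administrator"]
    return []

def ldaps_handshake(host, port=636, timeout=5.0):
    """Attempt a certificate-verified TLS handshake; return (ok, detail)."""
    ctx = ssl.create_default_context()  # verifies chain and name/IP against the SAN
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                expires = tls.getpeercert()["notAfter"]
                return True, f"{tls.version()}, certificate expires {expires}"
    except (OSError, ssl.SSLError) as exc:  # closed port, timeout, untrusted or mismatched cert
        return False, f"{type(exc).__name__}: {exc}"

if __name__ == "__main__":
    # Constructed sample values; 192.0.2.10 is a documentation address, not a real server.
    print(review_directory_settings("@netreo.com", "dc=netreo,dc=com"))
    print(review_directory_settings("@netreo.com", "dc=corp,dc=netreo,dc=com"))
    print(ldaps_handshake("192.0.2.10", timeout=2.0))
```

Because the server is configured by IP address, the handshake check passes only if the certificate lists that address in its subject alternative names and chains to a CA trusted by the host running the script. The page does not state how BMC Helix Network Management itself validates the certificate.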

All current users must log out and log back in again using their Active Directory credentials.
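
The User Permission Mapping rules from step 7, modeled as an added audit example (not BMC's code): given an export of AD group memberships, it lists users whose stored access level will change at their next login. Only "SuperAdmin" is a level name from the page; the other level names, the group names, the users, case-insensitive group matching and the use of direct memberships only are assumptions.

```python
# Access levels, lowest to highest. Only "SuperAdmin" is named on the page;
# the other names are placeholders for this example.
LEVELS = ["ReadOnly", "Operator", "Admin", "SuperAdmin"]

def level_at_next_login(user_groups, mapping):
    """Level the User Permission Mapping would assign, or None if no group matches.

    mapping: {access level: AD group name}. The directory-server USER GROUP NAME
    is not consulted, because the page says it is ignored once mapping groups
    are configured. Group names compare case-insensitively (an assumption).
    """
    member_of = {g.lower() for g in user_groups}
    matched = [lvl for lvl, grp in mapping.items() if grp.lower() in member_of]
    return max(matched, key=LEVELS.index, default=None)  # highest level wins

def audit(users, mapping):
    """Yield (user, stored level, level at next login) where the two differ."""
    for name, info in sorted(users.items()):
        new = level_at_next_login(info["groups"], mapping)
        if new != info["stored_level"]:
            yield name, info["stored_level"], new

# Constructed sample data: the mapping as entered in the UI, plus a membership export.
MAPPING = {"SuperAdmin": "NetOps-Admins", "Operator": "NOC-Staff", "ReadOnly": "Helpdesk"}
USERS = {
    "alice": {"groups": ["NOC-Staff", "NetOps-Admins"], "stored_level": "Operator"},
    "bob":   {"groups": ["Helpdesk"], "stored_level": "ReadOnly"},
    "carol": {"groups": ["Helpdesk", "noc-staff"], "stored_level": "Admin"},
    "dave":  {"groups": ["Finance"], "stored_level": "ReadOnly"},
}

if __name__ == "__main__":
    for user, old, new in audit(USERS, MAPPING):
        print(f"{user}: {old} -> {new or 'no mapped group'}")
```

A result of None means no mapped group matched; the page does not say what happens to such a user, so the model reports the case instead of guessing.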

 

 
