October 26th, 2015 08:00

ViPR Controller and User Group Attributes

I am attempting to set up Active Directory groups to administer ViPR Controller. I have been successful in creating the authentication provider and adding my AD ID under VDC role assignments. I can then successfully log in with my AD account and be an administrator. I then remove my user AD ID, then try to add the AD group I am in. When I attempt to do this with an AD group it does not work. I have tried creating a user group with my AD group, but I cannot find any documentation on what it is looking for in the User Groups > Add > Attribute list, Name and Values. I assume this may be my problem, but I don't know what name and value it is looking for and cannot find anything online or in documentation.

I have also just tried adding the AD group under VDC Role Assignment as an administrator but that does not work.

October 27th, 2015 05:00

I finally got it working yesterday and I am still not sure why it is working now. It is pretty much set up as I had it before. I did delete the authentication provider and add it back.

I pretty much have all the defaults from an AD authentication provider, except search scope is subtree as opposed to one level and search base is at domain level. After I did that I was able to create a new role for VDC with group@domain.com and grant it administrator. I can now log in with AD credentials that reside in that AD group successfully.

I still don't know under User Groups (even though it is not used with AD) where you determine the attribute options to use. The same thing for Tenant, User Mapping Rules. Where do you find the attribute options you can use in those values?

Thanks

Jeff

October 28th, 2015 05:00

Davidson,

That makes much more sense now on the User groups.  I have read and reread the docs but it did not click until you wrote that.

Thanks again.

Jeff

April 27th, 2016 13:00

Hi Davidson, et al:

I'm having an issue with mapping users into tenants and making them see the correct projects. Specifically, Service Catalog / End Users are able to see a Project A created under the Provider Tenant created at deployment, and only then when I add AD userID to the Project List. I don't want them to use the Provider Tenant/Project A.

I have created other Tenants and Projects, but the End Users do not see those at all even if I add them to the Project ACL using VIPR User Groups, AD userID, or AD AdminsID. If I add AD AdminsID to VDC roles, then they can see all the projects, but these are supposed to be service catalog end users.

There is an authentication provider for this domain that is allowing us to log in with our NW PINS, so AD authentication is working. The AD group "Admins*" is added to the Authentication whitelist, but even when it's "*" it still doesn't find the members. The AD group is Admins at Domain, but in the whitelist I input Admins*.

Would also like to know the difference between ViPR User Group and AD User Groups, seems like I shouldn't *have* to use the VIPR User Group if the AD group is implemented correctly in VIPR, right? It seems like the VIPR User Group is not picking up the AD attribute and value.

My VDC roles are System Admin, Security Admin, System Monitor, and System Auditor.

I am the owner of Projects I created.

I have gone through your checklist above, authentication user has read all inet and search permissions in the search base.

April 28th, 2016 09:00

While logged in with my AD pin, when adding the AD adminsgroup.domain to a Tenant B (not Provider) -

Error:  1013 (http: 400):  Bad request body.  Invalid User-Mapping change, which will cause SecurityAdmin  myADpin@ get mapped out of Provider Tenant, and lose its SecurityAdmin roles.

Logged out and logged on as Root, edit Tenant B, add ADadminsgroup to Tenant B - so the good news is that everyone in ADadminsgroup can now see Tenant B, the bad news is that I am also a member of that group so now I too can only see the Service Catalog.

Now I can only see *everything* when I am logged on as Root...  will see if I can get myPIN back to correct VDC roles,  maybe  w/ VIPR user groups and attributes...or another AD group for VIPRadmins@ domain.

Is anyone creating separate AD groups for Service Catalog End Users and another AD group for VIPR admins?
