I'm setting up NCM for the first time. Is there a Pros/Cons list or Best Practices doc that helps me understand why I should use MSAPI or LDAP for authenticating NCM users? The Admin Guide briefly mentions MSAPI and LDAP but not in any detail.
Optimally I want to have an AD group that has some users and I only want members of that group to be able to log in to the NCM web console.
Thanks for any tips.
I haven't tried using MSAPI but I use LDAP and one of the limitations is that you can only bind to one AD server. There is a workaround: by binding to a load balancer in front of an AD server you gain redundancy. As far as NCM is concerned, there is a lot of control over which groups have access to which features. I use role-based security and my network admin group is allowed full access to read configs, modify templates, and do operations on devices, while my helpdesk group is only allowed minimal functionality.
I see the 1 LDAP server limitation. That alone is a big deal.
I'd rather not guess which one to use, so if there is any documentation on why to use MSAPI or LDAP it would be helpful. I've Google-searched MSAPI and the results are scarce.
Any help or guidance would be great. Thanks!
In looking at the settings with LDAP it appears you have more control over the mechanism used to connect to the authentication source. With LDAP you can use an SSL binding and pull groups from a specific cn. I used LDAP because I wanted to use an SSL binding to the AD servers.
I see that but I still don't understand what MSAPI is. Do you feel that MSAPI is insecure?
I opened a support ticket with SW and if I receive any good info I'll post it to this thread.
Ok check out these links. If you use MSAPI then the webserver or polling server needs to be a member of the domain your AD users are in. If you use LDAP then it doesn't need to be in the domain.
The webserver uses IIS as the webserver for the Orion web pages. IIS uses MSAPI to talk to AD to authenticate users, meaning your users will need to be in the same AD structure that your web server is in. If you have users from other domains then the domains would need a trust relationship with the domain of your Orion web server in order to authenticate them. If you use LDAP then you can link to the users in the other domain without having to set up a trust.