Title here
Summary here
Configure LDAP Authentication
Warning
SoftIron provides these steps as reference examples, and they are not intended to be a reflection of best-practices in regard to the configuration, operation, or design schema of an LDAP server.
The configuration examples provided are in no means exhaustive or representative of every possible configuration of an LDAP directory. As such, they may not match the configuration of your LDAP infrastructure, and the configuration may need to be modified by local experts to match the needs and configuration of your organization.
Assumptions
- Have followed the steps in Installation and have a working VM Squared cluster.
- Have added SSH key to the Cluster SSH Authorized Keys outlined in Dashboard Console
- Knowledge of LDAP configuration and credentials
Gather pre-requisite information
- The IP of an LDAP server that is accessible by the dashboard
- The credentials of a user account with permissions to read LDAP objects (typically a dedicated “bind” user is recommended)
- The distinguished name of the base location within your LDAP schema from which you wish to search for users and groups
- The distinguished name of the LDAP group which contains the users to whom you wish to grant access
LDAP Configuration
- SSH into the VM Squared dashboard console and run the manage-ldap command
VMsquared:vmsquared\dashboard> manage-ldap
Configuration Creation
----------------------
1) Create new AD configuration with wizard
2) Create new AD configuration
3) Create new LDAP configuration
4) Quit
Please select [1-4]:- Select the
Create new LDAP configurationoption, and in the Configuration Management menu, selectEdit Configuration
VMsquared:vmsquared\dashboard> manage-ldap
Configuration Creation
----------------------
1) Create new AD configuration with wizard
2) Create new AD configuration
3) Create new LDAP configuration
4) Quit
Please select [1-4]: 3
Configuration Management
------------------------
1) Edit configuration
2) Delete configuration
3) Group Mappings ...
4) Test
5) Commit changes
6) Quit
Please select [1-6]: 1- In many cases, you will need to add user credentials for a bind user (unless unauthenticated binding is enabled in your LDAP configuration).
# LDAP user with the ability to lookup other users.
# If not set, we will attempt to connect anonymously.
:user: 'uid=ldap-bind,ou=users,dc=sa,dc=lab''
:password: 'Ld4pB1nd!'- Define the IP or hostname and port number of the LDAP server you with to authenticate against
:host: 192.168.1.10
:port: 389- Enter the base DN of the location within your LDAP schema where you wish to search for users and groups
:base: 'dc=sa,dc=lab'- Modify and add other values as-needed to match the configuration of your LDAP server.
:user_field: 'uid'
:group_field: 'uniqueMember'
:mapping_filename: mapping.yaml
:mapping_key: GROUP_DN
:mapping_generate: falseUse
CTRL + Sfollowed byCTRL + Qto save your changes and exit the editorAt the Configuration Management menu, select
Group Mappings...
Configuration Management
------------------------
1) Edit configuration
2) Delete configuration
3) Group Mappings ...
4) Test
5) Commit changes
6) Quit
Please select [1-6]: 3- Select the option to edit the appropriate YAML file (mapping.yaml is the default file)
Group Mappings
--------------
1) Create new mapping file
2) Edit mapping.yaml
3) Delete mapping.yaml
4) Back ...
5) Quit
Please select [1-5]: 2- Replace “cn=example_group,ou=Groups,dc=my_company,dc=com” with the distinguished name of the LDAP group you wish to map, and if needed, replace “1” with the ID of a group within the dashboard that you wish to map to the AD group.
# A mapping file maps from a directory group to a cloud group.
"cn=normal-users,ou=groups,dc=sa,dc=lab": "0"Add lines as-needed to map additional groups. When finished save your changes with
CTRL + S, and then hitCTRL + Qto exit the editor.At the Group Mappings menu, select the option to go Back, and then commit your changes at the Configuration Management Menu
Group Mappings
--------------
1) Create new mapping file
2) Edit mapping.yaml
3) Delete mapping.yaml
4) Back ...
5) Quit
Please select [1-5]: 4
Configuration Management
------------------------
1) Edit configuration
2) Delete configuration
3) Group Mappings ...
4) Test
5) Commit changes
6) Quit
Please select [1-6]: 5
CommittedPrior to testing the connection, follow the steps in the “Adding Users” section to ensure all of the requisite users have been created in the dashboard.
At the Configuration Management menu, after users have been added to the dashboard, select the
Testoption, and follow the prompts to confirm the connection is valid.
Configuration Management
------------------------
1) Edit configuration
2) Delete configuration
3) Group Mappings ...
4) Test
5) Commit changes
6) Quit
Please select [1-6]: 4
Enter the username: normal-user
Enter the password: N0rmalUs3r!
Trying LDAP server 'server1'
'normal-user' (cn=normal-user,ou=People,dc=sa,dc=lab) => groups: 0
Success- Select the
Quitoption to exit themanage-ldaptool.
At this point Active Directory has been enabled on the VM Squared cluster.
Adding LDAP Users to VM Squared
Please note that you must create placeholder users in the UI and associate them with the proper group before they will be able to log in. You can create users via the Glasshouse GUI, Manifold API calls, or the VM Squared Dashboard. This guide will focus on the first option.
Creating Users With the Glasshouse GUI
After logging in, navigate to System > Users. Click the Create button to create a user.
Ensure that the username entered matches the username of a user that belongs to an LDAP group mapped during the configuration.
- Change the “Authentication Type” to LDAP.
- Enter a random character string in the “Password” and “Confirm Password” fields (it simply needs to match), this is required for user creation but does not need to be remembered and will not be used again.
Click next, and ensure that the user’s primary group matches the mapping file.
Click Finish. The user is now able to log in.