Configure LDAP Authentication

Warning

SoftIron provides these steps as reference examples only; they are not intended to reflect best practices for the configuration, operation, or design schema of an LDAP server.

The configuration examples provided are by no means exhaustive or representative of every possible configuration of an LDAP directory. They may not match the configuration of your LDAP infrastructure, and local experts may need to modify them to suit the needs and configuration of your organization.

Assumptions

  • You have followed the steps in Installation and have a working VM Squared cluster.
  • You have added your SSH key to the Cluster SSH Authorized Keys, as outlined in Dashboard Console.
  • You have knowledge of your LDAP configuration and credentials.

Gather prerequisite information

  • The IP of an LDAP server that is accessible by the dashboard
  • The credentials of a user account with permissions to read LDAP objects (typically a dedicated “bind” user is recommended)
  • The distinguished name of the base location within your LDAP schema from which you wish to search for users and groups
  • The distinguished name of the LDAP group which contains the users to whom you wish to grant access

LDAP Configuration

  1. SSH into the VM Squared dashboard console and run the manage-ldap command.
VMsquared:vmsquared\dashboard> manage-ldap

Configuration Creation
----------------------
1) Create new AD configuration with wizard
2) Create new AD configuration
3) Create new LDAP configuration
4) Quit

Please select [1-4]:
  2. Select the Create new LDAP configuration option, and in the Configuration Management menu, select Edit configuration.
VMsquared:vmsquared\dashboard> manage-ldap

Configuration Creation
----------------------
1) Create new AD configuration with wizard
2) Create new AD configuration
3) Create new LDAP configuration
4) Quit

Please select [1-4]: 3

Configuration Management
------------------------
1) Edit configuration
2) Delete configuration
3) Group Mappings ...
4) Test
5) Commit changes
6) Quit

Please select [1-6]: 1
  3. In most cases you will need to supply the credentials of a bind user (unless your LDAP server permits unauthenticated binds, in which case the connection is made anonymously).
    # LDAP user with the ability to lookup other users.
    # If not set, we will attempt to connect anonymously.
    :user: 'uid=ldap-bind,ou=users,dc=sa,dc=lab'
    :password: 'Ld4pB1nd!'
  4. Define the IP address or hostname, and the port number, of the LDAP server you wish to authenticate against.
    :host: 192.168.1.10
    :port: 389
  5. Enter the base DN of the location within your LDAP schema under which users and groups are searched for.
    :base: 'dc=sa,dc=lab'
  6. Modify and add other values as needed to match the configuration of your LDAP server.
    :user_field: 'uid'
    :group_field: 'uniqueMember'
    :mapping_filename: mapping.yaml
    :mapping_key: GROUP_DN
    :mapping_generate: false
  7. Press CTRL + S followed by CTRL + Q to save your changes and exit the editor.

  8. At the Configuration Management menu, select Group Mappings...

Configuration Management
------------------------
1) Edit configuration
2) Delete configuration
3) Group Mappings ...
4) Test
5) Commit changes
6) Quit

Please select [1-6]: 3
  9. Select the option to edit the appropriate YAML file (mapping.yaml is the default file).
Group Mappings
--------------
1) Create new mapping file
2) Edit mapping.yaml
3) Delete mapping.yaml
4) Back ...
5) Quit

Please select [1-5]: 2
  10. Replace “cn=example_group,ou=Groups,dc=my_company,dc=com” with the distinguished name of the LDAP group you wish to map and, if needed, replace “1” with the ID of the dashboard group that you wish to map to the LDAP group.
# A mapping file maps from a directory group to a cloud group.
"cn=normal-users,ou=groups,dc=sa,dc=lab": "0"
  11. Add lines as needed to map additional groups. When finished, save your changes with CTRL + S, and then press CTRL + Q to exit the editor.

  12. At the Group Mappings menu, select the option to go Back, and then commit your changes at the Configuration Management menu.

Group Mappings
--------------
1) Create new mapping file
2) Edit mapping.yaml
3) Delete mapping.yaml
4) Back ...
5) Quit

Please select [1-5]: 4

Configuration Management
------------------------
1) Edit configuration
2) Delete configuration
3) Group Mappings ...
4) Test
5) Commit changes
6) Quit

Please select [1-6]: 5
Committed
  13. Before testing the connection, follow the steps in the “Adding LDAP Users to VM Squared” section to ensure all of the required users have been created in the dashboard.

  14. Once the users have been added to the dashboard, select the Test option at the Configuration Management menu and follow the prompts to confirm that the connection is valid.

Configuration Management
------------------------
1) Edit configuration
2) Delete configuration
3) Group Mappings ...
4) Test
5) Commit changes
6) Quit

Please select [1-6]: 4
Enter the username: normal-user
Enter the password: N0rmalUs3r!

Trying LDAP server 'server1'
'normal-user' (cn=normal-user,ou=People,dc=sa,dc=lab) => groups: 0
Success
  15. Select the Quit option to exit the manage-ldap tool.

At this point LDAP authentication has been enabled on the VM Squared cluster.
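As an added example (not SoftIron's code, and it contacts no directory), the following Python reproduces what the configuration above drives: it parses the :key: value settings and mapping.yaml, builds the user and group search filters with RFC 4515 escaping so that a login name typed at the Test prompt cannot alter the shape of the filter, resolves directory group DNs to dashboard group IDs, and flags two settings worth reviewing. The parsers, the case-insensitive DN comparison and the warning texts are my assumptions; the configuration values are the ones shown in the steps.

```python
import re

# Constructed from the values shown in the steps above (not a live config file).
CONFIG = """
:user: 'uid=ldap-bind,ou=users,dc=sa,dc=lab'
:host: 192.168.1.10
:port: 389
:base: 'dc=sa,dc=lab'
:user_field: 'uid'
:group_field: 'uniqueMember'
"""
MAPPING = '"cn=normal-users,ou=groups,dc=sa,dc=lab": "0"\n'

def parse_config(text):
    """Turn the ':key: value' lines into a dict, dropping surrounding quotes."""
    cfg = {}
    for line in text.splitlines():
        if m := re.match(r"\s*:(\w+):\s*(.*)$", line):
            cfg[m.group(1)] = m.group(2).strip().strip("'\"")
    return cfg

def parse_mapping(text):
    """mapping.yaml lines look like '"<directory group DN>": "<dashboard group id>"'."""
    return {dn.lower(): gid for dn, gid in re.findall(r'"([^"]+)":\s*"([^"]+)"', text)}

def escape_filter(value):
    """RFC 4515 escaping, so a typed username cannot change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def user_filter(cfg, username):
    """Filter that finds the login name under :base: using :user_field:."""
    return f"({cfg['user_field']}={escape_filter(username)})"

def group_filter(cfg, user_dn):
    """Filter that finds groups listing the user's DN in :group_field:."""
    return f"({cfg['group_field']}={escape_filter(user_dn)})"

def dashboard_groups(mapping, member_of):
    """Dashboard group IDs for the directory groups a user belongs to.
    Assumption (not stated on the page): DNs are compared case-insensitively."""
    return [mapping[dn.lower()] for dn in member_of if dn.lower() in mapping]

def config_warnings(cfg):
    """Points a reviewer would raise about the values above."""
    warn = []
    if not cfg.get("user"):
        warn.append("no :user: set, so an anonymous bind will be attempted")
    if cfg.get("port") == "389":
        warn.append("port 389 is plain LDAP: the bind password crosses the network unencrypted")
    return warn
```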

Adding LDAP Users to VM Squared

Please note that you must create placeholder users in the UI and associate them with the proper group before they will be able to log in. You can create users via the Glasshouse GUI, Manifold API calls, or the VM Squared Dashboard. This guide will focus on the first option.

Creating Users With the Glasshouse GUI

  1. After logging in, navigate to System > Users. Click the Create button to create a user. (Screenshot: VM Squared Create New User)

  2. Ensure that the username entered matches the username of a user that belongs to an LDAP group mapped during the configuration.

  • Change the “Authentication Type” to LDAP.
  • Enter a random character string in the “Password” and “Confirm Password” fields (the two simply need to match). This is required for user creation, but the value does not need to be remembered and will not be used again. (Screenshot: VM Squared Create LDAP User 01)
  3. Click Next, and ensure that the user’s primary group matches the mapping file. (Screenshot: VM Squared Create LDAP User 02)

  4. Click Finish. The user is now able to log in.