1. Cloud Native Core Console User's Guide
  2. Setting up CNC Console IAM
  3. Integrating CNC Console LDAP Server with CNC Console IAM
  4. Group LDAP Mapper and Role Assignment

Group LDAP Mapper and Role Assignment

When an LDAP Federation provider is created, CNC Console-IAM provides a set of built-in mappers for this provider. User can change this set and create a new mapper or update/delete existing ones.

Group Mapper

The Group Mapper allows you to configure group mappings from LDAP into cncc-iam group mappings. Group mapper can be used to map LDAP groups from a particular branch of an LDAP tree into groups in cncc-iam. It also propagates user-group mappings from LDAP into user-group mappings in cncc-iam.

To add Group-Mapper and assign roles:
  1. Click Configure and select User Federation. Click ldap (Console Display Name) and select the Mappers tab, and click Create.

    img/f010.png

  2. The Add User federation mapper page appears. Give an appropriate name for the field Name. Select 'group-ldap-mapper' as Mapper Type drop down menu. Click Save.

    img/f011.png

    The following screen appears.

    img/f012.png

    Note:

    When selected, default values will be set by cncc-iam. But you need change some values based on your ldap records.
  3. Click Save. New buttons appears next to the Save and Cancel. They are Synchronize LDAP Groups to Keyclaok and Synchronize Keyclaok Groups to LDAP.

    img/f013.png

  4. Click Synchronize LDAP Groups to Keyclaok. The success message appears with the number of groups imported and so on.

    img/f014.png

    Note:

    If this step fails then you might need to check to the trouble shooting section and look at cncc-iam logs in debug mode.
  5. Select the Groups in the left pane and click the View all groups in the right pane.

    img/f015.png

  6. Click any group and click Edit. The following tabs appear: Settings, Attributes, Role Mappings, and Members.

    img/f016.png

    • Select Role Mapping tab to see a list of roles that are pre-defined in cncc-iam.
    • Select one or more roles from Available Roles and assign it to the group. For example, If group "admin" is assigned with role "ADMIN", it means that any user which belongs to the admin group will be automatically assigned the admin role which allows him to access all the NF resource of CNC console that it supports.
    • Once done you can test authentication and authorization by logging into CNC Console GUI.

    Note:

    • When the password of user is updated from CNCC-IAM and sent to LDAP, it is always sent in plain-text. This is different from updating the password to built-in CNCC-IAM database, when the hashing and salting is applied to the password before it is sent to DB. In the case of LDAP, the CNCC-IAM relies on the LDAP server to provide hashing and salting of passwords.
    • Most of LDAP servers (Microsoft Active Directory, RHDS, FreeIPA) provide this by default. Some others (OpenLDAP, ApacheDS) may store the passwords in plain text by default and user need to explicitly enable password hashing for them.

Note:

For more information about the user roles, refer APPENDIX.