Integrating CNC Console LDAP Server with CNC Console IAM

Overview

The CNC Console IAM can be used as an integration platform to connect to existing LDAP and Active Directory servers.

User Federation in CNC Console IAM lets the user sync users and groups from LDAP and Active Directory servers and assign roles to them.

Sample LDAP ldif File
dn: dc=oracle,dc=org
objectclass: top
objectclass: domain
objectclass: extensibleObject
dc: oracle
 
dn: ou=groups,dc=oracle,dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups
 
dn: ou=people,dc=oracle,dc=org
objectclass: top
objectclass: organizationalUnit
ou: people
 
dn: uid=ben,ou=people,dc=oracle,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Ben Alex
sn: Alex
uid: ben
userPassword: benspass
 
dn: uid=bob,ou=people,dc=oracle,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Bob Hamilton
sn: Hamilton
uid: bob
userPassword: bobspass
 
dn: uid=joe,ou=people,dc=oracle,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Joe Smeth
sn: Smeth
uid: joe
userPassword: joespass
 
dn: cn=admin,ou=groups,dc=oracle,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: admin
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org
ou: admins
 
dn: cn=scp,ou=groups,dc=oracle,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: scp
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org
uniqueMember: uid=joe,ou=people,dc=oracle,dc=org
ou: scpusers
 
dn: cn=nrf,ou=groups,dc=oracle,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: nrf
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org
uniqueMember: uid=bob,ou=people,dc=oracle,dc=org
ou: nrfusers

Setting up User Federation with CNC Console IAM (LDAP Server integration)

  1. Go to the CNCC IAM console at http://<cncc-iam-ingress-ip>:<cncc-iam-ingress-port> and log in using the admin credentials provided during installation of CNCC IAM.

    img/cnc_iam.png

  2. Select Realm Settings and click Add realm under Cncc. Click User Federation in the left pane. The User Federation screen appears in the right pane.

    img/f03.png

  3. From the drop-down list on the User Federation screen, select ldap. The Add user federation provider screen appears.

    img/f04.png

  4. Fill in the following parameters:
    • Console Display Name: Enter the display name.
    • Vendor: Select the LDAP server vendor used by the company.

    Note:

    Selecting the vendor usually fills in defaults for many of the fields. If your setup differs from the defaults, enter the correct values. The current setup is Spring embedded LDAP, so select the last option, "Other", from the drop-down list. This fills in many of the required fields.

    img/f05.png

    • Most companies have the UUID LDAP attribute value set to "entryUUID". If you don't have this attribute, use another unique identifier.
    • The default setting for Import Users is ON. Change it to OFF to disable user sync.
    • Provide the company LDAP server details.
    • If the LDAP server is secured, select 'simple' from the Bind Type drop-down and provide the admin bind username and password; otherwise select Bind Type "none". Sample data for the Bind DN field: "cn=admin,dc=oracle,dc=org".
    • Click "Test Connection" and "Test Authentication".
    • Set Cache policy to "NO_CACHE".
  5. After filling in the required fields, the screen appears as below. Click Save.

    img/import3.png

  6. New buttons (Synchronize changed users, Synchronize all users, Remove imported, Unlink users) appear next to Save and Cancel.

    img/f07.png

  7. If users have to be imported into CNCC-IAM, click Synchronize all users. If the synchronization is successful, a success message appears. If the synchronization fails, check the troubleshooting section and look at the cncc-iam logs in debug mode.

    img/f08.png

  8. To view the imported users, click Users under Manage in the left pane and click View all users in the right pane. The list of users and their details appears.

    img/f09.png

  9. To remove the imported users, click Remove imported and set Import Users to OFF to ensure that the users are not imported into CNCC IAM on subsequent logins.

    img/ldap_remove.png

Note:

Steps 8 and 9 are optional.

Group LDAP Mapper and Role Assignment

When an LDAP Federation provider is created, CNC Console IAM provides a set of built-in mappers for this provider. Users can change this set by creating new mappers or updating/deleting existing ones.

Group Mapper

The Group Mapper allows you to configure group mappings from LDAP into cncc-iam group mappings. It can be used to map LDAP groups from a particular branch of an LDAP tree into groups in cncc-iam, and it also propagates user-group memberships from LDAP into user-group mappings in cncc-iam.

To add Group-Mapper and assign roles:
  1. Click Configure and select User Federation. Click ldap (the Console Display Name), select the Mappers tab, and click Create.

    img/f010.png

  2. The Add user federation mapper page appears. Enter an appropriate name in the Name field and select 'group-ldap-mapper' from the Mapper Type drop-down menu. Click Save.

    img/f011.png

    The following screen appears.

    img/f012.png

    Note:

    When selected, default values are set by cncc-iam, but you need to change some values based on your LDAP records.
  3. Click Save. New buttons appear next to Save and Cancel: Synchronize LDAP Groups to Keycloak and Synchronize Keycloak Groups to LDAP.

    img/f013.png

  4. Click Synchronize LDAP Groups to Keycloak. A success message appears with the number of groups imported and so on.

    img/f014.png

    Note:

    If this step fails, check the troubleshooting section and look at the cncc-iam logs in debug mode.
  5. Select Groups in the left pane and click View all groups in the right pane.

    img/f015.png

  6. Click any group and click Edit. The following tabs appear: Settings, Attributes, Role Mappings, and Members.

    img/f016.png

    • Select the Role Mappings tab to see a list of roles that are pre-defined in cncc-iam.
    • Select one or more roles from Available Roles and assign them to the group. For example, if the group "admin" is assigned the role "ADMIN", any user who belongs to the admin group is automatically assigned the admin role, which allows access to all the NF resources that CNC Console supports.
    • Once done, you can test authentication and authorization by logging into the CNC Console GUI.

    Note:

    • When a user's password is updated from CNCC-IAM and sent to LDAP, it is always sent in plain text. This differs from updating the password in the built-in CNCC-IAM database, where hashing and salting are applied to the password before it is stored. In the case of LDAP, CNCC-IAM relies on the LDAP server to hash and salt passwords.
    • Most LDAP servers (Microsoft Active Directory, RHDS, FreeIPA) do this by default. Some others (OpenLDAP, ApacheDS) may store passwords in plain text by default, and users need to explicitly enable password hashing for them.
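    The following Python script is an added example, not code from CNC Console IAM or Keycloak. It ties together the Group Mapper section (how uniqueMember entries in groupOfUniqueNames groups become user-group memberships, and how a group-to-role mapping such as admin to ADMIN from step 6 yields a user's effective roles) and the note above about password hashing: it parses the page's sample LDIF and reports every userPassword that the server holds without a {SCHEME} prefix such as {SSHA}, which is the condition the note warns about for OpenLDAP and ApacheDS. The embedded LDIF is an abridged copy of the page's sample (only dn, objectclass, uid, userPassword and group attributes kept) plus one constructed entry, uid=alice, with a hashed password so the check has a negative case. The function names, the group_roles dictionary and the alice entry are assumptions of this example; the parser goes slightly beyond the page's sample by also handling LDIF line folding and base64 (::) values.

```python
# Added example, not CNC Console IAM product code: parse the page's LDIF sample,
# derive the user -> group mappings the group-ldap-mapper propagates into
# cncc-iam, and flag userPassword values stored without a hashing scheme.
import base64
import re

# Abridged copy of the page's sample LDIF plus one constructed entry (uid=alice,
# hashed password) so the plaintext check has a negative case.
SAMPLE_LDIF = """\
dn: uid=ben,ou=people,dc=oracle,dc=org
objectclass: inetOrgPerson
uid: ben
userPassword: benspass

dn: uid=bob,ou=people,dc=oracle,dc=org
objectclass: inetOrgPerson
uid: bob
userPassword: bobspass

dn: uid=joe,ou=people,dc=oracle,dc=org
objectclass: inetOrgPerson
uid: joe
userPassword: joespass

dn: uid=alice,ou=people,dc=oracle,dc=org
objectclass: inetOrgPerson
uid: alice
userPassword: {SSHA}constructed-hash-value

dn: cn=admin,ou=groups,dc=oracle,dc=org
objectclass: groupOfUniqueNames
cn: admin
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org

dn: cn=scp,ou=groups,dc=oracle,dc=org
objectclass: groupOfUniqueNames
cn: scp
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org
uniqueMember: uid=joe,ou=people,dc=oracle,dc=org

dn: cn=nrf,ou=groups,dc=oracle,dc=org
objectclass: groupOfUniqueNames
cn: nrf
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org
uniqueMember: uid=bob,ou=people,dc=oracle,dc=org
"""


def parse_ldif(text):
    """Entries as dicts of lower-cased attribute -> list of values. Handles
    line folding, '::' base64 values and '#' comments; a blank line ends an entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and raw.strip() and lines:
            lines[-1] += raw[1:]            # LDIF continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def group_memberships(entries):
    """uid -> set of group cn, resolved through uniqueMember DNs, which is
    what the group-ldap-mapper propagates into cncc-iam user-group mappings."""
    dn_to_uid = {e["dn"][0].lower(): e["uid"][0] for e in entries if "uid" in e}
    result = {uid: set() for uid in dn_to_uid.values()}
    for e in entries:
        classes = {oc.lower() for oc in e.get("objectclass", [])}
        if "groupofuniquenames" not in classes:
            continue
        for member in e.get("uniquemember", []):
            uid = dn_to_uid.get(member.lower())
            if uid is not None:
                result[uid].add(e["cn"][0])
    return result


def effective_roles(memberships, group_roles):
    """uid -> roles granted through group role mappings (step 6), e.g.
    {'admin': {'ADMIN'}} gives every member of the admin group the ADMIN role."""
    return {uid: set().union(*(group_roles.get(g, set()) for g in groups))
            for uid, groups in memberships.items()}


SCHEME_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")


def plaintext_password_dns(entries):
    """DNs whose userPassword has no {SCHEME} prefix such as {SSHA}: the server
    stored it unhashed, which matters because CNCC-IAM sends password updates
    to LDAP in clear text and relies on the server to hash them."""
    return [e["dn"][0] for e in entries
            if any(not SCHEME_PREFIX.match(pw) for pw in e.get("userpassword", []))]
```

    Running plaintext_password_dns(parse_ldif(SAMPLE_LDIF)) on the page's sample lists ben, bob and joe, since the sample ldif stores their passwords in clear text and only the constructed alice entry carries a scheme prefix; group_memberships resolves ben to admin, scp and nrf, joe to scp, and bob to nrf, matching the uniqueMember lines.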

Note:

For more information about the user roles, refer to the APPENDIX.