4 Configuring CNC Console IAM

Note:

Not applicable for OCI deployment.

This section provides details on how to configure CNC Console IAM.

Restricted Actions on CNC Console IAM

Using CNC Console IAM, you can perform only the actions listed in the Oracle Communications Cloud Native Configuration Console User Guide. The following error message appears if you try to perform a restricted action:

Figure 4-1 Restrict Access

Restrict Access

Click the Press here to refresh and continue link to reload CNC Console IAM.

4.1 Role Based Access Control in CNC Console IAM

Role-Based Access Control (RBAC) is one of the main methods for advanced access control.

It enables you to restrict access to authorized users based on the roles assigned to them.

Role

A Role is a collection of permissions that you can apply to users. Roles are defined according to the authority and responsibility of the users within the organization. Using roles makes it easier to add, remove, and update permissions for users.

Composite Role

A Composite Role is a collection of one or more additional roles grouped together.

4.1.1 Types of Roles in CNC Console

Role Based Access Control (RBAC) is controlled by Identity and Access Management (IAM) functionality provided by CNC Console IAM.

The following roles are predefined in the CNC Console IAM:

Roles for CNCC IAM Admin Users

Admin Role

In CNCC IAM, a user in the default realm must be assigned the admin role to gain administrative privileges.

An admin user has the necessary permissions to modify settings related to other admin users.

Roles for CNCC Core Users

Read and Write Roles:
  • NF Roles
    A user assigned an NF role can perform read or write operations on the corresponding NF. NF level roles are classified into:
    • <NF>_READ: With this permission, the assigned user can perform read operations on the NF.

      For example, a user with the POLICY_READ role can only read the configurations of any MOs within Policy, and cannot create, update, or delete any record.

    • <NF>_WRITE: With this permission, the assigned user can perform create, read, update, and delete operations on the NF. For example, a user with the POLICY_WRITE role can read, create, update, or delete any MO configurations within Policy.

    Note:

    CNCC_READ and CNCC_WRITE roles are also included under NF roles.
  • Common Services Roles

    Role: CS_WRITE

    A user assigned this role has access to all common services and can perform create, read, update, and delete (CRUD) operations on them.

    The user can read, add, update, or delete MO configurations for all common services supported by the CNC Console application, such as Grafana, Kibana, Jaeger, Prometheus, Alertmanager, Promxy, OpenSearch, and Jaeger-ES. For example, a user with CS_WRITE can read, create, update, or delete any MO configuration in common services.

  • Admin Roles

    Role: ADMIN

    A user assigned this role has access to all resources (NF resources and CS resources) within the CNC Console application.

    The user can create, read, update, and delete MO configurations for all NFs and CSs supported by CNC Console. For example, a user with ADMIN can read, create, update, or delete any MO configuration of any NF or CS supported by CNC Console.

Cluster or Site Roles

In multicluster deployments, in addition to the ADMIN, <NF>_READ, <NF>_WRITE, or CS_WRITE roles, the user must be assigned a cluster role corresponding to the cluster in which they access a particular NF or CS. The name of the cluster role must match the role name given in the Helm configuration in global.mCnccCores.role/global.mCnccCores.id or global.aCnccs.role/global.aCnccs.id for M-CNCC and A-CNCC respectively. From 24.2.0 onwards, cluster roles are created automatically by Helm hooks.

The user can access all NFs or CSs in that cluster. For example, a user with the Cluster1 role together with ADMIN, <NF>_READ, <NF>_WRITE, or CS_WRITE can access all the NFs or CSs in Cluster1.

Instance Role

The operator can enable or disable this feature using the global.instanceLevelAuthorizationEnabled flag in the Helm configuration. By default, this flag is set to false. Instance level roles give users access to specific NF instances. A user can be associated with one or more instance roles. The instance role name must match the instance ID of that instance given in the Helm configuration in global.instances[i].id. Instance roles are created automatically by Helm hooks.

The user can access only one NF or CS instance. For example, a user with the Cluster1-SCP-instance1 role, an ADMIN, SCP_READ, or SCP_WRITE role, and the Cluster1 role (in a multicluster deployment) can access only Cluster1-SCP-instance1.

Role: INSTANCE_ALL

INSTANCE_ALL is a catch-all role for all instance level roles. A user with the INSTANCE_ALL role can access all instances, provided they have an ADMIN, <NF>_READ, or <NF>_WRITE role, and a cluster level role in a multicluster deployment. This role is assigned automatically to all local users during the first upgrade in which this feature is enabled. To restrict a user to a particular instance, the operator must unassign the INSTANCE_ALL role and assign the required instance level roles to the user.

The user can access all NF and CS instances. For example, a user with the INSTANCE_ALL role can access all NF or CS instances, provided they have an ADMIN, <NF>_READ, or <NF>_WRITE role and a cluster level role in a multicluster deployment.

The following table describes the roles that must be assigned to a user to grant them access to NF or CS configurations:

Table 4-1 Accessing NF or CS Configurations

Multicluster Flag (global.isMultiClusterDeployment) | Instance Role Flag (global.instanceLevelAuthorizationEnabled) | Roles Required
Enabled  | Enabled  | Cluster Level role, Instance Level role, and NF Level role
Enabled  | Disabled | Cluster Level role and NF Level role
Disabled | Enabled  | Instance Level role and NF Level role
Disabled | Disabled | NF Level role

Note:

For more information on how to assign roles to a user, see Oracle Communications Cloud Native Configuration Console Installation, Upgrade, and Fault Recovery Guide.
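The following is an added example, not Oracle's code or part of this guide, that models how the three role levels of Table 4-1 combine: an NF level role (ADMIN, CS_WRITE, <NF>_READ, or <NF>_WRITE), a cluster level role when global.isMultiClusterDeployment is enabled, and an instance level role (or INSTANCE_ALL) when global.instanceLevelAuthorizationEnabled is true. The Deployment and Target structures, the function names, and the sample role and instance names (Cluster1, Cluster1-SCP-instance1) are assumptions made for illustration; the value "CS" is used here as the NF name for common services.

```python
# Added example (not Oracle's code): a model of the role combinations in Table 4-1.
# Role names, the Deployment/Target structures and the sample values are assumptions.
from dataclasses import dataclass

ADMIN = "ADMIN"
CS_WRITE = "CS_WRITE"
INSTANCE_ALL = "INSTANCE_ALL"
CS = "CS"  # target "NF" value used here for common services (assumption)


@dataclass(frozen=True)
class Deployment:
    multi_cluster: bool        # global.isMultiClusterDeployment
    instance_level_auth: bool  # global.instanceLevelAuthorizationEnabled


@dataclass(frozen=True)
class Target:
    nf: str        # NF name used in <NF>_READ/<NF>_WRITE, e.g. "SCP"; CS for common services
    cluster: str   # cluster role name (global.mCnccCores.role / global.aCnccs.role)
    instance: str  # instance ID (global.instances[i].id), e.g. "Cluster1-SCP-instance1"
    write: bool    # True for create/update/delete, False for read


def nf_level_ok(roles, target):
    """NF level: ADMIN covers every NF and CS; CS_WRITE covers common services;
    <NF>_WRITE covers read and write; <NF>_READ covers read only."""
    if ADMIN in roles:
        return True
    if target.nf == CS:
        return CS_WRITE in roles
    if f"{target.nf}_WRITE" in roles:
        return True
    return not target.write and f"{target.nf}_READ" in roles


def cluster_level_ok(roles, target, dep):
    """Cluster level: required only when global.isMultiClusterDeployment is enabled."""
    return not dep.multi_cluster or target.cluster in roles


def instance_level_ok(roles, target, dep):
    """Instance level: required only when instanceLevelAuthorizationEnabled is true;
    INSTANCE_ALL is the catch-all, otherwise the role must equal the instance ID."""
    return (not dep.instance_level_auth
            or INSTANCE_ALL in roles
            or target.instance in roles)


def missing_levels(roles, target, dep):
    """Return the Table 4-1 role levels the user lacks for this target ([] = allowed)."""
    roles = set(roles)
    missing = []
    if not nf_level_ok(roles, target):
        missing.append("NF Level role")
    if not cluster_level_ok(roles, target, dep):
        missing.append("Cluster Level role")
    if not instance_level_ok(roles, target, dep):
        missing.append("Instance Level role")
    return missing


def is_authorized(roles, target, dep):
    return not missing_levels(roles, target, dep)


if __name__ == "__main__":
    dep = Deployment(multi_cluster=True, instance_level_auth=True)
    scp1 = Target(nf="SCP", cluster="Cluster1", instance="Cluster1-SCP-instance1", write=True)
    # Writer restricted to one instance: allowed on that instance only.
    print(is_authorized({"SCP_WRITE", "Cluster1", "Cluster1-SCP-instance1"}, scp1, dep))
    # Same roles against a different instance: the instance level blocks it.
    scp2 = Target(nf="SCP", cluster="Cluster1", instance="Cluster1-SCP-instance2", write=True)
    print(missing_levels({"SCP_WRITE", "Cluster1", "Cluster1-SCP-instance1"}, scp2, dep))
```

The missing_levels function is the useful part when debugging a denied login: it names which of the three levels the user's role mappings do not satisfy, which is what you then look for under Role Mappings for that user.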

4.1.2 Accessing Roles in CNC Console Applications

Viewing the Roles

  1. Log into CNC Console IAM using admin credentials.
    Select the appropriate realm based on the users whose roles you want to view:
    1. To view roles in the default realm, select the default realm as shown below:

      Figure 4-2 Viewing Realm

      Viewing Realm
    2. To view roles in the cncc realm, select the cncc realm. The following screen appears:

    Figure 4-3 viewing cncc realm


    viewing cncc realm

    In the example below, the cncc realm is selected to view the available cncc realm roles.

    Follow the same steps in the default realm to view the roles available to CNCC IAM admin users.

  2. To view the available roles, click Realm Roles on the left pane. The defined roles are listed on the right pane (here, the cncc realm is selected).

    Figure 4-4 Realm Role


    Realm Role

Note:

For more information about roles, see Role Based Access Control in CNC Console IAM.

4.1.3 Creating or Updating Admin User Password in CNC Console IAM

This section describes how to create or update the admin password in CNC Console IAM.

To update the password:
  1. Log in to CNC Console IAM and select the default realm.

    Figure 4-5 Log in to CNC Console IAM

    Log in to CNC Console IAM
  2. Select the Users tab to see all the users in the realm. Click the user whose password you want to change.

    Figure 4-6 Users

    Users
  3. Under the Credentials tab, click Reset Password, set Temporary to Off, and enter the new password and its confirmation. Click Save.

    Figure 4-7 Credentials

    Credentials

4.1.4 Creating or Updating CNC Core User Password in CNCC IAM

This section describes how to create or update the user password in CNC Console.

Perform the following steps to create or update the user password:

  1. Log in to CNC Console IAM and select the cncc realm.

    Figure 4-8 Realm Settings


    Realm Settings

  2. Click Users on the left pane to view all users. Click Edit for the user whose credentials you want to update.

    Figure 4-9 Users


    Users

  3. Under the Credentials tab, click Set Password, set Temporary to Off, and enter the new password. Click Save.

    Figure 4-10 Credentials


    Credentials

4.1.5 Password Policies for CNCC Users

The following password policies are enabled by default for all CNC Console users (cncc realm).

For CNCC IAM admin users (default realm), these password policies are disabled by default. They can be enabled by setting the flag global.enableDefaultAdminPasswordPolicy to true in the occncc_custom_values_<version>.yaml file.

Table 4-2 Password Policies for CNC Console Users

Policy               | Description                                                                 | Value
Expire Password      | The number of days the password is valid before a new password is required. | 30
Special Characters   | The minimum number of special characters required in the password string.   | 1
Uppercase Characters | The minimum number of uppercase characters required in the password string. | 1
Lowercase Characters | The minimum number of lowercase characters required in the password string. | 1
Digits               | The minimum number of numerical digits required in the password string.     | 1
Not Recently Used    | Prevents a recently used password from being reused (number of previous passwords checked). | 5
Not Username         | The password cannot match the username.                                     | ON
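The following is an added example, not Oracle's code or part of this guide, that applies the Table 4-2 policies offline so that an operator can pre-validate a candidate password before setting it in CNC Console IAM. The threshold values are the table defaults. The function names, the password-history format (a list of salted PBKDF2 digests, newest first), the choice of ASCII punctuation as "special characters", and the case-insensitive reading of Not Username are assumptions made for this example, not details the guide states.

```python
# Added example (not Oracle's code): offline checker for the Table 4-2 password policies.
# Function names and the history format are assumptions made for this example.
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

POLICY = {            # Table 4-2 default values
    "expire_days": 30,
    "special_chars": 1,
    "uppercase": 1,
    "lowercase": 1,
    "digits": 1,
    "not_recently_used": 5,
    "not_username": True,
}
SPECIALS = set(string.punctuation)  # assumption: any ASCII punctuation counts as "special"


def hash_for_history(password, salt=None):
    """Salted PBKDF2 digest so that password history never holds cleartext."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def was_recently_used(password, history):
    """history: [(salt, digest), ...] newest first; only the last N entries are checked."""
    recent = history[:POLICY["not_recently_used"]]
    return any(hmac.compare_digest(hash_for_history(password, salt)[1], digest)
               for salt, digest in recent)


def violations(password, username, history=()):
    """Return the Table 4-2 policies the candidate password violates ([] means accepted)."""
    failed = []
    if sum(c in SPECIALS for c in password) < POLICY["special_chars"]:
        failed.append("Special Characters")
    if sum(c.isupper() for c in password) < POLICY["uppercase"]:
        failed.append("Uppercase Characters")
    if sum(c.islower() for c in password) < POLICY["lowercase"]:
        failed.append("Lowercase Characters")
    if sum(c.isdigit() for c in password) < POLICY["digits"]:
        failed.append("Digits")
    # Compared case-insensitively here, a deliberately strict reading of "Not Username".
    if POLICY["not_username"] and password.lower() == username.lower():
        failed.append("Not Username")
    if was_recently_used(password, list(history)):
        failed.append("Not Recently Used")
    return failed


def is_expired(last_changed, today=None):
    """Expire Password: a new password is required once 30 days have elapsed."""
    today = today or date.today()
    return today - last_changed >= timedelta(days=POLICY["expire_days"])


if __name__ == "__main__":
    history = [hash_for_history("Old!Pass1")]
    print(violations("password", "alice"))               # fails several policies
    print(violations("Old!Pass1", "alice", history))     # rejected as recently used
    print(violations("N3w!Passw0rd", "alice", history))  # accepted: []
```

Because only the five most recent digests are compared, a sixth-oldest password is accepted again; that is the behaviour the Not Recently Used value of 5 describes, and the reason the history is kept as salted digests rather than plaintext.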

4.2 Configuring the CNC Console Redirection URL

After successfully deploying CNC Console IAM, the administrator must perform the following steps to configure the CNC Console redirection URL:

  1. Log into CNC Console IAM using admin credentials provided during installation.
  2. On the left pane, select Clients and on the right pane select the cncc Client ID.

    Figure 4-11 Clients Screen


    Clients Screen

  3. Enter the CNC Console Core ingress URI in the Root URL field and click Save.
    <scheme>://<cncc-mcore-ingress IP/FQDN>:<cncc-core-ingress Port>
     

    Note:

    Valid Redirect URIs is prepopulated; only the Root URL needs to be configured as part of the post-installation procedure.

    Figure 4-12 Redirection URL


    Redirection URL

4.3 Users in CNC Console IAM

Users can be created in both the default (master) and CNCC realms.

A user created in the default realm will have administrative privileges, enabling them to log in to CNCC IAM and perform various tasks related to user management, authentication, authorization, and system configuration.

A user created in the CNCC realm can log in to the CNCC Core GUI and access Network Functions (NF) and Common Services, depending on the roles assigned to them.

This section includes Creating the Users, Viewing the Users, and Assigning Roles to the User.

Note:

For the details on setting or updating the admin password, see Creating or Updating Admin User Password in CNC Console IAM.

Note:

For the details about setting or updating the user password, see Creating or Updating CNC Core User Password in CNCC IAM.

Note:

In CNCC IAM, the default realm refers to the master realm. Users created in the default (master) realm are CNCC IAM admin users, and users created in the cncc realm are CNCC users.

4.3.1 Creating the Users

Perform the following procedure to create users:
  1. Log in to CNC Console IAM and select the realm in which you want to create users.
    1. To create users in the default realm, select the default realm. The following screen appears:

      Figure 4-13 default realm

      default realm
    2. To create users in the CNCC realm, select the cncc realm. The following screen appears:

    Figure 4-14 cncc realm


    cncc realm

    In the example below, the cncc realm is selected to create CNCC users, who have access to CNCC Core. Follow the same steps in the default realm to create CNCC IAM admin users.
  2. Click Users under Manage on the left pane and click Add user on the right pane.

    Figure 4-15 Add User


    Add User

  3. The Add user screen appears. Add the user details and click Create.

    Figure 4-16 User Details


    User Details

  4. The user has been created and the user details screen appears.

    Figure 4-17 New User Created


    New User Created

  5. Go to the Credentials tab and click Set Password to set the password for that user. Enable the Temporary flag so that the user is prompted to change the password on first login to the CNC Console GUI.

Note:

Enabling the Temporary flag is recommended for security.

Figure 4-18 Set Password


Set Password

Note:

Setting the Temporary flag to ON prompts the user to change the password when logging in to the CNC Console for the first time.

4.3.2 Viewing the Users

Perform the following procedure to view users:

  1. Log in to CNC Console IAM and select the realm of the users you want to view.
    1. To view the users with administrative privileges, select the default realm.

      Figure 4-19 default realm

      default realm
    2. To view users with access to CNCC, select the cncc realm. The following screen appears:

    Figure 4-20 cncc realm


    cncc realm

    In the example below, the cncc realm is selected to view users with access to CNCC. Follow the same steps in the default realm to view CNCC IAM admin users.
  2. Select Users on the left-side navigation bar and click the button View all users on the page that appears.

    Figure 4-21 View All Users


    View All Users

4.3.3 Assigning Roles to the User

Perform the following procedure to assign roles to the user:
  1. Select a user. Navigate to the Role Mappings tab and click Assign Role. From the drop-down menu at the top left, select Filter by realm roles.

    Figure 4-22 Assign Roles

    Assign Role

    Note:

    Change the number of entries displayed per page from the pagination drop-down to 100 per page to view all the entries.
  2. Select the checkbox for the roles you wish to assign to the user and click Assign at the bottom to save the changes.
  3. For users created in the default realm, ensure that the admin role is assigned to the newly created user from the list of available roles.

    Figure 4-23 Assign Roles

    Assign Roles

4.4 CNC Console SAML SSO Integration

4.4.1 Integrating SAML SSO with CNC Console IAM

Overview

Security Assertion Markup Language (SAML) is an open standard that allows an identity provider (IdP) to pass authentication and authorization data to a service provider (SP). The identity provider authenticates the user and returns an assertion describing the authenticated user and the authentication event to the application. If the user then accesses another application that uses the same identity provider for authentication, the user does not need to log in again. This is the principle of Single Sign-On (SSO).

Note:

To enable SAML identity provider authentication for user login, ensure that the CNC Console is deployed using the secure HTTPS protocol.

Note:

CNC Console supports SAML 2.0.

Configuring SAML Identity Provider in CNC Console IAM

Perform the following procedure to configure the SAML identity provider:
  1. Log in to the CNC Console IAM console using the admin credentials provided during CNC Console IAM installation.
    http://<cncc-iam-ingress-external-ip>:<cncc-iam-ingress-service-port>
    Example: http://cncc-iam-ingress-gateway.cncc.svc.cluster.local:30085/

    Figure 4-24 Login screen


  2. Select the appropriate realm based on where you want to enable authentication through an identity provider:
    1. To enable authentication for CNCC IAM admin users, choose the default realm.

      Figure 4-25 default realm

      default realm
    2. To enable authentication for CNCC users, choose the cncc realm.

      Figure 4-26 cncc realm

      cncc realm
    In the following example, the cncc Realm is selected to enable authentication through an identity provider to CNCC.

    Follow similar steps as outlined below in the default Realm to enable authentication through an identity provider to CNCC IAM.
  3. In the cncc realm, click Identity providers on the left pane. The Identity providers screen appears on the right pane.

    Figure 4-27 Identity Provider Screen


    Identity Provider Screen

  4. Click the SAML v2.0 button under User-defined. The Add SAML Provider screen appears.

    Figure 4-28 SAML Settings


    SAML Settings

    Note:

    • Enter an appropriate name in the Display Name field.
    • To import the metadata file exported from the SAML client in the IdP, disable the Use entity descriptor flag and upload the file using the Browse button under Import from config file.

    Click Import and Save. The other required fields are populated automatically from the metadata.

    If the metadata file cannot be imported from the IdP, configure the IdP manually as follows:

    1. Navigate to the Identity providers screen and click SAML v2.0.
    2. Set Single Sign-On Service URL to the URL of the preferred IdP to which SAML AuthnRequests are sent.

      Example: <IP/FQDN>:<PORT>/auth/realms/master/protocol/saml

    3. Set Single Logout Service URL to the URL of the IdP to which logout requests are sent.

      Example: <IP/FQDN>:<PORT>/auth/realms/master/protocol/saml

    4. If the IdP supports HTTP-POST binding, enable the HTTP-POST Binding Response, HTTP-POST Binding Logout, and HTTP-POST Binding for AuthnRequest flags. By default, HTTP-Redirect is used.
    5. If the IdP sends signed assertions, set Want Assertions Signed to ON.
    6. Set Validate Signature to ON.
    7. Provide the value for Validating X509 Certificates (if Keycloak is the IdP, use the certificate from the master realm under Realm Settings > Keys).
    8. Click Add.

    IdP is now configured manually.

  5. To create custom First Login Flow, click Authentication tab on the left pane. The Authentication screen appears.

    Figure 4-29 Authentication


    Authentication

  6. Click Create Flow on the right pane. The Create Flow screen appears.

    Figure 4-30 Create Flow


    Create Flow

    Enter the appropriate name and click Create.

  7. The Simple Login Flow screen appears. Click Add execution on the right pane.

    Figure 4-31 Simple Login Flow


    Simple Login Flow

  8. Select Create User If Unique, and click Add.

    Figure 4-32 Add Step to Simple Login Flow


    Add Step to Simple Login Flow

  9. You are redirected to the Authentication page. In the Requirement column, select Alternative.

    Figure 4-33 Authentication


    Authentication

  10. Click Identity providers in the left pane. Click the name of the identity provider created in the previous steps and scroll down to Advanced Settings. Select the custom flow from the First Login Flow drop-down list.

    Figure 4-34 Advanced Settings Page


    Advanced Settings Page

  11. Click Save.

    Next, map the SAML IdP roles to CNC Console IAM API roles.
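The following is an added example, not Oracle's code or part of this guide, for the case where the IdP metadata cannot be imported through Import from config file and the manual steps 2 to 7 above must be filled in by hand. It reads a SAML 2.0 IdP EntityDescriptor offline and extracts the Single Sign-On Service URL, the Single Logout Service URL, whether HTTP-POST binding is offered (step 4), and the signing certificate for Validating X509 Certificates (step 7), and warns when a location is not HTTPS or no signing certificate is present, since Validate Signature cannot then be set to ON. The sample metadata, the entityID https://idp.example.com/auth/realms/master, and the function names are constructed for this example.

```python
# Added example (not Oracle's code): extract the manual SAML IdP settings from IdP metadata.
# SAMPLE_METADATA and all names/URLs in it are constructed for this example.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/auth/realms/master">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBsampleCertBase64==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/auth/realms/master/protocol/saml"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/auth/realms/master/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/auth/realms/master/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/auth/realms/master/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _locations(desc, tag):
    """{binding URN: Location} for every <md:tag> child of the IDPSSODescriptor."""
    return {e.get("Binding"): e.get("Location") for e in desc.findall(f"md:{tag}", NS)}


def extract_idp_settings(metadata_xml):
    """Map an IdP EntityDescriptor onto the fields of the manual SAML v2.0 IdP form."""
    root = ET.fromstring(metadata_xml)
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = _locations(desc, "SingleSignOnService")
    slo = _locations(desc, "SingleLogoutService")
    certs = []
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys do not validate response signatures
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    settings = {
        "entity_id": root.get("entityID"),
        # Prefer HTTP-POST when the IdP offers it (step 4); HTTP-Redirect is the default.
        "sso_url": sso.get(POST) or sso.get(REDIRECT),
        "slo_url": slo.get(POST) or slo.get(REDIRECT),
        "http_post_binding": POST in sso,
        "want_authn_requests_signed": desc.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "validate_signature": bool(certs),   # step 6 needs a certificate for step 7
        "signing_certificates": certs,
        "warnings": [],
    }
    if not certs:
        settings["warnings"].append("no signing certificate in metadata; Validate Signature cannot be ON")
    for name in ("sso_url", "slo_url"):
        url = settings[name]
        if url is None:
            settings["warnings"].append(f"{name} missing from metadata")
        elif not url.startswith("https://"):
            settings["warnings"].append(f"{name} is not HTTPS: {url}")
    return settings


if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

When the IdP publishes its metadata over HTTP rather than as a file, fetch it with the tool of your choice and pass the document text to extract_idp_settings; the warnings list is what to review before saving the identity provider.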

Note:

CNC Console IAM(SP) Configuration in IdP

In a SAML-based SSO implementation, the IdP sends SAML assertions to a Service Provider endpoint (CNC Console IAM in this case).

Use the following CNC Console endpoint in the IdP:
http://<IP/FQDN>:<PORT>/cncc/auth/realms/cncc/broker/saml/endpoint
Example:
http://cncc-iam-ingress-gateway.cncc.svc.cluster.local:30085/cncc/auth/realms/cncc/broker/saml/endpoint

Mapping SAML IdP roles with CNC Console IAM API roles

Perform the following procedure to map SAML IdP roles with CNC Console IAM API roles:
  1. After saving SAML IdP configurations in CNC Console IAM, select Identity providers on the left pane and click the name of your identity provider. Click Mappers tab on the right pane. Click Add Mapper.

    Figure 4-35 Single Sign On


    Single Sign On

  2. The Add Identity Provider Mapper screen appears.
    • Enter an appropriate name for the Identity Provider Mapper in the Name field.
    • Select SAML Attribute to Role from the Mapper Type drop-down.
    • Enter as Attribute Value one of the role values sent by the SAML IdP, for example 'NRF' or 'SCP'.
    • Click Select Role to select the API roles to be granted by this mapping.
    • Click Assign, and then click Save.

    Figure 4-36 Example Values for scp role mapper for cncc realm

    Example Values for scp role mapper for cncc realm

    Figure 4-37 Example Values for admin role mapper for default realm

    Example Values for admin role mapper for default realm

    Figure 4-38 Single Sign On


    Single Sign On

You can create as many mappings as required.

Accessing CNC Console Core Application

Perform the following procedure to access the CNC Console application:
  1. Browse to the CNC Console Core application using its hostname and port. The user is redirected to CNC Console IAM (the broker).
    http://<cncc-core-ingress-external-ip>:<cncc-core-ingress-service-port>
    Example: http://cncc-core-ingress-gateway.cncc.svc.cluster.local:30075/


  2. Click Single Sign On to authenticate using SAML SSO. The user is redirected to the SAML IdP login page. Enter the user credentials to access the CNC Console Core application.

4.5 Integrating CNC Console LDAP Server with CNC Console IAM

Overview

CNC Console IAM can be used as an integration platform to connect to existing LDAP and Active Directory servers.

User Federation in CNC Console IAM lets you sync users and groups from LDAP and Active Directory servers and assign roles to them.

CNCC IAM provides an option to configure a secured (LDAPS) connection URL to your LDAP store.

Example: ldaps://myhost.com:636

CNCC IAM then uses TLS for communication with the LDAP server. The truststore must be properly configured on the CNCC IAM server side; otherwise CNCC IAM cannot verify the LDAP server certificate and cannot trust the TLS connection to LDAP.

Sample LDAP ldif File
This is a sample LDIF file that the LDAP server is loaded with, for importing LDAP users and groups into CNCC Core (the cncc realm).
dn: dc=oracle,dc=org
objectclass: top
objectclass: domain
objectclass: extensibleObject
dc: oracle
 
dn: ou=groups,dc=oracle,dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups
 
dn: ou=people,dc=oracle,dc=org
objectclass: top
objectclass: organizationalUnit
ou: people
 
dn: uid=ben,ou=people,dc=oracle,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Ben Alex
sn: Alex
uid: ben
userPassword: benspass
 
dn: uid=bob,ou=people,dc=oracle,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Bob Hamilton
sn: Hamilton
uid: bob
userPassword: bobspass
 
dn: uid=joe,ou=people,dc=oracle,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Joe Smeth
sn: Smeth
uid: joe
userPassword: joespass
 
dn: cn=admin,ou=groups,dc=oracle,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: admin
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org
ou: admins
 
dn: cn=scp,ou=groups,dc=oracle,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: scp
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org
uniqueMember: uid=joe,ou=people,dc=oracle,dc=org
ou: scpusers
 
dn: cn=nrf,ou=groups,dc=oracle,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: nrf
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org
uniqueMember: uid=bob,ou=people,dc=oracle,dc=org
ou: nrfusers

The above data is used as a reference to integrate LDAP with CNCC IAM and import users into the cncc realm.

Sample LDAP ldif File
This is a sample LDIF file that the LDAP server is loaded with, for importing LDAP users and groups into CNCC IAM (the default realm).
dn: dc=oracle,dc=org
objectclass: top
objectclass: domain
objectclass: extensibleObject
dc: oracle
 
dn: ou=groups,dc=oracle,dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups
 
dn: ou=people,dc=oracle,dc=org
objectclass: top
objectclass: organizationalUnit
ou: people
 
dn: uid=ben,ou=people,dc=oracle,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Ben Alex
sn: Alex
uid: ben
userPassword: benspass
 
dn: uid=bob,ou=people,dc=oracle,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Bob Hamilton
sn: Hamilton
uid: bob
userPassword: bobspass
 
 
dn: cn=admin,ou=groups,dc=oracle,dc=org
objectclass: top
objectclass: groupOfUniqueNames
cn: admin
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org
uniqueMember: uid=bob,ou=people,dc=oracle,dc=org
ou: admins

The above data can be used as a reference to integrate LDAP with CNCC IAM for importing users into the default realm.

4.5.1 Configuring User Federation with CNC Console IAM

This section provides information about configuring user federation with CNC Console IAM (LDAP Server integration).

To configure user federation:
  1. Log in to the CNC Console IAM console at http://<cncc-iam-ingress-ip>:<cncc-iam-ingress-port> using the admin credentials provided during CNC Console IAM installation.

    Figure 4-39 Login Screen

  2. Select the appropriate realm based on where you want to import users:
    1. To grant LDAP users access to CNCC IAM, choose the default realm.

      Figure 4-40 default realm

      default realm
    2. To grant LDAP users access to CNCC Core, choose the cncc realm.

      Figure 4-41 cncc realm

      cncc realm
  3. In the selected realm, click User Federation on the left pane. The User Federation screen appears in the right pane.

    Figure 4-42 User Federation


    User Federation

  4. Click Add LDAP providers. A form for your LDAP connection parameters opens, initially empty as shown below:

    Figure 4-43 Add LDAP providers


    Add LDAP providers

  5. Enter the values for the following fields:
    • UI Display Name: Enter the display name.
    • Vendor: Select the vendor of your company's LDAP server.

    Note:

    Selecting a vendor usually populates defaults for many fields. If your setup differs from the defaults, provide the correct values. For the sample setup described above, select Other from the drop-down list.
    • Connection URL: Enter your company's LDAP server details, matching the server loaded with the LDIF file above: the hostname prefixed with ldap://, or with ldaps:// when LDAP secure connection (LDAPS) is enabled, followed by the port.

      Figure 4-44 General Options


      General Options

    • Bind Type: If your LDAP server requires authentication, select simple and enter the admin bind user and password; otherwise select none. Sample value for the Bind DN field: "cn=admin,dc=oracle,dc=org"
    • Click Test Connection and Test Authentication. Both tests must succeed before you continue.
    • Edit Mode: Select READ_ONLY.
    • UUID LDAP attribute: In most cases this is entryUUID. If your server does not provide a suitable value, use another unique identifier attribute.
    • Click Test Connection and Test Authentication again after changing these values.

      Figure 4-45 User Federation


      User Federation

    • Import Users: The default setting is ON. Change it to OFF to disable user sync into the CNC Console IAM database.
    • Cache Policy: Select NO_CACHE.
  6. After populating the required fields, the following screen appears:

    Figure 4-46 User Federation


    User Federation

  7. Click Save.

    Figure 4-47 User Federation


    User Federation

    Note:

    Enabling and Disabling the Manage DSA IT Control in LDAP Requests:

    CNC Console IAM allows you to enable or disable the Manage DSA IT control in the LDAP requests sent from the CNC Console IAM pods to the LDAP server.

    The Manage DSA IT control is enabled by default because Referral is set to Ignore in the User Federation setup.

    To disable it, set Referral to Follow.

    Figure 4-48 Enabling and Disabling the Manage DSA IT Control in LDAP Requests


    Enabling and Disabling the Manage DSA IT Control in LDAP Requests

4.5.2 Grouping the LDAP Mapper and Assigning the Roles

When an LDAP federation provider is created, CNC Console IAM provides a set of built-in mappers for it. You can add new mappers, or update and delete existing ones.

Group Mapper

The Group Mapper allows you to configure group mappings from LDAP into CNC Console IAM group mappings. Group mapper can be used to map LDAP groups from a particular branch of an LDAP tree into groups in CNC Console IAM. It also propagates user-group mappings from LDAP into user-group mappings in CNC Console IAM.

Perform the following procedure to add the group mapper and assign the roles:
  1. Under Configure in the left pane, click User Federation. Click ldap, select the Mappers tab, and then click Add Mapper.

    Figure 4-49 LDAP Mapper Page


    LDAP Mapper Page

  2. The Create New Mapper page appears. Enter an appropriate name in the Name field and select group-ldap-mapper from the Mapper Type drop-down menu. Click Save.

    Figure 4-50 User Federation Mapper Page


    User Federation Mapper Page

    The following screen appears:

    Figure 4-51 LDAP Mapper Filled Form


    LDAP Mapper Filled Form

    Note:

    When the mapper type is selected, CNC Console IAM sets default values. You must adjust some of them to match your LDAP records.
  3. Click Save.

    Figure 4-52 Save


    Save

  4. Click the name of your mapper. Under the Action menu, click Sync LDAP Groups to Keycloak. A success message appears with the number of groups imported.

    Figure 4-53 Group Mapper


    Group Mapper

    Note:

    If this step fails, see the troubleshooting section and check the CNC Console IAM logs in debug mode. See the CNC Console Logs section in the Oracle Communications Cloud Native Configuration Console Troubleshooting Guide for further details.
  5. Select the Groups in the left pane to view all groups.

    Figure 4-54 Groups


    Groups

  6. Click any group and click Edit. The following tabs appear: Child groups, Attributes, Role Mappings, and Members.
    • Select the Role Mappings tab to see the list of roles predefined in CNC Console IAM.
    • Select one or more roles from Available Roles and assign them to the group.
    • When you are done, test authentication and authorization by logging in to the CNC Console GUI.
    For example, in the cncc realm, if the admin group is assigned the ADMIN role, any user belonging to the admin group automatically inherits that role and gains full access to all NF resources supported by the CNC Console.

    Figure 4-55 Role mapping to LDAP Group

    Role mapping to LDAP Group
    • In the default realm, if the admin group is assigned the admin role, any user belonging to the admin group automatically inherits it and gains full permissions to perform all operations and manage the realm.

    Figure 4-56 CNCC IAM Role mapping to LDAP Group for default Realm

    CNCC IAM Role mapping to LDAP Group for default Realm

Note:

  • When a user password is updated from CNC Console IAM and sent to LDAP, it is always sent in plain text. This differs from updating a password in the built-in CNC Console IAM database, where the password is hashed and salted before it is stored. In the case of LDAP, CNC Console IAM relies on the LDAP server to hash and salt passwords.
  • Most LDAP servers (Microsoft Active Directory, RHDS, FreeIPA) do this by default. Some servers (OpenLDAP, ApacheDS) may store passwords in plain text by default, and password hashing must be enabled explicitly on them.
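The following is an added example, not Oracle's code or part of this guide, that ties together the sample LDIF in the Overview above, the group mapper procedure in Grouping the LDAP Mapper and Assigning the Roles, and the note on plain-text passwords just above. It parses LDIF offline, reproduces what the group-ldap-mapper sync plus a group role mapping yields (LDAP group membership, then the realm roles a user inherits), and lists the users whose userPassword attribute lacks an RFC 2307 {SCHEME} prefix, which is how a directory that stores passwords in clear text shows up. The embedded LDIF is an abridged copy of the cncc realm sample above; the GROUP_ROLES table is an assumption for illustration (only admin to ADMIN appears in this guide), as are the function names.

```python
# Added example (not Oracle's code): parse the sample LDIF, reproduce the group mapper's
# group -> role inheritance, and flag cleartext userPassword values.
# GROUP_ROLES is an assumption for illustration; only admin -> ADMIN appears on the page.
import base64
import re

LDIF = """\
dn: uid=ben,ou=people,dc=oracle,dc=org
objectclass: inetOrgPerson
cn: Ben Alex
uid: ben
userPassword: benspass

dn: uid=bob,ou=people,dc=oracle,dc=org
objectclass: inetOrgPerson
cn: Bob Hamilton
uid: bob
userPassword: bobspass

dn: uid=joe,ou=people,dc=oracle,dc=org
objectclass: inetOrgPerson
cn: Joe Smeth
uid: joe
userPassword: joespass

dn: cn=admin,ou=groups,dc=oracle,dc=org
objectclass: groupOfUniqueNames
cn: admin
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org

dn: cn=scp,ou=groups,dc=oracle,dc=org
objectclass: groupOfUniqueNames
cn: scp
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org
uniqueMember: uid=joe,ou=people,dc=oracle,dc=org

dn: cn=nrf,ou=groups,dc=oracle,dc=org
objectclass: groupOfUniqueNames
cn: nrf
uniqueMember: uid=ben,ou=people,dc=oracle,dc=org
uniqueMember: uid=bob,ou=people,dc=oracle,dc=org
"""

GROUP_ROLES = {"admin": ["ADMIN"], "scp": ["SCP_WRITE"], "nrf": ["NRF_READ"]}  # assumption

# userPassword values hashed by the server carry an RFC 2307 {SCHEME} prefix.
HASHED = re.compile(r"^\{(S?SHA(256|512)?|S?MD5|CRYPT|PBKDF2[^}]*|ARGON2)\}", re.IGNORECASE)


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry (attribute names lower-cased).
    Handles folded lines (leading space) and base64 values (attr:: value)."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            lines.append("")                # entry separator (blank or whitespace-only)
        elif raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def uid_of(dn):
    """First RDN of a member DN: 'uid=ben,ou=people,...' -> 'ben' (None if not uid=)."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if attr.strip().lower() == "uid" else None


def group_memberships(entries):
    """{uid: {group cn, ...}} from groupOfUniqueNames entries, as the group mapper syncs them."""
    members = {}
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "groupofuniquenames" not in classes:
            continue
        for member_dn in entry.get("uniquemember", []):
            uid = uid_of(member_dn)
            if uid:
                members.setdefault(uid, set()).add(entry["cn"][0])
    return members


def effective_roles(entries, group_roles=GROUP_ROLES):
    """{uid: sorted realm roles} a user inherits through the group role mappings."""
    return {uid: sorted({role for g in groups for role in group_roles.get(g, [])})
            for uid, groups in group_memberships(entries).items()}


def cleartext_passwords(entries):
    """uids whose userPassword lacks a {SCHEME} prefix, i.e. is stored in clear text."""
    return sorted(entry["uid"][0] for entry in entries
                  if "userpassword" in entry
                  and not all(HASHED.match(p) for p in entry["userpassword"]))


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    print(effective_roles(entries))      # ben inherits ADMIN, NRF_READ, SCP_WRITE
    print(cleartext_passwords(entries))  # ['ben', 'bob', 'joe']
```

Run against an ldapsearch export of the real directory, effective_roles shows who would end up with ADMIN before you click Sync LDAP Groups to Keycloak, and a non-empty cleartext_passwords result means the directory, not CNC Console IAM, must be configured to hash passwords before federation goes live.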