How to integrate LDAP and group mappings with the UAA release
Article ID: 293626

Products

Operations Manager

Issue/Introduction

This article applies to Pivotal Cloud Foundry (PCF) UAA release versions 2.4 and above.

Note: PCF is now Tanzu Application Service (TAS) for VMs.

Integrating LDAP with UAA in a BOSH-only deployment can be cumbersome. This article provides a working example of a UAA deployment manifest and shows how to map external LDAP groups to UAA scopes.

The manifest in the Resolution section uses the search-and-bind authentication profile together with the groups-map-to-scopes group profile.


Environment

Product Version: 2.0

Resolution

In this example, any user who is a member of the LDAP group "CN=pcfgroup,OU=testou,DC=support,DC=pivotal" is granted the UAA scope cloud_controller.admin.

The mapping is defined by the uaa.scim.external_groups setting in the YAML below; each entry has the form "<scope>|<LDAP group DN>":

uaa:
  scim:
    external_groups:
      # "<scope>|<LDAP group DN>": members of this group receive cloud_controller.admin
      - cloud_controller.admin|CN=pcfgroup,OU=testou,DC=support,DC=pivotal
  ldap:
    enabled: true
    mailAttributeName: mail
    mailSubstitute: ""
    mailSubstituteOverridesLdap: false
    referral: follow
    searchBase: 'dc=support,dc=pivotal'
    searchFilter: 'cn={0}'            # {0} is the username entered at login
    url: 'ldap://10.###.###.116'
    userDN: 'cn=test,cn=Users,dc=support,dc=pivotal'   # service account used for the user search
    userPassword: 'userDN-Password'
    groups:
      profile_type: groups-map-to-scopes
      autoAdd: true                    # create UAA groups for LDAP groups not yet known to UAA
      groupRoleAttribute: 'spring.security.ldap.dn'   # use the group DN as the external group name
      groupSearchFilter: 'member={0}'  # {0} is the DN of the authenticated user
      maxSearchDepth: 10               # levels of nested groups to resolve
      searchBase: 'dc=support,dc=pivotal'
      searchSubtree: true
    ldapdebug: Ldap configured through UAA
    profile_type: search-and-bind
    ssl:
      skipverification: true           # disables certificate checks; suitable for a lab, prefer ldaps:// with verification in production


Group mappings are populated automatically the first time a user logs in. After that login, the mappings are stored in the "external_group_mapping" table of the UAA database, which is the place to check when a user does not receive the expected scope.
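As an added illustration (not code from the article or from UAA itself), the following Python simulates what the manifest configures: a search-and-bind login using searchFilter cn={0}, nested group lookup with groupSearchFilter member={0} bounded by maxSearchDepth, and the external_groups mapping from group DN to scope. The directory entries, user names and passwords are constructed, and the depth handling is a simplified model of UAA's behaviour rather than its actual implementation.

```python
# Constructed in-memory directory (DN -> attributes) standing in for the LDAP
# server; pcfgroup contains alice directly and the group "nested", which holds bob.
DIRECTORY = {
    "cn=alice,cn=Users,dc=support,dc=pivotal": {"cn": ["alice"], "userPassword": ["alice-pass"]},
    "cn=bob,cn=Users,dc=support,dc=pivotal": {"cn": ["bob"], "userPassword": ["bob-pass"]},
    "CN=pcfgroup,OU=testou,DC=support,DC=pivotal": {"member": [
        "cn=alice,cn=Users,dc=support,dc=pivotal", "CN=nested,OU=testou,DC=support,DC=pivotal"]},
    "CN=nested,OU=testou,DC=support,DC=pivotal": {"member": ["cn=bob,cn=Users,dc=support,dc=pivotal"]},
}
# Same "<scope>|<group DN>" format as uaa.scim.external_groups in the manifest.
EXTERNAL_GROUPS = ["cloud_controller.admin|CN=pcfgroup,OU=testou,DC=support,DC=pivotal"]

def norm(dn):
    """DNs compare case-insensitively, so normalise before matching."""
    return dn.replace(", ", ",").lower()

def search_and_bind(username, password):
    """searchFilter 'cn={0}' must match exactly one entry; UAA then binds as that DN."""
    matches = [dn for dn, attrs in DIRECTORY.items() if username in attrs.get("cn", [])]
    if len(matches) != 1:
        return None  # zero or ambiguous results are an authentication failure
    user_dn = matches[0]
    return user_dn if password in DIRECTORY[user_dn].get("userPassword", []) else None

def member_groups(user_dn, max_depth):
    """Apply groupSearchFilter 'member={0}' repeatedly for nested groups, up to max_depth levels."""
    found, frontier = set(), {norm(user_dn)}
    for _ in range(max_depth):
        level = {norm(g) for g, attrs in DIRECTORY.items()
                 if any(norm(m) in frontier for m in attrs.get("member", []))} - found
        if not level:
            break
        found |= level
        frontier = level
    return found  # group DNs; groupRoleAttribute spring.security.ldap.dn uses the DN as the external group name

def scopes_for(group_dns, external_groups):
    """Map resolved group DNs to UAA scopes through the external_groups entries."""
    mapping = {}
    for entry in external_groups:
        scope, group_dn = entry.split("|", 1)
        mapping.setdefault(norm(group_dn), set()).add(scope)
    return set().union(*(mapping.get(g, set()) for g in group_dns))

def login(username, password, max_depth=10):
    """Return the scopes granted at login, or None when search-and-bind fails."""
    user_dn = search_and_bind(username, password)
    return None if user_dn is None else scopes_for(member_groups(user_dn, max_depth), EXTERNAL_GROUPS)
```

Lowering max_depth to 1 shows why maxSearchDepth matters: bob, who is only a member through the nested group, then receives no scope.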