When using LDAP for Authentication Invitations are not Supported

Article ID: 297731


Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Symptoms:

You have configured PCF to use your LDAP server as a source of authentication. While LDAP integration is working properly, users experience odd behavior trying to accept invitations.

This includes:

  • The user receives the invitation email but is unable to log in after clicking the link in the email.
  • The user receives the invitation email, but is prompted to sign up for a new account when clicking the link, despite already having an account.


Environment


Cause

This is a known limitation of the invitation workflow. Currently, the invitation workflow assumes that a user's username is the user's email address. When the two differ, which is typical for a system configured to use LDAP, users will not be able to accept invitations.


Resolution

The suggested workaround is to not use the invitation workflow. There are two parts to this. The first part is to disable the invitation workflow and the second is to onboard your users. Both of these are discussed in detail below.


Disable Invitations

To disable the invitation, create-account and reset-password flows in App Manager, perform the following steps.

  1. Open the URL https://console.{system-domain} in your browser.
  2. Log in with the admin user credentials and navigate to the "system" org.
  3. Navigate to the "apps_manager" space and click on the "apps_manager" app.
  4. Click on the Environment Variables section.
  5. Locate the ENABLE_NON_ADMIN_USER_MANAGEMENT environment variable and set it to false.
  6. Restart the app for the environment variable change to take effect.


On-boarding Users

Option #1

An administrator can manually add users to orgs with the `cf set-org-role` and `cf set-space-role` commands.

Here are the steps for this workflow.

  1. If the user has not done so already, instruct him or her to either log on to the Developer Console or log on using the CLI. The first time a user logs into PCF using his or her LDAP credentials, a shadow record is created for that user in UAA. This must occur before proceeding to step #2.
  2. A user with administrator permissions for the entire PCF installation (not just the OrgManager role) will need to log on using the CLI.
  3. The administrator should run `cf set-org-role` and `cf set-space-role` to associate the user with a given org and assign an initial role. Any OrgManager for the assigned org can later update these permissions through App Manager.
  4. Instruct the user to log out and log in again (both for the Developer Console and the CLI). Upon logging in again, the user should have their new permissions.
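The Option #1 workflow above, wrapped in a small script as an added example (not part of this article or the cf CLI). It assumes the cf CLI is installed and already logged in as a PCF administrator; the `onboard` function, the `DRY_RUN` variable and the sample user/org/space names are this example's own. It refuses unknown role names and, before assigning roles, checks via `cf curl` that UAA already holds a record for the user, since step 1 requires the user to have logged in once with LDAP credentials.

```shell
#!/usr/bin/env bash
# Added example: onboard one LDAP user into an org and space (Option #1).
# Assumes: cf CLI installed and logged in as an admin. DRY_RUN=1 only prints.
set -euo pipefail

ORG_ROLES="OrgManager BillingManager OrgAuditor"
SPACE_ROLES="SpaceManager SpaceDeveloper SpaceAuditor"

# valid_role LIST ROLE -> 0 if ROLE appears in the space-separated LIST
valid_role() {
  local r
  for r in $1; do [ "$r" = "$2" ] && return 0; done
  return 1
}

# run_cf ARGS... -> runs "cf ARGS", or echoes the command when DRY_RUN=1
run_cf() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "cf $*"; else cf "$@"; fi
}

# user_exists USERNAME -> 0 if UAA already has a shadow record for the user
# (created on the user's first LDAP login; see step 1). Skipped in DRY_RUN.
user_exists() {
  [ "${DRY_RUN:-0}" = "1" ] && return 0
  cf curl "/v3/users?usernames=$1" | grep -q "\"username\": *\"$1\""
}

# onboard USERNAME ORG ORG_ROLE SPACE SPACE_ROLE
# Return codes: 0 ok, 2 bad role name, 3 user has no UAA record yet.
onboard() {
  local user=$1 org=$2 org_role=$3 space=$4 space_role=$5
  valid_role "$ORG_ROLES" "$org_role" \
    || { echo "unknown org role: $org_role" >&2; return 2; }
  valid_role "$SPACE_ROLES" "$space_role" \
    || { echo "unknown space role: $space_role" >&2; return 2; }
  user_exists "$user" \
    || { echo "$user has no UAA record yet; ask them to log in once" >&2; return 3; }
  run_cf set-org-role "$user" "$org" "$org_role"
  run_cf set-space-role "$user" "$org" "$space" "$space_role"
}

# Stand-alone usage: ./onboard.sh USERNAME ORG ORG_ROLE SPACE SPACE_ROLE
if [ "$#" -eq 5 ]; then
  onboard "$@"
fi
```

After the script runs, the user still has to log out and log in again (step 4) before the new roles take effect.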


Option #2

An administrator can bulk-import user accounts from LDAP into UAA. With this option, the administrator can initialize and configure multiple user accounts without involving the end users.

The import tool and instructions on its usage can be found here: https://github.com/pivotalservices/uaaldapimport