Tanzu Mission Control - add identities to TMC Access Management - Access Policies where configured IDP for ldap: type: activedirectory

Article ID: 394163

Products

VMware Tanzu Mission Control - SM
VMware Tanzu Mission Control
VMware Tanzu Mission Control Self-Managed

Issue/Introduction

After configuring TMC with an IDP of ldap: type: activedirectory, it is unclear how to add identities, or you are unable to add them, in TMC Access Management - Access Policies to grant access to an Organization, Cluster Group, Cluster, Workspace or Namespace.

Environment

TMC
TMC Self-Managed

Cause

Note - Tanzu Mission Control Self-Managed does not store user identities directly.

When configuring an access policy for an Organization, Cluster Group, Cluster, Workspace or Namespace under Access Management - Access Policies in the TMC menu, note that user and group names are neither validated nor auto-populated for fine-grained role bindings.

Resolution

You have configured a user or group in your Active Directory IDP and need to add that identity (user or group) to a TMC role within TMC Access Management - Access Policies.

When configuring TMC you used an ldap: type: activedirectory configuration similar to the one below:

ldap:
  type: activedirectory
  host: ###.#########.##
  username: "CN=svc-tmc,OU=Service Accounts,OU=Users,OU=#########,DC=###,DC=#########,DC=##"
  password: ###########
  domainName: "#########.##"
  userBaseDN: "DC=###,DC=#########,DC=##"
  userSearchFilter: "(&(objectClass=person)(sAMAccountName={}))"
  groupBaseDN: "DC=###,DC=#########,DC=##"
  groupSearchFilter: "(&(objectClass=group)(member={}))"

-- note - the userSearchFilter and groupSearchFilter must be configured accurately so that they find precisely the user and group identities you require within your IDP. The ldapsearch command can be used to test these filters in your environment.
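As an added example that is not from this article or from TMC itself, the POSIX shell script below renders the two filter templates the way TMC is assumed to (the login name replaces {} in userSearchFilter; the DN of the user entry that was found replaces {} in groupSearchFilter), escapes LDAP filter metacharacters, and runs ldapsearch against placeholder connection values (LDAP_URI, BIND_DN, BIND_PW, BASE_DN) that you export for your own directory.

```shell
#!/bin/sh
# Added example, not from the KB article or from TMC. Renders the TMC
# userSearchFilter / groupSearchFilter templates (assumption: login name
# into the user filter, the found user's DN into the group filter) and
# probes AD with ldapsearch so the filters can be verified before they go
# into the TMC configuration. Host and bind values below are placeholders.
LDAP_URI="${LDAP_URI:-ldaps://ad.example.invalid}"                 # placeholder
BIND_DN="${BIND_DN:-CN=svc-tmc,OU=Service Accounts,DC=example,DC=invalid}"
BIND_PW="${BIND_PW:-changeme}"                                     # placeholder
BASE_DN="${BASE_DN:-DC=example,DC=invalid}"
USER_FILTER='(&(objectClass=person)(sAMAccountName={}))'
GROUP_FILTER='(&(objectClass=group)(member={}))'

# Escape the RFC 4515 filter metacharacters so a value such as "a*" or "x)"
# cannot change the shape of the filter once it is substituted in.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Replace the "{}" placeholder in a filter template with an escaped value.
# ENVIRON is used instead of awk -v because -v would reinterpret backslashes.
render_filter() {
  case $1 in *"{}"*) ;; *) echo "no {} placeholder in: $1" >&2; return 1 ;; esac
  TMPL=$1 VAL=$(ldap_escape "$2") awk 'BEGIN {
    t = ENVIRON["TMPL"]; i = index(t, "{}")
    printf "%s%s%s", substr(t, 1, i - 1), ENVIRON["VAL"], substr(t, i + 2) }'
}

# Run one search with the service-account bind and print the values of the
# requested attribute, one per line.
ldap_values() {                                   # $1 = filter, $2 = attribute
  ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" -b "$BASE_DN" \
             "$1" "$2" | sed -n "s/^$2: //p"
}

# Check 1: the user filter should return exactly one DN for the login name.
check_user() { ldap_values "$(render_filter "$USER_FILTER" "$1")" dn; }

# Check 2: the group filter, given that DN, lists the groups whose names
# (case included) are what you enter in TMC Access Policies.
check_groups() { ldap_values "$(render_filter "$GROUP_FILTER" "$1")" cn; }

# Usage: sh tmc-ldap-check.sh <sAMAccountName>
if [ $# -gt 0 ]; then
  check_user "$1" | while IFS= read -r dn; do
    echo "user DN  : $dn"
    check_groups "$dn" | sed 's/^/member of: /'
  done
fi
```

If check_user prints zero or more than one DN, the userSearchFilter is not selective enough for TMC; if check_groups omits a group you expect, the groupSearchFilter or its base DN needs adjusting.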


In this example an AD group dev-team-a is configured and you want to grant it the TMC role cluster.admin.

In the Access Management - Access Policies view, select an Organization, Cluster Group, Cluster, Workspace or Namespace, then add a role and a user/group name and save to configure the desired access.

The user's or group's access can then be viewed under Access Management - User Permission, under the Mapped resource types of the added identity.

So, via Access Management - Access Policies as shown below, the group dev-team-a can be given cluster.admin access to the example cluster niall-test; then click Save.

It is the group identity field in the screenshot below where you will see that the identity name is neither validated nor auto-populated.

Be sure to enter the identity name exactly as it appears in your IDP, including its case.