Assigning Admin Privileges to LDAP Users for BOSH UAA in the Tanzu Platform
Article ID: 399676

Products

VMware Tanzu Application Platform VMware Tanzu Platform - TAP VMware Tanzu Application Service VMware Tanzu Kubernetes Grid Integrated Edition VMware Tanzu Kubernetes Grid Integrated Edition (Core) VMware Tanzu Kubernetes Grid Integrated EditionStarter Pack (Core) VMware Tanzu Platform Core

Issue/Introduction

By default, when LDAP is integrated with Ops Manager and BOSH, there is an option to enable the checkbox "Provision an admin client in the BOSH UAA" in the Ops Manager LDAP settings, as outlined in this Knowledge Base article.

However, if a user wants to manage the BOSH UAA using LDAP credentials, additional privileges must be assigned to that user's LDAP group. This article explains what is required.

Cause

If you were to log in to the BOSH UAA, you would use the following command:

uaac token owner get login -s <login-client-secret>
User name:  alana
Password:  ********
Unknown key: SameSite = None

You will get the following error:

error response:
{
  "error": "invalid_scope",
  "error_description": "[bosh.admin, scim.write, scim.read, clients.admin, credhub.read, credhub.write] is invalid. This user is not allowed any of the requested scopes"
}
attempt to get token failed


Resolution

You will have to map the following scopes to the LDAP group your user belongs to, after switching the uaac context to the admin client:

uaac group map "cn=cluster-admins,ou=groups,dc=example,dc=org" --name bosh.admin
Successfully mapped bosh.admin to cn=cluster-admins,ou=groups,dc=example,dc=org for origin ldap
uaac group map "cn=cluster-admins,ou=groups,dc=example,dc=org" --name uaa.admin
Successfully mapped uaa.admin to cn=cluster-admins,ou=groups,dc=example,dc=org for origin ldap
uaac group map "cn=cluster-admins,ou=groups,dc=example,dc=org" --name scim.read
Successfully mapped scim.read to cn=cluster-admins,ou=groups,dc=example,dc=org for origin ldap
uaac group map "cn=cluster-admins,ou=groups,dc=example,dc=org" --name scim.write
Successfully mapped scim.write to cn=cluster-admins,ou=groups,dc=example,dc=org for origin ldap
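The four mappings above can be applied as one re-runnable step. The script below is an added example, not part of this article or of the uaac tool: it takes the group DN and scope list from the article, skips scopes that are already mapped (so a second run does not repeat work), and prints each uaac command before running it. It assumes uaac is on the PATH and the context has already been switched to the admin client; the ALREADY_MAPPED list is a constructed stand-in for what you would read back from `uaac group mappings`.

```shell
#!/bin/sh
# Added example (not from the KB article): map the scopes the article assigns
# to one LDAP group, skipping any that are already mapped, so the script can
# be re-run safely. Assumes uaac is on PATH and the uaac context has already
# been switched to the admin client, as the article requires.

GROUP_DN="${GROUP_DN:-cn=cluster-admins,ou=groups,dc=example,dc=org}"
# Scopes the article maps. uaa.admin and scim.write let members manage every
# UAA user and client, so the DN above should be a tightly controlled group.
REQUIRED_SCOPES="bosh.admin uaa.admin scim.read scim.write"

# missing_scopes "<existing scopes>" -> prints the required scopes not yet mapped
missing_scopes() {
    existing=" $1 "
    out=""
    for s in $REQUIRED_SCOPES; do
        case "$existing" in
            *" $s "*) ;;                 # already mapped, skip it
            *) out="$out $s" ;;
        esac
    done
    printf '%s' "${out# }"
}

# map_scopes "<dn>" "<scopes>" [dry|apply]
# Prints the uaac command for each scope; runs it only in "apply" mode.
map_scopes() {
    dn="$1"; scopes="$2"; mode="${3:-dry}"
    for s in $scopes; do
        printf 'uaac group map "%s" --name %s\n' "$dn" "$s"
        if [ "$mode" = "apply" ]; then
            uaac group map "$dn" --name "$s" || return 1
        fi
    done
}

# Constructed example of scopes already mapped to the group (for instance from
# an earlier partial run); in practice read this back from `uaac group mappings`.
ALREADY_MAPPED="bosh.admin scim.read"

main() {
    todo="$(missing_scopes "$ALREADY_MAPPED")"
    if [ -z "$todo" ]; then
        echo "all required scopes already mapped to $GROUP_DN"
        return 0
    fi
    map_scopes "$GROUP_DN" "$todo" "${1:-dry}"
}

main "$@"
```

Run it with no arguments to see which `uaac group map` commands would be issued, and with `apply` to execute them; keeping the required scope list in one place also makes it easy to review exactly which privileges the LDAP group receives.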

After completing this step, you can retry logging in using your LDAP credentials.

uaac token owner get login -s <login-client-secret>
User name:  alana
Password:  ********
Unknown key: SameSite = None
WARNING: Decoding token without verifying it was signed by its authoring UAA

Successfully fetched token via owner password grant.
Target: https://<Director-IP>:8443
Context: alana, from client login