When LDAP is integrated with Ops Manager and BOSH, the Ops Manager LDAP settings include a "Provision an admin client in the BOSH UAA" checkbox, as described in this Knowledge Base article.
However, enabling that client does not by itself allow an LDAP user to log in to the BOSH CLI. For that, the user's LDAP group must be mapped to the BOSH UAA scopes that grant Director access. This article outlines the steps required to assign those privileges.
If the LDAP group is not mapped to the required scopes (bosh.read or bosh.admin), attempting to log in with an LDAP user fails with the following error, even though the credentials themselves are correct:
bosh login
Using environment '<Director-IP-Redacted>'
Email (): naomi
Password ():
Failed to authenticate with UAA
You can assign read or admin privileges to the LDAP group by mapping the group's DN to the corresponding UAA scope. The command below maps the group to bosh.read (read-only access); use --name bosh.admin instead for full administrative access. The uaac session must already be targeted at the Director's UAA and authenticated as a client that is permitted to manage group mappings:
uaac group map "cn=cluster-devs,ou=groups,dc=example,dc=org" --name bosh.read
Successfully mapped bosh.read to cn=cluster-devs,ou=groups,dc=example,dc=org for origin ldap
After the mapping is in place, the same LDAP user can log in, and bosh env confirms which user is authenticated:
bosh login
Using environment '<Director-IP-Redacted>'
Email (): naomi
Password ():
Successfully authenticated with UAA
Succeeded
bosh env
Using environment '<Director-IP-Redacted>' as user 'naomi'
Name               p-bosh
UUID               9cc27e1b-0174-49c6-8f76-3ea3234f3e88
Version            281.0.0 (00000000)
Director Stemcell  -/1.785
CPI                vsphere_cpi
Features           config_server: enabled
                   local_dns: enabled
                   snapshots: disabled
User               naomi
Succeeded
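The mapping and login steps above, as an added example script that is not part of this article or of the BOSH/UAA tooling. It wraps the uaac workflow in small functions so that the role name is translated into a scope explicitly (only read and admin are accepted, so a typo cannot map a group to a nonexistent scope), the group DN is sanity-checked, and the exact uaac command can be inspected in a dry run before anything touches the Director. The environment variables BOSH_UAA_URL, BOSH_CA_CERT, UAA_ADMIN_CLIENT and UAA_ADMIN_SECRET, the DRY_RUN switch and the function names are assumptions introduced for this example; the group DN reused from the article is only illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the article): map an LDAP group to a BOSH UAA scope,
# verify the mapping, and log in. uaac and bosh CLIs are assumed to be installed.
# Assumed environment (not stated in the article):
#   BOSH_UAA_URL      e.g. https://<Director-IP>:8443
#   BOSH_CA_CERT      path to the Director's root CA certificate
#   UAA_ADMIN_CLIENT  UAA client allowed to manage group mappings
#   UAA_ADMIN_SECRET  that client's secret
#   DRY_RUN           "1" (default) prints the command instead of running it
set -euo pipefail

# Translate a role into the BOSH scope it requires. Anything other than
# read|admin is refused so a typo never reaches uaac.
bosh_scope_for_role() {
  case "$1" in
    read)  echo "bosh.read" ;;
    admin) echo "bosh.admin" ;;
    *) echo "unknown role: $1 (expected read|admin)" >&2; return 1 ;;
  esac
}

# Cheap shape check on the group DN (cn=...,...dc=...). It does not consult
# the directory; it only catches obviously malformed input.
valid_group_dn() {
  case "$1" in
    cn=*,*dc=*) return 0 ;;
    *) return 1 ;;
  esac
}

# Render the uaac command as a string so it can be reviewed before execution.
build_map_cmd() {
  local dn="$1" role="$2" scope
  scope="$(bosh_scope_for_role "$role")" || return 1
  valid_group_dn "$dn" || { echo "invalid group DN: $dn" >&2; return 1; }
  printf 'uaac group map "%s" --name %s' "$dn" "$scope"
}

# Map the group, then list the mappings and confirm the DN is present.
# With DRY_RUN=1 (the default) nothing is sent to UAA.
map_ldap_group() {
  local dn="$1" role="$2" scope cmd
  cmd="$(build_map_cmd "$dn" "$role")" || return 1
  scope="$(bosh_scope_for_role "$role")"
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "dry run: $cmd"
    return 0
  fi
  uaac target "$BOSH_UAA_URL" --ca-cert "$BOSH_CA_CERT"
  uaac token client get "$UAA_ADMIN_CLIENT" -s "$UAA_ADMIN_SECRET"
  uaac group map "$dn" --name "$scope"
  # Fail loudly if the mapping did not take effect before anyone tries to log in.
  uaac group mappings | grep -F "$dn" >/dev/null \
    || { echo "mapping for $dn not found in UAA" >&2; return 1; }
  echo "mapped $dn to $scope"
}

# Usage: map the group from the article to bosh.read, then log in as before.
# Run with DRY_RUN=0 and the assumed variables set to perform the real mapping.
map_ldap_group "cn=cluster-devs,ou=groups,dc=example,dc=org" read
if [ "${DRY_RUN:-1}" != "1" ]; then
  bosh login
  bosh env
fi
```

Mapping a group to bosh.admin grants every member full control of the Director, so keep the admin mapping to a small, audited LDAP group and give day-to-day operators bosh.read where that is sufficient.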