How to manually add an ldap server to Tanzu Platform Cloud Foundry

Article ID: 402669


Products

VMware Tanzu Application Service VMware Tanzu Platform - Cloud Foundry

Issue/Introduction

Platform Operators may require SAML authentication to be enabled in the Tanzu Application Service tile but also want some users to authenticate with LDAP. For example, a service account might use LDAP because it cannot perform two-factor authentication. Currently the tile does not support having both enabled. This procedure describes how to add an LDAP provider manually.

Resolution

Please note that you should review the UAA logs when a failure occurs. The HTTP response body will not include any errors. The stack traces for any errors will be in /var/vcap/sys/log/uaa.log on the UAA VM that processed the request. You can run "bosh -d CF-DEPLOYMENT-NAME logs uaa" to collect all the UAA logs and look for errors.

Before getting started please review the user management docs to understand how to authenticate with uaac.

https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/tanzu-platform-for-cloud-foundry/6-0/tpcf/uaa-user-management.html


Create New LDAP identity provider configuration

uaac curl -X POST -H 'Content-Type: application/json' /identity-providers?rawConfig=true -d '{"type":"ldap","name": "UAA LDAP Provider","originKey": "ldap","config": {"emailDomain": [],
      "externalGroupsWhitelist": [
        "*"
      ],
      "attributeMappings": {},
      "addShadowUserOnLogin": true,
      "storeCustomAttributes": true,
      "ldapProfileFile": "ldap/ldap-search-and-bind.xml",
      "baseUrl": "ldap://ldap.yourdomain.com",
      "referral": "follow",
      "skipSSLVerification": false,
      "bindUserDn": "cn=admin,dc=ldap,dc=yourdomain,dc=com",
      "bindPassword": "password123",
      "userSearchBase": "ou=people,dc=ldap,dc=yourdomain,dc=com",
      "userSearchFilter": "cn={0}",
      "mailAttributeName": "mail",
      "mailSubstituteOverridesLdap": false,
      "ldapGroupFile": "ldap/ldap-groups-map-to-scopes.xml",
      "groupSearchBase": "ou=groups,dc=ldap,dc=yourdomain,dc=com",
      "groupSearchFilter": "member={0}",
      "autoAddGroups": true,
      "groupSearchSubTree": true,
      "maxGroupSearchDepth": 1,
      "groupRoleAttribute": "spring.security.ldap.dn"}
}'

Retrieve Existing Identity Providers

Run this before updating or deleting an existing identity provider configuration, because the update and delete calls need the provider ID it returns. In the response excerpt below the id is "aed5d8e1-8267-47da-9c72-2bf139dc2e23"; this id is used in the update and delete examples that follow.

uaac curl /identity-providers?rawConfig=true

{
    "type": "ldap",
    "config": {...},
    "id": "aed5d8e1-8267-47da-9c72-2bf139dc2e23",
    "originKey": "ldap",
    "name": "UAA LDAP Provider",
    "version": 6,
    "created": 946684800000,
    "last_modified": 1751300396000,
    "active": true,
    "identityZoneId": "uaa",
    "aliasId": null,
    "aliasZid": null
}


Update Existing Identity Provider

In this example we change the bind DN user from admin to NEWADMIN.

uaac curl -X PUT -H 'Content-Type: application/json' /identity-providers/aed5d8e1-8267-47da-9c72-2bf139dc2e23?rawConfig=true -d '{"type":"ldap","name": "UAA LDAP Provider","originKey": "ldap","config": {"emailDomain": [],
      "externalGroupsWhitelist": [
        "*"
      ],
      "attributeMappings": {},
      "addShadowUserOnLogin": true,
      "storeCustomAttributes": true,
      "ldapProfileFile": "ldap/ldap-search-and-bind.xml",
      "baseUrl": "ldap://ldap.yourdomain.com",
      "referral": "follow",
      "skipSSLVerification": false,
      "bindUserDn": "cn=NEWADMIN,dc=ldap,dc=yourdomain,dc=com",
      "bindPassword": "password123",
      "userSearchBase": "ou=people,dc=ldap,dc=yourdomain,dc=com",
      "userSearchFilter": "cn={0}",
      "mailAttributeName": "mail",
      "mailSubstituteOverridesLdap": false,
      "ldapGroupFile": "ldap/ldap-groups-map-to-scopes.xml",
      "groupSearchBase": "ou=groups,dc=ldap,dc=yourdomain,dc=com",
      "groupSearchFilter": "member={0}",
      "autoAddGroups": true,
      "groupSearchSubTree": true,
      "maxGroupSearchDepth": 1,
      "groupRoleAttribute": "spring.security.ldap.dn"}
}'


Delete Identity provider

uaac curl -X DELETE -H 'Content-Type: application/json' /identity-providers/aed5d8e1-8267-47da-9c72-2bf139dc2e23?rawConfig=true


Testing in Cloud Foundry

Create a user in the ldap origin, assign it an org role and a space role, then test with cf login.

cf create-user first.last --origin ldap
cf set-org-role first.last myOrg OrgManager --origin ldap
cf set-space-role first.last myOrg mySpace SpaceDeveloper --origin ldap


Additional Information

Some configuration parameters are omitted from the examples above. For a complete list of LDAP configuration options, see the identity provider section of the UAA API readme on GitHub:

https://github.com/cloudfoundry/uaa/blob/18b7f9e0bd64300a36d854ffc7529e1034569e88/docs/UAA-APIs.rst#identity-provider-api-documentation

LDAP Provider Configuration (provided in JSON format as part of the config field on the Identity Provider; see class org.cloudfoundry.identity.uaa.provider.LdapIdentityProviderDefinition)

Parameter                    Type                  Required  Description
---------------------------  --------------------  --------  ----------------------------------------------------------------------------------------------------
ldapProfileFile              String                Required  Value must be "ldap/ldap-search-and-bind.xml" (until other configuration options are supported)
ldapGroupFile                String                Required  Value must be "ldap/ldap-groups-map-to-scopes.xml" (until other configuration options are supported)
baseUrl                      String                Required  URL to LDAP server, starts with ldap:// or ldaps://
bindUserDn                   String                Required  Valid user DN for an LDAP record that has permission to search the LDAP tree
bindPassword                 String                Required  Password for the bindUserDn user above
userSearchBase               String                Required  Search base; defines where in the LDAP tree the UAA will search for a user
userSearchFilter             String                Required  User search filter used when searching for a user. {0} denotes the username in the search query.
groupSearchBase              String                Required  Search base; defines where in the LDAP tree the UAA will search for user groups. Use the value memberOf to skip the group search and use the memberOf attributes of the user instead.
groupSearchFilter            String                Required  Typically "memberOf={0}". Group search filter used when searching for a group. {0} denotes the user DN in the search query, or the group DN in case of a nested group search.
mailAttributeName            String                Required  The name of the attribute that contains the user's email address. In most cases this is "mail".
mailSubstitute               String                Optional  If the user records do not contain an email address, the UAA can create one. It could be "{0}@this-default-was-not-configured.invalid" where
mailSubstituteOverridesLdap  boolean               Optional  Set to true only if you always wish to override the LDAP-supplied user email address
autoAddGroups                boolean               Required  Currently not used
groupSearchSubTree           boolean               Required  Whether the sub tree should be searched for user groups
groupMaxSearchDepth          int                   Required  Maximum depth when searching for nested groups (groups within groups)
skipSSLVerification          boolean               Optional  Set to true if you wish to skip SSL certificate verification
emailDomain                  List<String>          Optional  List of email domains associated with the LDAP provider, used to associate users with the correct origin upon invitation. If null or an empty list, no invitations are accepted. Wildcards supported.
attributeMappings            Map<String, Object>   Optional  Map of UAA attributes to attributes from LDAP. Currently given_name, family_name, email, phone_number and external_groups can be mapped.
externalGroupsWhitelist      List<String>          Optional  List of external groups (DN, distinguished names) that can be included in the ID Token if the roles scope is requested. See UAA-LDAP.md for more information.
providerDescription          String                Optional  Human readable name/description of this provider
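The following Python example is added here and is not part of this article or the UAA project; it serves the "Retrieve Existing Identity Providers" step (picking the provider ID out of the parsed response so it can be reused in the update and delete calls) and the table above (checking a config block for the required fields and for the two settings that weaken transport security, a plain ldap:// baseUrl and skipSSLVerification). The sample response and config are constructed from the values shown in this article; the check function names and the REQUIRED list are this example's own assumptions.

```python
import json
from urllib.parse import urlsplit

# Fields the table above lists as Required (assumption: groupMaxSearchDepth is
# left out because the article's JSON and the table spell that key differently).
REQUIRED = ("ldapProfileFile", "ldapGroupFile", "baseUrl", "bindUserDn",
            "bindPassword", "userSearchBase", "userSearchFilter",
            "groupSearchBase", "groupSearchFilter", "mailAttributeName",
            "autoAddGroups", "groupSearchSubTree")

def find_provider_id(providers, origin_key="ldap"):
    """Return the id of the ldap provider with the given originKey, or None.
    `providers` is the parsed JSON list from `uaac curl /identity-providers?rawConfig=true`."""
    for p in providers:
        if p.get("type") == "ldap" and p.get("originKey") == origin_key:
            return p.get("id")
    return None

def check_ldap_config(config):
    """Return a list of problems found in an LDAP provider `config` block (empty = OK)."""
    problems = [f"missing required field {k}" for k in REQUIRED if k not in config]
    if config.get("ldapProfileFile") != "ldap/ldap-search-and-bind.xml":
        problems.append("ldapProfileFile must be ldap/ldap-search-and-bind.xml")
    if config.get("ldapGroupFile") != "ldap/ldap-groups-map-to-scopes.xml":
        problems.append("ldapGroupFile must be ldap/ldap-groups-map-to-scopes.xml")
    scheme = urlsplit(config.get("baseUrl", "")).scheme
    if scheme not in ("ldap", "ldaps"):
        problems.append("baseUrl must start with ldap:// or ldaps://")
    elif scheme == "ldap":
        # bind password and user passwords cross the network without TLS
        problems.append("baseUrl uses ldap:// (no TLS); prefer ldaps://")
    if config.get("skipSSLVerification") is True:
        problems.append("skipSSLVerification is true: server certificate is not checked")
    if "{0}" not in config.get("userSearchFilter", ""):
        problems.append("userSearchFilter must contain {0} for the username")
    return problems

# Constructed samples based on the values in this article.
SAMPLE_CONFIG = {
    "ldapProfileFile": "ldap/ldap-search-and-bind.xml",
    "ldapGroupFile": "ldap/ldap-groups-map-to-scopes.xml",
    "baseUrl": "ldap://ldap.yourdomain.com", "skipSSLVerification": False,
    "bindUserDn": "cn=admin,dc=ldap,dc=yourdomain,dc=com", "bindPassword": "password123",
    "userSearchBase": "ou=people,dc=ldap,dc=yourdomain,dc=com", "userSearchFilter": "cn={0}",
    "mailAttributeName": "mail", "groupSearchBase": "ou=groups,dc=ldap,dc=yourdomain,dc=com",
    "groupSearchFilter": "member={0}", "autoAddGroups": True, "groupSearchSubTree": True,
}
SAMPLE_RESPONSE = json.loads('[{"type": "ldap", "originKey": "ldap", "config": {}, '
                             '"id": "aed5d8e1-8267-47da-9c72-2bf139dc2e23"}]')
```

Running check_ldap_config on the article's own config reports only the ldap:// (no TLS) finding; switching baseUrl to ldaps:// clears it.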


These examples were created from the official UAA API documentation:

https://docs.cloudfoundry.org/api/uaa/version/77.34.0/index.html#identity-providers