LDAP groups mapping example

By Oleg Samoylov posted Wed December 25, 2024 10:31 AM


1. Create Instana groups with set of roles

In this example an MS Active Directory domain controller is used to authenticate users and to grant them Instana roles. As a first step, create a group in Instana, for example InstanaSRE, with the roles needed for SRE tasks; the matching MS Active Directory group will be mapped onto it later:

2. Configure LDAP connection

All users are authenticated against MS AD and receive their permissions from it, so we create an LDAP configuration like the one below:

where:

  • Base - the branch that narrows down the LDAP search for users and groups; only users and groups under this branch are visible to Instana;
  • Group Query - the filter that selects which LDAP entities Instana should treat as groups. (objectClass=group) means Instana will use all groups, because that attribute is set only on group objects. The filter can also be restricted to groups with certain names, as in the documentation example: https://www.ibm.com/docs/en/instana-observability/current?topic=ldap-integrating-active-directory
  • Group Member Field - the attribute of a group entity that references its member users; in the example the AD group SRE will be mapped to the Instana group InstanaSRE:
    ldapsearch -H "ldap://myad1.fyre.ibm.com:389" -x -D "cn=bind1,ou=Users,ou=Instana,dc=fyre,dc=ibm" -w "$PASSWORD" -b "ou=Instana,dc=fyre,dc=ibm" "(cn=SRE)"
    . . .
    dn: CN=SRE,OU=Groups,OU=Instana,DC=fyre,DC=ibm
    objectClass: group
    cn: SRE
    member: CN=test4,OU=Users,OU=Instana,DC=fyre,DC=ibm
    member: CN=test3,OU=Users,OU=Instana,DC=fyre,DC=ibm
    member: CN=test2,OU=Users,OU=Instana,DC=fyre,DC=ibm
    . . .
  • User Query Template - the filter used to look up the user entity at login; %s is replaced by the value the user typed as Username, so the attribute named in the template (cn here) serves as the Instana login name:
    ldapsearch -H "ldap://myad1.fyre.ibm.com:389" -x -D "cn=bind1,ou=Users,ou=Instana,dc=fyre,dc=ibm" -w "$PASSWORD" -b "ou=Instana,dc=fyre,dc=ibm" "(cn=test4)"
    . . .
    dn: CN=test4,OU=Users,OU=Instana,DC=fyre,DC=ibm
    objectClass: inetOrgPerson
    cn: test4
    . . .
  • Email Field - the attribute of a user entity that holds the email address. It is mandatory: every Instana user must have an email address set to be able to log in. The value itself is not verified.

3. Map groups

Users receive permissions by matching their AD group to an Instana group that carries a set of permissions, for example:

where:

  • Key - the attribute of the user entity that holds the assigned group:
    ldapsearch -H "ldap://myad1.fyre.ibm.com:389" -x -D "cn=bind1,ou=Users,ou=Instana,dc=fyre,dc=ibm" -w "$PASSWORD" -b "ou=Instana,dc=fyre,dc=ibm" "(cn=test4)"
    . . .
    dn: CN=test4,OU=Users,OU=Instana,DC=fyre,DC=ibm
    objectClass: user
    objectClass: inetOrgPerson
    cn: test4
    memberOf: CN=SRE,OU=Groups,OU=Instana,DC=fyre,DC=ibm
    . . .
  • Value - the value of that group attribute on the user entity, i.e. the full DN of the AD group:
    ldapsearch -H "ldap://myad1.fyre.ibm.com:389" -x -D "cn=bind1,ou=Users,ou=Instana,dc=fyre,dc=ibm" -w "$PASSWORD" -b "ou=Instana,dc=fyre,dc=ibm" "(cn=test4)"
    . . .
    dn: CN=test4,OU=Users,OU=Instana,DC=fyre,DC=ibm
    objectClass: inetOrgPerson
    cn: test4
    memberOf: CN=SRE,OU=Groups,OU=Instana,DC=fyre,DC=ibm
    . . .
  • Instana Group - the Instana group with roles, created in step 1, that the AD group is mapped to.
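To make the configuration in steps 2 and 3 concrete, the following added example (not Instana's own code, and not from the post) models what Instana does with these settings: it parses ldapsearch-style LDIF, substitutes the typed Username into the User Query Template, requires the Email Field to be present, and resolves the user's memberOf values against a Key / Value / Instana Group mapping table. The LDIF below is constructed to mirror the entries shown in the post; the assumption that Instana compares the mapping Value against the user's attribute as a whole DN, case-insensitively, is mine, as is the RFC 4515 escaping applied when %s is substituted.

```python
import base64
import re

# Constructed LDIF modelled on the ldapsearch output in the post (not captured from a live directory).
# test6 is added here to show a user without the mandatory mail attribute.
SAMPLE_LDIF = """\
dn: CN=test4,OU=Users,OU=Instana,DC=fyre,DC=ibm
objectClass: inetOrgPerson
cn: test4
memberOf: CN=SRE,OU=Groups,OU=Instana,DC=fyre,DC=ibm
mail: test4@fyre.ibm

dn: CN=test5,OU=Users,OU=Instana,DC=fyre,DC=ibm
objectClass: inetOrgPerson
cn: test5
memberOf: CN=OtherSRE,OU=Another Groups,OU=Instana,DC=fyre,DC=ibm
mail: test5@fyre.ibm

dn: CN=test6,OU=Users,OU=Instana,DC=fyre,DC=ibm
objectClass: inetOrgPerson
cn: test6
memberOf: CN=Admins,OU=Groups,OU=Instana,DC=fyre,DC=ibm
"""

# Mapping table as it would be entered in step 3 (Key / Value / Instana Group); InstanaAdmins is a hypothetical group.
GROUP_MAPPINGS = [
    {"key": "memberOf", "value": "CN=SRE,OU=Groups,OU=Instana,DC=fyre,DC=ibm", "instana_group": "InstanaSRE"},
    {"key": "memberOf", "value": "CN=OtherSRE,OU=Another Groups,OU=Instana,DC=fyre,DC=ibm", "instana_group": "InstanaSRE"},
    {"key": "memberOf", "value": "CN=Admins,OU=Groups,OU=Instana,DC=fyre,DC=ibm", "instana_group": "InstanaAdmins"},
]


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts (folded lines, '#' comments, '::' base64 values)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


# RFC 4515 escaping for values substituted into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_query(template, username):
    """Replace %s in the User Query Template with the escaped login name (assumed behaviour, not Instana's code)."""
    return template.replace("%s", escape_filter_value(username))


def normalize_dn(dn):
    """AD DNs are case-insensitive; lower-case and strip whitespace around unescaped RDN separators."""
    return ",".join(part.strip().lower() for part in re.split(r"(?<!\\),", dn))


def resolve_instana_groups(entry, mappings):
    """Return the Instana groups whose mapping rule matches one of the user's attribute values."""
    matched = set()
    for rule in mappings:
        for value in entry.get(rule["key"], []):
            if normalize_dn(value) == normalize_dn(rule["value"]):
                matched.add(rule["instana_group"])
    return matched


def evaluate_login(entries, username, mappings, mail_field="mail"):
    """Look the user up by cn, enforce the Email Field requirement and resolve groups; returns (ok, reason, groups)."""
    for entry in entries:
        if username.lower() in (v.lower() for v in entry.get("cn", [])):
            if not entry.get(mail_field):
                return (False, f"{mail_field} attribute missing", set())
            groups = resolve_instana_groups(entry, mappings)
            if not groups:
                return (False, "no group mapping matched", set())
            return (True, "ok", groups)
    return (False, "user not found", set())


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    print(build_user_query("(cn=%s)", "test4"))
    for name in ("test4", "test5", "test6", "nobody"):
        print(name, evaluate_login(users, name, GROUP_MAPPINGS))
```

The test5 case shows why the Value column must carry the exact DN, including the space in "OU=Another Groups": the match is on the whole DN, not on the group's cn. The test6 case shows the effect of a missing mail attribute, which blocks the login before any group mapping is considered.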

Ldapsearch results for reference

  • All groups from ou=Groups,ou=Instana,dc=fyre,dc=ibm:
[root@k3sinst1 ~]# ldapsearch -H "ldap://myad1.fyre.ibm.com:389" -x -D "cn=bind1,ou=Users,ou=Instana,dc=fyre,dc=ibm" -w "$PASSWORD" -b "ou=Groups,ou=Instana,dc=fyre,dc=ibm" "*"
# extended LDIF
#
# LDAPv3
# base <ou=Groups,ou=Instana,dc=fyre,dc=ibm> with scope subtree
# filter: (objectclass=*)
# requesting: * 
#
# Groups, Instana, fyre.ibm
dn: OU=Groups,OU=Instana,DC=fyre,DC=ibm
objectClass: top
objectClass: organizationalUnit
ou: Groups
distinguishedName: OU=Groups,OU=Instana,DC=fyre,DC=ibm
instanceType: 4
whenCreated: 20241115225055.0Z
whenChanged: 20241115225055.0Z
uSNCreated: 12770
uSNChanged: 12771
name: Groups
objectGUID:: kffZkMO7pUm+YcW/iwFYeg==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=fyre,DC=ibm
dSCorePropagationData: 20241115225055.0Z
dSCorePropagationData: 16010101000000.0Z

# Admins, Groups, Instana, fyre.ibm
dn: CN=Admins,OU=Groups,OU=Instana,DC=fyre,DC=ibm
objectClass: top
objectClass: group
cn: Admins
member: CN=test1,OU=Users,OU=Instana,DC=fyre,DC=ibm
distinguishedName: CN=Admins,OU=Groups,OU=Instana,DC=fyre,DC=ibm
instanceType: 4
whenCreated: 20241115231149.0Z
whenChanged: 20241115231544.0Z
uSNCreated: 16425
uSNChanged: 16442
name: Admins
objectGUID:: uuj2wKd30EiWWevLCNZYMA==
objectSid:: AQUAAAAAAAUVAAAAYwvY5607DPp9f4rdXAQAAA==
sAMAccountName: Admins
sAMAccountType: 536870912
groupType: -2147483644
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=fyre,DC=ibm
dSCorePropagationData: 16010101000000.0Z

# SRE, Groups, Instana, fyre.ibm
dn: CN=SRE,OU=Groups,OU=Instana,DC=fyre,DC=ibm
objectClass: top
objectClass: group
cn: SRE
member: CN=test4,OU=Users,OU=Instana,DC=fyre,DC=ibm
member: CN=test3,OU=Users,OU=Instana,DC=fyre,DC=ibm
member: CN=test2,OU=Users,OU=Instana,DC=fyre,DC=ibm
distinguishedName: CN=SRE,OU=Groups,OU=Instana,DC=fyre,DC=ibm
instanceType: 4
whenCreated: 20241115231213.0Z
whenChanged: 20241118094644.0Z
uSNCreated: 16429
uSNChanged: 16778
name: SRE
objectGUID:: aj1q/LqqwEGaAfHAEgp0HQ==
objectSid:: AQUAAAAAAAUVAAAAYwvY5607DPp9f4rdXQQAAA==
sAMAccountName: SRE
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=fyre,DC=ibm
dSCorePropagationData: 16010101000000.0Z
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
[root@k3sinst1 ~]#
  • User "test4":
[root@k3sinst1 ~]# ldapsearch -H "ldap://myad1.fyre.ibm.com:389" -x -D "cn=bind1,ou=Users,ou=Instana,dc=fyre,dc=ibm" -w "$PASSWORD" -b "ou=Instana,dc=fyre,dc=ibm" "(cn=test4)"
# extended LDIF
#
# LDAPv3
# base <ou=Instana,dc=fyre,dc=ibm> with scope subtree
# filter: (cn=test4)
# requesting: ALL
#
# test4, Users, Instana, fyre.ibm
dn: CN=test4,OU=Users,OU=Instana,DC=fyre,DC=ibm
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: inetOrgPerson
cn: test4
givenName: test4
distinguishedName: CN=test4,OU=Users,OU=Instana,DC=fyre,DC=ibm
instanceType: 4
whenCreated: 20241118094607.0Z
whenChanged: 20241118095515.0Z
displayName: test4
uSNCreated: 16770
memberOf: CN=SRE,OU=Groups,OU=Instana,DC=fyre,DC=ibm
uSNChanged: 16792
name: test4
objectGUID:: fNKS6r6VH0i7N+9tPPYrtA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 133763967678597753
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAYwvY5607DPp9f4rdZAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: test4
sAMAccountType: 805306368
userPrincipalName: test4@fyre.ibm
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=fyre,DC=ibm
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133763973156662517
mail: test4@fyre.ibm
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@k3sinst1 ~]#
  • User "test5", a member of a group whose DN contains a space character:
[root@k3sinst1 ~]# ldapsearch -H "ldap://myad1.fyre.ibm.com:389" -x -D "cn=bind1,ou=Users,ou=Instana,dc=fyre,dc=ibm" -w "$PASSWORD" -b "ou=Instana,dc=fyre,dc=ibm" "(cn=test5)"
# extended LDIF
#
# LDAPv3
# base <ou=Instana,dc=fyre,dc=ibm> with scope subtree
# filter: (cn=test5)
# requesting: ALL
#
# test5, Users, Instana, fyre.ibm
dn: CN=test5,OU=Users,OU=Instana,DC=fyre,DC=ibm
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: inetOrgPerson
cn: test5
givenName: test5
distinguishedName: CN=test5,OU=Users,OU=Instana,DC=fyre,DC=ibm
instanceType: 4
whenCreated: 20241118094720.0Z
whenChanged: 20241118095540.0Z
displayName: test5
uSNCreated: 16781
memberOf: CN=OtherSRE,OU=Another Groups,OU=Instana,DC=fyre,DC=ibm
uSNChanged: 16793
name: test5
objectGUID:: KNt5wdirE0C+xF/gA7jmeg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 133763968403911393
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAYwvY5607DPp9f4rdZQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: test5
sAMAccountType: 805306368
userPrincipalName: test5@fyre.ibm
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=fyre,DC=ibm
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133763973408381061
mail: test5@fyre.ibm
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@k3sinst1 ~]#

Relevant documentation:

https://www.ibm.com/docs/en/instana-observability/current?topic=ldap-integrating-active-directory 

https://www.ibm.com/docs/en/instana-observability/current?topic=configuration-configuring-ldap
