PowerVC

 View Only

Examples of running PowerVC LDAP configuration

By Prashanth Kumar Reddyreddy posted Wed October 24, 2018 02:05 PM

  
PowerVC supports two identity providers: local OS registry and LDAP registry, for end user authentication. By default, it is configured to use the OS registry. Customers who would like to configure LDAP server can use the CLI command powervc-config identity repository –t ldap to configure PowerVC with their existing LDAP server. It is highly recommended that you read the documentation before reading this blog.
Listed below are a few examples to help you understand some of the different ways in which LDAP can be configured with PowerVC.


  1. Run the following command to view the current configuration of the identity backend:

    • On a newly installed PowerVC, the output will look something like the below, indicating that the backend repository is OS (operating system), which is set by default during installation:
      # powervc-config identity repository
      Result:
      Type: os
      User filter: (memberOf=powervc-filter)
      Group filter: (name=powervc-filter)



    • On a PowerVC server that’s already configured with a remote LDAP server, the output will look like the below:
      # powervc-config identity repository
      Result:
      Type: ldap
      URL: ldap://x.x.x.x
      Use TLS: n
      Anonymous bind: y
      User tree DN: ou=ou=people,dc=ibm,dc=com
      User filter: (|(uid=bob)(uid=joan)(uid=sam))
      User object class: inetOrgPerson
      User ID attribute: uid
      User name attribute: uid
      User mail attribute: email
      User description attribute: description
      Group tree DN: ou=group,dc=ibm,dc=com
      Group filter: (|(cn=admin)(cn=deployer)(cn=viewer))
      Group object class: groupOfNames
      Group ID attribute: gidNumber
      Group name attribute: cn
      Group member attribute: member
      Group description attribute: description
      Query scope: sub
      Chase referrals: y






  2. Configure PowerVC to use an LDAP server in interactive mode.

    To provide LDAP inputs in interactive mode, run powervc-config identity repository with two mandatory arguments namely -t / --type and either -u /--user or -g /--group. The prompts display default values on left hand side, which can be selected by hitting or overridden by entering your own value.

    In the below example, the command has been run in secure mode with user credentials (check fields User name and Password) given as input for authentication to the LDAP server. By default, the command is run in secure mode. You can specify -insecure to run in insecure mode instead. If you do not want to input a user name and password, use the –anon argument to run in anonymous mode.

    Secure mode requires that the path to the CA certificate is provided as input while performing the LDAP configuration. Therefore, before you start in secure mode, ensure that the certificate is available somewhere on the system where PowerVC is running. Otherwise, you will get certificate validation errors. It is recommended that you try the configuration first in the –insecure and –anon mode to verify that the communication works fine, and then do the configuration again in secure and non-anonymous mode.

    In the following example, an LDAP user with a user name abcdef@in.org.com is configured as a PowerVC admin user on the ibm-default project; ibm-default is the default project created at the time of PowerVC installation. This user must be present under the user tree dn that has been given as input.
    # powervc-config identity repository --type ldap --user abcdef@in.org.com
    Configuring PowerVC for LDAP.
    URL [ldap://localhost]: ldap://x.x.x.x
    CA certificate file [None]: /etc/pki/tls/certs/ca-bundle.crt
    User name [dc=Manager,dc=example,dc=com]: dc=admin_user,dc=ibm,dc=com
    Password:
    User tree DN [ou=Users,dc=example,dc=com]: ou=people,dc=ibm,dc=com
    User filter [None]: (|(uid=bob)(uid=joan)(uid=sam))
    User object class [inetOrgPerson]: inetOrgPerson
    User ID attribute [uid]: uid
    User name attribute [cn]: uid
    User mail attribute [email]: email
    User description attribute [description]: description
    Group tree DN [ou=Groups,dc=example,dc=com]: ou=group,dc=ibm,dc=com
    Group filter [None]: (|(cn=admin)(cn=deployer)(cn=viewer))
    Group object class [groupOfNames]: groupOfNames
    Group ID attribute [cn]: gidNumber
    Group name attribute [cn]: cn
    Group member attribute [member]: member
    Group description attribute [description]:
    Query scope [one]: sub

    Result:
    Updating /etc/keystone/domains/keystone.Default.conf
    Removing assignments...
    Adding default assignment for user "abcdef@in.org.com"
    Stopping httpd services...
    Starting httpd services...
    An admin role assignment has been created for abcdef@in.org.com. Use
    this assignment to
    create other role assignments by logging in to PowerVC user interface.



  3. Configure PowerVC with an LDAP server in the non-interactive mode.

    Instead of running in interactive mode, you can specify all of the required information in the command when you initially run it. The following command sets up LDAP the same way as the previous example: 
    # powervc-config identity repository --type ldap --user abcdef@in.org.com --ldap-url ldap://x.x.x.x  --tls-cacertfile /etc/pki/tls/certs/ca-bundle.crt --ldap-user dc=admin_user,dc=ibm,dc=com  --user-tree-dn ou=ou=people,dc=ibm,dc=com --user-filter "(|(uid=bob)(uid=joan)(uid=sam))" --user-objectclass inetOrgPerson --user-id-attribute uid --user-name-attribute uid --user-mail-attribute email --user-desc-attribute description --group-tree-dn ou=group,dc=ibm,dc=com  --group-filter "(|(cn=admin)(cn=deployer)(cn=viewer))" --group-objectclass groupOfNames --group-id-attribute gidNumber --group-name-attribute cn --group-member-attribute member --group-desc-attribute description --query-scope sub
    	
    	Configuring PowerVC for LDAP.
    	Password:
    	
    	Result:
    	Configuring PowerVC for LDAP.
    	Updating /etc/keystone/domains/keystone.Default.conf
    	Removing assignments...
    	Adding default assignment for user "abcdef@in.org.com"
    	Stopping httpd services...
    	Starting httpd services...
    	An admin role assignment has been created for abcdef@in.org.com. Use this assignment to create other role assignments by logging in to PowerVC user interface.



  4. Switch back to the OS driver

    If you want to switch back to using the default OS identity backend driver (which pulls user/group information from the local OS registry and performs authentication against the same), run the below command. The existing LDAP configuration will be disabled, but the configuration information will be retained in PowerVC configuration files, so you can switch back to the same LDAP configuration using the –t ldap –quiet argument for CLI powervc-config identity repository –user <<user_name>> –t ldap –quiet without having to specify all the information again.

    # powervc-config identity repository --user root --type os
    	Configuring PowerVC for local OS.
    	User filter [(memberOf=powervc-filter)]:
    	Group filter [(name=powervc-filter)]:


    Result:

    	Removing assignments...
    	Adding default assignment for user "root"
    	Stopping httpd services...
    	Starting httpd services...

    An admin role assignment has been created for root. Use this assignment to create other role assignments by logging in to PowerVC user interface.



  5. Running with the quiet option

    When PowerVC is configured to use LDAP and is then switched back to using the local OS driver, PowerVC stores information about the previously configured LDAP server. This information can be used if user wishes to switch back to using LDAP as the backend at a later point of time. This is where the –quiet option comes in handy. Assume we followed these steps:
    a) Configured PowerVC with LDAP server (user inputs details)
    b) Switched PowerVC back to using local OS registry as the backend (PowerVC stores the LDAP configuration)
    c) You want to switch back from local OS to LDAP using the basically same configuration you had before. You will use the –quiet argument to speed up the process. You can keep the exact same configuration, or you can specify some new settings. In the following example, the --quiet option is used with new values for –user-filter and –group-filter. Here, all the information except the user/group filters from the previous LDAP configuration is used.
    # powervc-config identity repository --type ldap --quiet --user-filter "(|(uid=user1)(uid=user2)(uid=user3))" --group-filter "(|(cn=group1)(cn=group2))"

    Result:

    	Configuring PowerVC for LDAP.
    	fetching assignments...
    	Updating /etc/keystone/domains/keystone.Default.conf
    	Stopping httpd services...
    	Starting httpd services...
    No new role assignments were created. Pre-existing role assignments were preserved.



  6. Updating chase referrals

    If your environment has the Microsoft Active Directory LDAP server, it is recommended to set chase referrals to False. If you already configured the LDAP server, you can run the below command to get it updated.

    # powervc-config identity repository -q --chase-referrals False --type ldap
    Configuring PowerVC for LDAP.
    fetching assignments...
    Updating /etc/keystone/domains/keystone.Default.conf
    Stopping httpd services...
    Starting httpd services...
    No new role assignments were created. Pre-existing role assignments were preserved.





As you can see, there are many combinations in which PowerVC can be configured with an LDAP server. If you have questions on this or any other PowerVC subject, comment on this post, on our LinkedIn page, or on Facebook!

Authors:
Prashanth K Reddy
Divya K Konoor
#security
0 comments
6 views

Permalink