PowerVC supports two identity providers for end-user authentication: the local OS registry and an LDAP registry. By default, it is configured to use the OS registry. Customers who would like to use an LDAP server can run the CLI command
powervc-config identity repository -t ldap
to configure PowerVC with their existing LDAP server. It is highly recommended that you read the documentation before reading this blog.
Listed below are a few examples to help you understand some of the different ways in which LDAP can be configured with PowerVC.
- Run the following command to view the current configuration of the identity backend. On a newly installed PowerVC, the output will look something like the below, indicating that the backend repository is OS (operating system), which is set by default during installation:
# powervc-config identity repository
Result:
Type: os
User filter: (memberOf=powervc-filter)
Group filter: (name=powervc-filter)
- On a PowerVC server that’s already configured with a remote LDAP server, the output will look like the below:
# powervc-config identity repository
Result:
Type: ldap
URL: ldap://x.x.x.x
Use TLS: n
Anonymous bind: y
User tree DN: ou=people,dc=ibm,dc=com
User filter: (|(uid=bob)(uid=joan)(uid=sam))
User object class: inetOrgPerson
User ID attribute: uid
User name attribute: uid
User mail attribute: email
User description attribute: description
Group tree DN: ou=group,dc=ibm,dc=com
Group filter: (|(cn=admin)(cn=deployer)(cn=viewer))
Group object class: groupOfNames
Group ID attribute: gidNumber
Group name attribute: cn
Group member attribute: member
Group description attribute: description
Query scope: sub
Chase referrals: y
- Configure PowerVC to use an LDAP server in interactive mode.
To provide LDAP inputs in interactive mode, run powervc-config identity repository with two mandatory arguments: -t / --type and either -u / --user or -g / --group. Each prompt shows its default value in square brackets; press Enter to accept the default or type your own value to override it.
In the below example, the command has been run in secure mode with user credentials (see the User name and Password prompts) given as input for authentication to the LDAP server. By default, the command runs in secure mode. You can specify --insecure to run in insecure mode instead. If you do not want to enter a user name and password, use the --anon argument to run in anonymous mode.
Secure mode requires that the path to the CA certificate is provided as input while performing the LDAP configuration. Therefore, before you start in secure mode, ensure that the certificate is available somewhere on the system where PowerVC is running; otherwise, you will get certificate validation errors. If you want to rule out basic connectivity problems first, you can try the configuration in --insecure and --anon mode to verify that the communication works, and then redo the configuration in secure, non-anonymous mode. Do not leave the insecure configuration in place: without TLS, the bind credentials and every password that users send at login cross the network in cleartext.
In the following example, an LDAP user with the user name abcdef@in.org.com is configured as a PowerVC admin user on the ibm-default project; ibm-default is the default project created at the time of PowerVC installation. This user must be present under the user tree DN that has been given as input, and it must also be matched by the user filter if you specify one, since a user outside the filter cannot log in.
# powervc-config identity repository --type ldap --user abcdef@in.org.com
Configuring PowerVC for LDAP.
URL [ldap://localhost]: ldap://x.x.x.x
CA certificate file [None]: /etc/pki/tls/certs/ca-bundle.crt
User name [dc=Manager,dc=example,dc=com]: dc=admin_user,dc=ibm,dc=com
Password:
User tree DN [ou=Users,dc=example,dc=com]: ou=people,dc=ibm,dc=com
User filter [None]: (|(uid=bob)(uid=joan)(uid=sam))
User object class [inetOrgPerson]: inetOrgPerson
User ID attribute [uid]: uid
User name attribute [cn]: uid
User mail attribute [email]: email
User description attribute [description]: description
Group tree DN [ou=Groups,dc=example,dc=com]: ou=group,dc=ibm,dc=com
Group filter [None]: (|(cn=admin)(cn=deployer)(cn=viewer))
Group object class [groupOfNames]: groupOfNames
Group ID attribute [cn]: gidNumber
Group name attribute [cn]: cn
Group member attribute [member]: member
Group description attribute [description]:
Query scope [one]: sub
Result:
Updating /etc/keystone/domains/keystone.Default.conf
Removing assignments...
Adding default assignment for user "abcdef@in.org.com"
Stopping httpd services...
Starting httpd services...
An admin role assignment has been created for abcdef@in.org.com. Use this assignment to create other role assignments by logging in to PowerVC user interface.
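Rather than running the configuration in --insecure --anon mode just to see whether the directory answers, you can exercise the same TLS handshake, bind, user filter and group filter from the PowerVC host with OpenLDAP's ldapsearch before touching PowerVC at all. The script below is an added example, not a PowerVC tool: it assumes ldapsearch is installed, and every value in it (server address, bind DN, tree DNs, filters, the admin user name) is a constructed placeholder copied from the example above. It also checks the one thing powervc-config cannot check for you before it commits the change, namely that the --user account is actually inside the set selected by the user filter.

```shell
#!/bin/sh
# Pre-flight LDAP checks to run before:
#   powervc-config identity repository --type ldap --user <admin_user> ...
# This is an added example using OpenLDAP's ldapsearch, not a PowerVC tool.
# All values below are constructed placeholders mirroring the article's example.
LDAP_URL="ldap://x.x.x.x"
CA_FILE="/etc/pki/tls/certs/ca-bundle.crt"
BIND_DN="dc=admin_user,dc=ibm,dc=com"
USER_TREE_DN="ou=people,dc=ibm,dc=com"
USER_OBJECTCLASS="inetOrgPerson"
USER_FILTER="(|(uid=bob)(uid=joan)(uid=sam))"
USER_ID_ATTR="uid"
GROUP_TREE_DN="ou=group,dc=ibm,dc=com"
GROUP_OBJECTCLASS="groupOfNames"
GROUP_FILTER="(|(cn=admin)(cn=deployer)(cn=viewer))"
ADMIN_USER="abcdef@in.org.com"   # the --user value; it must be matched by USER_FILTER

# Keystone's LDAP driver ANDs the object class with the configured filter,
# so test the combined filter rather than the user/group filter on its own.
build_filter() { # $1 = object class, $2 = optional extra filter
  if [ -n "$2" ]; then
    printf '(&(objectClass=%s)%s)' "$1" "$2"
  else
    printf '(objectClass=%s)' "$1"
  fi
}

# STARTTLS (-ZZ: fail if it cannot be negotiated) applies to ldap:// only;
# ldaps:// is TLS from the first byte, and any other scheme is rejected.
tls_flags() {
  case $1 in
    ldaps://*) printf '' ;;
    ldap://*)  printf '%s' '-ZZ' ;;
    *)         return 1 ;;
  esac
}

# Simple bind over CA-verified TLS; ldapsearch does not chase referrals unless -C is given.
search() { # $1 = scope, $2 = base DN, $3 = filter, rest = attributes to return
  scope=$1; base=$2; filter=$3; shift 3
  LDAPTLS_CACERT="$CA_FILE" LDAPTLS_REQCERT=demand \
    ldapsearch -LLL -x $(tls_flags "$LDAP_URL") -H "$LDAP_URL" \
      -D "$BIND_DN" -y "$PW_FILE" -s "$scope" -b "$base" "$filter" "$@"
}

count_entries() { grep -c '^dn:'; }

run_preflight() {
  [ -r "$CA_FILE" ] || { echo "CA file $CA_FILE is not readable; secure mode will fail" >&2; return 1; }
  tls_flags "$LDAP_URL" >/dev/null || { echo "unsupported URL scheme in $LDAP_URL" >&2; return 1; }
  # Read the bind password once into a 0600 temp file so it never appears in ps output.
  PW_FILE=$(mktemp) && chmod 600 "$PW_FILE" && trap 'rm -f "$PW_FILE"' EXIT
  printf 'Bind password for %s: ' "$BIND_DN"; stty -echo; read -r pw; stty echo; echo
  printf '%s' "$pw" > "$PW_FILE"; unset pw

  # 1. TLS handshake, certificate validation and the bind itself (root DSE read).
  search base '' '(objectClass=*)' namingContexts >/dev/null || { echo "bind/TLS failed" >&2; return 1; }
  # 2. The user and group filters actually select something.
  uf=$(build_filter "$USER_OBJECTCLASS" "$USER_FILTER")
  gf=$(build_filter "$GROUP_OBJECTCLASS" "$GROUP_FILTER")
  echo "users matched:  $(search sub "$USER_TREE_DN" "$uf" "$USER_ID_ATTR" | count_entries)"
  echo "groups matched: $(search sub "$GROUP_TREE_DN" "$gf" cn | count_entries)"
  # 3. The account that will receive the admin role is inside the filtered set;
  #    otherwise powervc-config creates an assignment nobody can log in with.
  if [ "$(search sub "$USER_TREE_DN" "(&$uf($USER_ID_ATTR=$ADMIN_USER))" dn | count_entries)" -eq 0 ]; then
    echo "admin user $ADMIN_USER is not matched by the user filter" >&2; return 1
  fi
  echo "pre-flight OK: run powervc-config identity repository --type ldap --user $ADMIN_USER"
}

# Run with: PREFLIGHT_RUN=1 sh preflight.sh   (sourcing the file only defines the functions)
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then run_preflight; fi
```

The script deliberately uses LDAPTLS_REQCERT=demand and the same CA bundle you will hand to powervc-config, so a certificate that fails here will fail there too. If you need to point ldapsearch at an ldaps:// URL instead, only LDAP_URL changes; tls_flags drops the STARTTLS option automatically.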
- Configure PowerVC with an LDAP server in the non-interactive mode.
Instead of running in interactive mode, you can specify all of the required information in the command when you initially run it. The following command sets up LDAP the same way as the previous example:
# powervc-config identity repository --type ldap --user abcdef@in.org.com --ldap-url ldap://x.x.x.x --tls-cacertfile /etc/pki/tls/certs/ca-bundle.crt --ldap-user dc=admin_user,dc=ibm,dc=com --user-tree-dn ou=people,dc=ibm,dc=com --user-filter "(|(uid=bob)(uid=joan)(uid=sam))" --user-objectclass inetOrgPerson --user-id-attribute uid --user-name-attribute uid --user-mail-attribute email --user-desc-attribute description --group-tree-dn ou=group,dc=ibm,dc=com --group-filter "(|(cn=admin)(cn=deployer)(cn=viewer))" --group-objectclass groupOfNames --group-id-attribute gidNumber --group-name-attribute cn --group-member-attribute member --group-desc-attribute description --query-scope sub
Configuring PowerVC for LDAP.
Password:
Result:
Configuring PowerVC for LDAP.
Updating /etc/keystone/domains/keystone.Default.conf
Removing assignments...
Adding default assignment for user "abcdef@in.org.com"
Stopping httpd services...
Starting httpd services...
An admin role assignment has been created for abcdef@in.org.com. Use this assignment to create other role assignments by logging in to PowerVC user interface.
- Switch back to the OS driver
If you want to switch back to using the default OS identity backend driver (which pulls user/group information from the local OS registry and authenticates against it), run the command below. The existing LDAP configuration will be disabled, but its settings are retained in the PowerVC configuration files, so you can later return to the same LDAP configuration with the -t ldap --quiet arguments (powervc-config identity repository --user <user_name> -t ldap --quiet) without having to specify all the information again.
# powervc-config identity repository --user root --type os
Configuring PowerVC for local OS.
User filter [(memberOf=powervc-filter)]:
Group filter [(name=powervc-filter)]:
Result:
Removing assignments...
Adding default assignment for user "root"
Stopping httpd services...
Starting httpd services...
An admin role assignment has been created for root. Use this assignment to create other role assignments by logging in to PowerVC user interface.
- Running with the quiet option
When PowerVC is configured to use LDAP and is then switched back to the local OS driver, PowerVC stores the previously configured LDAP settings. They can be reused if you want to switch back to LDAP as the backend at a later point in time; this is where the --quiet option comes in handy. Assume we followed these steps:
a) Configured PowerVC with an LDAP server (you entered the details)
b) Switched PowerVC back to the local OS registry as the backend (PowerVC stores the LDAP configuration)
c) You want to switch from the local OS back to LDAP using basically the same configuration you had before. Use the --quiet argument to speed up the process. You can keep the exact same configuration, or you can specify some new settings. In the following example, --quiet is used with new values for --user-filter and --group-filter; everything except the user/group filters is taken from the previous LDAP configuration.
# powervc-config identity repository --type ldap --quiet --user-filter "(|(uid=user1)(uid=user2)(uid=user3))" --group-filter "(|(cn=group1)(cn=group2))"
Result:
Configuring PowerVC for LDAP.
fetching assignments...
Updating /etc/keystone/domains/keystone.Default.conf
Stopping httpd services...
Starting httpd services...
No new role assignments were created. Pre-existing role assignments were preserved.
- Updating chase referrals
If your environment uses a Microsoft Active Directory LDAP server, it is recommended to set chase referrals to False: AD answers subtree searches with referrals to other directory partitions and domain controllers, and chasing them from Keystone typically produces lookup errors or delays rather than useful results. If you have already configured the LDAP server, run the command below to update the setting.
# powervc-config identity repository -q --chase-referrals False --type ldap
Configuring PowerVC for LDAP.
fetching assignments...
Updating /etc/keystone/domains/keystone.Default.conf
Stopping httpd services...
Starting httpd services...
No new role assignments were created. Pre-existing role assignments were preserved.
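Every variant above ends with "Updating /etc/keystone/domains/keystone.Default.conf", so that file is where the effective settings live and where an auditor should look after a switch, a --quiet re-run or a chase-referrals update. The script below is an added example, not part of PowerVC, and it assumes the file uses Keystone's standard [ldap] option names (url, use_tls, tls_cacertfile, tls_req_cert, chase_referrals, user, password); the three sample configurations it writes are constructed for the demonstration. It flags the two weak states this page warns about, a cleartext ldap:// connection left over from --insecure and a TLS connection that does not verify the server certificate, plus a world-readable file that stores the bind password, and it notes chase_referrals=True for the Active Directory case.

```shell
#!/bin/sh
# Audit the [ldap] section of the Keystone domain config that
# powervc-config writes (/etc/keystone/domains/keystone.Default.conf).
# Added example, not part of PowerVC. Assumes the file uses Keystone's standard
# [ldap] option names: url, use_tls, tls_req_cert, chase_referrals, user, password.

get_opt() { # $1 = config file, $2 = option name; prints its value from the [ldap] section
  awk -v key="$2" '
    /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[ldap\]/); next }
    insec && /=/ && $0 !~ /^[[:space:]]*[#;]/ {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1)   # split on the FIRST "=" only: LDAP filters contain "="
        sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

audit_ldap_conf() { # $1 = config file; prints findings, returns their count (0 = clean)
  f=$1; count=0
  url=$(get_opt "$f" url)
  use_tls=$(lower "$(get_opt "$f" use_tls)")
  req_cert=$(lower "$(get_opt "$f" tls_req_cert)"); req_cert=${req_cert:-demand}  # Keystone's default
  chase=$(lower "$(get_opt "$f" chase_referrals)")
  password=$(get_opt "$f" password)

  case $url in
    ldaps://*) encrypted=1 ;;
    ldap://*)  if [ "$use_tls" = true ]; then encrypted=1; else encrypted=0; fi ;;
    *)         encrypted=0 ;;
  esac
  if [ "$encrypted" -eq 0 ]; then
    echo "FINDING: $url with use_tls=${use_tls:-unset}: bind password and every user login cross the network in cleartext"
    count=$((count + 1))
  elif [ "$req_cert" != demand ]; then
    echo "FINDING: tls_req_cert=$req_cert: the server certificate is not verified, so TLS does not stop interception"
    count=$((count + 1))
  fi
  # The bind password is stored in this file: it must not be readable by other local users.
  if [ -n "$password" ] && [ -n "$(find "$f" -perm -004)" ]; then
    echo "FINDING: $f contains the bind password but is world-readable"
    count=$((count + 1))
  fi
  if [ "$chase" = true ]; then
    echo "NOTE: chase_referrals=True; set it to False when the server is Active Directory"
  fi
  return "$count"
}

write_samples() { # $1 = directory; writes three constructed sample configs for the demo
  cat > "$1/insecure.conf" <<'EOF'
[ldap]
url = ldap://x.x.x.x
use_tls = False
chase_referrals = True
user = dc=admin_user,dc=ibm,dc=com
password = example-bind-password
user_filter = (|(uid=bob)(uid=joan)(uid=sam))
EOF
  cat > "$1/unverified.conf" <<'EOF'
[ldap]
url = ldap://x.x.x.x
use_tls = True
tls_cacertfile = /etc/pki/tls/certs/ca-bundle.crt
tls_req_cert = allow
chase_referrals = False
user = dc=admin_user,dc=ibm,dc=com
password = example-bind-password
EOF
  cat > "$1/hardened.conf" <<'EOF'
[ldap]
url = ldap://x.x.x.x
use_tls = True
tls_cacertfile = /etc/pki/tls/certs/ca-bundle.crt
tls_req_cert = demand
chase_referrals = False
user = dc=admin_user,dc=ibm,dc=com
password = example-bind-password
EOF
  chmod 644 "$1/insecure.conf"; chmod 600 "$1/unverified.conf" "$1/hardened.conf"
}

# Usage: AUDIT_FILE=/etc/keystone/domains/keystone.Default.conf sh audit_ldap.sh
if [ -n "${AUDIT_FILE:-}" ]; then audit_ldap_conf "$AUDIT_FILE"; fi
```

The exit status is the number of findings, so the script can gate a change window: run it after every powervc-config identity repository invocation and treat anything other than 0 as a reason not to hand the system back to users.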
As you can see, there are many combinations in which PowerVC can be configured with an LDAP server. If you have questions on this or any other PowerVC subject, comment on this post, on our LinkedIn page, or on Facebook!
Authors: Prashanth K Reddy, Divya K Konoor