Conductor Documentation

LDAP Installation

Introduction

Set up LDAP authentication so that users can log in to Conductor through the GUI or the CLI with their email address as the username.

Prerequisites

Procedure Steps

Instruct Conductor to use LDAP authentication

  1. SSH to Wind River Conductor and set the environment variable that makes the cfy CLI accept any SSL certificate presented by the manager:

    a. export CLOUDIFY_SSL_TRUST_ALL=True

    This disables TLS certificate verification for the CLI's connection to the manager. It is acceptable on the manager host itself or in a lab; do not set it on a workstation that reaches Conductor over an untrusted network, where anyone able to intercept the connection could capture the admin credentials.

  2. Activate the virtual env for running cloudify CLI commands.

  3. Run cfy ldap set to tell Conductor to use LDAP authentication. Each option is a long flag of the command:

    1. cfy ldap set

      • --ldap-server ldap://<ldap ip>:<ldap port>  (prefer ldaps:// where the directory offers TLS; over plain ldap:// the bind password and every user's password cross the network in the clear)
      • --ldap-username <admin dn>  (the DN Conductor binds with to search the directory)
      • --ldap-password <pw>
      • --ldap-base-dn <ldap base dn>
      • --ldap-bind-format '<bind format>'
      • --ldap-user-filter <user filter>  ({username} is replaced by the name typed at login)
      • --ldap-group-dn <ldap group dn>
      • --ldap-group-member-filter <group member filter>  ({object_dn} is replaced by the DN of the user entry the user filter found)
      • --ldap-attribute-first-name <user first name>
      • --ldap-attribute-uid <ldap attribute id>
    2. Example cfy ldap set:

      cfy ldap set \
        --ldap-server ldap://1.2.3.4:111 \
        --ldap-username 'cn=admin,dc=spog,dc=com' \
        --ldap-password 'password' \
        --ldap-base-dn 'dc=spog,dc=com' \
        --ldap-bind-format 'cn=admin,{base_dn}' \
        --ldap-user-filter 'uid={username}' \
        --ldap-group-dn 'ou=Groups,dc=spog,dc=com' \
        --ldap-group-member-filter 'member={object_dn}' \
        --ldap-attribute-first-name 'givenName' \
        --ldap-attribute-uid 'uid'

      The values are placeholders for the lab directory, not defaults to keep. Note that a bind password passed on the command line like this ends up in the shell history.

    cfy ldap example

    4. Confirm the setup with cfy config list and cfy ldap status. The screenshot below is the output of cfy config list; it contains the LDAP-related entries.

    ldap example output

Configuring Conductor to use LDAP for authentication

  1. Log in to the Conductor UI as admin. Note that even after the LDAP setup is done, the built-in admin user is authenticated locally, not against LDAP.

  2. Create the tenants. Here three tenants are created: wra_tenant1, wrc_tenant1 and wrcp_tenant1.

    screen shot of the Add tenant screen

    screen shot of the Add tenant screen fields

  3. Create user groups. Three groups are created, matching the groups that already exist in LDAP:

    • wra_grp
    • wrc_grp
    • wrcp_grp

    screen shot of ldap groups

    In this step, enter as the LDAP group the exact DN of the group in LDAP that the user is a member of (a group under --ldap-group-dn that the group member filter matches for the user). That DN is what links the LDAP user to the Conductor user group and, through it, to the tenant and role.

    Then associate the tenant with each group and assign a role. Conductor has four tenant roles to choose from: viewer, operations, user and manager. An example of group creation is shown below (note: this is for a different group).

screen shot of an example ldap groups

  4. Once these are done, the connection between LDAP and Conductor is complete, and users can log in to Conductor through the GUI with their LDAP username and password.

Assigning an email address as a username

Configure LDAP so that a user can log in with their email address as the LDAP username. With --ldap-user-filter 'uid={username}', the login name is matched against uid, so the user entry is created with the email address as its uid (and as its mail attribute).

  1. Add a new user to LDAP via phpLDAPadmin or directly from an LDIF file. The two entries below, a group and the user it contains, are shown as phpLDAPadmin exports them (the "Entry N:" labels are written as LDIF comments so the block can be imported as-is). The userpassword value is the {SSHA} hash computed by the directory; do not copy a hash from documentation into a real directory.

# Entry 10: cn=testgrp,ou=Groups,dc=spog,dc=com
dn: cn=testgrp,ou=Groups,dc=spog,dc=com
cn: testgrp
description: Group
member: cn=rgregory@spog.com,ou=Users,dc=spog,dc=com
objectclass: groupOfNames
objectclass: top
ou: Groups

# Entry 11: cn=rgregory@spog.com,ou=Users,dc=spog,dc=com
dn: cn=rgregory@spog.com,ou=Users,dc=spog,dc=com
cn: rgregory
gidnumber: 505
givenname: Reena
homedirectory: /home/Users/rgregory@spog.com
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Gregory
uid: rgregory@spog.com
mail: rgregory@spog.com
uidnumber: 1006
userpassword: {SSHA}MMmp4MvL+6PkNfdczq30rWg6HdpsNMY+
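The following Python is an added illustration, not Conductor's or Cloudify's code, of what the cfy ldap set filters and the LDIF entries above mean together. It parses a constructed LDIF modelled on the entries on this page, resolves a login name through the --ldap-user-filter template ('uid={username}', which is why the email address must be the uid), checks a {SSHA} userpassword the way OpenLDAP stores it, matches the user's DN against groups under --ldap-group-dn with the --ldap-group-member-filter template, and maps the matched LDAP group to a Conductor user group, tenant and role. The CONDUCTOR_GROUPS table, DEMO_PASSWORD, the test_grp name and the RFC 4515 escaping of placeholder values are assumptions of the example; Conductor's real lookup is performed by the manager against the live directory and may differ in detail.

```python
import base64
import hashlib
import hmac
import os
import re

# Settings in the shape of this page's cfy ldap set options.
BASE_DN = "dc=spog,dc=com"
USER_FILTER = "uid={username}"
GROUP_DN = "ou=Groups,dc=spog,dc=com"
GROUP_MEMBER_FILTER = "member={object_dn}"
# Constructed LDIF modelled on the page's entries (not a real directory); userpassword is added below.
LDIF = """\
dn: cn=testgrp,ou=Groups,dc=spog,dc=com
cn: testgrp
objectclass: groupOfNames
member: cn=rgregory@spog.com,ou=Users,dc=spog,dc=com

dn: cn=rgregory@spog.com,ou=Users,dc=spog,dc=com
uid: rgregory@spog.com
mail: rgregory@spog.com
objectclass: inetOrgPerson
"""
USER_DN = "cn=rgregory@spog.com,ou=Users,dc=spog,dc=com"
DEMO_PASSWORD = "Wind-R1ver!"  # constructed for the example only
# Assumed Conductor-side setup: user group -> (LDAP group DN, tenant, role).
CONDUCTOR_GROUPS = {
    "test_grp": ("cn=testgrp,ou=Groups,dc=spog,dc=com", "wra_tenant1", "user"),
}

def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for simple (unfolded, non-base64) LDIF."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt) with a random 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Recompute the digest with the salt stored after it; constant-time compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hmac.compare_digest(hashlib.sha1(password.encode() + raw[20:]).digest(), raw[:20])

def escape_filter_value(value):
    """RFC 4515 escaping: a login name such as '*)(uid=*' cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def render_filter(template, **placeholders):
    """Fill {username} / {object_dn} into a filter template, escaping each value."""
    return template.format(**{k: escape_filter_value(v) for k, v in placeholders.items()})

def match_equality(entry, filt):
    """Evaluate one attribute=value filter against an entry, case-insensitively."""
    attr, _, value = filt.strip("()").partition("=")
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return any(v.lower() == wanted.lower() for v in entry.get(attr.strip().lower(), []))

def find_user(directory, username):
    """The unique entry under BASE_DN matching USER_FILTER, or None."""
    filt = render_filter(USER_FILTER, username=username)
    hits = [dn for dn, e in directory.items()
            if dn.lower().endswith(BASE_DN.lower()) and match_equality(e, filt)]
    return hits[0] if len(hits) == 1 else None

def groups_of(directory, object_dn):
    """DNs of groups under GROUP_DN whose GROUP_MEMBER_FILTER matches object_dn."""
    filt = render_filter(GROUP_MEMBER_FILTER, object_dn=object_dn)
    return sorted(dn for dn, e in directory.items()
                  if dn.lower().endswith(GROUP_DN.lower()) and match_equality(e, filt))

def tenant_roles(ldap_groups):
    """Translate matched LDAP group DNs into {tenant: role} via CONDUCTOR_GROUPS."""
    matched = {g.lower() for g in ldap_groups}
    return {tenant: role for dn, tenant, role in CONDUCTOR_GROUPS.values() if dn.lower() in matched}

def authenticate(directory, username, password):
    """Model of the login flow: lookup, password check, group -> tenant/role. None on failure."""
    user_dn = find_user(directory, username)
    if user_dn is None:
        return None
    stored = directory[user_dn].get("userpassword", [""])[0]
    if not stored.startswith("{SSHA}") or not ssha_verify(password, stored):
        return None
    return tenant_roles(groups_of(directory, user_dn))

DIRECTORY = parse_ldif(LDIF)
DIRECTORY[USER_DN]["userpassword"] = [ssha_hash(DEMO_PASSWORD)]
```

Calling authenticate(DIRECTORY, "rgregory@spog.com", DEMO_PASSWORD) yields {'wra_tenant1': 'user'}: the email address is found through the uid filter, the password verifies against the {SSHA} value, and membership in cn=testgrp maps to the tenant and role of the Conductor group that carries that DN. A wrong password, an unknown login name, or a login name of "*" all yield None, the last because the escaped filter uid=\2a matches only a literal asterisk.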


  2. Verify the LDAP setup with cfy ldap status.

  3. Add the tenant and the user group, giving the user group the DN of the LDAP group the user belongs to (here cn=testgrp,ou=Groups,dc=spog,dc=com).

LDAP add tenant

The user group and tenant are now added to Conductor.

  4. Log in to Conductor via the GUI with the email address and password.

LDAP login

After a successful login the user lands in the Conductor UI.

screen shot of LDAP login

  5. Troubleshooting:

    Check that the login attempt reaches the REST service by following the log of the rest-service pod:

    kubectl logs -f <rest-service pod>

    Keep the log open and try the login; the authentication attempt is logged there. If the login does not work on a fresh install of Conductor, try installing a plugin (conductor-wrcp-plugin), then log out and log in again. This appears to be a bug that requires further debugging.

LDAP Login via CLI

Note: Ensure you have a licensed WRC CLI distributed by Wind River.

  1. Log in to Conductor as admin and create the tenant and the user groups associated with it. Give the user group the "manager" role.

  2. Connect Conductor to the LDAP server with the cfy ldap set command from the Cloudify CLI, as described under "Instruct Conductor to use LDAP authentication" above.

  3. Log in as the LDAP user from the CLI with: cfy profiles set --manager-username <username> --manager-password <password> -t <tenant_name>

    The password is passed on the command line here, so it ends up in the shell history.