OpenLDAP Support

I am trying to understand how people plan on using OpenLDAP with Rancher.

  1. Full DN, ex: cn=UserA,dc=example,dc=com
     • This seems like a poor UX
  2. Username (e.g. userA, example.com/UserA, userA@example.com)
     • This causes issues with assuming a specific domain and not supporting multiple OUs, if any.

Will you want to use multiple OUs / domains within Rancher concurrently on one install?

I’m trying to see how Rancher users plan to integrate with OpenLDAP.

The way we have set up our LDAP structure is something like this:

An example of how we have set up our Rundeck access:

  • dc=company,dc=net
    • ou=users (organizationalUnit)
      • cn=UserA (inetOrgPerson)
      • cn=UserB (inetOrgPerson)
      • cn=UserC (inetOrgPerson)
    • ou=groups (organizationalUnit)
      • ou=rundeck (organizationalUnit)
        • cn=admin (groupOfNames)
        • cn=live (groupOfNames)
        • cn=staging (groupOfNames)

So in the above, the groupOfNames entries act as our Rundeck ‘projects’. Users who are added to the admin group have admin access, while users in the staging group have access to the staging projects.

It would be great if something similar was possible on rancher. For example:

  • dc=company,dc=net
    • ou=users (organizationalUnit)
      • cn=UserA (inetOrgPerson)
      • cn=UserB (inetOrgPerson)
      • cn=UserC (inetOrgPerson)
    • ou=groups (organizationalUnit)
      • ou=rancher (organizationalUnit)
        • cn=admin (groupOfNames)
        • cn=live (groupOfNames)
        • cn=staging (groupOfNames)

where ou=groups,ou=rancher,cn=admin/live/staging were rancher environments.

Here is a sample of how LDAP is configured on Rundeck (using JAAS) for the above layout.

    {
    providerUrl="ldap://LDAP_SERVER_DNS:389"
    bindDn=""
    bindPassword=""
    authenticationMethod="none"
    userBaseDn="ou=users,dc=company,dc=net"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userPasswordAttribute="userPassword"
    userObjectClass="inetOrgPerson"
    roleBaseDn="ou=rancher,ou=groups,dc=company,dc=net"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="groupOfNames"
    }

We will be using just a single domain, and preferably with only the uid as the login name, without any additional domain info.

As for us, we have a separate cn for service accounts:

  • dc=company,dc=com
    • ou=services
      • cn=rancher-service-acc(*)
      • cn=UserB(*)
      • cn=UserC(*)
    • ou=rancher-users
      • uid=UserA(*)
      • uid=UserB(*)
      • uid=UserC(*)

We are going to bind to the LDAP server with a service account (dn: cn=rancher-service-acc,ou=services,dc=company,dc=com; we enter this string in the service account field) and make a search query based on the login username.

To bind to the LDAP server the right way, we have changed LdapIdentitySearchProvider.java:

    public Set<Identity> getIdentities(String username, String password) {
        if (!isConfigured()) {
            return new HashSet<>();
        }
        LdapContext userContext;
        try {
            // Bind with the configured service account instead of the login user
            userContext = login(LdapConstants.SERVICE_ACCOUNT_USER.get(), LdapConstants.SERVICE_ACCOUNT_PASSWORD.get());
            // Original call, now disabled:
            // userContext = login();
        } catch (RuntimeException e) {
            throw new ClientVisibleException(ResponseCodes.UNAUTHORIZED);
        }
        // remainder of the method unchanged

On the LDAP server we see that the bind and search operations are successful, but identities are null :disappointed:, so as a result we get an UNAUTHORIZED message, without any exception from cattle.
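An added example (not Rancher's or the poster's code) of the two search filters the service-account flow above needs: one to find the entry for the typed login name, one to list the groupOfNames entries whose member attribute holds the user's DN. The login name is escaped per RFC 4515 so that characters typed by the user cannot change the meaning of the filter; attribute and object class names are taken from the JAAS config posted earlier in the thread.

```python
# Added example: build the user-lookup and group-lookup filters for the
# service-account bind-then-search flow, with RFC 4515 escaping of user input.
# Attribute/class defaults mirror the JAAS config above (uid, inetOrgPerson,
# member, groupOfNames); they are parameters, not Rancher's own API.

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":          # the characters that alter filter syntax
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def user_search_filter(login, user_id_attr="uid", user_class="inetOrgPerson"):
    """Step 1: searched as the service account to resolve the login name to a DN;
    the caller then binds as that DN with the password the user typed."""
    return "(&(objectClass=%s)(%s=%s))" % (
        user_class, user_id_attr, escape_filter_value(login))

def group_search_filter(user_dn, member_attr="member", group_class="groupOfNames"):
    """Step 2: list the groups (Rancher environments) whose member attribute
    contains the resolved user DN."""
    return "(&(objectClass=%s)(%s=%s))" % (
        group_class, member_attr, escape_filter_value(user_dn))
```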

We have been using OpenLDAP with phpldapadmin to create the users and groups, but it seems that there are two ways that group management of users can occur.

  • Mapping of groups to users.
    • ex: UserA is a member of GroupA, and so to track this GroupA has many memberUid attributes, one of which is memberUid=UserA
    • With this method, to determine membership of a group you must check whether the group has an entry for the member.
  • The other is with direct attribute usage.
    • ex: UserA is a member of GroupB; GroupB has an attribute gid=500 and UserA has an attribute of gid=500
    • With this method, to determine membership of a group you just check whether the user has an entry for the group attribute type.

Which way are you guys using groups? Or do you have groups using both methods?
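An added example (not code from the thread or from Rancher) that resolves a user's groups under both membership methods described in this post, over a constructed directory modelled on the ou=users / ou=rancher,ou=groups layout posted earlier. The groupOfNames entries use full DNs in member; the attribute-based method is modelled with the assumed posixGroup class (memberUid, gidNumber) standing in for the "gid=500" case.

```python
# Added example (not from the thread or Rancher): a tiny LDIF parser plus the two
# group membership models discussed above, over a constructed directory (no server).
SAMPLE_LDIF = """
dn: uid=UserA,ou=users,dc=company,dc=net
objectClass: inetOrgPerson
uid: UserA

dn: uid=UserB,ou=users,dc=company,dc=net
objectClass: inetOrgPerson
uid: UserB
gidNumber: 501

dn: cn=admin,ou=rancher,ou=groups,dc=company,dc=net
objectClass: groupOfNames
cn: admin
member: uid=UserA,ou=users,dc=company,dc=net

dn: cn=staging,ou=rancher,ou=groups,dc=company,dc=net
objectClass: posixGroup
cn: staging
gidNumber: 501
memberUid: UserA
"""

def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}}; no folded or base64 lines."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(": ")
        if not line.strip():                 # blank line ends the current entry
            current = None
        elif attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def groups_for_user(entries, user_dn):
    """Group names for a user under both models: groupOfNames lists the user's
    full DN in 'member'; posixGroup matches memberUid or a shared gidNumber."""
    user = entries[user_dn]
    uid, gids = user["uid"][0], set(user.get("gidNumber", []))
    found = set()
    for e in entries.values():
        by_dn = "groupOfNames" in e.get("objectClass", []) and user_dn in e.get("member", [])
        by_posix = "posixGroup" in e.get("objectClass", []) and (
            uid in e.get("memberUid", []) or gids & set(e.get("gidNumber", [])))
        if by_dn or by_posix:
            found.add(e["cn"][0])
    return found
```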

Guys please advise how to set up the scheme.
Is anyone able to connect to OpenLDAP?
What are the fields I need to correctly fill?

  1. Configure an LDAP server
     **HOSTNAME OR IP ADDRESS:** 111.111.11.111
     **PORT:** 636 TLS
     **SERVICE ACCOUNT USERNAME:** cn=admin,dc=ldap,dc=example,dc=com
     **SERVICE ACCOUNT PASSWORD:** ************
     **SEARCH BASE:** dc=ldap,dc=example,dc=com
     **DEFAULT LOGIN DOMAIN:** example.com

  2. Customize Schema
     Users
     **OBJECT CLASS:** person
     **LOGIN FIELD:** cn
     **NAME FIELD:** name
     **SEARCH FIELD:** cn
     **STATUS FIELD:** userAccountControl
     **DISABLED STATUS BITMASK:** 2
     Groups
     **OBJECT CLASS:** group
     **NAME FIELD:** name
     **SEARCH FIELD:** cn

  3. Test and enable authentication
     **YOUR USERNAME:** cn=admin,dc=ldap,dc=example,dc=com
     **YOUR PASSWORD:** ************

@111 Right now Rancher does not support OpenLDAP. The purpose of this thread is to aid in figuring out the implementation we will use.

I do not understand the answer. Will you implement? If so then when do you plan to do it? Thank you for your great work!

@111 This will be added to Rancher when the following issue is closed. You can also follow the announcements category to get updates on when we release new versions; it will include the release notes of what’s in each release.

:muscle: It will be great!

If I’d like to automate the LDAP settings in Rancher server, what can I do?

For example, I can run ansible-playbook to install Rancher server, and then I’d prefer to add the OpenLDAP configuration directly; which config file should I update?

====
Updates:

I got the answer by myself, it is in these documents.