The way we have set up our LDAP structure is something like this (an example of how we have set up our rundeck access):

```
dc=company,dc=net
  ou=users (organizationalUnit)
    cn=UserA (inetOrgPerson)
    cn=UserB (inetOrgPerson)
    cn=UserC (inetOrgPerson)
  ou=groups (organizationalUnit)
    ou=rundeck (organizationalUnit)
      cn=admin (groupOfNames)
      cn=live (groupOfNames)
      cn=staging (groupOfNames)
```

So in the above, the groupOfNames entries act as our rundeck 'projects': users who are added to the admin group have admin access, while users in the staging group have access to the staging projects.
It would be great if something similar was possible on rancher. For example:

```
dc=company,dc=net
  ou=users (organizationalUnit)
    cn=UserA (inetOrgPerson)
    cn=UserB (inetOrgPerson)
    cn=UserC (inetOrgPerson)
  ou=groups (organizationalUnit)
    ou=rancher (organizationalUnit)
      cn=admin (groupOfNames)
      cn=live (groupOfNames)
      cn=staging (groupOfNames)
```

where ou=groups,ou=rancher,cn=admin/live/staging would be rancher environments.
Here is a sample of how the LDAP is configured on rundeck (using Jaas) for the above layout.
As for us, we have a separate cn for service accounts:

```
dc=company,dc=com
  ou=services
    cn=rancher-service-acc(*)
    cn=UserB(*)
    cn=UserC(*)
  ou=rancher-users
    uid=UserA(*)
    uid=UserB(*)
    uid=UserC(*)
```

We bind to the LDAP server with the service account (dn: cn=rancher-service-acc,ou=services,dc=company,dc=com; we enter this string in the service account field) and make a search query based on the login username.

To bind to the LDAP server the right way we have changed LdapIdentitySearchProvider.java:
```java
public Set<Identity> getIdentities(String username, String password) {
    if (!isConfigured()) {
        return new HashSet<>();
    }
    LdapContext userContext;
    try {
        // Bind with the configured service account rather than the end user's credentials
        userContext = login(LdapConstants.SERVICE_ACCOUNT_USER.get(), LdapConstants.SERVICE_ACCOUNT_PASSWORD.get());
        // userContext = login();
    } catch (RuntimeException e) {
        throw new ClientVisibleException(ResponseCodes.UNAUTHORIZED);
    }
    // (remainder of the method not shown in the post)
```

On the LDAP server we see that the bind and search operations succeed, but the identities are null, so as a result we get an UNAUTHORIZED message without any exception from cattle.
We have been using OpenLDAP with phpldapadmin to create the users and groups, but it seems that there are two ways that group management of users can occur.

The first is mapping of groups to users.
ex: UserA is a member of GroupA, and so to track this GroupA has many memberUid attributes, one of which is memberUid=UserA.
With this method, to determine membership of a group you must see if the group has an entry for the member.

The other is with direct attribute usage.
ex: UserA is a member of GroupB; GroupB has an attribute gid=500 and UserA has an attribute gid=500.
With this method, to determine membership of a group you just check whether the user has an entry for the group attribute type.

Which way are you using groups? Or do you have groups using both methods?
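To make the two membership models above concrete, here is an added example (not from the post or from Rancher) that resolves a user's groups both ways over a small constructed directory and builds the matching search filters. The entries, DNs and gid values are made up; the real posixGroup attribute the post calls "gid" is gidNumber, and the filter builder escapes the login name as required by RFC 4515 so a user-supplied value cannot change the filter's logic.

```python
# Constructed sample directory: DN -> attributes (lists of strings, as an LDAP
# client would return them). Not taken from any real deployment.
DIRECTORY = {
    "cn=UserA,ou=users,dc=company,dc=net": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["UserA"], "gidNumber": ["500"]},
    "cn=UserB,ou=users,dc=company,dc=net": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["UserB"], "gidNumber": ["501"]},
    # Method 1 group: membership is stored on the group as memberUid values.
    "cn=GroupA,ou=groups,dc=company,dc=net": {
        "objectClass": ["posixGroup"], "cn": ["GroupA"], "gidNumber": ["600"],
        "memberUid": ["UserA", "UserB"]},
    # Method 2 group: membership is implied by a shared gidNumber on the user.
    "cn=GroupB,ou=groups,dc=company,dc=net": {
        "objectClass": ["posixGroup"], "cn": ["GroupB"], "gidNumber": ["500"]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def groups_by_member_list(directory: dict, uid: str) -> list:
    """Method 1: the group lists its members, so look for memberUid=<uid> on groups."""
    return sorted(dn for dn, entry in directory.items()
                  if "posixGroup" in entry.get("objectClass", [])
                  and uid in entry.get("memberUid", []))


def groups_by_shared_attribute(directory: dict, user_dn: str) -> list:
    """Method 2: the user carries gidNumber, so find groups with the same gidNumber."""
    user_gids = set(directory[user_dn].get("gidNumber", []))
    return sorted(dn for dn, entry in directory.items()
                  if "posixGroup" in entry.get("objectClass", [])
                  and user_gids & set(entry.get("gidNumber", [])))


def member_list_filter(uid: str) -> str:
    """Search filter for method 1 (run against the groups search base)."""
    return "(&(objectClass=posixGroup)(memberUid=%s))" % escape_filter_value(uid)


def shared_attribute_filter(gid: str) -> str:
    """Search filter for method 2, using the gidNumber read from the user's entry."""
    return "(&(objectClass=posixGroup)(gidNumber=%s))" % escape_filter_value(gid)


if __name__ == "__main__":
    print(groups_by_member_list(DIRECTORY, "UserA"))
    print(groups_by_shared_attribute(DIRECTORY, "cn=UserA,ou=users,dc=company,dc=net"))
    print(member_list_filter("UserA"))
```

A directory that uses both methods needs both lookups, and the results should be unioned before deciding what access a login gets.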
Guys, please advise how to set up the scheme.
Is anyone able to connect to OpenLDAP?
What are the fields I need to fill in correctly?
Configure an LDAP server

- **HOSTNAME OR IP ADDRESS:** 111.111.11.111
- **PORT:** 636 TLS
- **SERVICE ACCOUNT USERNAME:** cn=admin,dc=ldap,dc=example,dc=com
- **SERVICE ACCOUNT PASSWORD:** ************
- **SEARCH BASE:** dc=ldap,dc=example,dc=com
- **DEFAULT LOGIN DOMAIN:** example.com

Customize Schema

Users

- **OBJECT CLASS:** person
- **LOGIN FIELD:** cn
- **NAME FIELD:** name
- **SEARCH FIELD:** cn
- **STATUS FIELD:** userAccountControl
- **DISABLED STATUS BITMASK:** 2

Groups

- **OBJECT CLASS:** group
- **NAME FIELD:** name
- **SEARCH FIELD:** cn

Test and enable authentication

- **YOUR USERNAME:** cn=admin,dc=ldap,dc=example,dc=com
- **YOUR PASSWORD:** ************
@111 This will be added to Rancher when the following issue is closed. You can also follow the announcements category to get updates on when we release new versions; it will include the release notes of what's in the release.