The following information describes how to integrate an LDAP server with Keycloak in VMware Telco Cloud Operations.
Configuration Steps
- Log in to the Keycloak UI using admin credentials. You can access Keycloak at the following URL: http://<control-plane-node-1>/auth. The administrator user name is admin and the default password is vmware@1!. Change this default password after the first login: anyone who can reach the console with it controls the realm and every client configured below.
- Create a new instance of User Federation for LDAP. The following table provides an example.
| Setting | Value |
|---|---|
| Enabled | On |
| Console Display Name | <Any String> |
| Priority | 0 |
| Import Users | OFF |
| Edit Mode | READ_ONLY |
| Sync Registrations | OFF |
| Vendor | Active Directory |
| Username LDAP attribute | cn |
| RDN LDAP attribute | cn |
| User Object Classes | * |
| Connection URL | ldap://<fqdn of LDAP> |
| Users DN | ou=users,dc=tco,dc=com |
| Custom User LDAP Filter | (empty) |
| Search Scope | One Level |
| Bind Type | Simple |
| Bind DN | cn=ldapadmin,ou=users,dc=tco,dc=com |
| Bind Credential | Password for ldapadmin |

Do not select the Synchronize changed users or Synchronize all users button. Import Users is set to OFF, so users are looked up in LDAP at login instead of being copied into the Keycloak database; all other parameters depend on the LDAP schema. The Bind DN must be the DN of the bind account exactly as it exists in the directory, and that account needs only read access to the users subtree.
Note: The configuration of a secured LDAP and an unsecured LDAP is the same, except that the Connection URL field value must start with ldaps:// (the LDAP server certificate must then be imported first; see LDAPS Integration with Keycloak below).
Schema for users
dn: ou=users,dc=tco,dc=com
objectClass: organizationalUnit
ou: People
ou: users
Schema for admin users
dn: cn=ldapadmin,dc=tco,dc=com
objectClass: organizationalRole
cn: ldapadmin
description: LDAP Admin
- Create a user-attribute-ldap-mapper on the same User Federation instance.
This mapper is required to copy the LDAP group information into a Keycloak user attribute. To create the LDAP mapper, navigate to User Federation > Ldap > LDAP Mappers > Create LDAP mapper.
| Setting | Value |
|---|---|
| Mapper Type | user-attribute-ldap-mapper |
| User Model Attribute | memberOf |
| LDAP Attribute | memberOf (the attribute that contains the group information; in the example schema it is memberOf) |
| Read Only | ON |
| Is Mandatory in LDAP | OFF |
| Is Binary Attribute | OFF |

The following schema is used for configuring the LDAP user. The memberOf attribute of a user contains the names of the groups that the user is part of:
dn: cn={5}smartsengineer,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {5}smartsengineer
olcAttributeTypes: {0}( 2.25.128424792425578037463837247958458780603.1 NAME 'memberOf' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {1}( 2.25.128424792425578037463837247958458780603.2 NAME 'homeTown' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
olcObjectClasses: {0}( 2.25.128424792425578037463837247958458780603.3 NAME 'smartsEngineer' DESC 'SMARTSWorker' SUP inetOrgPerson STRUCTURAL MAY ( memberOf $ homeTown ) )
In this example memberOf is an ordinary attribute defined by the custom schema and set on each user entry by the directory administrator; nothing in the directory keeps it consistent with the group entries, so it must be maintained together with them.
Once the mapper configuration is saved, the memberOf user attribute in Keycloak is populated from the user's LDAP entry.
Verify that the memberOf attribute now appears on the user in Keycloak (Users > the user > Attributes) before continuing with the protocol mappers.
- Create a protocol mapper in each of the following clients. Each client uses the protocol mapper to access user information; the mapper places the user's group information in the access token.
  - NGINX client: navigate to Clients > nginx > Mappers > Create Protocol Mappers.
  - Grafana client: navigate to Clients > grafana > Mappers > Create Protocol Mappers.
  - Operation UI client: navigate to Clients > operation-ui > Mappers > Create Protocol Mappers.
| Attribute Name | Attribute Value |
|---|---|
| Mapper Type | User Attribute |
| User Attribute | memberOf (the same value used for LDAP Attribute in the user-attribute-ldap-mapper above) |
| Token Claim Name | ldapgroups (this must be ldapgroups) |
| Claim JSON Type | String |
| Add to ID token | ON |
| Add to access token | ON |
| Add to userinfo | ON |
| Multivalued | ON |
| Aggregate attribute values | OFF |

When the protocol mapper is created, the access token carries the user's group information as the ldapgroups claim, one value per group.
LDAPS Integration with Keycloak
To enable LDAPS in Keycloak:
- Log in to control plane node.
- Navigate to the /home/clusteradmin/keycloak directory.
- Give the import-ldap-cert.sh file executable permission (if required).
- Run the following script to add the LDAP certificate to Keycloak.
./import-ldap-cert.sh -i -r <ldap ip> -p <secured ldap port> -s <store password>
store password: the password of the truststore the certificate is imported into. If you are importing a certificate for the first time, provide any string; it becomes the truststore password and every later run of the script must use the same password, so choose a strong one rather than the example value. Because the script is given only an address and a port, it obtains the certificate from the server answering at that address; confirm out of band (for example, by comparing the certificate fingerprint with the one on the LDAP server itself) that the certificate you imported is the LDAP server's. Note: This step deletes the existing Keycloak pod. A new pod appears with the imported LDAP certificate. Example: ./import-ldap-cert.sh -i -r 10.185.19.172 -p 636 -s testtest
Add a certificate from the LDAP server:
./import-ldap-cert.sh -i -r 10.185.19.172 -p 636 -s testtest
Note: This step deletes the existing Keycloak pod. A new pod appears with the certificate in its truststore.
Response:
{ "response": "Successfully added certificate for ldap 10.185.19.172", "errorMessage": "Success", "errorCode": 200 }

List the imported certificates:
./import-ldap-cert.sh -l -s <store password>
For example: ./import-ldap-cert.sh -l -s testtest
Response:
{ "response": "10.185.19.172-1", "errorMessage": "Success", "errorCode": 200 }

Delete an imported certificate:
./import-ldap-cert.sh -d -s <store password> -a <alias of cert in truststore>
Note: This step deletes the existing Keycloak pod. A new pod appears with the remaining certificates in its truststore.
Response:
{ "response": "Successfully delete 10.185.19.172-1certificate from truststore ", "errorMessage": "Success", "errorCode": 200 }
- Then perform the four Configuration Steps above (log in to Keycloak, create the User Federation instance with a Connection URL starting with ldaps://, create the user-attribute-ldap-mapper, and create the protocol mappers).
Multiple Groups Configuration for LDAP User
The following rules apply when configuring multiple groups for a specific user. Each group the user belongs to must be present as a value of the memberOf attribute in that user's entry on the LDAP server.
When a user is part of multiple groups, the entry must contain multiple instances of the memberOf attribute, one per group, each with the group name as its value.
Example
Example entry for userA:
memberOf: GroupA
memberOf: GroupB
uid: userA
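The chain described on this page (one memberOf value per group in the user's LDAP entry, the user-attribute-ldap-mapper, the ldapgroups protocol mapper, and the client that reads the access token) is modelled end to end in the following added example. It is not VMware's or Keycloak's code: the LDIF entry for userA is constructed here, the HMAC key stands in for the realm's RS256 signing key, and every function name is the example's own. It shows that several memberOf values become a JSON array in the ldapgroups claim, what a single-valued claim would look like, and how a relying party should verify the token before acting on the claim.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, List

# Constructed LDIF entry for the page's userA example (not captured from a real server).
SAMPLE_LDIF = """\
dn: uid=userA,ou=users,dc=tco,dc=com
objectClass: smartsEngineer
uid: userA
cn: userA
memberOf: GroupA
memberOf: GroupB
"""

# Constructed HMAC secret standing in for Keycloak's realm signing key (Keycloak
# really signs with RS256; HS256 only keeps this example self-contained).
SIGNING_KEY = b"example-only-key-not-from-keycloak"


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values (keys lower-cased, as
    LDAP attribute names are case-insensitive). Repeated attributes such as memberOf
    keep every value. Base64 ("::") values and continuation lines are not handled."""
    entry: Dict[str, List[str]] = {}
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def ldap_to_user_attribute(entry: Dict[str, List[str]], ldap_attr: str = "memberOf") -> List[str]:
    """user-attribute-ldap-mapper: copy every value of the LDAP attribute into the
    Keycloak user attribute (Read Only ON, so nothing is written back to LDAP)."""
    return list(entry.get(ldap_attr.lower(), []))


def build_claims(username: str, groups: List[str], multivalued: bool = True) -> Dict[str, Any]:
    """Protocol mapper "User Attribute" with Token Claim Name ldapgroups. Multivalued ON
    yields a JSON array. The OFF branch is an assumption (the page only uses ON): a
    single-string claim, so every group but the first is lost."""
    claims: Dict[str, Any] = {"preferred_username": username}
    if multivalued:
        claims["ldapgroups"] = list(groups)
    elif groups:
        claims["ldapgroups"] = groups[0]
    return claims


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: Dict[str, Any], key: bytes) -> str:
    """Mint a compact JWS (HS256) carrying the claims, standing in for the access token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def groups_from_token(token: str, key: bytes) -> List[str]:
    """Relying-party side (what nginx, grafana or operation-ui must do): verify the
    signature with a pinned algorithm before trusting any claim, then read ldapgroups,
    accepting the array form and a bare string. Raises ValueError if unverified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    groups = json.loads(_b64url_decode(payload_b64)).get("ldapgroups", [])
    if isinstance(groups, str):
        groups = [groups]
    return [g for g in groups if isinstance(g, str)]


def is_authorized(token: str, key: bytes, required_group: str) -> bool:
    """Group check a client performs on the claim; case-insensitive because the page's
    schema defines memberOf with caseIgnoreMatch."""
    return required_group.lower() in {g.lower() for g in groups_from_token(token, key)}


def demo() -> Dict[str, Any]:
    """End to end: LDIF -> user attribute -> ldapgroups claim -> signed token -> check."""
    entry = parse_ldif_entry(SAMPLE_LDIF)
    groups = ldap_to_user_attribute(entry)
    token = sign_token(build_claims(entry["uid"][0], groups), SIGNING_KEY)
    return {"groups": groups_from_token(token, SIGNING_KEY),
            "GroupA": is_authorized(token, SIGNING_KEY, "GroupA"),
            "GroupC": is_authorized(token, SIGNING_KEY, "GroupC")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the two groups from userA's entry and the result of the two authorization checks. The consumer side deliberately rejects any token whose header does not name the expected algorithm and compares signatures in constant time; a client that decoded the payload without these checks would accept any ldapgroups value an attacker chose to write.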