If you integrate LDAP for IAM to Mirantis Container Cloud, add the required LDAP configuration to cluster.yaml.template during the bootstrap of the management cluster.

Note

The example below defines the recommended non-anonymous authentication type. If you require anonymous authentication, replace the following parameters with authType: "none":

  authType: "simple"
  bindCredential: ""
  bindDn: ""
To configure LDAP for IAM:

1. Select from the following options:

   - For a baremetal-based management cluster, open the templates/bm/cluster.yaml.template file for editing.
   - For an OpenStack management cluster, open the templates/cluster.yaml.template file for editing.
   - For an AWS-based management cluster, open the templates/aws/cluster.yaml.template file for editing.

2. Configure the keycloak:userFederation:providers: and keycloak:userFederation:mappers: sections as required:

   Note

   Verify that the userFederation section is located on the same level as the initUsers section.
spec:
  providerSpec:
    value:
      kaas:
        management:
          helmReleases:
          - name: iam
            values:
              keycloak:
                userFederation:
                  providers:
                  - displayName: "<LDAP_NAME>"
                    providerName: "ldap"
                    priority: 1
                    fullSyncPeriod: -1
                    changedSyncPeriod: -1
                    config:
                      pagination: "true"
                      debug: "false"
                      searchScope: "1"
                      connectionPooling: "true"
                      usersDn: "<DN>" # "ou=People, o=<ORGANIZATION>, dc=<DOMAIN_COMPONENT>"
                      userObjectClasses: "inetOrgPerson,organizationalPerson"
                      usernameLDAPAttribute: "uid"
                      rdnLDAPAttribute: "uid"
                      vendor: "ad"
                      editMode: "READ_ONLY"
                      uuidLDAPAttribute: "uid"
                      connectionUrl: "ldap://<LDAP_DNS>"
                      syncRegistrations: "false"
                      authType: "simple"
                      bindCredential: ""
                      bindDn: ""
                  mappers:
                  - name: "username"
                    federationMapperType: "user-attribute-ldap-mapper"
                    federationProviderDisplayName: "<LDAP_NAME>"
                    config:
                      ldap.attribute: "uid"
                      user.model.attribute: "username"
                      is.mandatory.in.ldap: "true"
                      read.only: "true"
                      always.read.value.from.ldap: "false"
                  - name: "full name"
                    federationMapperType: "full-name-ldap-mapper"
                    federationProviderDisplayName: "<LDAP_NAME>"
                    config:
                      ldap.full.name.attribute: "cn"
                      read.only: "true"
                      write.only: "false"
                  - name: "last name"
                    federationMapperType: "user-attribute-ldap-mapper"
                    federationProviderDisplayName: "<LDAP_NAME>"
                    config:
                      ldap.attribute: "sn"
                      user.model.attribute: "lastName"
                      is.mandatory.in.ldap: "true"
                      read.only: "true"
                      always.read.value.from.ldap: "true"
                  - name: "email"
                    federationMapperType: "user-attribute-ldap-mapper"
                    federationProviderDisplayName: "<LDAP_NAME>"
                    config:
                      ldap.attribute: "mail"
                      user.model.attribute: "email"
                      is.mandatory.in.ldap: "false"
                      read.only: "true"
                      always.read.value.from.ldap: "true"
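Before bootstrapping, it is worth checking the edited template for the mistakes this section warns about: userFederation in the wrong place, anonymous bind left in, an empty bindDn or bindCredential with simple bind, unresolved <PLACEHOLDER> values, and a mapper whose federationProviderDisplayName does not match any provider displayName. The checker below is an added example, not Mirantis code; it assumes the template has already been parsed into Python dicts (for instance with yaml.safe_load), and the sample_cluster() fragment and all its values are constructed.

```python
# Added example, not Mirantis code: sanity-check keycloak.userFederation after
# cluster.yaml.template has been parsed into dicts (e.g. with yaml.safe_load).
# The sample_cluster() fragment below is constructed to mirror the page's layout.

def iam_values(cluster):
    """Return the values of the 'iam' helm release, or None if there is none."""
    mgmt = cluster["spec"]["providerSpec"]["value"]["kaas"]["management"]
    return next((r.get("values", {}) for r in mgmt["helmReleases"]
                 if r.get("name") == "iam"), None)

def check_user_federation(cluster):
    """Return a list of findings; an empty list means nothing was flagged."""
    values = iam_values(cluster)
    if values is None:
        return ["no helm release named 'iam' in helmReleases"]
    fed = values.get("keycloak", {}).get("userFederation")
    if fed is None:  # must sit under keycloak, on the same level as initUsers
        return ["keycloak.userFederation missing (same level as initUsers)"]
    findings, names = [], set()
    for p in fed.get("providers", []):
        name, cfg = p.get("displayName", ""), p.get("config", {})
        names.add(name)
        if cfg.get("authType") == "none":  # page recommends non-anonymous auth
            findings.append(f"{name}: anonymous bind (authType none)")
        elif not cfg.get("bindDn") or not cfg.get("bindCredential"):
            findings.append(f"{name}: simple bind needs bindDn and bindCredential")
        if str(cfg.get("connectionUrl", "")).startswith("ldap://"):
            findings.append(f"{name}: connectionUrl is plaintext ldap://, not ldaps://")
        for key, val in [("displayName", name)] + list(cfg.items()):
            if isinstance(val, str) and val.startswith("<") and val.endswith(">"):
                findings.append(f"{name}: {key} still holds placeholder {val}")
    for m in fed.get("mappers", []):  # each mapper must point at a defined provider
        ref = m.get("federationProviderDisplayName")
        if ref not in names:
            findings.append(f"mapper {m.get('name')!r}: unknown provider {ref!r}")
    return findings

def sample_cluster(auth_type="simple", bind_dn="cn=svc-keycloak,ou=Service,o=Example,dc=example",
                   url="ldaps://ldap.example.internal", mapper_ref="corp-ldap"):
    """Constructed fragment in the shape the page shows; all values are made up."""
    provider = {"displayName": "corp-ldap", "providerName": "ldap", "priority": 1,
                "config": {"usersDn": "ou=People,o=Example,dc=example", "authType": auth_type,
                           "connectionUrl": url, "bindDn": bind_dn,
                           "bindCredential": "constructed-secret" if bind_dn else ""}}
    mapper = {"name": "username", "federationMapperType": "user-attribute-ldap-mapper",
              "federationProviderDisplayName": mapper_ref,
              "config": {"ldap.attribute": "uid", "user.model.attribute": "username"}}
    return {"spec": {"providerSpec": {"value": {"kaas": {"management": {"helmReleases": [
        {"name": "iam", "values": {"keycloak": {"userFederation": {
            "providers": [provider], "mappers": [mapper]}}}}]}}}}}}
```

Run check_user_federation() on the parsed template and treat any non-empty result as something to fix before continuing the bootstrap.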
Now, return to the bootstrap instruction depending on the provider type of your management cluster.