If you integrate LDAP with IAM in Mirantis Container Cloud,
add the required LDAP configuration to cluster.yaml.template
during the bootstrap of the management cluster.
Note

The example below defines the recommended non-anonymous
authentication type. If you require anonymous authentication,
replace the following parameters with authType: "none":

   authType: "simple"
   bindCredential: ""
   bindDn: ""
To configure LDAP for IAM:

1. Select from the following options:

   - For a baremetal-based management cluster, open the
     templates/bm/cluster.yaml.template file for editing.
   - For an OpenStack management cluster, open the
     templates/cluster.yaml.template file for editing.
   - For an AWS-based management cluster, open the
     templates/aws/cluster.yaml.template file for editing.

2. Configure the keycloak:userFederation:providers: and
   keycloak:userFederation:mappers: sections as required:

   Note

   Verify that the userFederation section is located
   on the same level as the initUsers section.

   Verify that all attributes set in the mappers section
   are defined for users in the specified LDAP system.
   Missing attributes may cause authorization issues.

   spec:
     providerSpec:
       value:
         kaas:
           management:
             helmReleases:
             - name: iam
               values:
                 keycloak:
                   userFederation:
                     providers:
                     - displayName: "<LDAP_NAME>"
                       providerName: "ldap"
                       priority: 1
                       fullSyncPeriod: -1
                       changedSyncPeriod: -1
                       config:
                         pagination: "true"
                         debug: "false"
                         searchScope: "1"
                         connectionPooling: "true"
                         usersDn: "<DN>" # "ou=People, o=<ORGANIZATION>, dc=<DOMAIN_COMPONENT>"
                         userObjectClasses: "inetOrgPerson,organizationalPerson"
                         usernameLDAPAttribute: "uid"
                         rdnLDAPAttribute: "uid"
                         vendor: "ad"
                         editMode: "READ_ONLY"
                         uuidLDAPAttribute: "uid"
                         connectionUrl: "ldap://<LDAP_DNS>"
                         syncRegistrations: "false"
                         authType: "simple"
                         bindCredential: ""
                         bindDn: ""
                     mappers:
                     - name: "username"
                       federationMapperType: "user-attribute-ldap-mapper"
                       federationProviderDisplayName: "<LDAP_NAME>"
                       config:
                         ldap.attribute: "uid"
                         user.model.attribute: "username"
                         is.mandatory.in.ldap: "true"
                         read.only: "true"
                         always.read.value.from.ldap: "false"
                     - name: "full name"
                       federationMapperType: "full-name-ldap-mapper"
                       federationProviderDisplayName: "<LDAP_NAME>"
                       config:
                         ldap.full.name.attribute: "cn"
                         read.only: "true"
                         write.only: "false"
                     - name: "last name"
                       federationMapperType: "user-attribute-ldap-mapper"
                       federationProviderDisplayName: "<LDAP_NAME>"
                       config:
                         ldap.attribute: "sn"
                         user.model.attribute: "lastName"
                         is.mandatory.in.ldap: "true"
                         read.only: "true"
                         always.read.value.from.ldap: "true"
                     - name: "email"
                       federationMapperType: "user-attribute-ldap-mapper"
                       federationProviderDisplayName: "<LDAP_NAME>"
                       config:
                         ldap.attribute: "mail"
                         user.model.attribute: "email"
                         is.mandatory.in.ldap: "false"
                         read.only: "true"
                         always.read.value.from.ldap: "true"

3. Return to the bootstrap instruction for the provider type of your management cluster.
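An added pre-bootstrap check, not part of the Mirantis documentation or product: a small Python lint that applies the two Note items to the iam Helm values (userFederation beside initUsers; every provider and mapper LDAP attribute present on real user entries) and flags a simple bind that has empty bindDn or bindCredential. The values dict and the user attribute set are constructed samples; loading the real template with yaml.safe_load and collecting attributes with ldapsearch are assumptions.

```python
# Constructed sample: iam Helm values as Python dicts mirroring the YAML above
# (a real run would yaml.safe_load them from cluster.yaml.template instead).
SAMPLE_VALUES = {
    "keycloak": {
        "initUsers": {},
        "userFederation": {
            "providers": [{
                "displayName": "corp-ldap", "providerName": "ldap",
                "config": {"usersDn": "ou=People,o=corp,dc=example", "authType": "simple",
                           "bindDn": "", "bindCredential": "",
                           "usernameLDAPAttribute": "uid", "uuidLDAPAttribute": "uid"},
            }],
            "mappers": [
                {"name": "username", "federationMapperType": "user-attribute-ldap-mapper",
                 "config": {"ldap.attribute": "uid", "is.mandatory.in.ldap": "true"}},
                {"name": "full name", "federationMapperType": "full-name-ldap-mapper",
                 "config": {"ldap.full.name.attribute": "cn"}},
                {"name": "last name", "federationMapperType": "user-attribute-ldap-mapper",
                 "config": {"ldap.attribute": "sn", "is.mandatory.in.ldap": "true"}},
                {"name": "email", "federationMapperType": "user-attribute-ldap-mapper",
                 "config": {"ldap.attribute": "mail", "is.mandatory.in.ldap": "false"}},
            ],
        },
    }
}
# Constructed sample: attribute names on one representative user entry under usersDn
SAMPLE_USER_ATTRS = {"uid", "cn", "givenName", "userPassword"}


def lint_user_federation(values, user_attrs):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    kc = values.get("keycloak", {})
    if "userFederation" not in kc or "initUsers" not in kc:
        return ["userFederation must sit at the same level as initUsers under keycloak"]
    fed = kc["userFederation"]
    for p in fed.get("providers", []):
        cfg, name = p.get("config", {}), p.get("displayName", "?")
        if cfg.get("authType") == "simple" and not (cfg.get("bindDn") and cfg.get("bindCredential")):
            findings.append(f"provider {name}: authType simple requires bindDn and bindCredential")
        for key in ("usernameLDAPAttribute", "uuidLDAPAttribute"):  # identity attributes
            if cfg.get(key) not in user_attrs:
                findings.append(f"provider {name}: {key}={cfg.get(key)} is not on user entries")
    for m in fed.get("mappers", []):
        cfg = m.get("config", {})
        attr = cfg.get("ldap.attribute") or cfg.get("ldap.full.name.attribute")
        if attr not in user_attrs:  # mandatory gaps break user import; optional ones lose data
            kind = "mandatory" if cfg.get("is.mandatory.in.ldap", "true") == "true" else "optional"
            findings.append(f"mapper {m.get('name')}: {kind} LDAP attribute {attr} is missing")
    return findings
```

On the sample above the lint reports the empty simple-bind credentials and the missing sn and mail attributes; run it against the real template and a real user entry before step 3.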