Configure LDAP for IAM
If you integrate LDAP for IAM to Mirantis Container Cloud,
add the required LDAP configuration to cluster.yaml.template
during the bootstrap of the management cluster.
Note

The example below defines the recommended non-anonymous authentication type. If you require anonymous authentication, replace the following parameters with authType: "none":

    authType: "simple"
    bindCredential: ""
    bindDn: ""
To configure LDAP for IAM:

1. Open cluster.yaml.template for editing. Select from the following options depending on your cloud provider type:

   AWS: templates/aws/cluster.yaml.template
   Azure: templates/azure/cluster.yaml.template
   Bare metal: templates/bm/cluster.yaml.template
   OpenStack: templates/cluster.yaml.template
   vSphere: templates/vsphere/cluster.yaml.template
   Equinix Metal: templates/equinixmetal/cluster.yaml.template or templates/equinixmetalv2/cluster.yaml.template

2. Configure the keycloak:userFederation:providers: and keycloak:userFederation:mappers: sections as required:

    spec:
      providerSpec:
        value:
          kaas:
            management:
              helmReleases:
              - name: iam
                values:
                  keycloak:
                    userFederation:
                      providers:
                      - displayName: "<LDAP_NAME>"
                        providerName: "ldap"
                        priority: 1
                        fullSyncPeriod: -1
                        changedSyncPeriod: -1
                        config:
                          pagination: "true"
                          debug: "false"
                          searchScope: "1"
                          connectionPooling: "true"
                          usersDn: "<DN>" # "ou=People, o=<ORGANIZATION>, dc=<DOMAIN_COMPONENT>"
                          userObjectClasses: "inetOrgPerson,organizationalPerson"
                          usernameLDAPAttribute: "uid"
                          rdnLDAPAttribute: "uid"
                          vendor: "ad"
                          editMode: "READ_ONLY"
                          uuidLDAPAttribute: "uid"
                          connectionUrl: "ldap://<LDAP_DNS>"
                          syncRegistrations: "false"
                          authType: "simple"
                          bindCredential: ""
                          bindDn: ""
                      mappers:
                      - name: "username"
                        federationMapperType: "user-attribute-ldap-mapper"
                        federationProviderDisplayName: "<LDAP_NAME>"
                        config:
                          ldap.attribute: "uid"
                          user.model.attribute: "username"
                          is.mandatory.in.ldap: "true"
                          read.only: "true"
                          always.read.value.from.ldap: "false"
                      - name: "full name"
                        federationMapperType: "full-name-ldap-mapper"
                        federationProviderDisplayName: "<LDAP_NAME>"
                        config:
                          ldap.full.name.attribute: "cn"
                          read.only: "true"
                          write.only: "false"
                      - name: "last name"
                        federationMapperType: "user-attribute-ldap-mapper"
                        federationProviderDisplayName: "<LDAP_NAME>"
                        config:
                          ldap.attribute: "sn"
                          user.model.attribute: "lastName"
                          is.mandatory.in.ldap: "true"
                          read.only: "true"
                          always.read.value.from.ldap: "true"
                      - name: "email"
                        federationMapperType: "user-attribute-ldap-mapper"
                        federationProviderDisplayName: "<LDAP_NAME>"
                        config:
                          ldap.attribute: "mail"
                          user.model.attribute: "email"
                          is.mandatory.in.ldap: "false"
                          read.only: "true"
                          always.read.value.from.ldap: "true"
Note

- Verify that the userFederation section is located on the same level as the initUsers section.
- Verify that all attributes set in the mappers section are defined for users in the specified LDAP system. Missing attributes may cause authorization issues.
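The two checks in the note above can be automated before bootstrap. The following is an added example, not part of the Mirantis documentation or of the Container Cloud tooling: it takes the parsed keycloak: values of the iam Helm release (constructed inline here rather than read from cluster.yaml.template, so it runs offline) and a sample LDAP user entry, and reports mappers whose mandatory attributes the user lacks, a misplaced initUsers section, an authType "simple" provider without bind credentials, and a plain ldap:// URL without StartTLS. The host name and user values are hypothetical placeholders.

```python
from typing import Dict, List

# Constructed sample of the keycloak: values from the template above (placeholders filled in).
KEYCLOAK_VALUES = {
    "userFederation": {
        "providers": [{"displayName": "corp-ldap", "providerName": "ldap", "config": {
            "connectionUrl": "ldap://ldap.example.internal",  # hypothetical host
            "authType": "simple", "bindDn": "", "bindCredential": ""}}],
        "mappers": [
            {"name": "username", "federationMapperType": "user-attribute-ldap-mapper",
             "config": {"ldap.attribute": "uid", "is.mandatory.in.ldap": "true"}},
            {"name": "full name", "federationMapperType": "full-name-ldap-mapper",
             "config": {"ldap.full.name.attribute": "cn"}},
            {"name": "last name", "federationMapperType": "user-attribute-ldap-mapper",
             "config": {"ldap.attribute": "sn", "is.mandatory.in.ldap": "true"}},
            {"name": "email", "federationMapperType": "user-attribute-ldap-mapper",
             "config": {"ldap.attribute": "mail", "is.mandatory.in.ldap": "false"}},
        ],
    },
    "initUsers": {},  # must be a sibling of userFederation, as the Note requires
}
# Constructed LDAP user entry (attribute -> values) as an ldapsearch would return it; it has no "sn".
SAMPLE_USER = {"uid": ["jdoe"], "cn": ["Jane Doe"], "mail": ["jdoe@example.internal"]}


def required_ldap_attributes(values: Dict) -> List[str]:
    """LDAP attributes every federated user must carry for the configured mappers."""
    attrs = []
    for m in values["userFederation"]["mappers"]:
        cfg = m["config"]
        if m["federationMapperType"] == "full-name-ldap-mapper":
            attrs.append(cfg["ldap.full.name.attribute"])
        elif cfg.get("is.mandatory.in.ldap") == "true":
            attrs.append(cfg["ldap.attribute"])
    return attrs


def check_federation(values: Dict, user: Dict) -> List[str]:
    """Return findings for the values and a sample user; an empty list means the config passed."""
    findings = []
    if "userFederation" not in values or "initUsers" not in values:
        findings.append("userFederation and initUsers must both sit directly under keycloak:")
    missing = [a for a in required_ldap_attributes(values) if not user.get(a)]
    if missing:
        findings.append(f"sample user lacks mandatory LDAP attributes: {missing}")
    for p in values.get("userFederation", {}).get("providers", []):
        c, name = p["config"], p["displayName"]
        if c.get("authType") == "simple" and not (c.get("bindDn") and c.get("bindCredential")):
            findings.append(f"{name}: authType simple requires a non-empty bindDn and bindCredential")
        if c.get("connectionUrl", "").startswith("ldap://") and c.get("startTls") != "true":
            findings.append(f"{name}: plain ldap:// without startTls sends LDAP bind passwords in cleartext")
    return findings
```

Run it against a real entry exported with ldapsearch for one of your users; every finding printed corresponds to a line of the template you still have to fill in or correct.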
Now, return to the bootstrap instruction depending on the provider type of your management cluster.