Mirantis Container Cloud (MCC) becomes part of Mirantis OpenStack for Kubernetes (MOSK)!
Starting with MOSK 25.2, the MOSK documentation set will cover all product layers, including MOSK management (formerly MCC). This means everything you need will be in one place. The separate MCC documentation site will be retired, so please update your bookmarks for continued easy access to the latest content.
Configure LDAP for IAM
If you integrate LDAP with IAM in Mirantis OpenStack for Kubernetes, add the required LDAP configuration to cluster.yaml.template during the management cluster bootstrap.
Note

The example below uses the recommended non-anonymous authentication type, a simple bind with a dedicated service account. Fill in bindDn with the DN of that account and bindCredential with its password; the template stores the password in plain text, so restrict access to the file and use an account that only has read access to the user subtree. If you require anonymous authentication, replace the following three parameters with a single authType: "none":

```yaml
authType: "simple"
bindCredential: ""
bindDn: ""
```
To configure LDAP for IAM:

1. Open templates/bm/cluster.yaml.template.

2. Configure the keycloak:userFederation:providers: and keycloak:userFederation:mappers: sections as required:

```yaml
spec:
  providerSpec:
    value:
      kaas:
        management:
          helmReleases:
          - name: iam
            values:
              keycloak:
                userFederation:
                  providers:
                  - displayName: "<LDAP_NAME>"
                    providerName: "ldap"
                    priority: 1
                    fullSyncPeriod: -1
                    changedSyncPeriod: -1
                    config:
                      pagination: "true"
                      debug: "false"
                      searchScope: "1"
                      connectionPooling: "true"
                      usersDn: "<DN>" # "ou=People, o=<ORGANIZATION>, dc=<DOMAIN_COMPONENT>"
                      userObjectClasses: "inetOrgPerson,organizationalPerson"
                      usernameLDAPAttribute: "uid"
                      rdnLDAPAttribute: "uid"
                      vendor: "ad"
                      editMode: "READ_ONLY"
                      uuidLDAPAttribute: "uid"
                      connectionUrl: "ldap://<LDAP_DNS>"
                      syncRegistrations: "false"
                      authType: "simple"
                      bindCredential: ""
                      bindDn: ""
                  mappers:
                  - name: "username"
                    federationMapperType: "user-attribute-ldap-mapper"
                    federationProviderDisplayName: "<LDAP_NAME>"
                    config:
                      ldap.attribute: "uid"
                      user.model.attribute: "username"
                      is.mandatory.in.ldap: "true"
                      read.only: "true"
                      always.read.value.from.ldap: "false"
                  - name: "full name"
                    federationMapperType: "full-name-ldap-mapper"
                    federationProviderDisplayName: "<LDAP_NAME>"
                    config:
                      ldap.full.name.attribute: "cn"
                      read.only: "true"
                      write.only: "false"
                  - name: "last name"
                    federationMapperType: "user-attribute-ldap-mapper"
                    federationProviderDisplayName: "<LDAP_NAME>"
                    config:
                      ldap.attribute: "sn"
                      user.model.attribute: "lastName"
                      is.mandatory.in.ldap: "true"
                      read.only: "true"
                      always.read.value.from.ldap: "true"
                  - name: "email"
                    federationMapperType: "user-attribute-ldap-mapper"
                    federationProviderDisplayName: "<LDAP_NAME>"
                    config:
                      ldap.attribute: "mail"
                      user.model.attribute: "email"
                      is.mandatory.in.ldap: "false"
                      read.only: "true"
                      always.read.value.from.ldap: "true"
```

   Adjust the attribute names and vendor to your directory server. The attribute you set as uuidLDAPAttribute must be unique and stable for each user, because Keycloak uses it to identify the imported user: if its value changes, the user is treated as a new account. Every mapper's federationProviderDisplayName must match the displayName of the provider it belongs to.

3. Verify that the userFederation section is located on the same level as the initUsers section.

4. Verify that all attributes set in the mappers section are defined for users in the specified LDAP system. Missing attributes, in particular those marked is.mandatory.in.ldap: "true", may cause authorization issues.
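The checks in the steps above can be scripted before the bootstrap runs. The following validator is an added example and not Mirantis code: it works on the parsed iam Helm values (the template is assumed to have been loaded with a YAML parser such as PyYAML's yaml.safe_load, which is left out to keep the script standard-library only), confirms that userFederation sits next to initUsers, that authType "simple" has a bindDn and bindCredential while authType "none" has none, that every mapper references an existing provider, and reports which mandatory mapper attributes a sample user entry (for instance one returned by ldapsearch) lacks. The startTls key used in the cleartext-bind check is Keycloak's LDAP provider option and is assumed to be passable through the same config map; the sample values, provider name and user entry are constructed for the example.

```python
"""Offline sanity checks for keycloak.userFederation in cluster.yaml.template (added example)."""
import copy

MANDATORY = "is.mandatory.in.ldap"

# Constructed stand-in for the parsed keycloak: values of the iam release.
SAMPLE_VALUES = {
    "keycloak": {
        "initUsers": [],  # userFederation must sit next to this key
        "userFederation": {
            "providers": [{
                "displayName": "corp-ldap",
                "providerName": "ldap",
                "config": {
                    "connectionUrl": "ldap://ldap.example.internal",
                    "authType": "simple",
                    "bindDn": "",
                    "bindCredential": "",
                    "usersDn": "ou=People,o=Example,dc=example,dc=internal",
                },
            }],
            "mappers": [
                {"name": "username", "federationMapperType": "user-attribute-ldap-mapper",
                 "federationProviderDisplayName": "corp-ldap",
                 "config": {"ldap.attribute": "uid", "user.model.attribute": "username", MANDATORY: "true"}},
                {"name": "full name", "federationMapperType": "full-name-ldap-mapper",
                 "federationProviderDisplayName": "corp-ldap",
                 "config": {"ldap.full.name.attribute": "cn"}},
                {"name": "last name", "federationMapperType": "user-attribute-ldap-mapper",
                 "federationProviderDisplayName": "corp-ldap",
                 "config": {"ldap.attribute": "sn", "user.model.attribute": "lastName", MANDATORY: "true"}},
                {"name": "email", "federationMapperType": "user-attribute-ldap-mapper",
                 "federationProviderDisplayName": "corp-ldap",
                 "config": {"ldap.attribute": "mail", "user.model.attribute": "email", MANDATORY: "false"}},
            ],
        },
    }
}


def required_ldap_attributes(mappers, provider_name):
    """LDAP attributes the mappers of one provider insist on: mandatory ones plus the full-name source."""
    required = set()
    for m in mappers:
        if m.get("federationProviderDisplayName") != provider_name:
            continue
        cfg = m.get("config", {})
        if m.get("federationMapperType") == "full-name-ldap-mapper":
            required.add(cfg.get("ldap.full.name.attribute", "cn"))
        elif cfg.get(MANDATORY, "false") == "true" and "ldap.attribute" in cfg:
            required.add(cfg["ldap.attribute"])
    return required


def validate_values(values):
    """Return a list of findings; an empty list means the userFederation block passed."""
    findings = []
    kc = values.get("keycloak", {})
    fed = kc.get("userFederation")
    if fed is None:
        return ["keycloak.userFederation is missing"]
    if "initUsers" not in kc:
        findings.append("userFederation must sit at the same level as keycloak.initUsers, which is absent")
    providers = fed.get("providers", [])
    names = {p.get("displayName") for p in providers}
    for p in providers:
        cfg, name = p.get("config", {}), p.get("displayName", "<unnamed>")
        auth = cfg.get("authType")
        bind_dn, bind_cred = cfg.get("bindDn", ""), cfg.get("bindCredential", "")
        if auth == "simple":
            if not bind_dn or not bind_cred:
                findings.append(f"{name}: authType simple requires non-empty bindDn and bindCredential")
            url = cfg.get("connectionUrl", "")
            # A simple bind sends the password as-is; only ldaps:// or StartTLS protects it on the wire.
            if url.startswith("ldap://") and cfg.get("startTls", "false") != "true":
                findings.append(f"{name}: simple bind over {url} without startTls sends bindCredential in cleartext")
        elif auth == "none":
            if bind_dn or bind_cred:
                findings.append(f"{name}: authType none ignores bindDn/bindCredential; remove them")
        else:
            findings.append(f"{name}: unexpected authType {auth!r} (expected simple or none)")
    for m in fed.get("mappers", []):
        ref = m.get("federationProviderDisplayName")
        if ref not in names:
            findings.append(f"mapper {m.get('name')!r} references unknown provider {ref!r}")
    return findings


def missing_user_attributes(values, provider_name, ldap_entry):
    """Attributes the mappers need that a given LDAP user entry (attribute -> values) lacks."""
    mappers = values["keycloak"]["userFederation"].get("mappers", [])
    return sorted(required_ldap_attributes(mappers, provider_name) - set(ldap_entry))


if __name__ == "__main__":
    for line in validate_values(SAMPLE_VALUES):
        print("FINDING:", line)
    # Constructed entry with uid and cn but no sn: the mandatory "last name" mapper would break.
    entry = {"uid": ["jdoe"], "cn": ["Jane Doe"], "mail": ["jdoe@example.internal"]}
    print("missing attributes:", missing_user_attributes(SAMPLE_VALUES, "corp-ldap", entry))
```

Run against the constructed values the script reports the two gaps a copy of the page's template has before it is filled in (empty bind credentials and a plain ldap:// URL for a simple bind) and lists sn as the attribute the sample user lacks; once bindDn, bindCredential and an ldaps:// connectionUrl are set, validate_values returns an empty list.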
Now, return to the bootstrap instruction for your management cluster.