Example 2: Configuring IBM Telco Network Cloud Manager - Orchestration to integrate with the external LDAP server using ldapbind authentication

This example explains how to set up an external LDAP directory service with predefined IBM® Telco Network Cloud Manager - Orchestration groups and users, and to authenticate using ldapbind authentication with one of the predefined users.

The following example assumes that an OpenLDAP server has been set up as described in Example 1.
  1. Modifying predefined IBM Telco Network Cloud Manager - Orchestration LDAP groups and users for the ldapbind mechanism
    1. On the OpenLDAP server, create a file called predefined-bind-user.ldif with the following content, making sure to preserve the new lines between sections:
      dn: uid=almuser,ou=people,dc=example,dc=org
      changetype: modify
      add: objectClass
      objectClass: simpleSecurityObject
      -
      replace: userPassword
      userPassword: password
      
      dn: uid=almoperator,ou=people,dc=example,dc=org
      changetype: modify
      add: objectClass
      objectClass: simpleSecurityObject
      -
      replace: userPassword
      userPassword: password
      
      dn: uid=almoeditor,ou=people,dc=example,dc=org
      changetype: modify
      add: objectClass
      objectClass: simpleSecurityObject
      -
      replace: userPassword
      userPassword: password
      
      dn: uid=almadmin,ou=people,dc=example,dc=org
      changetype: modify
      add: objectClass
      objectClass: simpleSecurityObject
      -
      replace: userPassword
      userPassword: password
      
      dn: uid=secadmin,ou=people,dc=example,dc=org
      changetype: modify
      add: objectClass
      objectClass: simpleSecurityObject
      -
      replace: userPassword
      userPassword: password
      
      dn: uid=readonly,ou=people,dc=example,dc=org
      changetype: modify
      add: objectClass
      objectClass: simpleSecurityObject
      -
      replace: userPassword
      userPassword: password
    2. Apply the changes on the OpenLDAP server.

      On the OpenLDAP server, run the following command:

      ldapmodify -H ldap://localhost:389 -D "cn=admin,dc=example,dc=org" -w password -f predefined-bind-user.ldif
  2. Creating an LDAP secret

    On the cluster, in the IBM Telco Network Cloud Manager - Orchestration namespace, create a secret that will be used to connect to the LDAP server. The secret must contain the values that you provided while setting up the server (for example, LDAP_URL as ldap://serverIP:port and LDAP_BASE_DN as dc=example,dc=org).

    The following command creates the secret for the ldapbind authentication mechanism:

    oc create secret generic ldapbind-secret \
    --from-literal=LDAP_BASE_DN=dc=example,dc=org \
    --from-literal=LDAP_BIND_DN=cn=admin,dc=example,dc=org \
    --from-literal=LDAP_ADMIN_PASSWORD=password \
    --from-literal=LDAP_PASSWORD_ATTR=userPassword \
    --from-literal=LDAP_PASSWORD_ENC=PLAIN \
    --from-literal=LDAP_URL=ldap://<ldapHostMachineIp>:389 \
    --from-literal=LDAP_USER_SEARCH_BASE=ou=people \
    --from-literal=LDAP_USER_SEARCH_FILTER=uid={0} \
    --from-literal=LDAP_GROUP_SEARCH_BASE=ou=groups \
    --from-literal=LDAP_GROUP_SEARCH_FILTER=member={0} \
    --from-literal=AUTH_PROVIDER=ldapBind

    When created, the following output message should appear: secret/ldapbind-secret created

    Note: If there was already a secret for LDAP, you must delete it and create a new secret with a different name. Otherwise, the upgrade will not take effect.
  3. Installing or updating IBM Telco Network Cloud Manager - Orchestration using the newly created LDAP secret
    1. Update the spec.ldap.ldapSecretName key to use the name of the newly created LDAP secret by using the following command:
      oc edit tnco <tnco_instance>

      Where <tnco_instance> is the IBM Telco Network Cloud Manager - Orchestration custom resource instance.

    2. Wait for Vault and Ishtar pods to restart. You can use the following command to monitor them:
      watch oc get pods -l \'app in \(vault,ishtar\)\'
    3. When the pods have restarted, verify that you can log in to the IBM Telco Network Cloud Manager - Orchestration User Interface using the user almadmin and password password.
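The search-then-bind flow that the keys in ldapbind-secret describe (service-account bind, user search with {0} replaced by the login name, user bind, group search with {0} replaced by the user DN), modelled here as an added Python example against a constructed in-memory copy of the Example 1 tree. This is not the product's code: the {0} conventions, the group name and the RFC 4515 escaping step are assumptions about how any consumer of these keys should behave.

```python
import hmac

# Keys copied from the ldapbind-secret above; LDAP_URL is omitted because no network is used.
SECRET = {
    "LDAP_BASE_DN": "dc=example,dc=org",
    "LDAP_BIND_DN": "cn=admin,dc=example,dc=org",
    "LDAP_ADMIN_PASSWORD": "password",
    "LDAP_PASSWORD_ENC": "PLAIN",
    "LDAP_USER_SEARCH_BASE": "ou=people",
    "LDAP_USER_SEARCH_FILTER": "uid={0}",
    "LDAP_GROUP_SEARCH_BASE": "ou=groups",
    "LDAP_GROUP_SEARCH_FILTER": "member={0}",
}

# Constructed in-memory stand-in for the Example 1 tree (not a real LDAP client): DN -> attributes.
PEOPLE = "ou=people,dc=example,dc=org"
DIRECTORY = {
    "cn=admin,dc=example,dc=org": {"userPassword": ["password"]},
    f"uid=almadmin,{PEOPLE}": {"uid": ["almadmin"], "userPassword": ["password"]},
    f"uid=readonly,{PEOPLE}": {"uid": ["readonly"], "userPassword": ["password"]},
    # constructed group name; the real predefined group names are not shown on this page
    "cn=constructed-group,ou=groups,dc=example,dc=org": {"member": [f"uid=almadmin,{PEOPLE}"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot alter the shape of the search filter."""
    return "".join(c if c not in "\\*()\0" else "\\%02x" % ord(c) for c in value)

def search(base, filter_template, value):
    """Evaluate an equality filter 'attr={0}' under base; returns the matching DNs."""
    attr, _, pattern = filter_template.partition("=")
    wanted = pattern.replace("{0}", escape_filter_value(value))
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base)
            and any(escape_filter_value(v) == wanted for v in attrs.get(attr, []))]

def bind(dn, password):
    """Simple bind with a PLAIN password comparison, as LDAP_PASSWORD_ENC=PLAIN selects."""
    stored = DIRECTORY.get(dn, {}).get("userPassword", [""])[0]
    return hmac.compare_digest(stored.encode(), password.encode())

def authenticate(cfg, username, password):
    """Search-then-bind; returns the user's group DNs, or None on any failure."""
    if not bind(cfg["LDAP_BIND_DN"], cfg["LDAP_ADMIN_PASSWORD"]):
        return None                                   # service account cannot bind
    user_base = cfg["LDAP_USER_SEARCH_BASE"] + "," + cfg["LDAP_BASE_DN"]
    found = search(user_base, cfg["LDAP_USER_SEARCH_FILTER"], username)
    if len(found) != 1 or not bind(found[0], password):
        return None                                   # unknown or ambiguous user, or bad password
    group_base = cfg["LDAP_GROUP_SEARCH_BASE"] + "," + cfg["LDAP_BASE_DN"]
    return search(group_base, cfg["LDAP_GROUP_SEARCH_FILTER"], found[0])
```

Note that the user filter receives the login name while the group filter receives the DN found in step two, which is why member={0} works with groupOfNames groups.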