From the bind DN `uid=binduser,cn=users,cn=accounts,dc=tools,dc=continuum,dc=io`, we can deduce that the root (base) of the tree is `dc=tools,dc=continuum,dc=io`.
Tools are available to help you visualize your organization's directory structure. For example, phpldapadmin generated a tree view showing that users live under `cn=accounts > cn=users`, and groups live under `cn=accounts > cn=groups`.
Now that you know the directory structure, you can gather the information about the user and group entries that you will need later.
You can use the `ldapsearch` tool, together with the `binduser` credentials, to look up an individual user by their `uid`. Here is a sample command for the user `gandalf`:
Select `ldap` from the Add provider selector to display the Add user federation provider Required Settings.
Field | Setting |
---|---|
Enabled | ON |
Console Display Name | ldap(tools.continuum.io) |
Priority | 0 |
Import Users | ON |
Edit Mode | READ_ONLY |
Sync Registration | OFF |
Vendor | Red Hat Directory Server |
Username LDAP attribute | uid |
RDN LDAP attribute | uid |
UUID LDAP attribute | uidNumber |
User Object Classes | person,organizationalperson,inetorgperson |
Connection URL | ldap://ipa.tools.continuum.io:389 |
Users DN | cn=users,cn=accounts,dc=tools,dc=continuum,dc=io |
Authentication Type | simple |
Bind DN | uid=binduser,cn=users,cn=accounts,dc=tools,dc=continuum,dc=io |
Bind Credential | (password for binduser) |
Custom User LDAP Filter | (&(objectClass=person)(uid=*)(memberOf=cn=grp-ae5-user,cn=groups,cn=accounts,dc=tools,dc=continuum,dc=io)) |
Search Scope | One level |
Validate Password Policy | OFF |
User Truststore SPI | Only for ldaps |
Connection Pooling | ON |
Connection Timeout | |
Read Timeout | |
Pagination | ON |
Allow Kerberos authentication | OFF |
Use Kerberos for Password Authentication | OFF |
Batch Size | 1000 |
Periodic Full Sync | OFF |
Periodic Changed Users Sync | OFF |
Cache Policy | DEFAULT |
Note that with an `ldap://` Connection URL and `simple` authentication, the `binduser` password and every user password Keycloak verifies cross the network in cleartext on port 389. For anything beyond a lab, use `ldaps://` (port 636 by default) and keep User Truststore SPI set so that the directory server's certificate is validated.
Most of these values can be derived from the output of the `ldapsearch` command you ran previously. The following table outlines how the fields map to the relevant values from our `gandalf` user example:
Field | LDAP Search Value | Description |
---|---|---|
Username | uid: gandalf | The unique ID used to identify the user. |
RDN | uid: gandalf | Usually the same as the Username, but may default to something else depending on the vendor selected. |
UUID | uidNumber: 1666600031 | Unique identifier. |
User Object Classes | objectClass: person, objectClass: organizationalperson, objectClass: inetorgperson | The user's object classes, combined in a single comma-separated field. |
Users DN | dn: uid=gandalf,cn=users,cn=accounts,dc=tools,dc=continuum,dc=io | The dn without its leading uid RDN. |
Bind DN | uid=binduser,cn=users,cn=accounts,dc=tools,dc=continuum,dc=io | Usually provided by the Security Admin. |
The Custom User LDAP Filter restricts logins to entries that are persons (`objectClass=person`), have any uid (`uid=*`) and are members of the group `grp-ae5-user` (`memberOf=cn=grp-ae5-user,cn=groups,cn=accounts,dc=tools,dc=continuum,dc=io`). No other users will be able to log in, which prevents unauthorized access. This is also useful for managing licences, because users must be explicitly added to this group before they can access the platform. The filter depends on the directory maintaining the `memberOf` attribute on user entries (FreeIPA does this server-side), and it is applied on top of the Users DN and Search Scope, so a group member whose entry sits outside `cn=users` will still not be found.
Filters also limit the number of objects that must be synchronized from LDAP, which helps prevent out-of-memory errors in the `auth` pod.
Next, add a mapper named `ldap-group-mapper` and configure it based on the results of the `ldapsearch` command. In this case, we ran the command against a known group to retrieve the additional information needed:
Field | Setting |
---|---|
Name | ldap-group-mapper |
Mapper Type | group-ldap-mapper |
LDAP Groups DN | cn=groups,cn=accounts,dc=tools,dc=continuum,dc=io |
Group Name LDAP Attribute | cn |
Group Object Classes | groupOfNames |
Preserve Group Inheritance | ON |
Ignore Missing Groups | OFF |
Membership LDAP Attribute | member |
Membership Attribute Type | DN |
Membership User LDAP Attribute | uid |
LDAP Filter | (cn=grp-ae5*) |
Mode | READ_ONLY |
User Groups Retrieve Strategy | LOAD_GROUPS_BY_MEMBER_ATTRIBUTE |
Member-Of LDAP Attribute | memberOf |
Mapped Group Attributes | |
Drop non-existing groups during sync | OFF |
LDAP Groups DN
Derived from the `dn` field of the ldapsearch output, `cn=grp-ae5-user,cn=groups,cn=accounts,dc=tools,dc=continuum,dc=io`, by dropping the group's own leading RDN `cn=grp-ae5-user`, which leaves `cn=groups,cn=accounts,dc=tools,dc=continuum,dc=io`.
Group Name LDAP Attribute
Derived from the ldapsearch field `cn: grp-ae5-user`, so the attribute is `cn`.
Group Object Classes
A default should already be selected. In this case the ldapsearch output shows `objectClass: groupOfNames`.
LDAP Filter
All relevant groups, whether based on functional role or team membership, have been set up with the prefix `grp-ae5-`. The filter `(cn=grp-ae5*)` uses this prefix to select only the relevant groups from the User Federation provider, preventing unnecessary groups from being pulled into the AE platform.
For example, the user `gandalf` is a member of the following groups:
```
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=tools,dc=continuum,dc=io
memberOf: cn=grp-ae5-user,cn=groups,cn=accounts,dc=tools,dc=continuum,dc=io
memberOf: cn=grp-ae5-wizards,cn=groups,cn=accounts,dc=tools,dc=continuum,dc=io
memberOf: cn=grp-lord-of-the-rings,cn=groups,cn=accounts,dc=tools,dc=continuum,dc=io
```
If you perform a group synchronisation, only the two `grp-ae5-` prefixed groups (`grp-ae5-user` and `grp-ae5-wizards`) will be imported. Likewise, when `gandalf` logs in, only the `grp-ae5-` prefixed groups from his profile are imported. You can test this by deleting the `grp-ae5-wizards` group in the Auth Center and then logging in as `gandalf`: his team membership group `grp-ae5-wizards` reappears in the Auth Center, while `grp-lord-of-the-rings` is filtered out and never imported.
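To check the effect of both filters before touching the directory, here is an added Python example (not code from the AE5 or Keycloak projects) that evaluates the Custom User LDAP Filter and the group mapper's `(cn=grp-ae5*)` filter against an LDIF entry constructed from the `gandalf` attributes quoted above, plus a constructed user `frodo` who is in a `grp-ae5-` team group but not in `grp-ae5-user`. The filter parser covers only the RFC 4515 subset these filters use (and/or/not, equality, presence and `*` wildcards), and matching is case-insensitive as it is in the directory server.

```python
"""Replay the AE5 Keycloak LDAP filters offline against LDIF entries.
Added example, not AE5 or Keycloak code; the LDIF below is constructed."""
import re

# In practice the entry comes from the ldapsearch described above, e.g.
#   ldapsearch -x -H ldap://ipa.tools.continuum.io:389 \
#     -D "uid=binduser,cn=users,cn=accounts,dc=tools,dc=continuum,dc=io" -W \
#     -b "cn=users,cn=accounts,dc=tools,dc=continuum,dc=io" -s one "(uid=gandalf)"
GANDALF_LDIF = """\
dn: uid=gandalf,cn=users,cn=accounts,dc=tools,dc=continuum,dc=io
uid: gandalf
uidNumber: 1666600031
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=tools,dc=continuum,dc=io
memberOf: cn=grp-ae5-user,cn=groups,cn=accounts,dc=tools,dc=continuum,dc=io
memberOf: cn=grp-ae5-wizards,cn=groups,cn=accounts,dc=tools,dc=continuum,dc=io
memberOf: cn=grp-lord-of-the-rings,cn=groups,cn=accounts,dc=tools,dc=continuum,dc=io
"""
# Hypothetical user: in a grp-ae5- team group, but not in grp-ae5-user.
FRODO_LDIF = """\
dn: uid=frodo,cn=users,cn=accounts,dc=tools,dc=continuum,dc=io
uid: frodo
objectClass: person
memberOf: cn=grp-ae5-hobbits,cn=groups,cn=accounts,dc=tools,dc=continuum,dc=io
"""
USER_FILTER = ("(&(objectClass=person)(uid=*)(memberOf=cn=grp-ae5-user,"
               "cn=groups,cn=accounts,dc=tools,dc=continuum,dc=io))")
GROUP_FILTER = "(cn=grp-ae5*)"


def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}."""
    entry = {}
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        if attr.strip():
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, |, !, equality, presence, wildcard."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            pos += 1  # consume the closing ')'
            return (op, children)
        end = text.index(")", pos)  # DN values used here contain no ')'
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), value)

    return node()


def matches(entry, ast):
    """Evaluate a filter AST; attribute values compare case-insensitively."""
    op = ast[0]
    if op == "&":
        return all(matches(entry, child) for child in ast[1])
    if op == "|":
        return any(matches(entry, child) for child in ast[1])
    if op == "!":
        return not matches(entry, ast[1][0])
    _, attr, pattern = ast
    values = [v.lower() for v in entry.get(attr, [])]
    if pattern == "*":  # presence test such as (uid=*)
        return bool(values)
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return any(re.fullmatch(regex, v) for v in values)


def can_log_in(ldif_text):
    """Would the Custom User LDAP Filter return this entry to Keycloak?"""
    return matches(parse_ldif(ldif_text), parse_filter(USER_FILTER))


def imported_groups(ldif_text):
    """memberOf groups (by cn) that survive the mapper's LDAP Filter."""
    group_ast, kept = parse_filter(GROUP_FILTER), []
    for dn in parse_ldif(ldif_text).get("memberof", []):
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
        if matches({rdn_attr.lower(): [rdn_value]}, group_ast):
            kept.append(rdn_value)
    return kept


def parent_dn(dn):
    """Users DN / Groups DN as Keycloak wants it: the dn minus its leading RDN."""
    return dn.split(",", 1)[1]
```

Running it shows that `gandalf` may log in with `grp-ae5-user` and `grp-ae5-wizards` imported, that `frodo` is refused even though his team group carries the prefix, and that `parent_dn()` yields the Users DN exactly as the mapping table derives it. Keycloak additionally restricts the search to the Users DN and Search Scope, which this offline check does not model.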
The AE5 realm roles that can be granted to these groups are ae-admin, ae-creator, ae-deployer and ae-uploader, alongside the Keycloak default roles offline_access and uma_authorization. The example groups and the access each is intended to carry are:

LDAP Group | Description |
---|---|
grp-ae5-biz-analyst | Business Analysts can access the system. They cannot create projects or grant others access to the system. |
grp-ae5-data-scientist | Data Scientists can create and share projects, but cannot deploy them. |
grp-ae5-data-engineer | Data Engineers can additionally deploy projects, as well as grant access to others. |
grp-ae5-devops | DevOps can deploy projects and upload packages, but cannot create projects. |
grp-ae5-sec-admin | This group is used to administer user access within the system, so no roles should be defined for it in the AnacondaPlatform realm. If required, roles can be defined and access granted in the Auth Center Master realm. |
grp-ae5-sysadmin | Granted ae-admin, which by default is a superuser for all other roles. |
grp-ae5-sysacct | The roles for system accounts are yet to be defined. They could be used for automated CI/CD tasks. |
grp-ae5-user | Used as a coarse-grained control for access to AE5, so no roles are defined. |
grp-ae5-wizards | A team membership group, so no AE roles are defined for it. |