uid=binduser,cn=users,cn=accounts,dc=tools,dc=anaconda,dc=io
We can see that the "root" or "base" of the directory tree is dc=tools,dc=anaconda,dc=io. From there we can discern the rest of the tree structure by reading the bind DN from right to left. In this example, the user entry identified by the uid attribute is stored in the users folder (cn=users), which is stored in the accounts folder (cn=accounts).
If you prefer, tools are available to aid in the visualization, navigation, and updating of your organization’s LDAP directory server, such as phpldapadmin, which was used to generate the following view. This provides additional information about the LDAP structure that you can’t discern from just looking at the bind credentials, such as the location of groups, which is also stored in the accounts folder.
Use the ldapsearch tool, along with the bind user credentials, to learn details about an individual user based on their user ID. For more information about the ldapsearch tool, see the official documentation.
Gather the information you'll need to configure user federation within Keycloak by running ldapsearch against a known user ID. For example, for the user ID User1 the command would look like this:
Set the edit mode to READ_ONLY so you can view and import user information but don't have to worry about Keycloak making unwanted changes to your LDAP server.
Fill in the following fields from the attributes that ldapsearch returned for the user:

- Username attribute: the attribute that holds the login name. This attribute determines what is displayed as your user's name when they sign into Anaconda. In this example, the username attribute is uid.
- RDN attribute: the relative distinguished name (RDN) attribute of the user entry. Usually the RDN attribute is the same as the username attribute, but this field may default to something else depending on your vendor.
- UUID attribute: the attribute that carries your users' unique identifiers (UUID).
- User object classes: the objectClass values of the user entry. Generally this field will have more than one entry, separated by a comma.
Custom user LDAP filter (optional): a filter that restricts which entries are synchronized. In this example, the filter matches only entries with objectClass=person that also have a uid and are in the group cn=grp-anaconda-users.
Because users must explicitly be added to the group, unauthorized access is prevented, and license management is simplified.
Filters also limit the need to synchronize a large number of objects from LDAP, which will help prevent out-of-memory errors in the auth pod.
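The filter described above, built and checked in Python as an added example (this is not code from the Anaconda or Keycloak projects). The full group DN, the cn=groups container name and the use of a memberOf attribute on user entries are assumptions made for illustration; confirm each against your own directory with ldapsearch. The second half shows why assertion values must be escaped per RFC 4515: an unescaped value taken from user input can turn a one-user lookup into a match on every user.

```python
"""Build and sanity-check a custom user LDAP filter of the shape described above.

Added example, not code from the Anaconda or Keycloak projects. GROUP_DN and the
memberOf attribute are assumptions; verify both with ldapsearch first.
"""
import re

# RFC 4515: these characters must be escaped inside an assertion value, otherwise a
# value taken from user input can change the structure of the filter (LDAP injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed location of the group; "cn=groups" is a guess at the container name.
GROUP_DN = "cn=grp-anaconda-users,cn=groups,cn=accounts,dc=tools,dc=anaconda,dc=io"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an RFC 4515 assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(group_dn: str = GROUP_DN) -> str:
    """Filter for person entries that have a uid and are members of group_dn.

    Membership is tested via memberOf, which only works if the directory maintains
    that attribute on user entries (an assumption, see the lead-in).
    """
    return f"(&(objectClass=person)(uid=*)(memberOf={escape_filter_value(group_dn)}))"


_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9.;-]*)(~=|>=|<=|=)([^()]*)")


def _parse(s: str, pos: int):
    """Recursive-descent parser for the RFC 4515 subset used here.

    Returns (node, next_pos). Nodes are ("&"|"|", [children]), ("!", [child]) or
    ("item", attribute, operator, value). Raises ValueError on malformed input.
    """
    if pos >= len(s) or s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(s) and s[pos] in "&|":
        op, pos, children = s[pos], pos + 1, []
        while pos < len(s) and s[pos] == "(":
            child, pos = _parse(s, pos)
            children.append(child)
        if not children:
            raise ValueError(f"empty '{op}' list at offset {pos}")
        node = (op, children)
    elif pos < len(s) and s[pos] == "!":
        child, pos = _parse(s, pos + 1)
        node = ("!", [child])
    else:
        m = _ITEM.match(s, pos)
        if not m:
            raise ValueError(f"bad filter item at offset {pos}")
        node, pos = ("item", m.group(1), m.group(2), m.group(3)), m.end()
    if pos >= len(s) or s[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1


def validate_filter(s: str):
    """Parse a whole filter string; raise ValueError if it is not well formed."""
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError(f"trailing characters at offset {end}")
    return node


def naive_uid_filter(uid: str) -> str:
    """Deliberately unsafe: interpolates uid without escaping, to show the injection."""
    return f"(&(objectClass=person)(uid={uid}))"


def safe_uid_filter(uid: str) -> str:
    """Same lookup with the value escaped, so the input stays a literal."""
    return f"(&(objectClass=person)(uid={escape_filter_value(uid)}))"


if __name__ == "__main__":
    print(user_filter())
    hostile = "*)(uid=*"  # constructed hostile input
    # The naive filter becomes (&(objectClass=person)(uid=*)(uid=*)) and matches everyone.
    print(len(validate_filter(naive_uid_filter(hostile))[1]), "terms after injection")
    print(len(validate_filter(safe_uid_filter(hostile))[1]), "terms when escaped")
```

Run validate_filter on any custom filter before pasting it into Keycloak; an unbalanced parenthesis or a stray literal "(" in a value raises ValueError here instead of silently matching nothing (or everything) in production.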
LDAP filter syntax, which ldapsearch and the custom filter both use, is a prefix-notation expression language with its own escaping rules (not regular expressions), and it is notorious for being easy to get wrong. If implemented incorrectly, a custom filter could cause all users to have their access suspended or be functionally disabled, so test any custom filter with ldapsearch before entering it in Keycloak.

Next, use the ldapsearch tool again to gather information about your LDAP directory, only this time look for information pertaining to your organization's groups.
To gather information about groups in your LDAP directory, run the following command against a known group DN:
Fill in the following fields from the attributes that ldapsearch returned for the group:

- Groups DN: the distinguished name of the group you would like to map.
- Group name attribute: the attribute that is associated with group names. In this example, the attribute is cn.
- Group object classes: the objectClass values of the group entry. This field will often have multiple entries, separated by a comma.
Use the pattern grp-anaconda-*; synchronizing will then reach out to the LDAP server and import all groups whose names begin with grp-anaconda-.
LDAP Group | ae-admin | ae-creator | ae-deployer | ae-uploader | offline_access | uma_authorization | Description |
---|---|---|---|---|---|---|---|
grp-anaconda-biz-analyst | X | Business Analysts can access the system. They cannot create projects or grant others access to the system. | |||||
grp-anaconda-data-scientist | X | X | X | X | X | Data Scientists can create and share projects, but cannot deploy them. | |
grp-anaconda-data-engineer | X | X | X | X | Data Engineers can additionally deploy projects, as well as grant access to others. | ||
grp-anaconda-devops | X | X | X | DevOps can deploy projects and upload packages, but cannot create projects. | |||
grp-anaconda-sec-admin | This group should be used to administer user access within the system. Therefore, no roles should be defined in the AnacondaPlatform realm. If required, roles can be defined and access granted in the Auth Center Master realm. | ||||||
grp-anaconda-sysadmin | X | By default, the ae-admin role is a superuser for all other roles. | |||||
grp-anaconda-sysacct | The roles for system accounts are yet to be defined. These could be used for automated CI/CD tasks. | ||||||
grp-anaconda-users | This is used as a coarse-grained control for access to AE5, so no roles are defined. |
You must have the jre package installed to complete this procedure (it provides the keytool utility used to build the keystore).

You must have SSL/TLS certificates for your LDAP server.

1. Import your LDAP server's certificate into an LDAPS.jks keystore file.
2. Base64-encode the LDAPS.jks file so that it can be stored in the secrets-exported.yml file, by running the base64 command against it. Note that GNU base64 wraps its output at 76 characters by default; use base64 -w 0 so the value is a single line, as a secret value must be.
3. Add the encoded value to the data section of the secrets-exported.yml file.
4. Verify that the LDAPS.jks entry has been added to the secret.
5. Point the auth service at the keystore by adding the truststore settings to its JAVA_OPTS key/value in the auth.yaml file.

Here is what the auth.yaml file's JAVA_OPTS might look like when complete.
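The checks a practitioner wants around steps 1 through 5, as an added example in Python (not code from the Anaconda project): confirm the file keytool wrote really is a JKS keystore (newer JDKs default to PKCS12 unless you pass -storetype JKS, and the JVM will then reject it as a JKS truststore), encode it on a single line for the secret's data section, and render the standard javax.net.ssl truststore properties for JAVA_OPTS. The mount path /etc/secrets/LDAPS.jks and the password changeit are assumptions; the sample keystore bytes are constructed and carry only a valid header.

```python
"""Prepare the LDAPS.jks truststore for the auth service secret.

Added example, not code from the Anaconda project. The mount path, password and
sample bytes are assumptions or constructed data.
"""
import base64
import struct

JKS_MAGIC = 0xFEEDFEED  # first four bytes of every JKS file; PKCS12 files start with DER 0x30


def check_jks(data: bytes) -> int:
    """Return the entry count of a JKS blob, or raise ValueError if it is not a usable JKS file."""
    if len(data) < 12:
        raise ValueError("too short to be a JKS keystore")
    magic, version, count = struct.unpack(">III", data[:12])
    if magic != JKS_MAGIC:
        raise ValueError(f"not a JKS keystore (magic {magic:#010x}); did keytool write PKCS12?")
    if version not in (1, 2):
        raise ValueError(f"unknown JKS version {version}")
    if count == 0:
        raise ValueError("keystore has no entries; the LDAP certificate was not imported")
    return count


def encode_for_secret(data: bytes) -> str:
    """One-line base64 for a Secret's data section (shell base64 wraps at 76 columns by default)."""
    return base64.b64encode(data).decode("ascii")


def secret_data_entry(data: bytes, key: str = "LDAPS.jks") -> str:
    """YAML line to add under the data: section of secrets-exported.yml, after validating the file."""
    check_jks(data)
    return f"  {key}: {encode_for_secret(data)}"


def java_opts(trust_store: str = "/etc/secrets/LDAPS.jks", password: str = "changeit") -> str:
    """JVM system properties that make the auth service trust the certificates in the keystore.

    Both path and password are assumptions. A truststore password only protects the
    file's integrity, not its secrecy, but keep it out of logs all the same.
    """
    return f"-Djavax.net.ssl.trustStore={trust_store} -Djavax.net.ssl.trustStorePassword={password}"


# Constructed sample: a JKS header (magic, version 2, one entry) followed by padding.
# It is not a usable keystore, only enough to exercise the checks above.
SAMPLE_JKS = struct.pack(">III", JKS_MAGIC, 2, 1) + b"\x00" * 20
# Constructed sample of a DER prefix, the shape a PKCS12 keystore starts with.
SAMPLE_P12 = b"\x30\x82\x0a\x00" + b"\x00" * 20

if __name__ == "__main__":
    print(secret_data_entry(SAMPLE_JKS))
    print(java_opts())
```

To use it against a real file, read LDAPS.jks in binary mode and pass the bytes to secret_data_entry; a ValueError there means the keystore is the wrong format or empty, which is worth catching before the auth pod fails its first LDAPS handshake.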