How to:
- OpenLDAP Overview
- Configure OpenLDAP server
- Configure Authentication Connector for OpenLDAP
* For demonstration, all configuration in the lab was done directly in the appliance context.
OpenLDAP Structure
Attribute-centric data (for example: ORG, Group, Users) is stored as a hierarchy of objects (entries), each entry being a set of attribute/value pairs.
These stored objects form a tree structure known as the Directory Information Tree (DIT). The top of the tree is commonly called the root or the suffix.
The attributes an entry may or must carry are determined by its objectClass(es), which are defined in the schema.
Note: only attributes defined in a loaded schema can be used; anything beyond that requires a custom schema.
dc: domain component
ou: organizational unit
cn: common name
dn: distinguished name (the unique, full name of an entry, e.g. cn=Tenant1_user,ou=people,dc=vd-lab,dc=com; a search is given a base DN and starts from that entry)
Configure OpenLDAP Server
Prerequisites: required packages installed, network interfaces configured, reachability from Director established.
Test the LDAP connection with "ldapwhoami -H ldap:// -x"; an anonymous simple bind against the local server should return "anonymous".
Create LDIF (LDAP Data Interchange Format) text files for the information to be entered into the LDAP database.
For instance:
OU.ldif text file contains the top-level entry and/or OUs under suffix vd-lab.com
Role.ldif text file contains all the Tenant Role(s)
User.ldif text file contains the User(s)
#######################################
# vd-lab.com
dn: dc=vd-lab,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Versa
dc: vd-lab
# Tenants, vd-lab.com
dn: ou=Tenants,dc=vd-lab,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Tenants
# Tenant-1, Tenants, vd-lab.com
dn: cn=Tenant-1,ou=Tenants,dc=vd-lab,dc=com
cn: Tenant-1
member: cn=Tenant1_user,ou=people,dc=vd-lab,dc=com
objectClass: groupOfNames
objectClass: top
# people, vd-lab.com
dn: ou=people,dc=vd-lab,dc=com
objectClass: organizationalUnit
ou: people
#######################################
To add the created OU into the LDAP database, execute "ldapadd -x -D cn=admin,dc=vd-lab,dc=com -W -f OU.ldif"
Note: entries are added in file order, so a parent (e.g. ou=Tenants) must appear before its children. If the suffix entry dc=vd-lab,dc=com already exists (it is typically created when slapd is first configured), ldapadd stops at that entry with "Already exists (68)"; add -c to continue with the remaining entries.
#######################################
# Roles, vd-lab.com
dn: ou=Roles,dc=vd-lab,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Roles
# TenantOperator, Roles, vd-lab.com
dn: cn=TenantOperator,ou=Roles,dc=vd-lab,dc=com
objectClass: top
objectClass: organizationalRole
cn: TenantOperator
# TenantSuperAdmin, Roles, vd-lab.com
dn: cn=TenantSuperAdmin,ou=Roles,dc=vd-lab,dc=com
cn: TenantSuperAdmin
member: cn=Tenant1_user,ou=people,dc=vd-lab,dc=com
objectClass: groupOfNames
objectClass: top
# TenantSecurityAdmin, Roles, vd-lab.com
dn: cn=TenantSecurityAdmin,ou=Roles,dc=vd-lab,dc=com
objectClass: top
objectClass: organizationalRole
cn: TenantSecurityAdmin
#######################################
To add the created Roles OU into the LDAP database, execute "ldapadd -x -D cn=admin,dc=vd-lab,dc=com -W -f Role.ldif"
#######################################
# Tenant1_user, people, vd-lab.com
dn: cn=Tenant1_user,ou=people,dc=vd-lab,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: Tenant1_user
userPassword:: VmVyc2FAMTIz
sn: user
ou: cn=TenantSuperAdmin,ou=Roles,dc=vd-lab,dc=com
#######################################
To add the created User into the LDAP database, execute "ldapadd -x -D cn=admin,dc=vd-lab,dc=com -W -f User.ldif"
Note: once the objects are added into the database, the LDIF files are no longer required. User.ldif in particular should be removed: the "userPassword::" line is only base64 (it decodes to the cleartext password), and the password is stored in the directory in cleartext as well. For anything beyond a lab, store a hashed value instead, e.g. generate one with "slappasswd -h {SSHA}" and put it in userPassword, or set it after the add with ldappasswd.
To verify the database, perform a search over the whole suffix:
"ldapsearch -x -H ldap://<LDAP Server> -D "cn=admin,dc=vd-lab,dc=com" -W -b "dc=vd-lab,dc=com""
(-H ldap://<host> replaces the older -h <host> -p 389 options, which newer OpenLDAP releases no longer accept)
This returns every entry added above, with its objectClass values and other attributes.
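Before running the ldapadd commands above, it is worth checking the LDIF files for the mistakes that make ldapadd abort half-way (a parent entry that is not loaded first, a groupOfNames with no member, a member DN that exists nowhere) and for the cleartext userPassword noted above. The script below is an added example for these notes, not part of the lab or of any OpenLDAP or Versa tooling; it uses only the Python standard library, embeds a constructed subset of the lab's LDIF (OU.ldif and User.ldif entries in load order, comments and the Roles entries dropped), and produces {SSHA} values in the format slappasswd -h {SSHA} uses so a hashed password can be written into User.ldif without slappasswd on the path.

```python
"""Pre-flight checks on LDIF before `ldapadd -x -D cn=admin,dc=vd-lab,dc=com -W -f ...`.
Stdlib only; catches what makes ldapadd abort (parent missing from the load order,
groupOfNames without member, dangling member DN) and flags cleartext userPassword
values, which a '::' base64 line in LDIF does not protect (added example, not lab code)."""
import base64, hashlib, os

SUFFIX = "dc=vd-lab,dc=com"

# Constructed sample: the lab's OU.ldif and User.ldif entries, in load order.
LAB_LDIF = """\
dn: dc=vd-lab,dc=com
objectClass: dcObject
objectClass: organization
o: Versa
dc: vd-lab

dn: ou=Tenants,dc=vd-lab,dc=com
objectClass: organizationalUnit
ou: Tenants

dn: cn=Tenant-1,ou=Tenants,dc=vd-lab,dc=com
objectClass: groupOfNames
cn: Tenant-1
member: cn=Tenant1_user,ou=people,dc=vd-lab,dc=com

dn: ou=people,dc=vd-lab,dc=com
objectClass: organizationalUnit
ou: people

dn: cn=Tenant1_user,ou=people,dc=vd-lab,dc=com
objectClass: person
cn: Tenant1_user
sn: user
userPassword:: VmVyc2FAMTIz
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})] in file order; handles '#' comments,
    blank-line separators, folded lines (leading space) and 'attr:: base64' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # '::' marks base64, not encryption
            value = base64.b64decode(value[1:].strip()).decode()
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = (value, {})
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current[1].setdefault(name, []).append(value)
    return entries

def normalize_dn(dn):
    # case-fold and trim RDNs so DNs compare the way slapd compares them
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()

def preflight(text, suffix=SUFFIX):
    """Return a list of problems; an empty list means the file is safe to ldapadd."""
    problems, entries = [], parse_ldif(text)
    loaded = {normalize_dn(suffix)}         # the suffix may already exist on the server
    known = loaded | {normalize_dn(dn) for dn, _ in entries}
    for dn, attrs in entries:
        ndn = normalize_dn(dn)
        if ndn not in loaded and ndn.partition(",")[2] not in loaded:
            problems.append(f"{dn}: parent not loaded first (ldapadd: No such object)")
        loaded.add(ndn)
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "groupofnames" in classes and not attrs.get("member"):
            problems.append(f"{dn}: groupOfNames needs at least one member")
        for m in attrs.get("member", []):
            if normalize_dn(m) not in known:
                problems.append(f"{dn}: member {m} is not in this load")
        for pw in attrs.get("userpassword", []):
            if not (pw.startswith("{") and "}" in pw):
                problems.append(f"{dn}: userPassword is cleartext; store a {{SSHA}} hash")
    return problems

def ssha_password(password, salt=None):
    """OpenLDAP {SSHA} value, as slappasswd -h {SSHA} produces: base64(SHA1(pw+salt)+salt)."""
    salt = os.urandom(4) if salt is None else salt
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def verify_ssha(stored, password):
    """Check a password against a {SSHA} value the way slapd does on a simple bind."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]
```

Run preflight() on the concatenation of OU.ldif, Role.ldif and User.ldif (in the order they are loaded) and fix every reported line before the first ldapadd; on the lab files as written it reports only the cleartext userPassword of Tenant1_user. Replace that line with "userPassword: " followed by the value ssha_password("Versa@123") returns and the report is empty; slapd verifies a simple bind against the stored {SSHA} value exactly as verify_ssha() does.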
Configure Authentication Connector
To add a connector for External Authentication on VD:
Go to Administration -> Connector -> Authentication -> Authentication Connectors and click '+' to add.
Fill in the LDAP server details: IP address, Base DN and Bind DN.
Map the configured connector to the desired ORG.
Go to Administration -> Organization -> Click “Organization” to open -> Authentication -> Authentication Connector -> Select the Connector from drop down.
==============================================================================
Troubleshooting: collect the following outputs
- Packet capture (.pcap) on the VD interface towards LDAP server
- vnms-external-auth.log
- vnms-spring-boot.log