Open LDAP integration

LDAP configuration/schema

VxFlex OS identifies the groups which a user belongs to by search filter like (&(objectClass=inetOrgPerson)(uid=)(memberOf=)).

Therefore we need to enable “groupofNames” objectclass and to include groupofNames objectclass in each groups. This then creates a memberOf attribute to the member, when we add a member to the group.

For more information on this critical pre-requisite, please see:

The MemberOf attribute is not shown, if we don’t specify the attribute:

[root@ldap ldif]# ldapsearch -LLL -h localhost -x -D  cn=config -w admin -b "dc=example,dc=com" "(cn=monitor)"
dn: cn=monitor,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: testgroup
cn: monitor
member: uid=test0,ou=People,dc=example,dc=com
member: uid=test1,ou=People,dc=example,dc=com
member: uid=test2,ou=People,dc=example,dc=com
member: uid=test3,ou=People,dc=example,dc=com

[root@ldap ldif]# ldapsearch -LLL -h localhost -x -D  cn=config -w admin -b "dc=example,dc=com" "(uid=test1)"
dn: uid=test1,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
sn: nakamura
cn: masanori
uid: test1
mail: test1@example.com

[root@ldap ldif]# ldapsearch -LLL -h localhost -x -D  cn=config -w admin -b "dc=example,dc=com" "(uid=test1)" uid memberOf
dn: uid=test1,ou=People,dc=example,dc=com
uid: test1
memberOf: cn=monitor,ou=Group,dc=example,dc=com

[root@ldap ldif]#

VxFlex OS settings

There are 3 things to do:

  • CLI, REST API
  • Installation Manager / Gateway
  • LIA

CLI, REST API

(REST API gets token from MDM through Gateway)

[root@vxflexos-1 ~]# scli --add_ldap_service --ldap_service_uri "ldap://ldap.example.com" --ldap_base_dn "dc=example,dc=com" --username_dn_format "uid=*,ou=People,dc=example,dc=com" --object_class_attribute inetOrgPerson --user_attribute_name uid --member_of_attribute_name memberOf --ldap_service_name myldap --disable_recursive_search
LDAP uri defined with unsecured protocol. Press 'y' and then Enter to confirm: y

Successfully added an LDAP service.  Object ID 8ddd51eb00000000 with Name: myldap, URI: ldap://ldap.example.com and base DN: dc=example,dc=com
[root@vxflexos-1 ~]# scli --assign_ldap_groups_to_roles --ldap_service_name myldap --backend_config_role_dn cn=backend,ou=Group,dc=example,dc=com --frontend_config_role_dn cn=frontend,ou=Group,dc=example,dc=com --monitor_role_dn cn=monitor,ou=Group,dc=example,dc=com --administrator_role_dn cn=administrator,ou=Group,dc=example,dc=com
Assignment of roles to LDAP groups completed successfully
[root@vxflexos-1 ~]# scli --set_user_authentication_method --native_and_ldap_authentication
Authentication method changed successfully
[root@vxflexos-1 ~]# scli --query_user_authentication_properties
------------------------------------------------------------
User authentication method: Native and LDAP
System has 1 configured LDAP services
------------------------------------------------------------
LDAP service ID: 8ddd51eb00000000
LDAP service name: myldap
LDAP service URI: ldaps://ldap.example.com
Users base DN: dc=example,dc=com
User search filter: (&(objectClass=inetOrgPerson)(uid=<USER>)(memberOf=<GROUP>))
Username DN format: uid=*,ou=People,dc=example,dc=com
LDAP service has 4 configured groups.
        Role: Administrator
        Group DN: cn=administrator,ou=Group,dc=example,dc=com
        Role: BackEndConfigure
        Group DN: cn=backend,ou=Group,dc=example,dc=com
        Role: Monitor
        Group DN: cn=monitor,ou=Group,dc=example,dc=com
        Role: FrontEndConfigure
       Group DN: cn=frontend,ou=Group,dc=example,dc=com
------------------------------------------------------------
[root@vxflexos-1 ~]# scli --login --username test1 --ldap_authentication --password P@ssw0rd
Logged in. User role is Monitor. System ID is 7356df847ec9ac0f
[root@vxflexos-1 ~]#

Notes:
1. –disable_recursive_search is needed to set “User search filter” to make the format understandable by OpenLDAP.

Installation Manager / Gateway

[root@gateway ~]# /opt/emc/scaleio/gateway/bin/FOSGWTool.sh --reset_ldap_properties --server_url_list "ldap://ldap.example.com" --base_dn_list "dc=example,dc=com" --group_name_list "cn=administrator,ou=Group,dc=example,dc=com" --dn_format_list "uid=<USER>,ou=People,dc=example,dc=com" --filter_list "(&(objectClass=inetOrgPerson)(uid=<USER>)(memberOf=<GROUP>))" --create_default_lockbox

[root@gateway ~]# systemctl restart scaleio-gateway.service
[root@gateway ~]#

Notes:
1. Use <USER> to associate with the user name of input at Gateway.
2. login to Gateway by user like: test0@<base_dn>.

LIA

1. Edit /opt/emc/scaleio/gateway/webapps/ROOT/WEB-INF/classes/gatewayUser.properties.

INF/classes/gatewayUser.properties and restart Gateway
# properties for add lia ldap server
lia.ldap.objectClassAttr=inetOrgPerson
lia.ldap.userIdAttrName=uid
lia.ldap.memberOfAttrName=memberOf
lia.ldap.replicationExisting=
lia.ldap.disableRecursiveSearch=true
lia.ldap.usernameDnFormat=uid=*,ou=People,dc=example,dc=com
lia.ldap.authorizerDn=

2. Restart Gateway.

[root@gateway ~]# systemctl restart scaleio-gateway.service
[root@gateway ~]#

3. Setting at Maintain tab of Gateway.

  1. Execute “Retrieve system topology”
  2. At Security Setting , execute “Add LDAP Server”


  3. At Security Setting, execute “Change LIA authentication method to LDAP”
  4. Once Cancel the job. Then execute “Retrieve system topology” again
  5. Check LIA authentication set LDAP

SSL/TSL setting

By default, OpenLDAP server uses self-signed certificate. We need to set LDAP client to accept untrusted certificates or resister LDAP server’s certificate.

There two thins to do:

  • CLI, REST API, LIA
  • Gateway

CLI, REST API, LIA

CLI, REST API and LIA use openldap client config is from /etc/openldap/ldap.conf.

Option 1. To accept untrusted certificates, check /etc/openldap/ldap.conf

TLS_REQCERT allow

Option 2. To register the LDAP server’s certificate, copy the LDAP server’s certificate to /etc/openldap/certs.

We need to configure on all nodes on which MDM and LIA run. And after we change the settings we need to restart MDM and/ or LIA.

Restart MDM

[root@vxflexos-1 ~]# /opt/emc/scaleio/mdm/bin/delete_service.sh
Removed symlink /etc/systemd/system/multi-user.target.wants/mdm.service.
[root@vxflexos-1 ~]# /opt/emc/scaleio/mdm/bin/create_service.sh
Created symlink from /etc/systemd/system/multi-user.target.wants/mdm.service to /usr/lib/systemd/system/mdm.service.
[root@vxflexos-1 ~]#

Restart LIA

[root@vxflexos-1 ~]# /opt/emc/scaleio/lia/bin/delete_service.sh
Removed symlink /etc/systemd/system/multi-user.target.wants/lia.service.
[root@vxflexos-1 ~]# /opt/emc/scaleio/lia/bin/create_service.sh
Created symlink from /etc/systemd/system/multi-user.target.wants/lia.service to /usr/lib/systemd/system/lia.service.
[root@vxflexos-1 ~]#

Gateway

Gateway uses ldap client in Java. So we need to store the LDAP server’s certificate in lockbox for Gateway.

Copy LDAP server’s certificate to Gateway node, then import it to the lockbox and restart Gateway.

[root@gateway ~]# keytool -import -alias ldapserver -file "path_to_ldap_server.crt" --keystore "/opt/emc/scaleio/gateway/webapps/ROOT/WEB-INF/classes/certificates/truststore.jks" --storepass changeit
所有者: CN=ldap.example.com, OU=Example, O=Example Ltd, L=Shibuya-ku, ST=Tokyo, C=JP
発行者: CN=ldap.example.com, OU=Example, O=Example Ltd, L=Shibuya-ku, ST=Tokyo, C=JP
シリアル番号: fe602af83ef96ae3
有効期間の開始日: Sat Oct 26 10:54:45 JST 2019 終了日: Tue Oct 23 10:54:45 JST 2029
証明書のフィンガプリント:
         MD5:  35:94:C1:CC:C8:FE:DE:1D:D7:F4:54:56:F9:CC:5E:0A
         SHA1: E4:24:CA:B1:E6:22:00:BA:65:BD:A4:92:56:4D:B0:F5:9A:99:7C:6B
         SHA256: 66:E2:F1:70:86:96:7D:7E:5A:04:F5:CB:12:46:77:44:97:04:C9:BE:40:D0:70:BE:30:86:79:3B:E7:E1:E9:BE
署名アルゴリズム名: SHA256withRSA
サブジェクト公開鍵アルゴリズム: 2048ビットRSA鍵
バージョン: 1
この証明書を信頼しますか。 [いいえ]:  Y
証明書がキーストアに追加されました
[root@gateway ~]# keytool -list -v -keystore "/opt/emc/scaleio/gateway/webapps/ROOT/WEB-INF/classes/certificates/truststore.jks" -alias ldapserver -storepass changeit
別名: ldapserver
作成日: 2020/03/30
エントリ・タイプ: trustedCertEntry

所有者: CN=ldap.example.com, OU=Example, O=Example Ltd, L=Shibuya-ku, ST=Tokyo, C=JP
発行者: CN=ldap.example.com, OU=Example, O=Example Ltd, L=Shibuya-ku, ST=Tokyo, C=JP
シリアル番号: fe602af83ef96ae3
有効期間の開始日: Sat Oct 26 10:54:45 JST 2019 終了日: Tue Oct 23 10:54:45 JST 2029
証明書のフィンガプリント:
         MD5:  35:94:C1:CC:C8:FE:DE:1D:D7:F4:54:56:F9:CC:5E:0A
         SHA1: E4:24:CA:B1:E6:22:00:BA:65:BD:A4:92:56:4D:B0:F5:9A:99:7C:6B
         SHA256: 66:E2:F1:70:86:96:7D:7E:5A:04:F5:CB:12:46:77:44:97:04:C9:BE:40:D0:70:BE:30:86:79:3B:E7:E1:E9:BE
署名アルゴリズム名: SHA256withRSA
サブジェクト公開鍵アルゴリズム: 2048ビットRSA鍵
バージョン: 1
[root@gateway ~]# systemctl restart scaleio-gateway.service
[root@gateway ~]#

Be the first to comment

Leave a Reply

Your email address will not be published.


*