RHIDP-7612 Added _Enablig user provisioning with LDAP_

themr0c · themr0c · commit 5b734f2824f9 · 2025-10-13T19:18:50.000+02:00
Signed-off-by: Fabrice Flore-Thébault &lt;ffloreth@redhat.com&gt;
diff --git a/assemblies/assembly-authenticating-with-rhbk.adoc b/assemblies/assembly-authenticating-with-rhbk.adoc
@@ -7,4 +7,7 @@
 include::modules/authentication/proc-enabling-user-authentication-with-rhbk.adoc[leveloffset=+1]
 
 
+include::modules/authentication/proc-enabling-user-provisioning-with-ldap.adoc[leveloffset=+1]
+
+
 include::modules/authentication/proc-creating-a-custom-transformer-to-provision-users-from-rhbk-to-the-software-catalog.adoc[leveloffset=+1]
diff --git a/modules/authentication/proc-enabling-user-provisioning-with-ldap.adoc b/modules/authentication/proc-enabling-user-provisioning-with-ldap.adoc
@@ -0,0 +1,353 @@
+:_mod-docs-content-type: PROCEDURE
+
+[id="enabling-user-provisioning-with-ldap"]
+= Enabling user provisioning with LDAP
+
+Provision users and groups from Lightweight Directory Access Protocol (LDAP) to the {product} software catalog, rather than using authentication provider in {product-short}.
+
+.Prerequisites
+* You link:{configuring-book-url}[added a custom {product-short} application configuration], and have sufficient permissions to modify it.
+
+* You have configured xref:assembly-authenticating-with-rhbk[authentication with {rhbk-brand-name} ({rhbk})].
+
+* You have collected the required LDAP credentials:
+
+LDAP URL::
+Your LDAP server URL, such as `ldaps://ds.example.net`.
+
+Bind dn::
+Your bind distinguished name, such as `cn=admin,OU=Users,DC=rhdh,DC=test`
+
+LDAP secret::
+Your LDAP secret.
+
+Recommended: LDAP certificates and keys::
+Your LDAP certificates and keys, when using a secure LDAP connexion (`ldaps://`).
+
+
+.Procedure
+. Enter your LDAP credentials to {product-short}, by adding the following key/value pairs to link:{configuring-dynamic-plugins-book-url}#provisioning-your-custom-configuration[your {product-short} secrets].
+You can use these secrets in the {product-short} configuration files by using their respective environment variable name.
+
+`LDAP_SECRET`::
+Enter your LDAP secret.
+
+. Recommended: To use a secure LDAP connection (`ldaps://`), add your LDAP certificates and keys files to link:{configuring-dynamic-plugins-book-url}#provisioning-your-custom-configuration[your {product-short} secrets].
+
+`ldap_certs`::
+
+`ldap_keys`::
+
+. Enable the LDAP organization provisioning plugin (`backstage-plugin-catalog-backend-module-ldap`).
+This plugin ingests LDAP users and groups to the {product-short} software catalog.
++
+.`dynamic-plugins.yaml` file fragment
+[source,yaml]
+----
+plugins:
+  - package: './dynamic-plugins/dist/backstage-plugin-catalog-backend-module-ldap'
+    disabled: false
+----
+
+. Enable provisioning GitHub users and groups to the {product-short} software catalog, by adding the `catalog.providers.ldapOrg` section to your custom {product-short} `{my-app-config-file}` configuration file:
+
+.. Optional: Consider removing other catalog provider, by removing other catalog provider section.
+
+.. Enter the mandatory fields:
++
+[source,yaml]
+----
+catalog:
+  providers:
+    ldapOrg:
+      default:
+        target: ldaps://ds.example.net
+        bind:
+          dn: cn=admin,ou=Users,dc=rhdh
+          secret: ${LDAP_SECRET}
+        users:
+          - dn: OU=Users,OU=RHDH Local,DC=rhdh,DC=test
+            options:
+              filter: (uid=*)
+        groups:
+          - dn: OU=Groups,OU=RHDH Local,DC=rhdh,DC=test
+        schedule:
+          frequency: PT1H
+          timeout: PT15M
+----
+
+`target`::
+Enter your LDAP server URL, such as `ldaps://ds.example.net`.
+
+`bind`::
+Enter your service account informations:
+
+`dn`:::
+Enter your service account distinguished name (DN), such as `cn=admin,OU=Users,DC=rhdh,DC=test`
+
+`secret`:::
+Enter the name of the variable containing your LDAP secret: `${LDAP_SECRET}`.
+
+`users`::
+Enter information about how to find your users:
+
+`dn`:::
+Enter the DN containing the user information.
+
+`options`:::
+
+`filter`::::
+Enter your filter, such as `(uid=*)` to provision to the {product-very-short} software catalog only users with a valid `uid`.
+
+`groups`::
+Enter information about how to find your groups:
+
+`dn`:::
+Enter the DN containing the group information.
+
+`schedule`::
+Enter your schedule information:
+
+`frequency`:::
+Enter your schedule frequency, in the cron, ISO duration, or "human duration" format.
+
+`timeout`:::
+Enter your schedule timeout, in the ISO duration or "human duration" format.
+
+`initialDelay`:::
+Enter your schedule initial delay, in the ISO duration or "human duration" format.
+
+.. Optional: To change how {product-short} maps LDAP user fields to the software catalog, enter optional `maps` and `set` fields.
++
+[source,yaml]
+----
+catalog:
+  providers:
+    ldapOrg:
+      default:
+        target: ldaps://ds.example.net
+        bind:
+          dn: cn=admin,ou=Users,dc=rhdh
+          secret: ${LDAP_SECRET}
+        users:
+          - dn: OU=Users,OU=RHDH Local,DC=rhdh,DC=test
+            options:
+              filter: (uid=*)
+            map:
+              rdn: uid
+              name: uid
+              description: {}
+              displayName: cn
+              email: mail
+              picture: {}
+              memberOf: memberOf
+            set:
+              metadata.customField: 'hello'
+        groups:
+          - dn: OU=Groups,OU=RHDH Local,DC=rhdh,DC=test
+        schedule:
+          frequency: PT1H
+          timeout: PT15M
+----
+
+`rdn`::
+To change the default value: `uid`, enter the relative distinguished name of each entry.
+
+`name`::
+To change the default value: `uid`, enter the LDAP field to map to the {product-very-short} `metadata.name` field.
+
+`description`::
+To set a value, enter the LDAP field to map to the {product-very-short} `metadata.description` field.
+
+`displayName`::
+To change the default value: `cn`, enter the LDAP field to map to the {product-very-short} `metadata.displayName` field.
+
+`email`::
+To change the default value: `mail`, enter the LDAP field to map to the {product-very-short} `spec.profile.email` field.
+
+`picture`::
+To set a value, enter the LDAP field to map to the {product-very-short} `spec.profile.picture` field.
+
+`memberOf`::
+To change the default value: `memberOf`, enter the LDAP field to map to the {product-very-short} `spec.memberOf` field.
+
+`set`::
+To set a value, enter the hard coded JSON to apply to the entities after ingestion, such as `metadata.customField: 'hello'`.
+
+.. Optional: To change how {product-short} maps LDAP group fields to the software catalog, enter optional `groups.maps` fields.
++
+[source,yaml]
+----
+catalog:
+  providers:
+    ldapOrg:
+      default:
+        target: ldaps://ds.example.net
+        bind:
+          dn: cn=admin,ou=Users,dc=rhdh
+          secret: ${LDAP_SECRET}
+        users:
+          - dn: OU=Users,OU=RHDH Local,DC=rhdh,DC=test
+            options:
+              filter: (uid=*)
+        groups:
+          - dn: OU=Groups,OU=RHDH Local,DC=rhdh,DC=test
+            map:
+              rdn: uid
+              name: uid
+              description: {}
+              displayName: cn
+              email: mail
+              picture: {}
+              memberOf: memberOf
+              members: member
+              type: groupType
+            set:
+              metadata.customField: 'hello'
+        schedule:
+          frequency: PT1H
+          timeout: PT15M
+----
+
+`rdn`::
+To change the default value: `cn`, enter the relative distinguished name of each entry.
+
+`name`::
+To change the default value: `cn`, enter the LDAP field to map to the {product-very-short} `metadata.name` field.
+
+`description`::
+To set a value, enter the LDAP field to map to the {product-very-short} `metadata.description` field.
+
+`displayName`::
+To change the default value: `cn`, enter the LDAP field to map to the {product-very-short} `metadata.displayName` field.
+
+`email`::
+To change the default value: `mail`, enter the LDAP field to map to the {product-very-short} `spec.profile.email` field.
+
+`picture`::
+To set a value, enter the LDAP field to map to the {product-very-short} `spec.profile.picture` field.
+
+`memberOf`::
+To change the default value: `memberOf`, enter the LDAP field to map to the {product-very-short} `spec.memberOf` field.
+
+`members`::
+To change the default value: `member`, enter the LDAP field to map to the {product-very-short} `spec.children` field.
+
+`type`::
+To change the default value: `groupType`, enter the LDAP field to map to the {product-very-short} `spec.type` field.
+
+`set`::
+To set a value, enter the hard coded JSON to apply to the entities after ingestion, such as `metadata.customField: 'hello'`.
+
+.. Recommended: To use a secure LDAP connection (`ldaps://`), enter optional `tls` fields.
++
+.Optional `tls` fields
+[source,yaml]
+----
+catalog:
+  providers:
+    ldapOrg:
+      default:
+        target: ldaps://ds.example.net
+        bind:
+          dn: cn=admin,ou=Users,dc=rhdh
+          secret: ${LDAP_SECRET}
+        users:
+ldapOrg:
+  default:
+    tls:
+      rejectUnauthorized: true
+      keys: '/path/to/keys.pem'
+      certs: '/path/to/certs.pem'
+----
+
+`rejectUnauthorized`::
+Set to `false` to allow self-signed certificates
++
+WARNING: This option is not recommended for production.
+
+`keys`::
+Enter a file containing private keys in PEM format
+
+`certs`::
+Enter a file containing cert chains in PEM format
+
+.. Optional: Enter configuration for vendor-specific attributes to set custom attribute names for distinguished names (DN) and universally unique identifiers (UUID) in LDAP directories.
+Default values are defined per supported vendor and automatically detected.
++
+[source,yaml]
+----
+catalog:
+  providers:
+    ldapOrg:
+      default:
+        vendor:
+          dnAttributeName: customDN
+          uuidAttributeName: customUUID
+----
+
+`dnAttributeName`::
+Enter the attribute name that holds the distinguished name (DN) for an entry.
+
+`uuidAttributeName`::
+Enter the attribute name that holds a universal unique identifier (UUID) for an entry.
+
+.. Optional: Enter low level users and groups configuration in the `options` subsection.
++
+[source,yaml]
+----
+catalog:
+  providers:
+    ldapOrg:
+      default:
+        target: ldaps://ds.example.net
+        bind:
+          dn: cn=admin,ou=Users,dc=rhdh
+          secret: ${LDAP_SECRET}
+        users:
+          options:
+            scope: sub
+            filter: (uid*)
+            attributes:
+              - cn
+              - uid
+              - description
+            paged:
+            pageSize: 500
+        groups:
+          options:
+            scope: sub
+            filter: (uid*)
+            attributes:
+              - cn
+              - uid
+              - description
+            paged:
+            pageSize: 500
+----
+
+`scope`::
+To change the default value: `one`, enter how deep the search should go within the directory tree:
+* `base` to search only the base DN.
+* `one` to search one level below the base DN.
+* `sub` to search all descendant entries.
+
+`filter`::
+To change the default value: `(objectclass=*)`, enter your LDAP filter.
+With the default mapping:
+* For users, enter `(uid=*)` to make sure only users with valid uid field is synced, since users without uid will cause error and ingestion fails.
+* For groups, enter `(cn=*)`
++
+[TIP]
+====
+When you change the mapping, also update the filter.
+====
+
+.Verification
+* To verify user and group provisioning, check the console logs.
++
+.Successful synchronization example:
+[source,json]
+----
+
+----
