|
| 1 | +[id="enabling-user-provisioning-with-ldap"] |
| 2 | += Enabling user provisioning with LDAP |
| 3 | + |
| 4 | +When your identity provider is LDAP, consider provision the users and groups from LDAP to the {product-short} software catalog, rather than using the provider usually bound to your authentication provider. |
| 5 | + |
| 6 | +.Prerequisites |
| 7 | +* You link:{configuring-book-url}[added a custom {product-short} application configuration], and have sufficient permissions to modify it. |
| 8 | + |
| 9 | +* You have collected the required LDAP credentials: |
| 10 | + |
| 11 | +LDAP URL:: |
| 12 | +Your LDAP server URL, such as `ldaps://ds.example.net`. |
| 13 | + |
| 14 | +Bind dn:: |
| 15 | +Your bind distinguished name, such as `cn=admin,OU=Users,DC=rhdh,DC=test` |
| 16 | + |
| 17 | +LDAP secret:: |
| 18 | +Your LDAP secret. |
| 19 | + |
| 20 | +* You have configured authentication with your external authentication provider. |
| 21 | + |
| 22 | +.Procedure |
| 23 | +. To add your LDAP credentials to {product-short}, add the following key/value pairs to link:{configuring-dynamic-plugins-book-url}#provisioning-your-custom-configuration[your {product-short} secrets]. |
| 24 | +You can use these secrets in the {product-short} configuration files by using their respective environment variable name. |
| 25 | + |
| 26 | +`LDAP_SECRET`:: |
| 27 | +Enter your LDAP secret. |
| 28 | + |
| 29 | +. Enable the LDAP organization provisioning plugin (`backstage-plugin-catalog-backend-module-ldap`). |
| 30 | +This plugin ingests LDAP users and groups to the {product-short} software catalog. |
| 31 | ++ |
| 32 | +.`dynamic-plugins.yaml` file fragment |
| 33 | +[source,yaml] |
| 34 | +---- |
| 35 | +plugins: |
| 36 | + - package: './dynamic-plugins/dist/backstage-plugin-catalog-backend-module-ldap' |
| 37 | + disabled: false |
| 38 | +---- |
| 39 | + |
| 40 | +. To provision GitHub users and groups to the {product-short} software catalog, add the `catalog.providers.ldapOrg` section to your custom {product-short} `{my-app-config-file}` configuration file: |
| 41 | + |
| 42 | +.. Optional: Consider removing any other |
| 43 | + |
| 44 | +.. Enter the mandatory fields: |
| 45 | ++ |
| 46 | +[id=ldapOrg] |
| 47 | +.`{my-app-config-file}` fragment with mandatory `catalog.providers.ldapOrg` fields |
| 48 | +[source,yaml] |
| 49 | +---- |
| 50 | +catalog: |
| 51 | + providers: |
| 52 | + ldapOrg: |
| 53 | + default: |
| 54 | + target: ldaps://ds.example.net |
| 55 | + bind: |
| 56 | + dn: cn=admin,ou=Users,dc=rhdh |
| 57 | + secret: ${LDAP_SECRET} |
| 58 | + users: |
| 59 | + - dn: OU=Users,OU=RHDH Local,DC=rhdh,DC=test |
| 60 | + options: |
| 61 | + filter: (uid=*) |
| 62 | + groups: |
| 63 | + - dn: OU=Groups,OU=RHDH Local,DC=rhdh,DC=test |
| 64 | + schedule: |
| 65 | + frequency: PT1H |
| 66 | + timeout: PT15M |
| 67 | +---- |
| 68 | + |
| 69 | +target:: |
| 70 | +Your LDAP server URL, such as `ldaps://ds.example.net`. |
| 71 | + |
| 72 | +bind:: |
| 73 | + |
| 74 | +dn::: |
| 75 | +Enter the distinguished name (DN) of your service account, such as `cn=admin,OU=Users,DC=rhdh,DC=test` |
| 76 | + |
| 77 | +secret::: |
| 78 | +Enter the name of the variable containing your LDAP secret: `${LDAP_SECRET}`. |
| 79 | + |
| 80 | +users:: |
| 81 | + |
| 82 | +dn::: |
| 83 | +Enter the DN containing the user information. |
| 84 | + |
| 85 | +options::: |
| 86 | + |
| 87 | +filter:::: |
| 88 | +Enter your filter, such as `(uid=*)` to provision to the {product-very-short} software catalog only users with a valid `uid`. |
| 89 | + |
| 90 | +groups:: |
| 91 | + |
| 92 | +dn::: |
| 93 | +Enter the DN containing the group information. |
| 94 | + |
| 95 | +`schedule.frequency`:: |
| 96 | +Enter your schedule frequency, in the cron, ISO duration, or "human duration" format. |
| 97 | + |
| 98 | +`schedule.timeout`:: |
| 99 | +Enter your schedule timeout, in the ISO duration or "human duration" format. |
| 100 | + |
| 101 | +`schedule.initialDelay`:: |
| 102 | +Enter your schedule initial delay, in the ISO duration or "human duration" format. |
| 103 | + |
| 104 | +.. Optional: Enter optional `users` fields: |
| 105 | + |
| 106 | +map:: |
| 107 | + |
| 108 | +rdn::: |
| 109 | +To change the default value: `uid`, enter the relative distinguished name of each entry. |
| 110 | + |
| 111 | +name::: |
| 112 | +To change the default value: `uid`, enter the LDAP field to map to the {product-very-short} `metadata.name` field. |
| 113 | + |
| 114 | +description::: |
| 115 | +To set a value, enter the LDAP field to map to the {product-very-short} `metadata.description` field. |
| 116 | + |
| 117 | +displayName::: |
| 118 | +To change the default value: `cn`, enter the LDAP field to map to the {product-very-short} `metadata.displayName` field. |
| 119 | + |
| 120 | +email::: |
| 121 | +To change the default value: `mail`, enter the LDAP field to map to the {product-very-short} `spec.profile.email` field. |
| 122 | + |
| 123 | +picture::: |
| 124 | +To set a value, enter the LDAP field to map to the {product-very-short} `spec.profile.picture` field. |
| 125 | + |
| 126 | +memberOf::: |
| 127 | +To change the default value: `memberOf`, enter the LDAP field to map to the {product-very-short} `spec.memberOf` field. |
| 128 | + |
| 129 | +set:: |
| 130 | +To set a value, enter the hard coded JSON to apply to the entities after ingestion, such as `metadata.customField: 'hello'`. |
| 131 | + |
| 132 | +.. Optional: Enter optional `groups` fields: |
| 133 | + |
| 134 | +map:: |
| 135 | + |
| 136 | +rdn::: |
| 137 | +To change the default value: `cn`, enter the relative distinguished name of each entry. |
| 138 | + |
| 139 | +name::: |
| 140 | +To change the default value: `cn`, enter the LDAP field to map to the {product-very-short} `metadata.name` field. |
| 141 | + |
| 142 | +description::: |
| 143 | +To set a value, enter the LDAP field to map to the {product-very-short} `metadata.description` field. |
| 144 | + |
| 145 | +displayName::: |
| 146 | +To change the default value: `cn`, enter the LDAP field to map to the {product-very-short} `metadata.displayName` field. |
| 147 | + |
| 148 | +email::: |
| 149 | +To change the default value: `mail`, enter the LDAP field to map to the {product-very-short} `spec.profile.email` field. |
| 150 | + |
| 151 | +picture::: |
| 152 | +To set a value, enter the LDAP field to map to the {product-very-short} `spec.profile.picture` field. |
| 153 | + |
| 154 | +memberOf::: |
| 155 | +To change the default value: `memberOf`, enter the LDAP field to map to the {product-very-short} `spec.memberOf` field. |
| 156 | + |
| 157 | +members::: |
| 158 | +To change the default value: `member`, enter the LDAP field to map to the {product-very-short} `spec.children` field. |
| 159 | + |
| 160 | +type::: |
| 161 | +To change the default value: `groupType`, enter the LDAP field to map to the {product-very-short} `spec.type` field. |
| 162 | + |
| 163 | +set:: |
| 164 | +To set a value, enter the hard coded JSON to apply to the entities after ingestion, such as `metadata.customField: 'hello'`. |
| 165 | + |
| 166 | +.. Optional: Enter optional `tls` fields. |
| 167 | +TLS options only apply when using the secure protocol: `ldaps://`. |
| 168 | ++ |
| 169 | +.Optional `tls` fields |
| 170 | +[source,yaml] |
| 171 | +---- |
| 172 | +ldapOrg: |
| 173 | + default: |
| 174 | + tls: |
| 175 | + rejectUnauthorized: true |
| 176 | + keys: '/path/to/keys.pem' |
| 177 | + certs: '/path/to/certs.pem' |
| 178 | +---- |
| 179 | + |
| 180 | +rejectUnauthorized:: |
| 181 | +Set to `false` to allow self-signed certificates |
| 182 | ++ |
| 183 | +WARNING: This option is not recommended for production. |
| 184 | + |
| 185 | +keys:: |
| 186 | +Enter a file containing private keys in PEM format |
| 187 | + |
| 188 | +certs:: |
| 189 | +Enter a file containing cert chains in PEM format |
| 190 | + |
| 191 | +.Verification |
| 192 | +* To verify user and group provisioning, check the console logs. |
| 193 | ++ |
| 194 | +.Successful synchronization example: |
| 195 | +[source,json] |
| 196 | +---- |
| 197 | +
|
| 198 | +---- |
0 commit comments