Configuring CloudForms 3.1 to do full tree searches in LDAP
Environment
- CloudForms 3.1
Issue
In an attempt to get CloudForms to communicate and perform group lookups, the configurable options for user lookup are not generic enough for our LDAP. I have tried multiple ways to configure it and only one way works, but it only finds one user due to how specific the configuration must be.
How do I configure CloudForms to be able to key on a user and search the whole tree/OU?
Resolution
To manually configure CloudForms 3.1 for external authentication against an LDAP server:
- ssh into the CloudForms appliance to configure external authentication
Upload Apache Config files
- Download cfme_auth.tar.gz
- Copy the files to a directory on the appliance
- Copy httpd-auth to the /etc/pam.d/ directory
- Copy cfme-remote-user.conf to /etc/httpd/conf.d/
- Copy cfme-external-auth.conf.erb to /etc/httpd/conf.d/
- Open /etc/httpd/conf.d/cfme-external-auth.conf with a text editor
- Replace <%= realm %> with your LDAP realm (remove the <%= realm %> placeholder completely and put your domain in its place, e.g. redhat.com)
Enable SSSD/LDAP
- Copy the script below to a file named sssd and run sh -x sssd (make sure to modify --ldapserver= and --ldapbasedn= first)
Script to run:
authconfig \
--enablesssd \
--enablesssdauth \
--enablelocauthorize \
--enableldap \
--enableldapauth \
--ldapserver=ldap://rhds:389 \
--disableldaptls \
--ldapbasedn="dc=redhat,dc=com" \
--enablerfc2307bis \
--enablemkhomedir \
--enablecachecreds \
--update
Create SSL Certificate for LDAP (required for sssd-ldap)
This is the redhatds-cert.pem used in the example below. Update the Directory Server to point to the keystore for the certificate. This is used for both SSL and Start TLS.
Enable OpenLDAP client
- Modify /etc/openldap/ldap.conf to reflect the settings below (modify URI and BASE to reflect your environment)
SASL_NOCANON on
URI ldaps://aab-ldap:10636
# Modify BASE to reflect your correct dc
BASE dc=example,dc=com
TLS_REQCERT demand
TLS_CACERTDIR /etc/pki/tls/certs
TLS_CACERT /etc/pki/tls/certs/redhatds-cert.pem
Update sssd.conf
- Edit the different sections in sssd.conf for CloudForms as in the following example, customizing the main domain section for your particular LDAP installation.
- Open a text editor of your choice and modify /etc/sssd/sssd.conf (make sure to go through the file and edit your company's settings, i.e. search_base, etc.)
[domain/example.com]
debug_level = 5
# ipa_server is only needed for the appliance console to show external auth configured
ipa_server = aab-ldap
autofs_provider = ldap
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://aab-ldap:10389
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/pki/tls/certs
ldap_tls_cacert = /etc/pki/tls/certs/apacheds-cert.pem
enumerate = false
ldap_pwd_policy = none
ldap_search_base = dc=example,dc=com
ldap_network_timeout = 3
ldap_user_search_base = ou=people,dc=example,dc=com
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_extra_attrs = mail, givenname, sn, displayname
ldap_group_object_class = groupOfNames
ldap_group_search_base = ou=user_groups,dc=example,dc=com
ldap_group_name = cn
ldap_group_member = member
cache_credentials = False
entry_cache_timeout = 600
[sssd]
debug_level = 5
services = nss, pam, autofs, ssh, ifp
config_file_version = 2
sbus_timeout = 30
domains = example.com
default_domain_suffix = example.com
[nss]
homedir_substring = /home
[pam]
debug_level = 5
default_domain_suffix = example.com
[sudo]
[autofs]
[ssh]
debug_level = 5
[pac]
[ifp]
debug_level = 5
default_domain_suffix = example.com
allowed_uids = apache, root
user_attributes = +mail, +givenname, +sn, +displayname
For customizing sssd for any LDAP directory
SELinux Modifications
- Ensure non-standard ports (other than 389/636) are allowed (skip if not using non-standard ports)
- Run semanage port -a -t ldap_port_t -p tcp 10389
- Run semanage port -a -t ldap_port_t -p tcp 10636
Allow httpd/pam/sssd
- Run setsebool -P allow_httpd_mod_auth_pam on
- Run setsebool -P httpd_dbus_sssd on
Test OpenLDAP
- Run yum install openldap-clients if it is not already installed on the server
- Test search: ldapsearch -x -H ldaps://aab-ldap:10636 -LLL -b "ou=people,dc=example,dc=com" -s sub "(objectclass=organizationalPerson)"
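The domain section of sssd.conf above decides which subtrees SSSD searches for users and for groups, and the ldapsearch test checks one base by hand with subtree scope (-s sub). The following script is an example added here, not part of the original solution or of the cfme_auth files: it reads ldap_uri, the user and group search bases and the object classes out of an sssd.conf and prints the matching subtree ldapsearch command for users and for groups, so the scope SSSD actually uses can be compared with what the directory returns. The function names (sssd_get, build_search, check_scope, write_sample_conf) are chosen here, and the embedded sssd.conf is a constructed sample, not a copy of any appliance's file.

```shell
#!/bin/sh
# Print the subtree ldapsearch commands that correspond to an sssd.conf
# domain, so the search scope SSSD uses can be verified against LDAP.

# sssd_get FILE SECTION KEY: value of KEY inside [SECTION] of an ini-style
# sssd.conf; comment lines are skipped, surrounding whitespace is trimmed.
sssd_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }                      # skip comment lines
        /^[[:space:]]*\[/   { s = $0; sub(/[[:space:]]+$/, "", s)
                              in_sec = (s == want); next }
        in_sec {
            split($0, kv, "=")
            k = kv[1]; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# build_search URI BASE FILTER: the ldapsearch invocation the solution uses for
# testing, always with subtree scope so the whole OU below BASE is covered.
build_search() {
    printf 'ldapsearch -x -H %s -LLL -b "%s" -s sub "%s"\n' "$1" "$2" "$3"
}

# check_scope FILE DOMAIN: emit one subtree search for users and one for
# groups from the [domain/DOMAIN] section; returns 1 if uri or a base is missing.
check_scope() {
    conf=$1; sec="domain/$2"
    uri=$(sssd_get "$conf" "$sec" ldap_uri)
    ubase=$(sssd_get "$conf" "$sec" ldap_user_search_base)
    gbase=$(sssd_get "$conf" "$sec" ldap_group_search_base)
    uclass=$(sssd_get "$conf" "$sec" ldap_user_object_class)
    gclass=$(sssd_get "$conf" "$sec" ldap_group_object_class)
    # Like SSSD, fall back to ldap_search_base when a specific base is not set,
    # and to SSSD's default object classes when those keys are absent.
    [ -n "$ubase" ] || ubase=$(sssd_get "$conf" "$sec" ldap_search_base)
    [ -n "$gbase" ] || gbase=$(sssd_get "$conf" "$sec" ldap_search_base)
    [ -n "$uri" ] && [ -n "$ubase" ] && [ -n "$gbase" ] || return 1
    build_search "$uri" "$ubase" "(objectClass=${uclass:-posixAccount})"
    build_search "$uri" "$gbase" "(objectClass=${gclass:-posixGroup})"
}

# write_sample_conf FILE: constructed sample sssd.conf for a stand-alone run
# (values mirror the solution's example, not a real appliance's file).
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = example.com
[domain/example.com]
id_provider = ldap
ldap_uri = ldap://aab-ldap:10389
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=people,dc=example,dc=com
ldap_user_object_class = posixAccount
ldap_group_search_base = ou=user_groups,dc=example,dc=com
ldap_group_object_class = groupOfNames
EOF
}

# Stand-alone use on an appliance: SSSD_CONF defaults to the real file and the
# first configured domain is checked. Pipe the output to sh to run the searches.
SSSD_CONF=${SSSD_CONF:-/etc/sssd/sssd.conf}
if [ -f "$SSSD_CONF" ]; then
    dom=$(sssd_get "$SSSD_CONF" sssd domains | cut -d, -f1 | tr -d ' ')
    check_scope "$SSSD_CONF" "$dom"
fi
```

If the user search prints only one entry while the group search lists members from elsewhere in the tree, the user base (not the scope) is what is cutting the lookup short; widening ldap_user_search_base in sssd.conf and restarting sssd is then the fix this solution describes.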
Restart services
- Run service sssd restart
- Run service httpd restart
CloudForms Web UI
- Log in as admin
- Navigate to Configure->Configuration->Authentication
- Change Mode to External (httpd)
- Under Role Settings, select the check box Get User Groups from External Authentication (httpd)
- DO NOT check Enable Single Signon, since we did not configure Kerberos against LDAP
- Click Save
- Go to Configure->Configuration->Access Control
- Verify that the user's LDAP groups for CloudForms are created and the appropriate roles are assigned to those groups.
The above setup needs to be done on each UI appliance.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
