Configuring CloudForms 3.1 to do full tree searches in LDAP

Solution In Progress - Updated -

Environment

  • CloudForms 3.1

Issue

In an attempt to get CloudForms to communicate and perform group lookups, the configurable options for user lookup are not generic enough for our LDAP. I have tried multiple ways to configure it and only one way works, but it only finds one user due to how specific the configuration must be.

How do I configure CloudForms to be able to key on a user and search the whole tree/OU?

Resolution

To manually configure CloudForms 3.1 for external authentication against an LDAP server:

  • ssh into the CloudForms appliance to configure external authentication
Upload Apache config files
  • Download cfme_auth.tar.gz
  • Copy the files to a directory on the appliance
  • Copy httpd-auth to the /etc/pam.d/ directory
  • Copy cfme-remote-user.conf to /etc/httpd/conf.d/
  • Copy cfme-external-auth.conf.erb to /etc/httpd/conf.d/
  • Open /etc/httpd/conf.d/cfme-external-auth.conf with a text editor
  • Replace <%= realm %> with your LDAP realm (remove the <%= realm %> placeholder completely and put in your domain, e.g. redhat.com)
Enable SSSD/LDAP
  • Copy the script below to a file named sssd and run sh -x sssd (make sure to modify ldapserver= and ldapbasedn= for your environment)
    Script to run:
authconfig \
--enablesssd \
--enablesssdauth \
--enablelocauthorize \
--enableldap \
--enableldapauth \
--ldapserver=ldap://rhds:389 \
--disableldaptls \
--ldapbasedn="dc=redhat,dc=com" \
--enablerfc2307bis \
--enablemkhomedir \
--enablecachecreds \
--update
Create SSL Certificate for LDAP (required for sssd-ldap)

i.e. the redhatds-cert.pem used in the example below.

Update the Directory Server to point to the keystore
for the certificate. This is used for both SSL and Start TLS.

Enable OpenLdap client
  • Modify /etc/openldap/ldap.conf to reflect the settings below (modify URI and BASE to reflect your environment)

  SASL_NOCANON    on

  URI             ldaps://aab-ldap:10636
  BASE            dc=example,dc=com      <-- modify this to reflect your correct dc
  TLS_REQCERT     demand
  TLS_CACERTDIR   /etc/pki/tls/certs
  TLS_CACERT      /etc/pki/tls/certs/redhatds-cert.pem
Update sssd.conf
  • Edit the sections of sssd.conf for CloudForms as in the following example,
    customizing the main domain section for your particular LDAP installation.

  • Open a text editor of your choice and modify /etc/sssd/sssd.conf (go through the whole file and replace the example values with your company's settings, e.g. the search_base entries)

  [domain/example.com]
    debug_level = 5
    ipa_server = aab-ldap   # only needed for appliance console to show external auth configured
    autofs_provider = ldap
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_schema = rfc2307bis

    ldap_uri = ldap://aab-ldap:10389
    ldap_id_use_start_tls = True
    ldap_tls_cacertdir = /etc/pki/tls/certs
    ldap_tls_cacert = /etc/pki/tls/certs/apacheds-cert.pem
    enumerate = false

    ldap_pwd_policy = none

    ldap_search_base = dc=example,dc=com
    ldap_network_timeout = 3

    ldap_user_search_base = ou=people,dc=example,dc=com
    ldap_user_object_class = posixAccount
    ldap_user_name = uid
    ldap_user_uid_number = uidNumber
    ldap_user_extra_attrs = mail, givenname, sn, displayname

    ldap_group_object_class = groupOfNames
    ldap_group_search_base = ou=user_groups,dc=example,dc=com
    ldap_group_name = cn
    ldap_group_member = member

    cache_credentials = False
    entry_cache_timeout = 600

  [sssd]
    debug_level = 5
    services = nss, pam, autofs, ssh, ifp
    config_file_version = 2
    sbus_timeout = 30
    domains = example.com
    default_domain_suffix = example.com

  [nss]
    homedir_substring = /home

  [pam]
    debug_level = 5
    default_domain_suffix = example.com

  [sudo]

  [autofs]

  [ssh]
    debug_level = 5

  [pac]

  [ifp]
    debug_level = 5
    default_domain_suffix = example.com
    allowed_uids = apache, root
    user_attributes = +mail, +givenname, +sn, +displayname
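Before restarting sssd, it is worth checking that the user and group search bases in the domain section actually sit under ldap_search_base (otherwise lookups silently find nothing) and that the transport settings are consistent. The checker below is an added example written for this article, not SSSD or CloudForms code; it parses a constructed sssd.conf that mirrors the section above and assumes SSSD's base?scope?filter search-base syntax.

```python
"""Sanity-check the LDAP settings of an sssd.conf domain section (hypothetical helper)."""
import configparser
import re

# Constructed sample mirroring the article's [domain/example.com] and [ifp] sections.
SAMPLE_SSSD_CONF = """
[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://aab-ldap:10389
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/pki/tls/certs/apacheds-cert.pem
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=people,dc=example,dc=com
ldap_group_search_base = ou=user_groups,dc=example,dc=com
[ifp]
allowed_uids = apache, root
"""

def load_sssd_conf(text):
    cfg = configparser.ConfigParser(interpolation=None)  # sssd.conf is INI-style
    cfg.read_string(text)
    return cfg

def dn_components(dn):
    # Split a DN on unescaped commas into normalized RDNs (case and spacing ignored).
    return [c.strip().lower() for c in re.split(r"(?<!\\),", dn) if c.strip()]

def within_base(dn, base):
    """True when dn equals base or lies below it in the directory tree."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def search_base_dns(value):
    """DN part(s) of an SSSD search base: a bare DN or base?scope?filter[?base?scope?filter...]."""
    return [p.strip() for p in value.split("?")[0::3] if p.strip()]

def check_ldap_domain(cfg, domain):
    """Return a list of configuration problems for [domain/<domain>]; empty means OK."""
    sec, problems = cfg["domain/%s" % domain], []
    base = sec.get("ldap_search_base", "")
    for key in ("ldap_user_search_base", "ldap_group_search_base"):
        for dn in search_base_dns(sec.get(key, base)):
            if base and not within_base(dn, base):
                problems.append("%s '%s' lies outside ldap_search_base" % (key, dn))
    uri, start_tls = sec.get("ldap_uri", ""), sec.getboolean("ldap_id_use_start_tls", fallback=False)
    if uri.startswith("ldaps://") and start_tls:
        problems.append("ldap_id_use_start_tls has no effect on an ldaps:// URI")
    if uri.startswith("ldap://") and not start_tls:
        problems.append("ldap:// without ldap_id_use_start_tls sends credentials in the clear")
    if (start_tls or uri.startswith("ldaps://")) and not (sec.get("ldap_tls_cacert") or sec.get("ldap_tls_cacertdir")):
        problems.append("TLS enabled but no ldap_tls_cacert/ldap_tls_cacertdir to validate the server")
    if cfg.has_section("ifp") and "apache" not in [u.strip() for u in cfg["ifp"].get("allowed_uids", "").split(",")]:
        problems.append("[ifp] allowed_uids lacks apache, so httpd cannot fetch groups over D-Bus")
    return problems
```

Run it against the real /etc/sssd/sssd.conf by passing the file contents to load_sssd_conf; an empty result from check_ldap_domain means the search bases and TLS settings are consistent.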
For customizing sssd for any LDAP directory
SELinux Modifications
  • Ensure non-standard ports (other than 389/636) are allowed (skip if you are not using non-standard ports)
  • Run semanage port -a -t ldap_port_t -p tcp 10389
  • Run semanage port -a -t ldap_port_t -p tcp 10636
Allow httpd/pam/sssd
  • Run setsebool -P allow_httpd_mod_auth_pam on
  • Run setsebool -P httpd_dbus_sssd on
Test OpenLDAP
  • Run yum install openldap-clients if it is not already installed on the server

Test search: ldapsearch -x -H ldaps://aab-ldap:10636 -LLL -b "ou=people,dc=example,dc=com" -s sub "(objectclass=organizationalPerson)"

Restart services
  • Run service sssd restart
  • Run service httpd restart
CloudForms Web UI
  • Log in as admin
  • Navigate to Configure->Configuration->Authentication
  • Change the mode to External (httpd)
  • Select the check box under Role Settings to Get User Groups from External Authentication (httpd)
  • DO NOT check Enable Single Signon, since Kerberos was not configured against LDAP
  • Click Save
  • Go to Configure->Configuration->Access Control
  • Verify that the users' LDAP groups for CloudForms are created and the appropriate roles are assigned to those groups.

The above setup needs to be done on each UI appliance.

Attachments

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
