Pivotal Knowledge Base


When using LDAP for Authentication, Invitations are not supported

Environment

PCF 1.3.x, 1.4.x & 1.5.x

Symptom

You have configured Pivotal Cloud Foundry® (PCF) to use your LDAP server as the source of authentication. LDAP authentication itself works, but users see odd behavior when they try to accept invitations.

This includes:

  • the user receives the invitation email but is unable to log in after clicking the link in the email
  • the user receives the invitation email but is prompted to sign up for a new account when clicking the link, despite already having an account

Cause

This is a known limitation of the invitation workflow. The invitation workflow currently assumes that a user's username is the user's email address. When the username is something else, which is typical for a system configured to use LDAP, users cannot accept invitations.

Resolution

The suggested workaround is to not use the invitation workflow. There are two parts to this: the first is to disable the invitation workflow, and the second is to on-board your users by another means. Both are discussed in detail below.

Disable Invitations

To disable the invitation, create-account and reset-password flows in App Manager, perform the following steps.

  1. Open the URL https://console.{system-domain} in your browser.
  2. Log in with the admin user credentials and navigate to the "system" org.
  3. Navigate to the "apps_manager" space and click on the "apps_manager" app.
  4. Click on the Environment Variables section.
  5. Locate the ENABLE_NON_ADMIN_USER_MANAGEMENT environment variable and set it to false.
  6. Restart the app for the environment variable change to take effect.
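The same change can be made from the cf CLI, which is convenient when the setting has to be applied to several foundations or re-checked after an upgrade. The script below is an added example, not part of the Pivotal article: it uses `cf target`, `cf set-env` and `cf restart` as the CLI equivalents of the App Manager steps above, and then parses the output of `cf env` (where user-provided variables are listed as `NAME: value`) to confirm the variable really is `false`. It assumes the cf CLI is installed and already logged in as a PCF admin; `CF_CMD` is a hypothetical hook so the commands can be replaced with `echo` for a dry run.

```shell
#!/bin/sh
# Added example (not from the Pivotal article): disable App Manager's
# invitation / create-account / reset-password flows from the cf CLI.
# Assumes the cf CLI is logged in as a PCF admin.
set -eu

CF_CMD="${CF_CMD:-cf}"        # hypothetical hook: CF_CMD=echo for a dry run
APP="apps_manager"
ORG="system"
SPACE="apps_manager"
VAR="ENABLE_NON_ADMIN_USER_MANAGEMENT"

# Returns 0 when the given `cf env` output lists VAR with the value false.
# `cf env` prints user-provided variables as "NAME: value", one per line.
env_var_is_false() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*${VAR}:[[:space:]]*false[[:space:]]*$"
}

# Steps 1-6 of the article as CLI calls.
disable_invitations() {
    "$CF_CMD" target -o "$ORG" -s "$SPACE"
    "$CF_CMD" set-env "$APP" "$VAR" false
    # the environment variable change only takes effect after a restart
    "$CF_CMD" restart "$APP"
}

# Post-change check: read the app's environment back and confirm the value.
verify_disabled() {
    if env_var_is_false "$("$CF_CMD" env "$APP")"; then
        echo "$VAR is false on $APP: invitation flows disabled"
    else
        echo "$VAR is not false on $APP: invitation flows still enabled" >&2
        return 1
    fi
}

# Only touch the foundation when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    disable_invitations
    verify_disabled
fi
```

Run it as `sh disable_invitations.sh --apply` after logging in with `cf login`; without `--apply` it only defines the functions, so it can be sourced and `verify_disabled` used on its own as a periodic check.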

On-boarding Users

Option #1

An administrator can manually add users to orgs with the `cf set-org-role` and `cf set-space-role` commands.

Here are the steps for this workflow.

  1. If the user has not done so already, instruct him or her to log on to the Developer Console or log on using the CLI. The first time a user logs into PCF using his or her LDAP credentials, a shadow record is created for that user in UAA. This needs to occur before proceeding to step #2.
  2. A user with administrator permissions for the entire PCF installation (not just the OrgManager role) will need to log on using the CLI.
  3. The administrator should run `cf set-org-role` and `cf set-space-role` to associate the user with a given org and assign an initial role. Any OrgManager for the assigned org can later update these permissions through App Manager.
  4. Instruct the user to log out and log in again (both for the Developer Console and the CLI). Upon logging in again, the user should have their new permissions.
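When more than a handful of LDAP users need on-boarding, steps 2 and 3 are easier to apply from a list than one command at a time. The script below is an added example, not code from the Pivotal article: it reads constructed `username,org,space,role` lines, validates the role against the org roles (`OrgManager`, `BillingManager`, `OrgAuditor`) and space roles (`SpaceManager`, `SpaceDeveloper`, `SpaceAuditor`) the cf CLI accepts, builds the matching `cf set-org-role` or `cf set-space-role` command, and reports any assignment that fails, which is what happens when step 1 was skipped and UAA has no shadow record for the user yet. It assumes the cf CLI is logged in as a PCF admin; `CF_CMD` is a hypothetical hook for dry runs and the sample CSV is constructed, not real accounts.

```shell
#!/bin/sh
# Added example (not from the Pivotal article): bulk version of Option #1.
# Assumes the cf CLI is logged in as a PCF admin and that each listed user
# has already logged in once (step 1) so UAA holds a shadow record for them.
set -eu

CF_CMD="${CF_CMD:-cf}"        # hypothetical hook: CF_CMD=echo for a dry run

# Constructed sample input: username,org,space,role (space empty for org roles).
SAMPLE_CSV='# constructed sample, not real accounts
jdoe,dev-org,,OrgManager
jdoe,dev-org,sandbox,SpaceDeveloper
asmith,dev-org,sandbox,SpaceAuditor'

# Map a role name to the cf command that assigns it; unknown roles fail.
role_command() {
    case "$1" in
        OrgManager|BillingManager|OrgAuditor)    echo set-org-role ;;
        SpaceManager|SpaceDeveloper|SpaceAuditor) echo set-space-role ;;
        *) return 1 ;;
    esac
}

# Print the cf arguments for one assignment. Returns 1 for an unknown role
# or for a space role with no space given.
assignment_command() {
    user="$1"; org="$2"; space="$3"; role="$4"
    cmd="$(role_command "$role")" || return 1
    case "$cmd" in
        set-org-role)   echo "$cmd $user $org $role" ;;
        set-space-role)
            [ -n "$space" ] || return 1
            echo "$cmd $user $org $space $role" ;;
    esac
}

# Apply every assignment read from stdin; comment and blank lines are
# skipped. Returns 1 if any line was malformed or any cf call failed.
onboard_from_csv() {
    failures=0
    while IFS=, read -r user org space role; do
        case "$user" in ''|'#'*) continue ;; esac
        if args="$(assignment_command "$user" "$org" "$space" "$role")"; then
            # word-splitting $args into separate cf arguments is intended
            if ! "$CF_CMD" $args; then
                echo "failed: $args (has $user logged in once so UAA knows them?)" >&2
                failures=$((failures + 1))
            fi
        else
            echo "skipped malformed line: $user,$org,$space,$role" >&2
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Usage: sh onboard.sh users.csv   (no argument: only define the functions)
if [ $# -gt 0 ]; then
    onboard_from_csv < "$1"
fi
```

A dry run with `CF_CMD=echo sh onboard.sh users.csv` prints the exact `cf` invocations without touching the foundation, which is a cheap way to review a list before an administrator applies it. After the script runs, the users still need to log out and back in (step 4) for the new roles to show up.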

Option #2

An administrator can bulk-import user accounts from LDAP into UAA. With this option the administrator can initialize and configure multiple user accounts without involving the end users.

The import tool and instructions on its usage can be found here:

https://github.com/pivotalservices/uaaldapimport

Additional Information

Future versions of PCF aim to improve this process; however, at this time there is no target for what those improvements will be or when they will be available.

Comments

  • Daniel Jones

    +1 for this to be addressed. Also, an endpoint in the UAA for "create this user in the UAADB if they existed in LDAP even though we weren't given their password to authenticate them" would be really handy for automation, and I expect it would be the same code path the App Manager could use.
