Pivotal Knowledge Base


How to Integrate LDAP and Group Mappings with the UAA Release

Environment

 Product: Pivotal Cloud Foundry UAA release
 Version: v24 or greater

Purpose

Integrating LDAP with UAA in a BOSH-only deployment can be cumbersome. This article provides a working example of the UAA deployment manifest properties needed for LDAP authentication and shows how to map external (LDAP) groups to UAA scopes.

Search-and-Bind and LDAP-Groups-Map-to-Scopes profiles:

In this example, any user who is a member of the LDAP group "CN=pcfgroup,OU=testou,DC=support,DC=pivotal" is granted the UAA scope cloud_controller.admin when they log in. The mapping is defined by the uaa.scim.external_groups property in the YAML below; each entry has the form scope|group DN, and you add one entry per mapping:

uaa:
  scim:
    external_groups:
      # scope|LDAP group DN, one entry per mapping
      - cloud_controller.admin|CN=pcfgroup,OU=testou,DC=support,DC=pivotal
  ldap:
    enabled: true
    mailAttributeName: mail
    mailSubstitute: ""
    mailSubstituteOverridesLdap: false
    referral: follow
    searchBase: 'dc=support,dc=pivotal'
    # {0} is replaced with the login name the user typed
    searchFilter: 'cn={0}'
    # ldap:// sends the bind credentials and search traffic in clear text; use ldaps:// in production
    url: 'ldap://10.110.123.116'
    # service account UAA binds as to search for users and groups
    userDN: 'cn=test,cn=Users,dc=support,dc=pivotal'
    # replace with the bind account's password
    userPassword: 'userDN-Password'
    groups:
      profile_type: groups-map-to-scopes
      # create the external group mapping automatically on first login
      autoAdd: true
      # use the group's DN as the name matched against external_groups
      groupRoleAttribute: 'spring.security.ldap.dn'
      # {0} is the user's DN; finds groups that list the user as a member
      groupSearchFilter: 'member={0}'
      # number of nested-group levels to follow
      maxSearchDepth: 10
      searchBase: 'dc=support,dc=pivotal'
      searchSubtree: true
    ldapdebug: Ldap configured through UAA
    profile_type: search-and-bind
    ssl:
      # disables server certificate validation; acceptable only in a lab, set to false in production
      skipverification: true

LDAP group mappings are auto-populated (autoAdd: true) when the user logs in for the first time. After that login, the mappings are stored in the "external_group_mapping" table within the UAA database. Group membership is re-evaluated at each login, so a change to the user's LDAP groups takes effect at their next login; tokens already issued keep the scopes they were granted until they expire.
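The following is an added illustration of what the two profiles in the manifest above do; it is not UAA or Spring LDAP code. It runs the search-and-bind user lookup and the groups-map-to-scopes resolution against a constructed in-memory directory (no LDAP server is contacted), so you can see how nested groups, maxSearchDepth and the scope|DN entries interact. The directory contents, the user names alice, bob and carol, the groups "nested" and "unmapped", the DN normalization and the filter escaping are all assumptions of this example; only the pcfgroup DN, the search filter shapes and the external_groups entry come from the article.

```python
"""Added example (not UAA or Spring LDAP code): the two profiles from the
manifest above, run against a constructed in-memory directory.

1. search-and-bind: build the user search filter from searchFilter and find
   the entry DN under searchBase (the bind with the user's password is the
   part left to the real server).
2. groups-map-to-scopes: walk member= links up to maxSearchDepth and map the
   resulting group DNs through uaa.scim.external_groups.
"""
from typing import Dict, List, Optional, Set

# Constructed sample directory (DN -> attributes); no LDAP server is contacted.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=alice,cn=Users,dc=support,dc=pivotal": {"cn": ["alice"]},
    "cn=bob,cn=Users,dc=support,dc=pivotal": {"cn": ["bob"]},
    "cn=carol,cn=Users,dc=support,dc=pivotal": {"cn": ["carol"]},
    # The group from the article: alice is a direct member, bob only via a nested group.
    "CN=pcfgroup,OU=testou,DC=support,DC=pivotal": {
        "member": ["cn=alice,cn=Users,dc=support,dc=pivotal",
                   "CN=nested,OU=testou,DC=support,DC=pivotal"]},
    "CN=nested,OU=testou,DC=support,DC=pivotal": {
        "member": ["cn=bob,cn=Users,dc=support,dc=pivotal"]},
    # A group that exists in LDAP but has no external_groups mapping.
    "CN=unmapped,OU=testou,DC=support,DC=pivotal": {
        "member": ["cn=carol,cn=Users,dc=support,dc=pivotal"]},
}

# The uaa.scim.external_groups entries from the manifest, "scope|group DN".
EXTERNAL_GROUPS = ["cloud_controller.admin|CN=pcfgroup,OU=testou,DC=support,DC=pivotal"]


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around commas so DNs written differently compare equal.
    Simplification: escaped commas inside attribute values are not handled."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter. Without this,
    a login name such as '*)(cn=*' would change the meaning of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_search_filter(template: str, username: str) -> str:
    """Substitute the escaped login name for {0} in searchFilter (e.g. 'cn={0}')."""
    return template.replace("{0}", escape_filter_value(username))


def find_user_dn(directory, search_base: str, template: str, username: str) -> Optional[str]:
    """Step 1 of search-and-bind. Only the 'attr={0}' template shape from the article
    is evaluated here. Missing or ambiguous results are treated as a failed login."""
    attr = template.split("=", 1)[0].strip().lower()
    base = normalize_dn(search_base)
    matches = [dn for dn, attrs in directory.items()
               if normalize_dn(dn).endswith(base) and username in attrs.get(attr, [])]
    return matches[0] if len(matches) == 1 else None


def resolve_groups(user_dn: str, directory, max_depth: int) -> Set[str]:
    """groupSearchFilter 'member={0}' with searchSubtree, followed for nested groups
    up to maxSearchDepth levels. Returns normalized group DNs."""
    groups: Set[str] = set()
    frontier = {normalize_dn(user_dn)}
    for _ in range(max_depth):
        found: Set[str] = set()
        for dn, attrs in directory.items():
            g = normalize_dn(dn)
            members = {normalize_dn(m) for m in attrs.get("member", [])}
            if g not in groups and frontier & members:
                found.add(g)
        if not found:
            break
        groups |= found
        frontier = found
    return groups


def parse_external_groups(entries: List[str]) -> Dict[str, Set[str]]:
    """'scope|DN' entries -> normalized DN -> set of scopes."""
    mapping: Dict[str, Set[str]] = {}
    for entry in entries:
        scope, dn = entry.split("|", 1)
        mapping.setdefault(normalize_dn(dn), set()).add(scope.strip())
    return mapping


def scopes_for_user(user_dn: str, directory, entries: List[str], max_depth: int) -> List[str]:
    """Scopes UAA would add to the user at login under groups-map-to-scopes."""
    mapping = parse_external_groups(entries)
    scopes: Set[str] = set()
    for g in resolve_groups(user_dn, directory, max_depth):
        scopes |= mapping.get(g, set())
    return sorted(scopes)


if __name__ == "__main__":
    print(build_search_filter("cn={0}", "*)(cn=*"))  # cn=\2a\29\28cn=\2a
    dn = find_user_dn(DIRECTORY, "dc=support,dc=pivotal", "cn={0}", "bob")
    print(dn, scopes_for_user(dn, DIRECTORY, EXTERNAL_GROUPS, 10))  # reached via nested group
    print(scopes_for_user(dn, DIRECTORY, EXTERNAL_GROUPS, 1))  # [] when depth stops at 1
```

Two things worth noticing when you run it: bob only receives cloud_controller.admin because maxSearchDepth is large enough to walk from "nested" up to pcfgroup, so lowering maxSearchDepth silently drops scopes for users in nested groups; and carol's membership in an LDAP group that has no external_groups entry yields no scope at all, which is the behaviour you want when LDAP contains many groups unrelated to Cloud Foundry.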
