What's on this page

Manage Users and Groups

The following guide details how to configure users in the default OpenLDAP installed as part of Stratoss™ Lifecycle Manager (LM).

Stratoss LM provides no built-in mechanism for managing users. There are many available LDAP clients which can be used for such purposes which makes the management much easier and a lot more visual.

If your environment is connecting to an LDAP managed outside of Stratoss LM, then the system administrator is expected to already understand the connection and user model in use.

Pre-requisites

To complete this guide you will need:

Connecting to OpenLDAP

Identify NodePort

As part of the helm-foundation install, OpenLDAP should have been installed and should be exposed externally via a NodePort. This NodePort is randomly assigned so it will need to be discovered from the installation environment. The following command should reveal this:

kubectl get service foundation-openldap | awk '{print $5}' | grep TCP | cut -d ':' -f 2 | cut -d'/'  -f 1

Connect with LDAP client

Having established the port, it should be possible to connect to the environment using the IP address or hostname and this port with your chosen LDAP Client.

Assuming the default installation values were used, the connection details will be as follows:

Username Password
URL ldap://<kubernetes-host>:<port>
Base dc=lm,dc=com
Username cn=admin,dc=lm,dc=com
Password lmadmin

Add a user

Create a new entry for a user in OpenLDAP with the extendedPerson class, already added as part of the Stratoss LM installation. The entry should have the following properties set:

dn: uid=<username>,ou=people,dc=<domain>
objectClass: extendedPerson
objectClass: uidObject
cn: <username>
sn: <username>
uid: <username>
userPassword: <Bcrypt encoded password>

dn is the directory path in OpenLDAP this user should be created in. Replace <username> with a username of your choice and replace the <domain> with the domain set at installation (the default is: lm.com which results in dc=lm,dc=com)

The password must be provided as an BCrpyt encoded value. The BCrypt hashing library used in Stratoss LM currently only supports hashed passwords with the $2a prefix. It should be ensured that any LDAP passwords generated make use of a BCrypt hashing algorithm which only generates password hashes with the $2a prefix, otherwise login attempts will fail. An example tool that may be used to convert plain-text passwords to BCrypt is the bcrypt-cli.

Below is an example for adding a new user named TestUser and password of secret:

dn: uid=TestUser,ou=people,dc=lm,dc=com
objectClass: extendedPerson
objectClass: uidObject
cn: TestUser
sn: TestUser
uid: TestUser
userPassword: $2a$12$hAxDAyjuxbSgFP9b6Fi8VetFnCxlQGO2vlvEdVHNyQeEOpqZQtyWW

Add a group

Create a new entry for a group in OpenLDAP with the existing groupOfNames. The entry should have the following properties set:

dn: cn=<group-name>,ou=groups,dc=<domain>
objectclass: groupOfNames
cn: <group-name>

dn is the directory path in OpenLDAP this group should be created in. Replace <group-name> with a name of your choice (this will be needed when managing roles). Replace the <domain> with the domain set at installation (the default is: lm.com which results in dc=lm,dc=com)

Below is an example for adding a new group named TestGroup:

dn: cn=TestGroup,ou=groups,dc=lm,dc=com
objectclass: groupOfNames
cn: TestGroup

Add user to group

In order to assign a user with roles, the user must be made a member of an appropriate LDAP group. If the LDAP group doesn’t already exist, then it should be created. If it does exist, the user should be added as a group member to grant them the role.

The member list of a group should contain the users who are part of it. To add a member to a group, add the full identifier of the user entry to the member list:

dn: cn=<group-name>,ou=groups,dc=<domain>
objectclass: groupOfNames
cn: <group-name>
member: <member1-id>
member: <member2-id>
...

Below is an example a group named TestGroup with 2 members; TestUserA and TestUserB:

dn: cn=TestGroup,ou=groups,dc=lm,dc=com
objectclass: groupOfNames
cn: TestGroup
member: uid=TestUserA,ou=people,dc=lm,dc=com
member: uid=TestUserB,ou=people,dc=lm,dc=com

Note: a user can be a member of multiple groups

Revoke user access

An existing user may be suspended in order to disable their access. Do this by adding the isSuspended field to a user’s entry in OpenLDAP:

dn: uid=TestUser,ou=people,dc=lm,dc=com
objectClass: extendedPerson
objectClass: uidObject
cn: TestUser
sn: TestUser
uid: TestUser
userPassword: $2a$12$hAxDAyjuxbSgFP9b6Fi8VetFnCxlQGO2vlvEdVHNyQeEOpqZQtyWW
isSuspended: true

This avoids having to make permanent changes to the LDAP configuration (e.g. removing them from group membership). To restore access for this user, simply remove the isSuspended field or set the corresponding value to false.

Note: a logged in user with suspended access will be able to perform operations until any existing access token expires. If using the default expiry time, this could be up to 15 minutes.

Plain text passwords

It is possible to use Stratoss LM with an LDAP database that stores passwords in plain text, by changing the following application property in the ishtar Secret in Vault (see Administration - Configuration):

alm.ishtar.security.ldap.passwordEncoding: PLAIN