How to Configure LDAP SSO Support for a Customer-Managed Environment

Overview

This guide outlines configuring single sign-on support using a Lightweight Directory Access Protocol (LDAP) for a customer-managed installation.

📘

For assistance with configuring SSO support in the kinops hosted platform, see How to Configure LDAP SSO Support for a Hosted Environment.

Prerequisites

Before starting the configuration process, open your desired terminal emulator, access the command line interface (CLI), and run the command below that corresponds to your package manager. This is required to parse the JSON used during the installation process.

sudo yum install jq
sudo apt-get update
sudo apt-get install jq
sudo dnf install jq

Additionally, ensure you can access a code editor to create script files. The instructions in this document use the vim editor, but you can use any editor you like.

Workstation Setup

  1. From the workstation communicating with the Kubernetes cluster, follow these steps to create the necessary working directories and back up the current state of your SSO configuration.

    ⚠️

    IMPORTANT: The scripts used in this process write to to ~/[Home Directory] by default. To change the location, replace ~/ with the desired location (for example, /opt/) in each script.

  2. From your CLI, navigate to a path where you have permission to create and run the scripts necessary to configure SSO using LDAP.

  3. Run the following commands to create the script files:

    touch init_backup.sh
    chmod +x init_backup.sh
    vi init_backup.sh
    
  4. Open the init.sh script in your code editor and paste the following content into the file:

    #!/bin/bash 
    
    set -e
    
    # Create working directories 
    echo ""
    echo "Creating Working Directory to unpack SSO config template. Note: This directory will be cleaned up after the task runs..."
    echo ""
    echo "Working DIR 1 Location: ~/working-directory"
    mkdir -p ~/working-directory 
    echo ""
    echo "Working DIR 2 Location: ~/existing-customization-data"
    mkdir ~/existing-customization-data
    
    # Create backup of current Core 
    echo ""
    echo "Creating a backup of existing authentication configuration data..."
    kubectl get secret -n kinetic \
      core-customization-secrets \
      -o yaml \
      > ~/existing-customization-data/core-customization-secrets.backup
    echo "Backup Completed"
    
  5. Run the init.sh script using the following command:

    ./init_backup.sh
    
  6. Return to the working directory using the cd command.

    cd ~/working-directory
    

Retrieving the Helm Chart

Follow these steps to download the helm chart required for the configuration process:

kinetic-core-customizations-job            kinetic-platform-application
kinetic-core-customizations-job-5.0.0.tgz
  1. Navigate to your Installer Dashboard.

  2. From the Application tab, select View Files.

  3. Click Need to edit these files? Click here to learn how.

  4. Click Copy command under Step 1, then paste the command into your CLI and run it.

  5. Run the ls command to see the kinetic-platform directory

    ls
    

    You should receive the response below. If you do not, contact Kinetic Support.

    kinetic-platform-application
    
  6. Run the cd command to navigate to the core-customizations folder:

    cd ~/working-directory/kinetic-platform-application/upstream
    
  7. Run the ls command to find the "kinetic-core-customizations-job-5.0.0.tgz" .tar file.

    ls
    
  8. Copy the .tar file to your working directory.

    cp kinetic-core-customizations-job-5.0.0.tgz ~/working-directory
    
  9. Run the following commands to relocate to the working directory and untar the file:

    cd ~/working-directory && tar xvf kinetic-core-customizations-job-5.0.0.tgz
    
  10. Run the ls command to confirm the kinetic-core-customizations-job folder was created.

    ls
    

    You should receive the response below. If you do not, contact Kinetic Support.

    kinetic-core-customizations-job            kinetic-platform-application
    kinetic-core-customizations-job-5.0.0.tgz
    
  11. Run the following command to move the "core-customizations" folder to your working directory.

    cp -R ~/working-directory/kinetic-core-customizations-job/files/core-customizations ~/working-directory
    
  12. Run the ls command to confirm the kinetic-core-customizations-job folder was moved correctly.

    ls
    

    You should receive the response below. If you do not, contact Kinetic Support.

    core-customizations              kinetic-core-customizations-job-5.0.0.tgz
    kinetic-core-customizations-job  kinetic-platform-application
    
  13. Run the following command to remove the existing configuration files from the core customization folder:

    rm -rf ~/working-directory/core-customizations/files/secrets/*
    
  14. Run the following command to create the chart .yaml file:

    mv ~/working-directory/core-customizations/Secret.yaml ~/working-directory/core-customizations/Chart.yaml
    

Retrieve Existing Configuration Files from the Environment

  1. Run the command below to create get_files.sh. This script retrieves the existing configuration files from your environment.

    touch ~/existing-customization-data/get_files.sh
    chmod u+x ~/existing-customization-data/get_files.sh
    
    vi ~/existing-customization-data/get_files.sh
    
  2. Copy the following text into get_files.sh:

    #!/bin/bash 
    
    set -e 
    
    #Retrive secrets from backup file
    echo ""
    echo "Retreive secrets in the environment"
    echo ""
    
    
    kubectl get secret -n kinetic core-customization-secrets -o json > core-customization-secrets.json
    
    file='core-customization-secrets.json'
    cat "$file" | jq -r '.data | keys[]' | 
    while IFS= read -r value; do
        echo "$value"
        kubectl get secret -n kinetic \
            core-customization-secrets \
            -o jsonpath="{.data.${value//./\\.}}" \
            | base64 -d \
            > ~/working-directory/core-customizations/files/secrets/"$value"
    done
    
    
    kubectl get secret -n kinetic core-customization-secrets -o jsonpath="{.data.security\.servicecatalog-test\.properties}" | base64 -d > ~/working-directory/core-customizations/files/secrets/security.servicecatalog-test.properties
    kubectl get secret -n kinetic core-customization-secrets -o jsonpath="{.data.security\.servicecatalog-dev\.properties}" | base64 -d > ~/working-directory/core-customizations/files/secrets/security.servicecatalog-dev.properties
    kubectl get secret -n kinetic core-customization-secrets -o jsonpath="{.data.security\.properties}" | base64 -d > ~/working-directory/core-customizations/files/secrets/security.properties
    kubectl get secret -n kinetic core-customization-secrets -ojsonpath="{.data.keystore\.jks}" | base64 -d > ~/working-directory/core-customizations/files/secrets/keystore.jks
    
    # Check  and View the newly created files 
    echo ""
    echo "Check created files"
    ls ~/working-directory/core-customizations/files/secrets
    echo ""
    echo "Catting files to view files"
    for element in "${secrets[@]}"
    do
     echo ""
     file name: "$element"
     echo " "
     cat ~/working-directory/core-customizations/files/secrets/"$element" 
    done
    
    echo "File copy complete"
    echo "Your next steps are: "
    echo " "
    echo "1. Update security.properties as seen in the LDAP Configuration section of your guide."
    echo ""
    echo "2. Create secret.space-sug.properites for each Space slug you wish to integrate SAML in. Ensure you have the correct values set up. See setup-ldap.md for more information."
    
  3. Run the cd command to navigate to the "existing-customization-data" directory.

    cd ~/existing-customization-data
    
  4. Run the following command to execute the "get_existing_configuration_files.sh" script:

    ./get_existing_configuration_files.sh
    

Update the Configuration File to Enable LDAP Strategy

  1. Run the following command to navigate to the core customization configuration folder and view the files in the folder:

    cd ~/working-directory/core-customizations/files/secrets && ls
    
  2. Modify the security.properties file in the configuration folder to enable the LDAP strategy by uncommenting the specified properties.

    ℹ️

    Adding line one is what enables the LDAP strategy.

    security.strategy=com.kineticdata.core.web.security.strategies.ldap.LdapSecurityStrategy
    security.keystore.path=/keystore.jks
    security.keystore.password=*******
    security.keystore.defaultKey=defaultkey
    
  3. Create a Space-level configuration file for the Space where you want to enable the LDAP strategy. Replace the word "EXAMPLE" with the space slug of the space you want to configure in the below command:

    cp security.SPACESLUG.properties security.EXAMPLE.properties
    
  4. Open the security.space-slug.properties file to meet your organization's specifications by following the pattern in the example below.
    IMPORTANT: The following code is only an example of the security.space-slug.properties file and must be edited for your Space. If you need assistance configuring this file, contact Kinetic Support with your LDAP resource available for assistance.

    security.ldap.enabled=true
    security.autocreate=true
    security.autoupdate=true
    security.ldap.context.url=ldap://fake_ldap:389
    security.ldap.context.baseDN=DC=corp,DC=fake_ldap_dc,DC=io
    security.ldap.context.bindDN=CN=Admin,OU=Users,OU=CORP,DC=corp,DC=fake_ldap_dc,DC=io
    security.ldap.context.bindPswd=rdWJL-YaGY2pzRns-G2*
    security.ldap.user_search_base=
    security.ldap.user_search_filter=(sAMAccountName={0})
    #security.ldap.group_search_base=
    #security.ldap.group_search_subtree=true
    security.ldap.group_search_filter=(uniqueMember={0})
    # security.ldap_group_role_prefix=ROLE_ # defaults to blank.
    # security.ldap.group_role_attribute=ou # defaults to 'cn'
    ## These Attributes are used to map users looked up to the user table.
    security.ldap.attributes.email=mail
    security.ldap.attributes.displayName=displayName
    #security.ldap.mappings.userAttribute.0.name=LDAP Department
    #security.ldap.mappings.userAttribute.0.mapping=department
    #security.ldap.mappings.userAttribute.0.regexMatch=
    #security.ldap.mappings.userAttribute.0.regexReplace=
    #security.ldap.mappings.userAttribute.1.name=LDAP Country
    #security.ldap.mappings.userAttribute.1.mapping=co
    #security.ldap.mappings.userAttribute.1.regexMatch=
    #security.ldap.mappings.userAttribute.1.regexReplace=
    #security.ldap.mappings.userAttribute.2.name=LDAP Manager Name
    #security.ldap.mappings.userAttribute.2.mapping=manager
    #security.ldap.mappings.userAttribute.2.regexMatch=CN=(.*?),(CN|OU)=.*
    #security.ldap.mappings.userAttribute.2.regexReplace=$1
    #security.ldap.mappings.profileAttribute.0.name=LDAP Phone number
    #security.ldap.mappings.profileAttribute.0.mapping=ipPhone
    #security.ldap.mappings.profileAttribute.0.regexMatch=
    #security.ldap.mappings.profileAttribute.0.regexReplace=
    

Configure Core Customization Using configure.sh

  1. From your CLI, run the following command:

    touch ~/working-directory/configure.sh
    chmod u+x ~/working-directory/configure.sh
    vi ~/working-directory/configure.sh
    
  2. Run the following command to update the configure.sh file:

    #!/bin/bash 
    
    # Perform upgrade of core customizations 
    echo ""
    echo "Running the helm upgrade command..."
    echo ""
    helm upgrade core-customizations ~/working-directory/core-customizations -n kinetic 
    
    # Restart core deployment to apply new changes
    echo ""
    echo "Roll out Restart Core"
    kubectl rollout restart deployment core -n kinetic
    kubectl rollout status deployment core -n kinetic -w
    
  3. Run the following command:

    cd ~/working-directory/
    ./configure.sh
    

Test Your Configuration and Clean Up

  1. Open your Kinetic login page. You should be signed in automatically if your LDAP SSO connection was configured correctly.
  2. If the test is successful, run the following command to clean up the working directory you created:
    rm -rf ~/working-directory
    
  3. If the test is unsuccessful, contact Kinetic Support for assistance.