The first way is to use the UAA Bulk Import Tool. The Pivotal documentation referenced above covers that process well.
The second way is to have the user log in to Apps Manager with their LDAP credentials. That first login creates the user's record (origin ldap) in UAA, but the user has no access to any org or space in the deployment until someone assigns them rights. This gets someone into your deployment, but it is a poor user experience: a user wants to sign in and get to work, not sign in and then call someone to be given access.
In my experience, using the UAAC curl command to import an LDAP user is an easier alternative. Pivotal references the UAAC curl command in their documentation. Here is an example.
[user@linux_prompt]$ uaac curl -H "Content-Type: application/json" -k /Users -X POST -d '{"userName":"LDAP-USERNAME", "emails":[{"value":"EMAIL@domain.com"}], "origin":"ldap","externalId":"cn=LDAP-USERNAME,ou=Users,dc=domain,dc=com"}'
If you are referencing an Active Directory LDAP source, here is the mapping of variable to AD attribute.
"LDAP-USERNAME" = sAMAccountName
"EMAIL@domain.com" = mail
"cn=LDAP-USERNAME,ou=Users,dc=domain,dc=com" = DN
The origin field is ldap for LDAP users or the origin key of a SAML identity provider for SAML users. This post only covers ldap.
This JSON formatting is fine if you are typing the command by hand each time. It does NOT work once you try to use parameters and automate the process, because the single quotes around the JSON stop the shell from expanding variables such as $LDAP_USERNAME. Here is the formatting I found that works with parameters:
[user@linux_prompt]$ uaac curl -H "Content-Type: application/json" -k /Users -X POST -d "{ \"userName\":\"$LDAP_USERNAME\", \"emails\":[{\"value\":\"$EMAIL\"}], \"origin\":\"ldap\",\"externalId\":\"cn=$CN,$OU\" }"
The differences between the two are the following:
- Double quotes around the JSON instead of single quotes, so the shell expands the variables.
- \" escape sequences instead of bare double quotes inside the JSON, so the inner quotes do not end the shell string.
With the parameters in the command, you can now feed those values from a form to import an LDAP user. (One note: if there is a \ inside the CN (for example the DN component "Lastname\, Firstname"), you have to double it, because a lone backslash starts a JSON escape sequence and \, is not a valid one, so UAA rejects the request. The value must be entered as "Lastname\\, Firstname".)
With Jenkins, this task is easy to wrap up. Here is a summary of the steps to make it work:
- Make sure the UAAC client is installed on your Jenkins build node.
- Create a Freestyle project in Jenkins.
- Create a string parameter for each of the parameters in the curl command. Keep the UAA admin client secret out of the string parameters; use a password parameter or a stored credential so it is masked in the build log.
- Add a build step that executes a shell script.
- Inside the shell script, run these three commands:
  - Target the UAA server of your PCF deployment
  - Get a client token with the admin client
  - Run the UAAC curl command with your string parameters
- Save the job.
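Here is a complete version of that shell build step, covering the curl command, the parameter escaping note and the three-command Jenkins script above. It is an added example, not the post's own script. It assumes Jenkins string parameters named LDAP_USERNAME, EMAIL, CN and OU (Jenkins exports string parameters to the build shell as environment variables), a UAA_URL parameter and a masked UAA_ADMIN_SECRET, and uaac on the build node; the names are this example's own choice. It goes one step beyond the post: a json_escape helper doubles backslashes and escapes quotes before values go into the JSON, so a DN component such as Lastname\, Firstname can be entered exactly as it appears in the directory instead of as Lastname\\, Firstname.

```shell
#!/usr/bin/env bash
# Added example (not the original post's script): one Jenkins shell build step
# that imports an LDAP user into UAA with uaac curl.
# Assumed inputs (environment variables, this example's own names):
#   LDAP_USERNAME  sAMAccountName          EMAIL   mail attribute
#   CN             CN of the user's DN     OU      rest of the DN after the CN
#   UAA_URL        e.g. https://uaa.SYSTEM-DOMAIN
#   UAA_ADMIN_SECRET  secret of the UAA admin client (keep it masked in Jenkins)
set -euo pipefail

# Escape a value for use inside a JSON string literal: backslash and double quote.
# A DN escape such as 'Lastname\, Firstname' becomes 'Lastname\\, Firstname', which
# is what the post says must be typed by hand; here it is done automatically.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the SCIM /Users payload for an LDAP-origin user.
# $1 userName (sAMAccountName), $2 mail, $3 CN, $4 remainder of the DN after the CN.
build_user_json() {
    local user mail cn ou
    user=$(json_escape "$1")
    mail=$(json_escape "$2")
    cn=$(json_escape "$3")
    ou=$(json_escape "$4")
    printf '{"userName":"%s","emails":[{"value":"%s"}],"origin":"ldap","externalId":"cn=%s,%s"}' \
        "$user" "$mail" "$cn" "$ou"
}

# uaac curl prints the HTTP status line; the post says a successful import shows
# "201 Created". Return success only when that line is present in the output.
import_succeeded() {
    printf '%s' "$1" | grep -q '201 Created'
}

# The three steps from the post: target UAA, get an admin client token, POST the user.
# --skip-ssl-validation and -k disable TLS verification, as in the post; drop both
# once UAA presents a certificate the build node trusts.
import_ldap_user() {
    local payload response
    payload=$(build_user_json "$LDAP_USERNAME" "$EMAIL" "$CN" "$OU")
    uaac target "$UAA_URL" --skip-ssl-validation
    uaac token client get admin -s "$UAA_ADMIN_SECRET"
    response=$(uaac curl /Users -X POST -k -H "Content-Type: application/json" -d "$payload")
    printf '%s\n' "$response"
    import_succeeded "$response"
}

# Only perform the import when invoked as: import_ldap_user.sh import
# (sourcing or running the file without the argument just defines the functions).
case "${1:-}" in
    import) import_ldap_user ;;
esac
```

The Jenkins build step is then `bash import_ldap_user.sh import`. Because import_succeeded returns non-zero when the 201 Created line is missing, the job fails visibly on a rejected payload (for example a bad DN) instead of reporting success.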
Once you are done, build the job with parameters and enter your values. In the build output you should see a response of "201 Created", which confirms the user was imported. If a user with that userName already exists in the ldap origin, UAA answers 409 Conflict instead, so check the status line rather than assuming the job passed.
With the user now being successfully imported, the user can be assigned to orgs and spaces inside of your deployment. In a future blog entry, I will go over using this job with another job which will assign rights to orgs and spaces.
~RRRII