
Authentication

To authenticate OpCenter users, use locally-configured usernames and passwords or an LDAP directory.

Methods

OpCenter maintains its own database of usernames and passwords for authenticating logins. You can add users (and associated passwords) by using the float user add CLI command or by opening the web interface's Users and Groups screen. This is the "built-in" method.

You can also authenticate users by querying a Lightweight Directory Access Protocol (LDAP) server. This is the LDAP method.

Note

LDAP authentication requires an operational LDAP server. Usually, the LDAP directory provides authentication services for an entire organization (not just OpCenter users) and is maintained by the IT department. Setting up an LDAP directory and server is beyond the scope of this document. Consult your IT or LDAP server administrator for guidance.

Note

Authentication using the OpCenter server's local /etc/passwd file is deprecated.

Operation

You must associate every OpCenter user with an authentication method. A user can only have one authentication method: built-in or LDAP. Authentication methods cannot be arranged hierarchically.

The default authentication method is the "built-in" method, in which case you must configure a username and a password. You can also configure a uid, gid, and group for the user or you can let the OpCenter configure these for you.

To apply LDAP authentication to a user, the LDAP directory must already contain the username, password, and group for that user. On the OpCenter, you (as an admin user) must configure the credentials the OpCenter uses to reach the LDAP server (a bind DN and password, an anonymous bind, or an X.509 client certificate; see LDAP Bind Operations below). Then you need only configure a username and associate it with the LDAP method (the uid and gid are retrieved from the LDAP directory).

When a user logs in to the OpCenter, the OpCenter checks the authentication method associated with the username. If it is "built-in," the OpCenter authenticates the user against the OpCenter's own database. If it is LDAP, the OpCenter queries the LDAP server. The LDAP server returns an authentication succeeded or failed result.

Alternatively, you (as an admin user) can configure a group on the OpCenter and associate the entire group with LDAP authentication. If a user logs in with a username that is not configured on the OpCenter, the OpCenter queries the LDAP server to check whether the username is a member of any of the LDAP-associated groups configured on the OpCenter. If the user is a member of such a group and the LDAP server authenticates the supplied password, the OpCenter retrieves the username, uid, and gid and adds the user to its list of usernames. This means that anyone the directory places in such a group can log in to the OpCenter without an admin adding them individually, so choose the groups you associate accordingly.

LDAP Directory Information Tree

LDAP is a protocol used to query, manage, and authenticate against user information stored in an LDAP directory. Information in an LDAP directory is arranged hierarchically in a Directory Information Tree (DIT). The root is the base of the tree from which branches extend, subdivide, and terminate in leaves. Traditionally, the base is a country (for example, c=us), although it is now common to derive it from the organization's DNS domain name, written as domain components (for example, dc=example,dc=com). The figure shows an example of a DIT.

A user is located at a leaf and is uniquely identified by a Distinguished Name (DN). A DN is a series of comma-separated Relative Distinguished Names (RDNs) which, when read from right to left, trace the path from the root to the leaf identified by the DN. Each RDN has the form name=value; a comma, plus sign, or equals sign that is part of a value must be escaped with a backslash (for example, cn=Doe\, Person). To disambiguate entries, for example if two people in the same department have the same name, an RDN can carry multiple name=value pairs separated by a "+" sign (as in name_1=value_1+name_2=value_2, such as adding the person's email address to the common name). For example, the DN cn=Person Doe,ou=People,dc=example,dc=com consists of the following RDNs:

  • cn=Person Doe (common name)
  • ou=People (organizational unit)
  • dc=example (domain component)
  • dc=com (domain component)

Directory Information Tree Example
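The DN syntax above, worked through in code. This is an added example written for this page, not OpCenter or MemVerge code; it follows the RFC 4514 string form (comma-separated RDNs, "+" between the pairs of a multi-valued RDN, backslash escapes including two-digit hex pairs, decoded here for ASCII only) and all DNs in it are constructed. It splits a DN into RDNs, lists the root-to-leaf path the text describes, and checks that an entry's DN falls under a configured base DN by comparing RDNs rather than raw strings, so a DN written with different case or spacing is still recognized.

```python
"""Parse an LDAP Distinguished Name into its RDNs and check that an entry sits
under a configured base DN.

Added example for this page, not OpCenter or MemVerge code. Follows the RFC 4514
string form: RDNs separated by commas, '+' between the attribute=value pairs of
a multi-valued RDN, a backslash escaping ',', '+', '=', '\\' or a two-digit hex
pair (hex decoded for ASCII only). All DNs used here are constructed."""

import string
from typing import List, Tuple

RDN = List[Tuple[str, str]]  # one RDN: its (attribute, value) pairs


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split text on sep, skipping separators preceded by a backslash."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.extend(text[i:i + 2])  # keep the escape pair for _unescape
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value: str) -> str:
    """Resolve '\\x' to 'x' and '\\XX' (two hex digits) to that character."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Return the RDNs of dn in written order (leaf first, root last).

    Attribute names are lower-cased because they are case-insensitive; values
    are unescaped but otherwise left as written."""
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        rdn: RDN = []
        for ava in _split_unescaped(rdn_text, "+"):
            attr, sep, value = ava.partition("=")  # attribute names contain no '='
            if not sep or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            rdn.append((attr.strip().lower(), _unescape(value.strip())))
        rdns.append(rdn)
    return rdns


def path_from_root(dn: str) -> List[str]:
    """The DIT path read root first, i.e. the DN read from right to left."""
    return ["+".join(f"{a}={v}" for a, v in rdn) for rdn in reversed(parse_dn(dn))]


def _normalized(dn: str):
    # cn, ou and dc are caseIgnore attributes and the order of pairs inside a
    # multi-valued RDN is irrelevant, so normalize both before comparing.
    return [tuple(sorted((a, v.lower()) for a, v in rdn)) for rdn in parse_dn(dn)]


def is_under_base(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn or lies below it: the base's RDNs must match the
    tail of dn's RDNs one for one. A raw string suffix compare would miss
    'DC=Example, DC=com' written with different case or spacing."""
    entry, base = _normalized(dn), _normalized(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


if __name__ == "__main__":
    user = "cn=Person Doe+mail=pdoe@example.com,ou=People,dc=example,dc=com"
    print(path_from_root(user))
    print(is_under_base(user, "dc=example,dc=com"))
```

The is_under_base check is the one a practitioner wants when reviewing what a directory returns: any entry the OpCenter is told about should sit under the configured base DN, and comparing parsed RDNs avoids both false rejections (case, spacing) and sloppy substring matching.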

LDAP Bind Operations

LDAP bind operations are used to authenticate clients to the LDAP directory server. In the MMCloud architecture, there are two types of clients.

  • OpCenter
  • Users logging in to the OpCenter

You must choose one of the following ways to authenticate the OpCenter to the LDAP server.

  • Bind DN and password: the bind DN is the DN of a directory account that has at least read (search) permission on the users and groups the OpCenter must look up. The LDAP server authenticates the bind DN with the supplied password. Because the OpCenter stores this password in its configuration, use a dedicated read-only service account rather than a directory administrator account.
  • Anonymous binding: the bind DN and password are blank. Use this only if the LDAP server is configured to allow read-only queries from anonymous clients.
  • X.509 certificate and key: the OpCenter presents a client certificate instead of a password. You can create self-signed X.509 certificates and keys for the OpCenter and LDAP server with the openssl command-line tool, or obtain them from your LDAP server administrator; the LDAP server must be configured to trust the OpCenter's certificate. Protect the private key file as you would the bind password.

When a user tagged with the LDAP authentication method logs in to the OpCenter, the OpCenter binds to the LDAP directory as that user's DN with the supplied password. In a simple bind the password is sent in clear text, so always enable TLS (useTLS=true) between the OpCenter and the LDAP server; without it, anyone able to observe the traffic can capture user passwords and the bind DN's password.

Configuring the OpCenter for LDAP using the CLI

Note

You must obtain the LDAP server's IP address (or hostname) and port from the LDAP server administrator. The default port for LDAP over TLS (LDAPS) is 636; plain LDAP uses port 389. The examples on this page use TLS on port 636. Ensure that any interposed firewall allows the OpCenter to reach that port.

Complete the following steps.

  • Step 1: Choose an LDAP bind method.
    • Bind DN
    • Anonymous
    • X.509 certificate and key
  • Step 2: Choose one of the following configuration methods.
    • float config ldap followed by configuration flags
    • float config ldap --conf ldap_conf.yaml where ldap_conf.yaml is a file containing the LDAP configuration parameters
  • Step 3: Log in to the OpCenter as admin user.
  • Step 4: Reset the current LDAP configuration by entering the following.

    float config ldap --reset
    
  • Step 5: Based on your choices in Steps 1 and 2, configure the OpCenter for LDAP by selecting one of the following cases.

    • Case 1a: Bind DN and float config ldap with flags

      float config ldap
      --addr LDAP_IP:PORT          
      --adminGroup ADMIN_GROUP      
      --anonymous=false           
      --base BASE_DN           
      --bindDN BIND_DN        
      --bindPW BIND_PW        
      --groupOU GROUP_OU        
      --network "tcp"        
      --peopleOU PEOPLE_OU   
      --useTLS=true
      

      Replace (enclose all strings in quotes):

      • LDAP_IP:PORT: IP address of LDAP server and PORT used for LDAP connections
      • ADMIN_GROUP: the LDAP group that OpCenter admin users belong to
      • BASE_DN: the point in the DIT where all queries start
      • BIND_DN: DN of the directory account the OpCenter binds as
      • BIND_PW: password used to authenticate bind DN
      • GROUP_OU: the name of the organizational unit to which all groups belong
      • PEOPLE_OU: the name of the organizational unit to which all users belong

      Example (the bind password is passed on the command line here and is therefore recorded in the shell history; the configuration-file method in Case 1b avoids that, and the command output masks bindPW)

      $ float config ldap --addr 54.91.91.20:636 --adminGroup "admins" \
          --anonymous=false --base "dc=mmcus,dc=lab" --bindDN "cn=admin,dc=mmcus,dc=lab" \
          --bindPW "secret123" --groupOU "groups" \
          --network "tcp" --peopleOU "people" --useTLS=true
      Set ldap configuration successfully
      ---
      enable: true
      network: tcp
      addr: 54.91.91.20:636
      useTLS: true
      anonymous: false
      bindDN: cn=admin,dc=mmcus,dc=lab
      bindPW: '*******'
      base: dc=mmcus,dc=lab
      adminGroup: admins
      peopleOU: ou=people
      groupOU: ou=groups
      connTimeout: 10s
      
    • Case 1b: Bind DN and ldap configuration file

      float config ldap --conf ldap_conf.yaml
      

      where the contents of ldap_conf.yaml are as follows.

      network: tcp
      addr: LDAP_IP:PORT
      adminGroup: ADMIN_GROUP
      anonymous: false
      base: BASE_DN
      bindDN: BIND_DN
      bindPW: BIND_PW
      groupOU: GROUP_OU
      peopleOU: PEOPLE_OU
      useTLS: true
      

      Replace LDAP_IP:PORT, ADMIN_GROUP and so on, as described previously. The file holds BIND_PW in clear text, so restrict its permissions (for example, chmod 600 ldap_conf.yaml) and delete it once the configuration has been applied; float config get ldap shows the stored password masked.

      Example

      $ cat ldap_conf.yaml
      addr: 54.91.91.20:636
      adminGroup: admins
      anonymous: false
      base: dc=mmcus,dc=lab
      bindDN: cn=admin,dc=mmcus,dc=lab
      bindPW: secret123
      groupOU: groups
      network: tcp
      peopleOU: people
      useTLS: true
      
    • Case 2a: Anonymous and float config ldap with flags

      Use the same flags as for the bind DN case except for the following changes.

      • Use --anonymous=true
      • Remove --bindDN flag
      • Remove --bindPW flag
    • Case 2b: Anonymous and ldap configuration file

      Use the same configuration file as for the bind DN case except for the following changes.

      • Use anonymous: true
      • Delete bindDN entry
      • Delete bindPW entry
    • Case 3a: X.509 and float config ldap with flags

      float config ldap
      --addr LDAP_IP:PORT 
      --adminGroup ADMIN_GROUP
      --anonymous=false           
      --base BASE_DN 
      --bindDN BIND_DN
      --cert PATH_TO_CERT
      --groupOU GROUP_OU
      --key PATH_TO_KEY
      --network "tcp"        
      --peopleOU PEOPLE_OU   
      --useTLS=true
      

      Replace (enclose all strings in quotes):

      • LDAP_IP:PORT: IP address of LDAP server and PORT used for LDAP connections
      • ADMIN_GROUP: group that admin users belong to
      • BASE_DN: the point in the DIT where all queries start
      • BIND_DN: DN of the account the OpCenter binds as; it can be omitted when the certificate alone identifies the OpCenter, as in the example below
      • PATH_TO_CERT: path to file (ends in .crt) containing the OpCenter's X.509 client certificate
      • GROUP_OU: the name of the organizational unit to which all groups belong
      • PATH_TO_KEY: path to file (ends in .key) containing the private key for that certificate; keep this file readable only by the OpCenter admin
      • PEOPLE_OU: the name of the organizational unit to which all users belong

      Example

      $ float config ldap --addr ec2-52-39-200-111.us-west-2.compute.amazonaws.com:636 \
      > --base dc=memverge,dc=com --cert ./ldapclient.crt --key ./ldapclient.key  --useTLS
      Set ldap configuration successfully
      ---
      enable: true
      network: tcp
      addr: ec2-52-39-200-111.us-west-2.compute.amazonaws.com:636
      useTLS: true
      anonymous: false
      base: dc=memverge,dc=com
      adminGroup: ""
      peopleOU: ou=People
      groupOU: ou=Group
      connTimeout: 10s
      
    • Case 3b: X.509 and ldap configuration file combined with certificate-related command flags

      float config ldap --conf ldap_conf.yaml --cert PATH_TO_CERT --key PATH_TO_KEY
      

      where the contents of ldap_conf.yaml are as follows.

      network: tcp
      addr: LDAP_IP:PORT
      adminGroup: ADMIN_GROUP
      anonymous: false
      base: BASE_DN
      bindDN: BIND_DN
      groupOU: GROUP_OU
      peopleOU: PEOPLE_OU
      useTLS: true
      

      Replace LDAP_IP:PORT, ADMIN_GROUP and so on, as described previously.

  • Step 6: Confirm LDAP settings by entering the following.

    float config get ldap
    
  • Step 7 (Optional): Temporarily disable LDAP authentication by entering the following.

    float config ldap --enable=false
    

    Restore by using --enable=true.
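The configuration-file cases above (1b, 2b and 3b) hinge on a handful of consistency rules, and a mistake in the file usually surfaces only when the first LDAP login fails. The following pre-flight checker is an added example written for this page, not OpCenter or MemVerge code, and the OpCenter does not perform these checks for you. It assumes a flat key: value file as shown above, takes its key names from the float config get ldap output, and applies the rules this page states (an anonymous bind has no bindDN or bindPW; a bind DN needs a bindPW unless the file is applied with --cert and --key; passwords must only travel over TLS), plus a file-permission check because bindPW sits in the file in clear text. The sample configurations in the usage block and tests are constructed.

```python
"""Pre-flight checks for an OpCenter LDAP configuration file, to run before
'float config ldap --conf ldap_conf.yaml'.

Added example for this page, not OpCenter or MemVerge code. Assumes a flat
'key: value' file as shown on the page, key names as printed by
'float config get ldap', and the consistency rules the page states. The
sample configurations are constructed."""

import os
import re
from typing import Dict, List, Optional

# Keys as printed by 'float config get ldap' on this page.
KNOWN_KEYS = {"enable", "network", "addr", "useTLS", "anonymous", "bindDN",
              "bindPW", "base", "adminGroup", "peopleOU", "groupOU", "connTimeout"}
REQUIRED_KEYS = ("addr", "base", "peopleOU", "groupOU")


def _truthy(conf: Dict[str, str], key: str, default: str = "false") -> bool:
    return conf.get(key, default).lower() == "true"


def check_ldap_conf(text: str, cert_based: bool = False,
                    mode: Optional[int] = None) -> List[str]:
    """Return the problems found in the file text; an empty list means it passes.

    cert_based: the file will be applied together with --cert/--key (Case 3b).
    mode: the file's permission bits, if known (see check_ldap_conf_file)."""
    problems: List[str] = []
    conf: Dict[str, str] = {}

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "---":
            continue
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep or not key:
            problems.append(f"line {lineno}: expected 'key: value'")
            continue
        if key in conf:              # a second 'network:' line would silently win
            problems.append(f"line {lineno}: duplicate key '{key}'")
        elif key not in KNOWN_KEYS:  # e.g. 'baseDN' where the CLI prints 'base'
            problems.append(f"line {lineno}: unknown key '{key}'")
        conf[key] = value.strip().strip("'\"")

    for key in REQUIRED_KEYS:
        if key not in conf:
            problems.append(f"missing required key '{key}'")

    addr = conf.get("addr", "")
    match = re.fullmatch(r"(\S+):(\d{1,5})", addr)
    port = int(match.group(2)) if match else None
    if addr and (port is None or not 0 < port < 65536):
        problems.append(f"addr '{addr}' is not HOST:PORT")

    anonymous = _truthy(conf, "anonymous")
    use_tls = _truthy(conf, "useTLS")
    has_dn, has_pw = "bindDN" in conf, "bindPW" in conf

    if anonymous and (has_dn or has_pw):
        problems.append("anonymous: true but bindDN/bindPW are present; delete them")
    if not anonymous and not has_dn:
        problems.append("anonymous: false requires bindDN")
    if not anonymous and has_dn and not has_pw and not cert_based:
        problems.append("bindDN without bindPW; add bindPW or apply with --cert/--key")
    if cert_based and has_pw:
        problems.append("client-certificate bind does not use bindPW; remove it")

    if not use_tls:
        msg = "useTLS: false; bind and user passwords would cross the network in clear text"
        if port == 636:
            msg += " (and 636 is the LDAPS port)"
        problems.append(msg)
    if mode is not None and has_pw and mode & 0o077:
        problems.append(f"mode {mode:04o} lets group/other read bindPW; chmod 600 the file")
    return problems


def check_ldap_conf_file(path: str, cert_based: bool = False) -> List[str]:
    """Check a file on disk, including its permission bits."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return check_ldap_conf(text, cert_based, os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    import sys
    for problem in check_ldap_conf_file(sys.argv[1], cert_based="--cert" in sys.argv):
        print("FAIL:", problem)
```

Save the script under any name and run it with the path to ldap_conf.yaml (add --cert when the file will be applied with --cert and --key) before Step 5; an empty result means the file passes these checks. They do not replace confirming the applied settings with float config get ldap in Step 6.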

Configuring the OpCenter for LDAP using the web interface

Note

You must obtain the LDAP server's IP address (or hostname) and port from the LDAP server administrator. The default port for LDAP over TLS (LDAPS) is 636; plain LDAP uses port 389. The examples on this page use TLS on port 636. Ensure that any interposed firewall allows the OpCenter to reach that port.

Complete the following steps.

  • Step 1: Choose an LDAP bind method.
    • Bind DN
    • Anonymous
    • X.509 certificate and key
  • Step 2: Log in as admin user.
  • Step 3: From the left-hand panel, click System Settings.
  • Step 4: On the System Settings screen, click LDAP.
  • Step 5: On the LDAP screen, complete the following steps.
    • Check the Enable LDAP box.
    • Under Server Information, enter the IP address of the LDAP server and the port used for LDAP connections.
    • Under Communication Protocol, click TCP and check the box to enable TLS.
    • Under Authentication, click Credentials, Anonymous or Certificate based on the choice you made in Step 1. Fill in the required information (see the section on configuring LDAP using the CLI for descriptions of these fields).
    • Under Connection Settings, fill in the Base DN, Group OU, and People OU (see the section on configuring LDAP using the CLI for descriptions of these fields).
  • Step 6: On the bottom right-hand corner, click Save.

Associating LDAP with Users and Groups

To associate a username with LDAP using the CLI, you must enter the following.

$ float user add USERNAME --ldap    <---replace USERNAME, for example, user-one
username: user-one
uid: 2008
gid: 2001
role: normal
group: ""
email: ""
type: ldap
enabled: true
ownGroup: ""

If the username does not appear in the LDAP directory, you get an error. For example,

$ float user add user-two --ldap
Error: Resource not found, cannot find user 'user-two' (code: 1002)

To add an LDAP user with the web interface, you must complete the following steps.

  • Log in as an admin user.
  • Go to the Users and Groups screen.
  • Select the Users tab.
  • On the top, right-hand side, click Add User.
  • In the pop-up screen, click LDAP.
  • Fill in the Username field.
  • Click Add.

To associate a group with LDAP using the CLI, you must enter the following.

float group add GROUP_NAME --ldap

Replace GROUP_NAME with the name of the group configured in the LDAP directory.

For example,

$ float user info user-five
Error: Resource not found, cannot find user 'user-five' (code: 1002) <---user-five not configured on OpCenter
$ float group add group-five --ldap
name: group-five
gid: 2010
admins: ""
users: ""
type: ldap
$ float login -u user-five -p ***    <---user-five authenticated because a member of group-five in LDAP directory
Login Succeeded!
$ float user ls
+-----------+------+------+--------+------------+-------+------+---------+---------+
| USERNAME  | UID  | GID  |  ROLE  |   GROUP    | EMAIL | TYPE | ENABLED | MANAGES |
+-----------+------+------+--------+------------+-------+------+---------+---------+
| user-five | 2012 | 2010 | normal | group-five |       | ldap | true    |         |
+-----------+------+------+--------+------------+-------+------+---------+---------+

To add an LDAP group with the web interface, you must complete the following steps.

  • Log in as an admin user.
  • Go to the Users and Groups screen.
  • Select the Groups tab.
  • On the top, right-hand side, click Add Group.
  • In the pop-up screen, click LDAP.
  • Fill in the Group Name field.
  • Click Add.