Integrate LDAP User Management with Oracle Linux Automation Manager

Send lab feedback

Integrate LDAP User Management with Oracle Linux Automation Manager


Oracle Linux Automation Manager allows administrators to integrate LDAP for user management alongside the existing internal RBAC (role-based access control) source. Once configured, users logging in with an LDAP account automatically generate an Oracle Linux Automation Manager account that assigns to an organization as a standard user or administrator.

By the end of this tutorial, you'll have a configured Oracle Linux Automation Manager that allows users to log in using their LDAP credentials.


In this lab, you'll learn how to:

  • Create and configure accounts and groups in LDAP
    • bind account
    • user account
    • superuser group
    • system_auditor group
  • Configure Oracle Linux Automation Manager to use LDAP
  • Verify LDAP access
  • Enable LDAPS


  • A system with Oracle Linux Automation Manager installed.
  • An available LDAP server.

The free lab environment uses the open-source FreeIPA identity management server.

Create the LDAP Accounts in FreeIPA

Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.

Information: The free lab environment deploys a running single-host Oracle Linux Automation Manager and a FreeIPA server. The deployment takes approximately 25-30 minutes to finish after launch. Therefore, you might want to step away while this runs and promptly return to complete the lab.

Verify the IPA Server Exists

  1. Open a terminal and connect via ssh to the ipa-server instance if not already connected.

    ssh oracle@<hostname or ip address>
  2. Verify the IPA service is running.

    sudo systemctl status ipa.service

    The ipa.service calls the command ipactl, which starts/stops all the individual components at once.

  3. Check the status using the IPA server control interface.

    The ipactl command requires setting the system encoding to UTF-8 to display its output.

    export LC_ALL="C.UTF-8"
    sudo ipactl status

    All the components listed must be running for the IPA server to work correctly.

Create a Bind Account

The bind account is a system account that allows read-only access to the entire LDAP structure. Using a bind account rather than a regular user account prevents access into any other systems, and it doesn't own any files. Further, the bind account has no special rights and cannot write any data in the IPA LDAP server.

  1. Create an update file.

    Per the ipa-ldap-updater manual page, the update file describes an LDAP entry to add or modify and a set of operations to perform on that entry.

    tee olam-binddn.update << EOF 
    dn: uid=olam-bind,cn=sysaccounts,cn=etc,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com

    Select a strong and secure password for the bind user account and a reasonable uid. The password and uid above are for demonstration purposes only within this free lab environment.

  2. Import the update file into the IPA server.

    sudo ipa-ldap-updater olam-binddn.update
  3. Verify the new bind account exists.

    ldapsearch -D 'cn=Directory Manager' -x uid=olam-bind -W 

    Enter the password for the Directory Manager account when prompted. The password is DMPassword1 in the free lab environment.

    Example Output:

    [oracle@ipa-server ~]$ ldapsearch -D 'cn=Directory Manager' -x uid=olam-bind -W
    Enter LDAP Password: 
    # extended LDIF
    # LDAPv3
    # base <dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com> (default) with scope subtree
    # filter: uid=olam-bind
    # requesting: ALL
    # olam-bind, sysaccounts, etc,
    dn: uid=olam-bind,cn=sysaccounts,cn=etc,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=co
    objectClass: account
    objectClass: simplesecurityobject
    objectClass: top
    uid: olam-bind
    userPassword:: e1BCS0RGMl9TSEEyNTZ9QUFBSUFPTjJrZ295RVBRcmFtWkFydE5kRllNOVlkcmp
    # search result
    search: 2
    result: 0 Success
    # numResponses: 2
    # numEntries: 1

Create a User

Oracle Linux Automation Manager creates a default admin user during installation. We'll create an LDAP user which we'll assign the same privileges.

  1. Manually authenticate to the IPA server by obtaining a Kerberos ticket.

    kinit admin

    Enter the password for the IPA server's pre-defined admin account. The password is ADMPassword1 in the free lab environment.

  2. Create a user in the IPA server.

    ipa user-add olam_admin --first=OLAM --last=Administrator --password

    Pass the user login, the user's first name and last name to the ipa user-add command. When saving these details to the directory, IPA automatically converts the entire user login to lowercase, making mixed-case usernames impossible.

    Enter a password at the prompt for the olam_admin account.

  3. Verify the user exists by listing all the IPA server accounts.

    ipa user-find

    The results should show the default IPA server admin account and the newly created olam_admin.

Create a Group

Oracle Linux Automation Manager has three user types, of which two translate to LDAP groups we need to create. These groups are for the System Administrator and System Auditor types.

  1. Create the administrator group.

    ipa group-add olam_administrators
  2. Create the auditor group.

    ipa group-add olam_auditors
  3. Add the new user to the administrator group.

    ipa group-add-member olam_administrators --users=olam_admin

That completes the minimally required steps on the IPA server, and we can close the open session to the IPA server by typing exit.

Now, let's jump over to the Oracle Linux Automation Manager server.

(Optional) Install the LDAP Client Tools

Oracle Linux Automation Manager does not install the suite of OpenLDAP applications and development tools by default. Administrators can use these tools to access and modify LDAP directories from the terminal to help test their configuration.

  1. Connect via ssh to the ol-node instance using the existing terminal.

    ssh oracle@<hostname or ip address>
  2. Install the OpenLDAP tools package.

    sudo dnf -y install openldap-clients
  3. Connect and search the LDAP server.

    ldapsearch -D uid=olam_admin,cn=users,cn=accounts,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com -W -H ldap://
    • -D: is the Distinguished Name (DN) to bind to the LDAP directory.
    • -W: prompts for simple authentication.
    • -H: specifies the LDAP server's URI consisting of the protocol, host, and port only.

    Enter the password for the olam_admin user at the prompt.

    The output returns the results of the search if the connection is successful.

  4. Close the terminal session.


Update the Authentication Settings

A user with the System Administrator privilege uses the Settings page of the Oracle Linux Automation Manager WebUI to add alternative Authentication settings such as LDAP.

Log in to the WebUI

  1. Open a terminal and configure an SSH tunnel to the deployed Oracle Linux Automation Manager instance.

    ssh -L 8444:localhost:443 oracle@<hostname or ip address>

    In the free lab environment, use the IP address of the ol-node VM as it runs the Oracle Linux Automation Manager deployment.

  2. Open a web browser and enter the URL.


    Note: Approve the security warning based on the browser used. For Chrome, click the Advanced button and then the Proceed to localhost (unsafe) link.

  3. Log in to Oracle Linux Automation Manager with the Username admin and the Password admin created during the free lab environnment automated deployment.


  4. After logging in, the WebUI displays.


Open the LDAP Settings

  1. Along the left-hand side of the WebUI, there is a navigation menu allowing quick access to Projects, Inventories, Templates, and Jobs.


  2. At the bottom of the navigation menu is the Settings menu item.


  3. Select this item to navigate to the Settings page.


    The Settings page gives access to alternative Authentication settings we'll use to configure access to the IPA Server.

  4. Click the LDAP settings link under the Authentication section.

    Clicking this link displays the Default LDAP server configuration page. Beyond the default LDAP server, Oracle Linux Automation Manager allows configuring five additional LDAP sources.


Edit the Default LDAP Setting

  1. Scroll to the bottom of the Default Details page and click the Edit button.


    The page refreshes and now allows editing of the different fields. We recommend using Ctrl+V when copying your entries into the different fields in the free lab environment.

  2. Enter the LDAP server address in the LDAP Server URI field.

  3. Enter the password for the bind user in the LDAP Bind Password field.

    The password is olamPassword123 in the free lab environment.


    Oracle Linux Automation Manager encrypts the password field after saving the configuration changes. The LDAP Bind Password field will be editable but will no longer show the password initially entered.

  4. Click and select the group type from the LDAP Group Type drop-down list of values.

    In the free lab environment, the LDAP Group Type defaults to MemberDNGroupType, which we'll use with our LDAP server.

    The LDAP Group Types that Oracle Linux Automation Manager supports uses the django-auth-ldap-library .

    Each LDAP Group Type may take different parameters, so look at the classes init django_auth_ldap upstream documentation to determine the expected parameters.

  5. Enter the Distinguished Name (DN) in the LDAP Bind DN field for the LDAP user that Oracle Linux Automation Manager uses to connect (Bind) to the LDAP server.

    This user is the olam-bind account created earlier.

  6. Enter the key that stores the user's name in the LDAP User DN Template field.

  7. Enter the group distinguish name in the LDAP Require Group field to allow users within that group access to Oracle Linux Automation Manager.


    In the free lab environment, the Edit Details page should look like the following screenshot after these initial entries.


  8. Enter the location to search for users when authenticating in the LDAP User Search field.



  9. In the LDAP Group Search field, enter which groups to search and how to search them.



  10. Enter the user attributes in the LDAP User Attribute Map text field.

       "email": "mail",
       "first_name": "givenName",
       "last_name": "sn"

    When retrieving users, Oracle Linux Automation Manager will get the user by the last_name from the key sn.


  11. Enter the user profile flags in the LDAP User Flags by Group field.

    These profiles assign the LDAP users as Superusers and Auditors.

       "is_superuser": "cn=olam_administrators,cn=groups,cn=accounts,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com",
       "is_system_auditor": "cn=olam_auditors,cn=groups,cn=accounts,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com"

    Oracle Linux Automation Manager alters the format of this field after saving the configuration to match the example shown.


  12. Click the Save button when done.

Verify the Authentication Settings

After saving the LDAP settings, we should be able to log into Oracle Linux Automation Manager as an LDAP user.

  1. Log out of Oracle Linux Automation Manager.

    Click the admin user in the upper right corner of the WebUI and select Logout from the list of values.


  2. Log in to Oracle Linux Automation Manager with the Username olam_admin and the password we assigned during account creation.


  3. In the navigation menu, click the Users menu item.


  4. Ensure the olam_admin exists in the list of users.


    Important: Oracle Linux Automation Manager does not sync users automatically but creates and adds them during the user's initial login.

(Optional) Enable SSL/TLS

The IPA server installs a selfsign self-signed CA using certutil to generate certificates. These certificates allow testing SSL and TLS communication between the client and server. Production environments should use certificates signed by a trusted Certificate Authority (CA).

The IPA server's self-signed CA certificate is located in the /etc/ipa/ca.crt directory on the IPA server.

  1. Switch to the open terminal session connected to the Oracle Linux Automation Manager (ol-node).

  2. Copy the self-signed CA from the IPA server to Oracle Linux Automation Manager.

    scp oracle@ipa-server:/etc/ipa/ca.crt ~/

    Type oracle and ENTER if the terminal presents a password prompt in the free lab environment.

  3. Copy the self-signed CA certificate to the Oracle Linux Automation Manager server's Shared System Certificate directory.

    sudo mv ~/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
  4. Change the ownership on the certificate file.

    sudo chown root.root /etc/pki/ca-trust/source/anchors/ipa.crt
  5. Update the system-wide trust store configuration.

    sudo update-ca-trust
  6. Test connecting to the LDAP server with SSL.

    ldapsearch -D uid=olam_admin,cn=users,cn=accounts,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com -W -H ldaps://
  7. Switch back to the browser and, if necessary, log in to Oracle Linux Automation Manager as the admin user.

  8. Navigate to Settings and LDAP settings.

  9. Scroll down and click the Edit button.

  10. Either update the LDAP Server URI or LDAP Start TLS.

    If you choose to update the LDAP Server URI, then change the protocol from ldap:// to ldaps:// and the port from 389 to 636.


    If you choose to update the LDAP Start TLS, then toggle the switch to On.


    Important: LDAPS with Oracle Linux Automation Manager only works when enabling one of these options, not both. Therefore if you choose to update the URI, do not enable the toggle, and vice versa.

  11. Scroll to the bottom of the page and click the Save button when done.

  12. Log out of the WebUI.

  13. Log in to Oracle Linux Automation Manager with the Username olam_admin and the password we assigned during account creation.


    Once logged in, that confirms the SSL/TLS communication between Oracle Linux Automation Manager and the IPA server is working. If time permits, edit the LDAP settings again, and try the other option.


The ability to log in to Oracle Linux Automation Manager with an LDAP user confirms we have a successful and working LDAP configuration.

For More Information

Oracle Linux Automation Manager Installation Guide Install FreeIPA Server on Oracle Linux Oracle Linux Automation Manager Documentation Oracle Linux Automation Manager Training Oracle Linux Training Station