Integrate LDAP User Management with Oracle Linux Automation Manager

Introduction

Oracle Linux Automation Manager allows administrators to integrate LDAP for user management alongside the existing internal RBAC (role-based access control) source. Once configured, users logging in with an LDAP account automatically generate an Oracle Linux Automation Manager account that assigns to an organization as a standard user or administrator.

By the end of this tutorial, you'll have a configured Oracle Linux Automation Manager that allows users to log in using their LDAP credentials.

Objectives

In this lab, you'll learn how to:

  • Create and configure accounts and groups in LDAP
    • bind account
    • user account
    • superuser group
    • system_auditor group
  • Configure Oracle Linux Automation Manager to use LDAP
  • Verify LDAP access
  • Enable LDAPS

Prerequisites

  • A system with Oracle Linux Automation Manager installed.
  • An available LDAP server.

The free lab environment uses the open-source FreeIPA identity management server.

Create the LDAP Accounts in FreeIPA

Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.

Information: The free lab environment deploys a running single-host Oracle Linux Automation Manager and a FreeIPA server. The deployment takes approximately 25-30 minutes to finish after launch. Therefore, you might want to step away while this runs and promptly return to complete the lab.

Verify the IPA Server Exists

  1. Open a terminal and connect via ssh to the ipa-server instance if not already connected.

    ssh oracle@<hostname or ip address>
  2. Verify the IPA service is running.

    sudo systemctl status ipa.service

    The ipa.service calls the command ipactl, which starts/stops all the individual components at once.

  3. Check the status using the IPA server control interface.

    The ipactl command requires setting the system encoding to UTF-8 to display its output.

    export LC_ALL="C.UTF-8"
    sudo ipactl status

    All the components listed must be running for the IPA server to work correctly.

Create a Bind Account

The bind account is a system account with read-only access to the entire LDAP structure. Using a bind account rather than a regular user account means the account cannot log in to any other system and owns no files. Further, the bind account has no special rights and cannot write any data in the IPA LDAP server.

  1. Create an update file.

    Per the ipa-ldap-updater manual page, the update file describes an LDAP entry to add or modify and a set of operations to perform on that entry.

    tee olam-binddn.update << EOF
    dn: uid=olam-bind,cn=sysaccounts,cn=etc,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com
    default:objectclass:account
    default:objectclass:simplesecurityobject
    default:uid:olam-bind
    only:userPassword:olamPassword123
    only:passwordExpirationTime:20380101000000Z
    only:nsIdleTimeout:0
    EOF

    Select a strong and secure password for the bind user account and a reasonable uid. The password and uid above are for demonstration purposes only within this free lab environment.

  2. Import the update file into the IPA server.

    sudo ipa-ldap-updater olam-binddn.update
  3. Verify the new bind account exists.

    ldapsearch -D 'cn=Directory Manager' -x uid=olam-bind -W

    Enter the password for the Directory Manager account when prompted. The password is DMPassword1 in the free lab environment.

    Example Output:

    [oracle@ipa-server ~]$ ldapsearch -D 'cn=Directory Manager' -x uid=olam-bind -W
    Enter LDAP Password: 
    # extended LDIF
    #
    # LDAPv3
    # base <dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com> (default) with scope subtree
    # filter: uid=olam-bind
    # requesting: ALL
    #
       
    # olam-bind, sysaccounts, etc, pub.linuxvirt.oraclevcn.com
    dn: uid=olam-bind,cn=sysaccounts,cn=etc,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=co
     m
    objectClass: account
    objectClass: simplesecurityobject
    objectClass: top
    uid: olam-bind
    userPassword:: e1BCS0RGMl9TSEEyNTZ9QUFBSUFPTjJrZ295RVBRcmFtWkFydE5kRllNOVlkcmp
     UK2pVMkgwTm5qUUpxbHpJTUNxSUJOUXp4Z1F5emVqdk02Nk5jL2ZXMVNvelUyaGUwZDFJenFMN2Fk
     aExTaWFnc1kzVVFTbnBxL3RUdUo3VnBvU05GaXFpQWJTWktrcGZwR0REM0lNdCtKRWt1T2NBRk94d
     mFwS2tTUC9KS1FYUVprcGRjbzF0TlZDNHkzNEE4cFQ2UGtWM0pFcm4zdUNkdkVGZ2ZIM1Y4QWxiaG
     pQcm9HWU50aTdrMXRrM0ZkdFI0VlNGWW96SUcra2tUTkt1OE9tYVl3YXp6ZlV5VHBxeFFEMnBxRy9
     XYmxBdW02OURNcDA2RzVBZUJzRGlYOWpDWkZrenNwbllKQXdiQ015MTFXVXI0TFB5VzByejNac2V0
     SmE0dU9yS2NmOWhCZWpBV3NiRlNhQVR0MTU4V2FtN3Q2S21wNXU5em1yTm9oMVRCeEdqaG5Mb3dJN
     kdjcDF4a2p2VkNsYmhVSkQxZTRqS0lzTFJHc3JOclRKN3R0MitpbXZtSlRtR1FkRllsb1dr
       
    # search result
    search: 2
    result: 0 Success
       
    # numResponses: 2
    # numEntries: 1

Create a User

Oracle Linux Automation Manager creates a default admin user during installation. We'll create an LDAP user to which we'll assign the same privileges.

  1. Manually authenticate to the IPA server by obtaining a Kerberos ticket.

    kinit admin

    Enter the password for the IPA server's pre-defined admin account. The password is ADMPassword1 in the free lab environment.

  2. Create a user in the IPA server.

    ipa user-add olam_admin --first=OLAM --last=Administrator --password

    Pass the user login, the user's first name and last name to the ipa user-add command. When saving these details to the directory, IPA automatically converts the entire user login to lowercase, making mixed-case usernames impossible.

    Enter a password at the prompt for the olam_admin account.

  3. Verify the user exists by listing all the IPA server accounts.

    ipa user-find

    The results should show the default IPA server admin account and the newly created olam_admin.

Create a Group

Oracle Linux Automation Manager has three user types, of which two translate to LDAP groups we need to create. These groups are for the System Administrator and System Auditor types.

  1. Create the administrator group.

    ipa group-add olam_administrators
  2. Create the auditor group.

    ipa group-add olam_auditors
  3. Add the new user to the administrator group.

    ipa group-add-member olam_administrators --users=olam_admin

That completes the minimally required steps on the IPA server, and we can close the open session to the IPA server by typing exit.

Now, let's jump over to the Oracle Linux Automation Manager server.

(Optional) Install the LDAP Client Tools

Oracle Linux Automation Manager does not install the suite of OpenLDAP applications and development tools by default. Administrators can use these tools to access and modify LDAP directories from the terminal to help test their configuration.

  1. Connect via ssh to the ol-node instance using the existing terminal.

    ssh oracle@<hostname or ip address>
  2. Install the OpenLDAP tools package.

    sudo dnf -y install openldap-clients
  3. Connect and search the LDAP server.

    ldapsearch -D uid=olam_admin,cn=users,cn=accounts,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com -W -H ldap://ipa-server.pub.linuxvirt.oraclevcn.com:389
    • -D: the Distinguished Name (DN) used to bind to the LDAP directory.
    • -W: prompts for the simple authentication password.
    • -H: the LDAP server's URI, consisting of the protocol, host, and port only.

    Enter the password for the olam_admin user at the prompt.

    The output returns the results of the search if the connection is successful.

  4. Close the terminal session.

    exit

Update the Authentication Settings

A user with the System Administrator privilege uses the Settings page of the Oracle Linux Automation Manager WebUI to add alternative Authentication settings such as LDAP.

Log in to the WebUI

  1. Open a terminal and configure an SSH tunnel to the deployed Oracle Linux Automation Manager instance.

    ssh -L 8444:localhost:443 oracle@<hostname or ip address>

    In the free lab environment, use the IP address of the ol-node VM as it runs the Oracle Linux Automation Manager deployment.

  2. Open a web browser and enter the URL.

    https://localhost:8444

    Note: Approve the security warning based on the browser used. For Chrome, click the Advanced button and then the Proceed to localhost (unsafe) link.

  3. Log in to Oracle Linux Automation Manager with the Username admin and the Password admin created during the free lab environment automated deployment.

    olam2-login

  4. After logging in, the WebUI displays.

    olam2-webui

Open the LDAP Settings

  1. Along the left-hand side of the WebUI, there is a navigation menu allowing quick access to Projects, Inventories, Templates, and Jobs.

    olam2-nav-menu

  2. At the bottom of the navigation menu is the Settings menu item.

    olam2-settings-menu

  3. Select this item to navigate to the Settings page.

    olam2-settings-page

    The Settings page gives access to alternative Authentication settings we'll use to configure access to the IPA Server.

  4. Click the LDAP settings link under the Authentication section.

    Clicking this link displays the Default LDAP server configuration page. Beyond the default LDAP server, Oracle Linux Automation Manager allows configuring five additional LDAP sources.

    olam2-ldap-details-page

Edit the Default LDAP Setting

  1. Scroll to the bottom of the Default Details page and click the Edit button.

    olam2-ldap-default-edit

    The page refreshes and now allows editing of the different fields. We recommend using Ctrl+V when copying your entries into the different fields in the free lab environment.

  2. Enter the LDAP server address in the LDAP Server URI field.

    ldap://ipa-server.pub.linuxvirt.oraclevcn.com:389
  3. Enter the password for the bind user in the LDAP Bind Password field.

    The password is olamPassword123 in the free lab environment.

    olamPassword123

    Oracle Linux Automation Manager encrypts the password field after saving the configuration changes. The LDAP Bind Password field will be editable but will no longer show the password initially entered.

  4. Click and select the group type from the LDAP Group Type drop-down list of values.

    In the free lab environment, the LDAP Group Type defaults to MemberDNGroupType, which we'll use with our LDAP server.

    The LDAP Group Types that Oracle Linux Automation Manager supports come from the django-auth-ldap library.

    Each LDAP Group Type may take different parameters, so check the class __init__ parameters in the django_auth_ldap upstream documentation to determine the expected values.

  5. Enter the Distinguished Name (DN) in the LDAP Bind DN field for the LDAP user that Oracle Linux Automation Manager uses to connect (Bind) to the LDAP server.

    This user is the olam-bind account created earlier.

    uid=olam-bind,cn=sysaccounts,cn=etc,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com
  6. Enter the template that builds the user's DN from the login name in the LDAP User DN Template field.

    uid=%(user)s,cn=users,cn=accounts,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com
  7. Enter the group's distinguished name in the LDAP Require Group field to allow users within that group access to Oracle Linux Automation Manager.

    cn=olam_administrators,cn=groups,cn=accounts,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com

    In the free lab environment, the Edit Details page should look like the following screenshot after these initial entries.

    olam2-ldap-detail-edits-one

  8. Enter the location to search for users when authenticating in the LDAP User Search field.

    [
       "cn=users,cn=accounts,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com",
       "SCOPE_SUBTREE",
       "(uid=%(user)s)"
    ]

    olam2-ldap-user-search

  9. In the LDAP Group Search field, enter which groups to search and how to search them.

    [
       "cn=groups,cn=accounts,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com",
       "SCOPE_SUBTREE",
       "(objectClass=groupofNames)"
    ]

    olam2-ldap-group-search

  10. Enter the user attributes in the LDAP User Attribute Map text field.

    {
       "email": "mail",
       "first_name": "givenName",
       "last_name": "sn"
    }

    When retrieving a user, Oracle Linux Automation Manager populates last_name from the LDAP attribute sn, and likewise first_name from givenName and email from mail.

    olam2-ldap-user-attrib-map

  11. Enter the user profile flags in the LDAP User Flags by Group field.

    These profiles assign the LDAP users as Superusers and Auditors.

    {
       "is_superuser": "cn=olam_administrators,cn=groups,cn=accounts,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com",
       "is_system_auditor": "cn=olam_auditors,cn=groups,cn=accounts,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com"
    }

    Oracle Linux Automation Manager alters the format of this field after saving the configuration to match the example shown.

    olam2-ldap-user-flags-grp

  12. Click the Save button when done.
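As an added example (not Oracle Linux Automation Manager or django-auth-ldap code), the following Python resolves the settings entered above over a small constructed directory the way django-auth-ldap's MemberDNGroupType does: the user search finds the entry, LDAP Require Group gates the login, and LDAP User Flags by Group sets the superuser and auditor flags. The user jdoe, the mail values and the directory contents are constructed sample data.

```python
# Added example: evaluates the lab's LDAP settings the way django-auth-ldap's
# MemberDNGroupType does, over a constructed in-memory directory (no live server).
BASE = "dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com"
USER_SEARCH = (f"cn=users,cn=accounts,{BASE}", "SCOPE_SUBTREE", "(uid=%(user)s)")
REQUIRE_GROUP = f"cn=olam_administrators,cn=groups,cn=accounts,{BASE}"
USER_FLAGS_BY_GROUP = {
    "is_superuser": f"cn=olam_administrators,cn=groups,cn=accounts,{BASE}",
    "is_system_auditor": f"cn=olam_auditors,cn=groups,cn=accounts,{BASE}",
}
USER_ATTR_MAP = {"email": "mail", "first_name": "givenName", "last_name": "sn"}

# Constructed sample directory (DN -> attributes); jdoe and the mail values are made up.
DIRECTORY = {
    f"uid=olam_admin,cn=users,cn=accounts,{BASE}": {
        "uid": ["olam_admin"], "givenName": ["OLAM"], "sn": ["Administrator"],
        "mail": ["olam_admin@example.test"]},
    f"uid=jdoe,cn=users,cn=accounts,{BASE}": {
        "uid": ["jdoe"], "givenName": ["Jane"], "sn": ["Doe"], "mail": ["jdoe@example.test"]},
    f"cn=olam_administrators,cn=groups,cn=accounts,{BASE}": {
        "objectClass": ["groupOfNames"], "member": [f"uid=olam_admin,cn=users,cn=accounts,{BASE}"]},
    f"cn=olam_auditors,cn=groups,cn=accounts,{BASE}": {
        "objectClass": ["groupOfNames"], "member": [f"uid=jdoe,cn=users,cn=accounts,{BASE}"]},
}

def find_user_dn(username):
    """LDAP User Search: entries under the search base matching the (uid=%(user)s) filter."""
    base, _scope, flt = USER_SEARCH
    attr, value = flt.strip("()").split("=", 1)
    value = (value % {"user": username}).lower()  # uid uses case-insensitive matching
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(base.lower()) and value in [v.lower() for v in attrs.get(attr, [])]:
            return dn
    return None

def member_of(user_dn, group_dn):
    """MemberDNGroupType: the group's member attribute lists the user's full DN."""
    members = DIRECTORY.get(group_dn, {}).get("member", [])
    return user_dn.lower() in [m.lower() for m in members]

def evaluate_login(username):
    """Account Oracle Linux Automation Manager would create at first login, or None if denied."""
    user_dn = find_user_dn(username)
    if user_dn is None or not member_of(user_dn, REQUIRE_GROUP):
        return None  # unknown user, or not a member of the LDAP Require Group
    attrs = DIRECTORY[user_dn]
    account = {field: attrs.get(ldap_attr, [""])[0] for field, ldap_attr in USER_ATTR_MAP.items()}
    for flag, group_dn in USER_FLAGS_BY_GROUP.items():  # LDAP User Flags by Group
        account[flag] = member_of(user_dn, group_dn)
    return account
```

Because LDAP Require Group is set to the administrators group, a user who belongs only to olam_auditors is rejected at login, so an auditor-only account needs either membership in that group or a different Require Group.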

Verify the Authentication Settings

After saving the LDAP settings, we should be able to log into Oracle Linux Automation Manager as an LDAP user.

  1. Log out of Oracle Linux Automation Manager.

    Click the admin user in the upper right corner of the WebUI and select Logout from the list of values.

    olam2-logout

  2. Log in to Oracle Linux Automation Manager with the Username olam_admin and the password we assigned during account creation.

    olam2-login2

  3. In the navigation menu, click the Users menu item.

    olam2-users-menu

  4. Ensure the olam_admin exists in the list of users.

    olam2-users-list

    Important: Oracle Linux Automation Manager does not sync users automatically but creates and adds them during the user's initial login.

(Optional) Enable SSL/TLS

The IPA server installs a self-signed CA and uses certutil to generate certificates. These certificates allow testing SSL and TLS communication between the client and server. Production environments should use certificates signed by a trusted Certificate Authority (CA).

The IPA server's self-signed CA certificate is located at /etc/ipa/ca.crt on the IPA server.

  1. Switch to the open terminal session connected to the Oracle Linux Automation Manager (ol-node).

  2. Copy the self-signed CA from the IPA server to Oracle Linux Automation Manager.

    scp oracle@ipa-server:/etc/ipa/ca.crt ~/

    Type oracle and ENTER if the terminal presents a password prompt in the free lab environment.

  3. Copy the self-signed CA certificate to the Oracle Linux Automation Manager server's Shared System Certificate directory.

    sudo mv ~/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
  4. Change the ownership on the certificate file.

    sudo chown root:root /etc/pki/ca-trust/source/anchors/ipa.crt
  5. Update the system-wide trust store configuration.

    sudo update-ca-trust
  6. Test connecting to the LDAP server with SSL.

    ldapsearch -D uid=olam_admin,cn=users,cn=accounts,dc=pub,dc=linuxvirt,dc=oraclevcn,dc=com -W -H ldaps://ipa-server.pub.linuxvirt.oraclevcn.com
  7. Switch back to the browser and, if necessary, log in to Oracle Linux Automation Manager as the admin user.

  8. Navigate to Settings and LDAP settings.

  9. Scroll down and click the Edit button.

  10. Either update the LDAP Server URI or LDAP Start TLS.

    If you choose to update the LDAP Server URI, then change the protocol from ldap:// to ldaps:// and the port from 389 to 636.

    olam2-ldap-ssl-uri

    If you choose to update the LDAP Start TLS, then toggle the switch to On.

    olam2-ldap-tls-toggle

    Important: LDAPS with Oracle Linux Automation Manager only works when enabling one of these options, not both. Therefore, if you choose to update the URI, do not enable the toggle, and vice versa.

  11. Scroll to the bottom of the page and click the Save button when done.

  12. Log out of the WebUI.

  13. Log in to Oracle Linux Automation Manager with the Username olam_admin and the password we assigned during account creation.

    olam2-login2

    Once logged in, that confirms the SSL/TLS communication between Oracle Linux Automation Manager and the IPA server is working. If time permits, edit the LDAP settings again, and try the other option.

Summary

The ability to log in to Oracle Linux Automation Manager with an LDAP user confirms we have a successful and working LDAP configuration.

For More Information

  • Oracle Linux Automation Manager Installation Guide
  • Install FreeIPA Server on Oracle Linux
  • Oracle Linux Automation Manager Documentation
  • Oracle Linux Automation Manager Training
  • Oracle Linux Training Station