Integrate LDAP User Management with Oracle Linux Automation Manager

Introduction

Oracle Linux Automation Manager allows administrators to integrate LDAP for user management alongside the existing internal RBAC (role-based access control) source. Once configured, users logging in with an LDAP account automatically generate an Oracle Linux Automation Manager account and get assigned to a standard user or administrator organization.

Objectives

In this tutorial, you'll learn how to:

Create and configure accounts and groups in LDAP
- bind account
- user account
- superuser group
- system_auditor group
Configure Oracle Linux Automation Manager to use LDAP
Verify LDAP access
Enable LDAPS

Prerequisites

A system with Oracle Linux Automation Manager installed.
An available LDAP server, such as the open-source FreeIPA identity management server.

Deploy Oracle Linux Automation Manager

Note: If running in your own tenancy, read the linux-virt-labs GitHub project README.md and complete the prerequisites before deploying the lab environment.

Open a terminal on the Luna Desktop.

Clone the linux-virt-labs GitHub project.

git clone https://github.com/oracle-devrel/linux-virt-labs.git

Change into the working directory.

cd linux-virt-labs/olam

Install the required collections.

ansible-galaxy collection install -r requirements.yml

Update the Oracle Linux instance configuration.

cat << EOF | tee instances.yml > /dev/null
compute_instances:
  1:
    instance_name: "olam-node"
    type: "control"
  2:
    instance_name: "ipa-server"
    type: "server"
EOF

Deploy the lab environment.
```
ansible-playbook create_instance.yml -e ansible_python_interpreter="/usr/bin/python3.6" -e "@instances.yml" -e olam_single_host=true -e use_freeipa=true
    
```
The free lab environment requires the extra variable ansible_python_interpreter because it installs the RPM package for the Oracle Cloud Infrastructure SDK for Python. The location for this package's installation is under the python3.6 modules.
The default deployment shape uses the AMD CPU and Oracle Linux 8. To use an Intel CPU or Oracle Linux 9, add -e instance_shape="VM.Standard3.Flex" or -e os_version="9" to the deployment command.
Important: Wait for the playbook to run successfully and reach the pause task. The Oracle Linux Automation Manager installation is complete at this stage of the playbook, and the instances are ready. Take note of the previous play, which prints the public and private IP addresses of the nodes it deploys.

Verify the IPA Server Exists

Open a terminal and connect via SSH to the ipa-server instance.

ssh oracle@<ip_address_of_node>

Verify the IPA service is running.
```
sudo systemctl status ipa.service
    
```
The ipa.service leverages the ipactl command, which simultaneously starts or stops all the individual components.

Set the terminal localization settings.

This setting is a requirement of the ipactl command.

export LC_ALL="C.UTF-8"

Check the status using the IPA server control interface.
```
sudo ipactl status
    
```
All the components listed must be running for the IPA server to work correctly.

Create a Bind Account

The bind account is a system account that allows read-only access to the entire LDAP structure. Using a bind account rather than a regular user account prevents access into any other systems, and it doesn't own any files. Further, the bind account has no special rights and cannot write any data in the IPA LDAP server.

Create an update file.

Per the ipa-ldap-updater manual page, the update file describes an LDAP entry to add or modify and a set of operations to perform on that entry.

tee olam-binddn.update << EOF 
dn: uid=olam-bind,cn=sysaccounts,cn=etc,dc=lv,dc=vcn,dc=oraclevcn,dc=com
default:objectclass:account
default:objectclass:simplesecurityobject
default:uid:olam-bind
only:userPassword:olamPassword123
only:passwordExpirationTime:20380101000000Z
only:nsIdleTimeout:0
EOF

Select a strong and secure password for the bind user account and a reasonable uid. The userPassword and uid above are for demonstration purposes only within the free lab environment.

Import the update file into the IPA server.

sudo ipa-ldap-updater olam-binddn.update

Verify the new bind account exists.

ldapsearch -D 'cn=Directory Manager' -x uid=olam-bind -W

Enter the password for the Directory Manager account when prompted.

The password is DMPassword1 in the free lab environment.

Example Output:

[oracle@ipa-server ~]$ ldapsearch -D 'cn=Directory Manager' -x uid=olam-bind -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=lv,dc=vcn,dc=oraclevcn,dc=com> (default) with scope subtree
# filter: uid=olam-bind
# requesting: ALL
#
   
# olam-bind, sysaccounts, etc, lv.vcn.oraclevcn.com
dn: uid=olam-bind,cn=sysaccounts,cn=etc,dc=lv,dc=vcn,dc=oraclevcn,dc=co
 m
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: olam-bind
userPassword:: e1BCS0RGMl9TSEEyNTZ9QUFBSUFPTjJrZ295RVBRcmFtWkFydE5kRllNOVlkcmp
 UK2pVMkgwTm5qUUpxbHpJTUNxSUJOUXp4Z1F5emVqdk02Nk5jL2ZXMVNvelUyaGUwZDFJenFMN2Fk
 aExTaWFnc1kzVVFTbnBxL3RUdUo3VnBvU05GaXFpQWJTWktrcGZwR0REM0lNdCtKRWt1T2NBRk94d
 mFwS2tTUC9KS1FYUVprcGRjbzF0TlZDNHkzNEE4cFQ2UGtWM0pFcm4zdUNkdkVGZ2ZIM1Y4QWxiaG
 pQcm9HWU50aTdrMXRrM0ZkdFI0VlNGWW96SUcra2tUTkt1OE9tYVl3YXp6ZlV5VHBxeFFEMnBxRy9
 XYmxBdW02OURNcDA2RzVBZUJzRGlYOWpDWkZrenNwbllKQXdiQ015MTFXVXI0TFB5VzByejNac2V0
 SmE0dU9yS2NmOWhCZWpBV3NiRlNhQVR0MTU4V2FtN3Q2S21wNXU5em1yTm9oMVRCeEdqaG5Mb3dJN
 kdjcDF4a2p2VkNsYmhVSkQxZTRqS0lzTFJHc3JOclRKN3R0MitpbXZtSlRtR1FkRllsb1dr
   
# search result
search: 2
result: 0 Success
   
# numResponses: 2
# numEntries: 1

Create a User

Oracle Linux Automation Manager creates a default admin user during installation. You'll create an LDAP user, who will get assigned the same privileges.

Manually authenticate to the IPA server by obtaining a Kerberos ticket.

kinit admin

Enter the IPA server's pre-defined admin account password.
The password is ADMPassword1 in the free lab environment.
Create a user in the IPA server.
```
ipa user-add olam_admin --first=OLAM --last=Administrator --password
    
```
Pass the user's login, first name, and last name to the ipa user-add command. When saving these details to the directory, IPA automatically converts the entire user login to lowercase, making mixed-case usernames impossible.
Enter and verify a password of your choosing at the prompt for the olam_admin account.
Verify the user exists by listing all the IPA server accounts.
```
ipa user-find
    
```
The results show the default IPA server admin account and the newly created olam_admin.

Create a Group

Oracle Linux Automation Manager has three user types, of which two translate to LDAP groups you need to create. These groups are for the System Administrator and System Auditor types.

Create the administrator group.

ipa group-add olam_administrators

Create the auditor group.

ipa group-add olam_auditors

Add the new user to the administrator group.

ipa group-add-member olam_administrators --users=olam_admin

That completes the minimally required steps on the IPA server.

Close the open session to the IPA server.

exit

Install the LDAP Client Tools

Oracle Linux Automation Manager does not install the suite of OpenLDAP applications and development tools by default. Administrators can use these tools to access and modify LDAP directories from the terminal to help test their configuration.

Connect via SSH to the olam-node instance using the existing terminal.

ssh oracle@<ip_address_of_node>

Install the OpenLDAP tools package.

sudo dnf -y install openldap-clients

Connect and search the LDAP server.

ldapsearch -D uid=olam_admin,cn=users,cn=accounts,dc=lv,dc=vcn,dc=oraclevcn,dc=com -W -H ldap://ipa-server.lv.vcn.oraclevcn.com:389

-D: is the Distinguished Name (DN) to bind to the LDAP directory
-W: prompts for simple authentication
-H: specifies the LDAP server's URI, which consists of the protocol, host, and port only

Enter the password for the olam_admin user at the prompt.
The output returns the results of the search if the connection is successful.

Close the terminal session.

exit

Log in to the Oracle Linux Automation Manager WebUI

Configure an SSH tunnel to the olam-node instance using the existing terminal.
```
ssh -o ExitOnForwardFailure=yes -f -L 8444:localhost:443 oracle@<ip_address_of_node> sleep 300
    
```
- -o ExitOnForwardFailure=yes: waits for all remote port forwards to establish successfully
- -f: runs the SSH tunnel in the background
- -L: creates the tunnel on port 8444 on the local system and 443 on the remote system
- sleep 300: keeps remote tunnel open for 5 minutes, waiting for an established connection before automatically closing
Open a web browser and enter the URL.
```
https://localhost:8444
    
```
Note: Approve the security warning based on the browser used. Click the Advanced button for the Chrome browser and then the Proceed to localhost (unsafe) link.
Log into Oracle Linux Automation Manager WebUI.
Use the Username admin and the Password admin in the free lab environment.
After logging in, the WebUI displays.

Open the LDAP Settings

A user with the System Administrator privilege uses the Settings page of the Oracle Linux Automation Manager WebUI to add alternative Authentication settings such as LDAP.

Click Settings at the bottom of the navigation menu to display the Settings page.
This page gives access to alternative Authentication settings you'll use to configure access to the LDAP server.
Click the LDAP settings link under the Authentication section.
Clicking this link displays the Default LDAP server configuration page. Beyond the default LDAP server, Oracle Linux Automation Manager allows configuring five additional LDAP sources.

Edit the Default LDAP Setting

Scroll to the bottom of the Default Details page and click the Edit button.
The page refreshes and now allows editing of the different fields. Using Ctrl+V is recommended when pasting your entries into the various fields in the free lab environment.

Enter the LDAP server address in the LDAP Server URI field.

ldap://ipa-server.lv.vcn.oraclevcn.com:389

Enter the password for the bind user in the LDAP Bind Password field.
The password is olamPassword123 in the free lab environment.
```
olamPassword123
    
```
Oracle Linux Automation Manager encrypts the password field after saving the configuration changes. You can still edit the LDAP Bind Password field, but the WebUI no longer shows the initial password entered.
Click and select the group type from the LDAP Group Type drop-down list of values.
In the free lab environment, the LDAP Group Type defaults to MemberDNGroupType, which you'll use with our LDAP server.
The LDAP Group Types that Oracle Linux Automation Manager supports uses the django-auth-ldap-library .
Each LDAP Group Type may take different parameters, so look at the init classes in the django_auth_ldap upstream documentation to determine the expected parameters.
Enter the Distinguished Name (DN) in the LDAP Bind DN field for the LDAP user that Oracle Linux Automation Manager uses to connect or bind to the LDAP server.
Use the previously created olam-bind user account.
```
uid=olam-bind,cn=sysaccounts,cn=etc,dc=lv,dc=vcn,dc=oraclevcn,dc=com
    
```

Enter the key that stores the user's name in the LDAP User DN Template field.

uid=%(user)s,cn=users,cn=accounts,dc=lv,dc=vcn,dc=oraclevcn,dc=com

Enter the group distinguish name in the LDAP Require Group field to allow users within that group access to Oracle Linux Automation Manager.
```
cn=olam_administrators,cn=groups,cn=accounts,dc=lv,dc=vcn,dc=oraclevcn,dc=com
    
```
The Edit Details page should look like the screenshot in the free lab environment at this stage.

Enter the location to search for users when authenticating in the LDAP User Search field.

[
   "cn=users,cn=accounts,dc=lv,dc=1inuxvirt,dc=oraclevcn,dc=com",
   "SCOPE_SUBTREE",
   "(uid=%(user)s)"
]

In the LDAP Group Search field, enter which groups to search and how to search them.

[
   "cn=groups,cn=accounts,dc=lv,dc=vcn,dc=oraclevcn,dc=com",
   "SCOPE_SUBTREE",
   "(objectClass=groupofNames)"
]

Enter the user attributes in the LDAP User Attribute Map text field.

{
   "email": "mail",
   "first_name": "givenName",
   "last_name": "sn"
}

When retrieving users, Oracle Linux Automation Manager will get the user by the last_name from the sn key.

olam2-ldap-user-attrib-map

Enter the user profile flags in the LDAP User Flags by Group field.

These profiles assign the LDAP users as Superusers and Auditors.

{
   "is_superuser": "cn=olam_administrators,cn=groups,cn=accounts,dc=lv,dc=vcn,dc=oraclevcn,dc=com",
   "is_system_auditor": "cn=olam_auditors,cn=groups,cn=accounts,dc=lv,dc=vcn,dc=oraclevcn,dc=com"
}

Oracle Linux Automation Manager alters the format of this field after saving the configuration to match the example shown.

olam2-ldap-user-flags-grp

Click the Save button when done.

Verify the Authentication Settings

After saving the LDAP settings, you should be able to log into Oracle Linux Automation Manager as an LDAP user.

Log out of Oracle Linux Automation Manager.
Click the admin user in the upper right corner of the WebUI and select Logout from the list of values.
Log in to Oracle Linux Automation Manager with the Username olam_admin.
Use the password you assigned to the user during account creation.
Click the Users menu item in the navigation menu.
Ensure the olam_admin exists in the list of users.
Important: Oracle Linux Automation Manager does not sync users automatically but creates and adds them during the user's initial login.

(Optional) Enable SSL/TLS

The IPA server installs a selfsign self-signed CA using certutil to generate certificates. These certificates allow testing SSL and TLS communication between the client and server. Production environments should use certificates signed by a trusted Certificate Authority (CA).

The IPA server's self-signed CA certificate is located in the /etc/ipa/ca.crt directory on the IPA server.

Switch to the open terminal session connected to the olam-node instance.
Copy the self-signed CA from the IPA server to Oracle Linux Automation Manager.
```
scp oracle@ipa-server:/etc/ipa/ca.crt ~/
    
```
Type oracle as the password and ENTER if the terminal presents a password prompt in the free lab environment.

Copy the self-signed CA certificate to the Oracle Linux Automation Manager server's Shared System Certificate directory.

sudo mv ~/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt

Change the ownership on the certificate file.

sudo chown root.root /etc/pki/ca-trust/source/anchors/ipa.crt

Update the system-wide trust store configuration.

sudo update-ca-trust

Test connecting to the LDAP server with SSL.

ldapsearch -D uid=olam_admin,cn=users,cn=accounts,dc=lv,dc=vcn,dc=oraclevcn,dc=com -W -H ldaps://ipa-server.lv.vcn.oraclevcn.com

Switch back to the browser and, if necessary, log in to Oracle Linux Automation Manager as the admin user.
Navigate to Settings and LDAP settings.
Scroll down and click the Edit button.
Either update the LDAP Server URI or LDAP Start TLS.
If you elect to update the LDAP Server URI, change the protocol from ldap:// to ldaps:// and the port from 389 to 636.
If updating LDAP Start TLS, toggle the switch to On.
Important: LDAPS with Oracle Linux Automation Manager only works when enabling one of these options, not both. Therefore, if you update the URI, do not enable the toggle, and vice versa.
Scroll to the bottom of the page and click the Save button.
Log out of the WebUI.
Log in to Oracle Linux Automation Manager with the Username olam_admin and the password you assigned during account creation.
Once logged in, you have confirmed the SSL/TLS communication between Oracle Linux Automation Manager and the LDAP server is working. If time permits, edit the LDAP settings again and try the other option.

Next Steps

Your Oracle Linux Automation Manager can now successfully authenticate its users against an external LDAP server, allowing central administration of the WebUI credentials and access control. Check out some of our other Oracle Linux Automation Manager training by visiting the Oracle Linux Training Station.