Monday, August 19, 2013

Setting up LDAP with vFabric Application Director and a 2008 AD Domain Controller

Hopefully this will save you some time in setting up - the documentation provides pretty good overview of how to do this, but some details are left out.  This guide should get you up and running for a basic configuration.

First, you will need to run the darwin-cli either remotely or from the AppD appliance.  I decided to run it from my Windows 7 PC for convenience (you will need JRE 1.6 installed, although it did run fine on my PC with JRE 1.7).

I copied the /home/darwin/tools/darwin-cli.jar on the AppD appliance using WinSCP  and using the darwin_user credentials.

To run the client, simply open a command prompt, navigate to the directory where you copied the file and run java -jar darwin-cli.jar and you should be presented with the "roo" interface as in the screen shot below -




Now you can connect to your AppD instance by issuing the following command at the "roo" prompt:

login --serverUrl https://ip-or-fqdn-of-appd-appliance:8443/darwin --username admin
And you will be prompted for the admin password.

Once logged in you can now create an LDAP config.  I used the following command:

create-ldap-config
Then I answered the prompts as follows:

Server Attributes
Use SSL to communicate to LDAP server (ldaps)? [y/N]: n
* Server name/IP: 192.168.1.200
* Server port: 3268 (note, use port 3269 for SSL LDAP)
* Server base DN (eg: dc=example,dc=com): dc=mylab,dc=dias
Does your LDAP server support anonymous query? [Y/n]: n
* Username to use when querying for users: administrator@mylab
* Password to use when querying for users: ********
        Please re-enter the value: ********

User Attributes
  Base DN of user sub-tree (blank to search from root):
* Username attribute: sAMAccountName
* User UID attribute: objectGUID
* User's group membership attribute: memberOf
  User's first name attribute:
  User's last name/surname attribute:
  User's email address attribute:

Group Attributes
  Base DN of group sub-tree (blank to search from root):
* Group name attribute: cn
* Group UID attribute: objectGUID
* Group's member list attribute: member

LDAP Configuration Name
* Enter the name for this LDAP configuration:
A value is required, please try again.
* Enter the name for this LDAP configuration: mylab-ldap
NOTE that I used 3268 for the "Server port" - if you use the default of 389 the test will work, but you will not be able to login using those AD accounts.  As noted, 3269 can be used for an SSL LDAP connection (Thanks, Chris Lennon).

Also note that I did not use SSL for this configuration.  If you want/need to use a secure connection for LDAP, you will need to install the AD server certificate in the keystore on the AppDirector server.  Instructions can be found in the Application Director 5.2 documentation here.

BEFORE you make this active, you should test it as follows:

test-named-ldap-config --configname mylab-ldap --name gfreeman

Of course, replace "mylab-ldap" and "gfreeman" with the name of the configuration you just created and a valid AD login ID.  If all is good, you should see output similar to this:


Now you can activate your LDAP config as follows (THIS IS NOT REQUIRED if you are running AppD 6.0 and have created only one LDAP config):

activate-ldap-config --configname mylab-ldap
 Again, replacing "mylab-ldap" with your configuration name.

Now you are ready to add AD users and groups to your AppD instance.  I won't go into the roles and groups here, that is pretty well documented in the product guide I linked above.  However, here's an example of adding an AD group "Domain Admins" to the "Default" group so that I can log in with my AD user name instead of the local "admin" account (I'm going to assign all roles to the group):

import-ldap-group --name "Domain Admins" --group Default --roles ROLE_CATALOG_ADMIN,ROLE_DEPLOYER,ROLE_SYSTEM_INTEGRATOR,ROLE_APP_ARCHITECT,ROLE_CLOUD_ADMIN --configname mylab-ldap
Again, use your configuration name in place of "mylab-ldap" as before.

4 comments:

  1. Hey Mr Storage Gumbo you have a typo in your import-ldap-group for the ROLE_CLOUD_ADMIN (extra comma).
    import-ldap-group --name "Domain Admins" --group Default --roles ROLE_CATALOG_ADMIN,ROLE_DEPLOYER,ROLE_SYSTEM_INTEGRATOR,ROLE_APP_ARCHITECT, ROLE_CLOUD_ADMIN --configname mylab-ldap

    ReplyDelete
    Replies
    1. Ah nice catch Chris! Corrected it. Hopefully didn't create too many problems for people.

      Delete
    2. great walk through, really helped a lot. Thank you.

      minor suggestions

      1. on import-ldap-group, you have an extra space between ROLE_APP_ARCHITECT, ROLE_CLOUD_ADMIN
      ^
      ----------------------------------|

      if you remove it it'll make cut/paste easier

      2. I was getting an error about being unauthorized. Turned out to be because I reinstalled appdir and you need to get a new darwin-app.jar instead of using the old one. was an easy fix but took a bit to figure it out.

      Delete
    3. Thanks - I corrected the post as you suggested.

      Delete