Versions Compared


...

  • Configure the LDAP Server
  • Test the LDAP Server
  • Configure ProVision for LDAP Authentication

Configure the LDAP Server

SSH into your openLDAP server and create a new 'ldif' file.  Example:

 dn: cn=JoeSmith,ou=people,dc=6connect,dc=com
 cn: JoeSmith
 sn: JoeSmith
 objectclass: top
 objectclass: person
 objectclass: sixConnectPermissionsV2
 sixConnGroup: "Global Admins"
 sixConnGroup: "bonk"
 sixConnGroup: "poof"
 sixConnGroup: "grood"
 userPassword: testpass

 To create a new user, make a new ldif file, change all instances of "JoeSmith" to the username you wish to create, and update the password.  Keep all of the object class definitions as listed above.  Add one sixConnGroup declaration for each ProVision user group the user is in.

 After the file is created, run the following command to add the new user to the LDAP server:

 ldapadd -h [SERVER] -x -f [LDIF FILE] -D [ROOTDN] -w [ROOT PW] -v

 Example:

 ldapadd -h localhost -x -f 6connect.ldif -D "cn=Manager,dc=6connect,dc=com" -w secret -v

The user will now be active in openLDAP and can be used to login to ProVision.
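As an added example (not part of the original page or of 6connect's own tooling), this Python script builds the LDIF entry described above with an {SSHA}-hashed userPassword instead of the cleartext value, base64-encodes any attribute value that is not LDIF-safe, and DN-escapes the username both in the entry's dn and when filling the ProVision Auth DN template cn=%LOGIN%,ou=people,dc=6connect,dc=com. The base DN, object classes and attribute names come from the page; the function names are assumptions of this example.

```python
import base64
import hashlib
import os

BASE_DN = "ou=people,dc=6connect,dc=com"  # base DN used by the page's LDIF entries
AUTH_DN_TEMPLATE = "cn=%LOGIN%," + BASE_DN  # ProVision "LDAP Auth DN" setting from the page
DN_SPECIAL = ',+"\\<>;='  # RFC 4514 characters that must be backslash-escaped inside a DN value

def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = "".join("\\" + c if c in DN_SPECIAL else c for c in value)
    if out.startswith((" ", "#")):  # a leading space or '#' must be escaped
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):  # so must a trailing space
        out = out[:-1] + "\\ "
    return out

def ldif_attr(name, value):
    """Emit 'name: value', or base64 'name:: ...' when value is not an RFC 2849 SAFE-STRING."""
    unsafe = not value.isascii() or value.startswith((" ", ":", "<")) or any(c in value for c in "\0\r\n")
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"

def ssha_password(password, salt=None):
    """{SSHA} userPassword value (salted SHA-1, slappasswd's default scheme) instead of cleartext."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(stored, password):
    """Check a candidate password the way slapd does: re-hash with the salt stored after the digest."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def build_user_ldif(username, password, groups, salt=None):
    """Build the entry the page describes: person + sixConnectPermissionsV2, one sixConnGroup per group."""
    lines = [f"dn: cn={escape_dn_value(username)},{BASE_DN}",
             ldif_attr("cn", username), ldif_attr("sn", username),
             "objectclass: top", "objectclass: person", "objectclass: sixConnectPermissionsV2"]
    lines += [ldif_attr("sixConnGroup", f'"{g}"') for g in groups]  # the page quotes group names
    lines.append(ldif_attr("userPassword", ssha_password(password, salt)))
    return "\n".join(lines) + "\n"

def auth_dn_for(login):
    """Fill ProVision's Auth DN template; the login is DN-escaped so it stays a single RDN value."""
    return AUTH_DN_TEMPLATE.replace("%LOGIN%", escape_dn_value(login))
```

Hashing only protects the value stored in the directory; with LDAP Security set to None on port 389 the bind password still crosses the network in cleartext, which is what the SSL/TLS port 636 option addresses.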

Test the LDAP Server

To query the LDAP server, punch this line into any server which has openLDAP enabled, which is almost all of them.

...

Configure ProVision for LDAP Authentication

To configure the use of LDAP authentication with ProVision, follow the steps below.

  • Log into 6connect ProVision
  • Go to Admin -> General Settings -> Authentication
  • Click the LDAP Enable checkbox.
  • Fill in the hostname or IP address, authentication port, LDAP Security, Auth DN, and Fetch DN.  An example is below:

    LDAP Enable:  check

    LDAP Server Address:  50 52.240.195.129

    LDAP Port:  389 (or the SSL/TLS port 636, which is not enabled on ad.6connect.com)

    LDAP Security:  None

    LDAP Auth DN:  cn=%LOGIN%,ou=people,dc=6connect,dc=com

    LDAP Fetch DN:  cn=%LOGIN%

...

Right now the only configured user is:

...

    Password:  testpass

This user is part of the Global Admins group, as well as a few nonexistent groups.


Adding new users to LDAP is an incredible pain.  You have to SSH into ad.6connect.com and create an 'ldif' file.  Example:

    dn: cn=MajorMiner,ou=people,dc=6connect,dc=com
    cn: MajorMiner
    sn: MajorMiner
    objectclass: top
    objectclass: person
    objectclass: sixConnectPermissionsV2
    sixConnGroup: "Global Admins"
    sixConnGroup: "bonk"
    sixConnGroup: "poof"
    sixConnGroup: "grood"
    userPassword: testpass

To create a new user, make a new ldif file and change all instances of "MajorMiner" to whatever username you wish to create.  Do not remove any of the objectclass definitions.  Change the userPassword to whatever the password is going to be.  Yes, in plaintext.  I KNOW.  Add as many "sixConnGroup" declarations as groups the user is in.

After the file is created, run the following command to add the new user to the LDAP server:

ldapadd -h [SERVER] -x -f [LDIF FILE] -D [ROOTDN] -w [ROOT PW] -v

Example:

ldapadd -h localhost -x -f 6connect.ldif -D "cn=Manager,dc=6connect,dc=com" -w secret -v

I'm just going to say straight-up that I don't know what the -x and -v flags do, but they sure do do it.

[SERVER] and [LDIF FILE] are self-explanatory, but "-D [ROOTDN]" is another spate of LDAP-speak Tourette's.  Just don't change it.


...