concourse / concourse-bosh-deployment

A toolchain for deploying Concourse with BOSH.
Apache License 2.0

add LDAP Integration #112

Closed brightzheng100 closed 5 years ago

brightzheng100 commented 6 years ago

LDAP Integration

Set Up a Testing LDAP Server, like OpenLDAP (if required)

For a quick but complete setup of OpenLDAP, please refer to my blog here

The steps below assume that you have set up an LDAP server with exactly these users and groups, exposed as "ldap://192.168.50.1:10389".

Spin Up Cluster

$ bosh -e lite deploy  --no-redact -d concourse4 concourse.yml \
  -l ../versions.yml \
  --vars-store cluster-creds.yml \
  -o operations/static-web.yml \
  -o operations/tls-vars.yml \
  -o operations/tls.yml \
  -o operations/privileged-https.yml \
  -o operations/add-local-users.yml \
  -o operations/ldap.yml \
  -v web_ip=10.244.0.104 \
  -v external_url=https://10.244.0.104 \
  -v external_host=10.244.0.104 \
  -v network_name=default \
  -v web_vm_type=small \
  -v db_vm_type=small \
  -v db_persistent_disk_type=10GB \
  -v worker_vm_type=small \
  -v deployment_name=concourse4 \
  -v main_team_local_users='["bright"]' \
  -v add_local_users='["bright:CHANGEME"]' \
  \
  -v ldap_host="192.168.50.1:10389" \
  -v ldap_bind_dn="cn=admin,dc=bright,dc=com" \
  -v ldap_bind_pw="secret" \
  -v ldap_insecure_no_ssl="true" \
  -v ldap_insecure_skip_verify="true" \
  -v ldap_ca_cert=" " \
  -v ldap_start_tls="false" \
  -v ldap_user_search_base_dn="ou=people,dc=bright,dc=com" \
  -v ldap_user_search_filter="(objectClass=person)" \
  -v ldap_user_search_username="cn" \
  -v ldap_user_search_id_attr="DN" \
  -v ldap_user_search_name_attr="cn" \
  -v ldap_user_search_email_attr="mail" \
  -v ldap_user_search_scope=" " \
  -v ldap_group_search_base_dn="ou=groups,dc=bright,dc=com" \
  -v ldap_group_search_filter="(objectClass=groupOfNames)" \
  -v ldap_group_search_group_attr="member" \
  -v ldap_group_search_user_attr="DN" \
  -v ldap_group_search_name_attr="cn" \
  -v ldap_group_search_scope=" "

Note: tune accordingly to adapt to your env.

Login to main Team

$ fly login -t concourse4 -c https://10.244.0.104 -k -u bright -p CHANGEME
$ fly -t concourse4 teams -d
name  users         groups
main  local:bright  none

Create New Team(s)

Create different teams with --ldap-user and/or --ldap-group:

$ fly -t concourse4 set-team -n ldap-user --ldap-user=admin1 --non-interactive && \
  fly -t concourse4 set-team -n ldap-group --ldap-group=admins --non-interactive && \
  fly -t concourse4 set-team -n ldap-user-and-both --ldap-user=admin1 --ldap-group=admins --non-interactive

$ fly -t concourse4 teams -d
name                users         groups
ldap-group          none          ldap:admins
ldap-user           ldap:admin1   none
ldap-user-and-both  ldap:admin1   ldap:admins
main                local:bright  none

SIT

Overall conclusions:

User    Which team to log into    Teams that can be viewed                 Operations enabled?
admin1  ldap-user                 all 3 teams                              Yes
admin1  ldap-group                all 3 teams                              Yes
admin2  ldap-group                ldap-group and ldap-user-and-both only   Yes
admin1  ldap-user-and-both        all 3 teams                              Yes
admin2  ldap-user-and-both        ldap-group and ldap-user-and-both only   Yes

TL;DR -- you may simply ignore the rest as it really works as expected :)

Do the necessary preparation:

$ wget https://raw.githubusercontent.com/brightzheng100/concourse-demo/master/pipeline-ring.yml

Note: it is better to use a Chrome Incognito window for each of the login steps below, to avoid potential token/session pollution.

Login To Team ldap-user And Test It Out

Login using the test account: admin1/secret.

$ fly -t concourse4 login -n ldap-user -k
$ fly -t concourse4 teams -d
name                users        groups
ldap-group          none         ldap:admins
ldap-user           ldap:admin1  none
ldap-user-and-both  ldap:admin1  ldap:admins

Test:

$ fly -t concourse4 sp -p pipeline-ring -c pipeline-ring.yml && \
  fly -t concourse4 up -p pipeline-ring && \
  fly -t concourse4 trigger-job -j pipeline-ring/job-ring -w && \
  fly -t concourse4 dp -p pipeline-ring -n

started pipeline-ring/job-ring #1

initializing
...
running sh -exc date
echo "I love Concourse!"
+ date
Thu Oct 18 05:39:34 UTC 2018
+ echo 'I love Concourse!'
I love Concourse!
succeeded
...

Conclusion:

  1. As admin1 is explicitly specified in ldap-user and ldap-user-and-both and also belongs to the group admins, it displays all 3 teams as its teams;
  2. User admin1 can do the expected operations.

Login To Team ldap-group And Test It Out

Login using both test accounts: admin1/secret and admin2/secret.

Login as admin1/secret

$ fly -t concourse4 login -n ldap-group -k
$ fly -t concourse4 teams -d
name                users        groups
ldap-group          none         ldap:admins
ldap-user           ldap:admin1  none
ldap-user-and-both  ldap:admin1  ldap:admins

Test:

$ fly -t concourse4 sp -p pipeline-ring -c pipeline-ring.yml && \
  fly -t concourse4 up -p pipeline-ring && \
  fly -t concourse4 trigger-job -j pipeline-ring/job-ring -w && \
  fly -t concourse4 dp -p pipeline-ring -n

started pipeline-ring/job-ring #1

initializing
...
running sh -exc date
echo "I love Concourse!"
+ date
Thu Oct 18 05:39:34 UTC 2018
+ echo 'I love Concourse!'
I love Concourse!
succeeded

Conclusion:

  1. As admin1 is explicitly specified in teams ldap-user and ldap-user-and-both and also belongs to the group admins, it displays all 3 teams as its teams;
  2. User admin1 can do the expected operations.

Login as admin2/secret

$ fly -t concourse4 login -n ldap-group -k
$ fly -t concourse4 teams -d
name                users        groups
ldap-group          none         ldap:admins
ldap-user-and-both  ldap:admin1  ldap:admins

Test:

$ fly -t concourse4 sp -p pipeline-ring -c pipeline-ring.yml && \
  fly -t concourse4 up -p pipeline-ring && \
  fly -t concourse4 trigger-job -j pipeline-ring/job-ring -w && \
  fly -t concourse4 dp -p pipeline-ring -n

started pipeline-ring/job-ring #1

initializing
...
running sh -exc date
echo "I love Concourse!"
+ date
Thu Oct 18 05:39:34 UTC 2018
+ echo 'I love Concourse!'
I love Concourse!
succeeded

Conclusion:

  1. As admin2 belongs to the group admins, it displays the 2 related teams as its teams;
  2. User admin2 can do the expected operations.

Login To Team ldap-user-and-both And Test It Out

Login using both test accounts: admin1/secret and admin2/secret.

Login as admin1/secret

$ fly -t concourse4 login -n ldap-user-and-both -k
$ fly -t concourse4 teams -d
name                users        groups
ldap-group          none         ldap:admins
ldap-user           ldap:admin1  none
ldap-user-and-both  ldap:admin1  ldap:admins

Test:

$ fly -t concourse4 sp -p pipeline-ring -c pipeline-ring.yml && \
  fly -t concourse4 up -p pipeline-ring && \
  fly -t concourse4 trigger-job -j pipeline-ring/job-ring -w && \
  fly -t concourse4 dp -p pipeline-ring -n

started pipeline-ring/job-ring #1

initializing
...
running sh -exc date
echo "I love Concourse!"
+ date
Thu Oct 18 05:39:34 UTC 2018
+ echo 'I love Concourse!'
I love Concourse!
succeeded

Conclusion:

  1. As admin1 is explicitly specified in teams ldap-user and ldap-user-and-both and also belongs to the group admins, it displays all 3 teams as its teams;
  2. User admin1 can do the expected operations.

Login as admin2/secret

$ fly -t concourse4 login -n ldap-user-and-both -k
$ fly -t concourse4 teams -d
name                users        groups
ldap-group          none         ldap:admins
ldap-user-and-both  ldap:admin1  ldap:admins

Test:

$ fly -t concourse4 sp -p pipeline-ring -c pipeline-ring.yml && \
  fly -t concourse4 up -p pipeline-ring && \
  fly -t concourse4 trigger-job -j pipeline-ring/job-ring -w && \
  fly -t concourse4 dp -p pipeline-ring -n

started pipeline-ring/job-ring #1

initializing
...
running sh -exc date
echo "I love Concourse!"
+ date
Thu Oct 18 05:39:34 UTC 2018
+ echo 'I love Concourse!'
I love Concourse!
succeeded

Conclusion:

  1. As admin2 belongs to the group admins, it displays the 2 related teams as its teams;
  2. User admin2 can do the expected operations.

All done!
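
The following is an added example, not code from this PR, from concourse-bosh-deployment or from Concourse itself. It simulates, against a constructed in-memory directory, how Concourse's dex-based LDAP connector is driven by the ldap_user_search_* and ldap_group_search_* values in the deploy command above (user filter combined with (cn=<username>), then group filter combined with (member=<user DN>), "DN" meaning the entry's DN rather than an attribute), and then applies the team membership rule behind the SIT table: an identity sees a team if it is listed by user or by any of its groups. The DNs, the admin1/admin2 entries, their "secret" passwords and the e-mail addresses are assumptions chosen to mirror the text; the simulated bind compares a clear-text userPassword purely for illustration.

```python
"""Simulate Concourse's LDAP user/group resolution and team visibility.

Added example (not project code). Directory contents, passwords and the
single-equality filter support are assumptions made for this illustration.
"""
import re
from typing import Dict, List

# Constructed directory mirroring the DNs used in the bosh deploy command.
PEOPLE_BASE = "ou=people,dc=bright,dc=com"
GROUPS_BASE = "ou=groups,dc=bright,dc=com"
DIRECTORY = [
    {"dn": f"cn=admin1,{PEOPLE_BASE}", "objectClass": ["person"], "cn": ["admin1"],
     "mail": ["admin1@bright.com"], "userPassword": ["secret"]},
    {"dn": f"cn=admin2,{PEOPLE_BASE}", "objectClass": ["person"], "cn": ["admin2"],
     "mail": ["admin2@bright.com"], "userPassword": ["secret"]},
    {"dn": f"cn=admins,{GROUPS_BASE}", "objectClass": ["groupOfNames"], "cn": ["admins"],
     "member": [f"cn=admin1,{PEOPLE_BASE}", f"cn=admin2,{PEOPLE_BASE}"]},
]

# The ldap_* search values from the deploy command, keyed by the ops-file var name.
LDAP_CFG = {
    "user_search_base_dn": PEOPLE_BASE,
    "user_search_filter": "(objectClass=person)",
    "user_search_username": "cn",
    "user_search_id_attr": "DN",
    "user_search_name_attr": "cn",
    "user_search_email_attr": "mail",
    "group_search_base_dn": GROUPS_BASE,
    "group_search_filter": "(objectClass=groupOfNames)",
    "group_search_group_attr": "member",
    "group_search_user_attr": "DN",
    "group_search_name_attr": "cn",
}

# Team auth exactly as `fly teams -d` printed it after the set-team calls.
TEAMS = {
    "main": {"users": ["local:bright"], "groups": []},
    "ldap-user": {"users": ["ldap:admin1"], "groups": []},
    "ldap-group": {"users": [], "groups": ["ldap:admins"]},
    "ldap-user-and-both": {"users": ["ldap:admin1"], "groups": ["ldap:admins"]},
}

_SIMPLE_FILTER = re.compile(r"^\((\w+)=([^()]*)\)$")


def _attr_equals(entry: dict, attr: str, value: str) -> bool:
    # "DN" is the connector's special value meaning "use the entry's DN".
    have = [entry["dn"]] if attr == "DN" else entry.get(attr, [])
    return any(v.lower() == value.lower() for v in have)


def _search(base: str, admin_filter: str, attr: str, value: str) -> List[dict]:
    """Emulate the connector: search (&<admin_filter>(<attr>=<value>)) under base.
    Only single-equality admin filters, like the two in the deploy, are handled."""
    m = _SIMPLE_FILTER.match(admin_filter)
    if not m:
        raise ValueError(f"unsupported filter for this simulation: {admin_filter}")
    fattr, fvalue = m.groups()
    return [e for e in DIRECTORY
            if e["dn"].lower().endswith("," + base.lower())
            and _attr_equals(e, fattr, fvalue)
            and _attr_equals(e, attr, value)]


def ldap_login(username: str, password: str, cfg: dict = LDAP_CFG) -> Dict[str, object]:
    """Return the identity Concourse would receive for a successful LDAP login."""
    users = _search(cfg["user_search_base_dn"], cfg["user_search_filter"],
                    cfg["user_search_username"], username)
    if len(users) != 1:
        raise PermissionError(f"expected exactly one user entry, found {len(users)}")
    user = users[0]
    if password not in user.get("userPassword", []):  # simulated bind as the user
        raise PermissionError("invalid credentials")
    user_attr = cfg["group_search_user_attr"]
    user_key = user["dn"] if user_attr == "DN" else user[user_attr][0]
    groups = _search(cfg["group_search_base_dn"], cfg["group_search_filter"],
                     cfg["group_search_group_attr"], user_key)
    id_attr = cfg["user_search_id_attr"]
    return {
        "connector": "ldap",
        "id": user["dn"] if id_attr == "DN" else user[id_attr][0],
        "user": user[cfg["user_search_name_attr"]][0],
        "email": user[cfg["user_search_email_attr"]][0],
        "groups": [g[cfg["group_search_name_attr"]][0] for g in groups],
    }


def visible_teams(identity: Dict[str, object], teams: dict = TEAMS) -> List[str]:
    """Teams whose auth lists the identity by user or by any of its groups."""
    me = f"{identity['connector']}:{identity['user']}"
    mine = {f"{identity['connector']}:{g}" for g in identity["groups"]}
    return sorted(name for name, auth in teams.items()
                  if me in auth["users"] or mine & set(auth["groups"]))


if __name__ == "__main__":
    for name in ("admin1", "admin2"):
        ident = ldap_login(name, "secret")
        print(name, "groups:", ident["groups"], "teams:", visible_teams(ident))
```

Running it reproduces the SIT matrix: admin1 resolves to the group admins and sees all three LDAP teams, while admin2, who is only reachable through that group, sees ldap-group and ldap-user-and-both. Changing ldap_group_search_group_attr or the member values in the constructed group shows immediately which setting breaks group-based team access, which is the check worth doing before pointing a real deployment at a directory.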

aad commented 5 years ago

would be nice if this pr could be reviewed and merged.

it's quite useful in our local (along with a ldap-auth.yml ops file based on the style of other providers)

vito commented 5 years ago

thanks! sorry for the delay.