vmware-archive / lightwave

Identity services for traditional infrastructure, applications and containers.

Import users from existing LDAP #24

Closed It4lik closed 6 years ago

It4lik commented 7 years ago

Hi, I'm using the integrated Lightwave that comes with Photon Controller. Lightwave is used here primarily to provide an authorization/authentication system. I wanted to know if there's any way to import existing users from an external LDAP service (AD or OpenLDAP), and, for example, put them in a generic/non-privileged security group by default.

Or maybe use another LDAP service as a backend?

My problem is the following: we already have a functional LDAP containing our users, and I don't want to script something ugly to replicate users (without their passwords...) or ask every user to create a new account on first connection to Lightwave.

kganugapati commented 7 years ago

Hi, you can simply use the STS UI to configure your LDAP server/AD Domain Controller as an Identity Source. You don't have to use Lightwave as your user and group store. The OAuth service will reach out to your external LDAP server, query for user and group information, and use that in the OAuth token. If you have an Active Directory platform, you can use IWA: you can join the Lightwave server to your AD domain controller and we will use the Kerberos PAC to compute your user group closure.
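The reply above describes the identity source reaching out to an external directory and computing the user's group closure for the token. The following is an added example, not code from Lightwave or Photon Controller, showing the two ways that closure is usually obtained: a single Active Directory query using the LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941), where the server does the nesting for you, and a client-side walk over `member` attributes for directories that cannot (OpenLDAP without a memberOf overlay, for instance), with cycle protection. The directory, DNs, account names and group layout are constructed in memory so the script runs offline; they are assumptions, not anything from the thread.

```python
"""Added example (not Lightwave's or Photon Controller's own code).

Computes a user's group closure: the groups the user is directly in, plus
every group that transitively contains those groups. That closure is what an
OIDC/OAuth token's groups claim carries when an external LDAP/AD is the
identity source. The directory below is constructed for illustration.
"""
from typing import Dict, List, Set

# Constructed sample directory (DN -> attributes). Nothing here is real.
# Note the deliberate cycle: engineering -> staff -> engineering.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=alice,ou=users,dc=example,dc=com": {
        "objectClass": ["person"], "sAMAccountName": ["alice"], "member": []},
    "cn=bob,ou=users,dc=example,dc=com": {
        "objectClass": ["person"], "sAMAccountName": ["bob"], "member": []},
    "cn=developers,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=alice,ou=users,dc=example,dc=com"]},
    "cn=engineering,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=developers,ou=groups,dc=example,dc=com",
                   "cn=bob,ou=users,dc=example,dc=com",
                   "cn=staff,ou=groups,dc=example,dc=com"]},
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=engineering,ou=groups,dc=example,dc=com"]},
    "cn=everyone,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=staff,ou=groups,dc=example,dc=com"]},
}

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible-match rule OID.
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def ad_transitive_member_filter(user_dn: str) -> str:
    """One-query filter that makes AD return every group containing user_dn,
    nested groups included. The server walks the chain, so no client loop."""
    return "(&(objectClass=group)(member:%s:=%s))" % (
        AD_IN_CHAIN, ldap_escape(user_dn))


def find_user_dn(sam_account_name: str) -> str:
    """Resolve a login name to its DN (a (sAMAccountName=...) lookup)."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("sAMAccountName") == [sam_account_name]:
            return dn
    raise KeyError(sam_account_name)


def direct_groups(member_dn: str) -> Set[str]:
    """Groups whose member attribute lists member_dn, i.e. a (member=DN) query."""
    return {dn for dn, attrs in DIRECTORY.items()
            if "group" in attrs["objectClass"] and member_dn in attrs["member"]}


def group_closure(member_dn: str) -> Set[str]:
    """Client-side transitive membership: walk parents of parents, with a
    'seen' set so cycles and diamonds in the group graph terminate."""
    seen: Set[str] = set()
    frontier = [member_dn]
    while frontier:
        current = frontier.pop()
        for group in direct_groups(current):
            if group not in seen:
                seen.add(group)
                frontier.append(group)
    return seen


def groups_claim(sam_account_name: str) -> List[str]:
    """Sorted group DNs a token's groups claim would carry for this login."""
    return sorted(group_closure(find_user_dn(sam_account_name)))


if __name__ == "__main__":
    dn = find_user_dn("alice")
    print("AD single-query filter:", ad_transitive_member_filter(dn))
    print("client-side closure:", groups_claim("alice"))
```

The filter string is what you would hand to `ldapsearch` or an LDAP client library against a real domain controller; the in-memory walk is only there to show the same result computed without server-side chaining. Whichever way the closure is produced, the cycle guard matters: nested group loops do occur in real directories, and an unguarded walk never terminates.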

It4lik commented 7 years ago

Correct me if I'm wrong, but STS is only a vCenter service, isn't it? Here I only have ESXi hosts with Photon Controller, not vCenter. You said that I "don't have" to use Lightwave users and groups, but Photon Controller seems to only work with these. About joining the Lightwave server to my AD domain, I will consider it once we have really tested Photon Controller, and once we are looking to use it in a production environment, if this ever happens.

snambakam commented 7 years ago

VMware open sourced the STS that is used in vCenter, as Lightwave. Photon Controller relies on Lightwave for OIDC support. Photon Controller can be configured to authorize users and groups from Active Directory.