Logo

Configure LDAPS Authentication for OneFuse/CMP

Overview

This guide will go over how to configure LDAPS Authentication for the OneFuse/CMP Platform. This is a temporary/backup solution until the LDAP Integration has been added to the OneFuse UI.

Considerations

OneFuse Supported Versions: v1.2+

We will assume that OneFuse/CMP is already setup and configured, and that you have a certificate that will be used for LDAPS

OneFuse

LDAPS Setup Script

  1. Establish an SSH session to the OneFuse Platform

  2. Navigate to /opt/cloudbolt/initialize/

    1. Command: cd /opt/cloudbolt/initialize/

  3. Run the setup_fuse_domain.sh script

    1. Command: ./setup_fuse_domain.sh

  4. Configure the options as prompted

    1. Domain: domain.com

    2. FQDN or IP of Directory Server: ad.domain.com

    3. Protocol [ldap or ldaps]: ldaps

    4. Port: 636 or custom port

    5. Domain Authentication Account [user@domain]: serviceaccount@domain.com

    6. Domain Authentication Password: ***********

    7. Base DN: DC=domain,DC=com

      1. Note: This base DN is used for user and group search. It is recommended to keep it closer to the root DN

    8. Username [sAMAccountName]: sAMAccountName or other attribute

    9. First Name [givenName]: givenName or other attribute

    10. Last Name [sn]: sn or other attribute

    11. Email [mail]: mail or other attribute

    12. Group DN for Workspace Admins: CN=Workspace_Admins, OU=Group,DC=domain,DC=com

      1. Note: To skip this option, leave the field blank

    13. Group DN for Workspace Members: CN=Workspace_Members, OU=Group,DC=domain,DC=com

      1. Note: To skip this option, leave the field blank

    14. Group DN for Workspace Executors: CN=Workspace_Executors, OU=Group,DC=domain,DC=com

      1. Note: To skip this option, leave the field blank

    15. Group DN for Workspace Viewers: CN=Workspace_Viewers, OU=Group,DC=domain,DC=com

      1. Note: To skip this option, leave the field blank

  5. After filling in all fields, the logs will show LDAP configuration complete

  6. This script can be ran additional times for either different domains or run against the same domain to update/modify the variables or attributes

Copy Certificate to Appliance

  1. Make sure you have the text formatted certificate (BEGIN Certificate / END Certificate)

    1. If you don’t have the certificate, you can pull it by using this command

      openssl s_client -showcerts -verify 5 -connect domain.com:636 < /dev/null

    2. Copy the cert content from the output and paste into a text document

  2. Now that we have our cert, we’re going to copy it over to the Proserv directory (/var/opt/cloudbolt/proserv) on the server

  3. Once you have the cert copied over, we will move onto the Modify Customer_Setting.py step.

Modify Customer_Setting.py

  1. In the proserv directory, there will be a customer_settings.py script that we will need to modify

  2. Open the file in a text editor and add these lines to the top of the file.
    Note: Replace the file name in line 2 with your cert file

    from settings import *
LDAP_CACERTFILE = '/var/opt/cloudbolt/proserv/cert.txt'

  3. Now that you’ve added those line, save the file

  4. Run systemctl restart httpd to restart the Apache engine

  5. Once the Apache engine has been restarted, move onto the Verification step

Verification

  1. Open the OneFuse UI and verify that you can login with your domain account

    1. If you are able to login, you are all set

      1. Note: You may need to login with the Admin account to add the user to the workspace

    2. If you can’t login, please go to the Troubleshooting section for assistance


CMP

LDAPS Configuration

1.

Modify Customer_Setting.py

  1. In the proserv directory, there will be a customer_settings.py script that we will need to modify

  2. Open the file in a text editor and add these lines to the top of the file. 

    from utilities.helpers import get_ssl_verification
LDAP_CACERTFILE = get_ssl_verification()

  3. Now that you’ve added those line, save the file

  4. Run systemctl restart httpd to restart the Apache engine

  5. Once the Apache engine has been restarted, move onto the Verification step

Verification

  1. Open the CMP UI and verify that you can login with your domain account

    1. If you are able to login, you are all set

    2. If you can’t login, please go to the Troubleshooting section for assistance

Troubleshooting

If you have problems logging in with your domain account, please check the authentication.log and application.log files for more information. The logs can be found in /var/log/cloudbolt

No such file or directory

The certificate is in the wrong format. Please make sure the cert file is .txt and the contents are correct

TLS: hostname does not match CN in peer certificate

Make sure your LDAP congfig IP/Name matches the certificate

Additional information

https://support.cloudbolt.io/hc/en-us/articles/360057377151-Configure-LDAP-Authentication-for-OneFuse-via-Command-Line

https://support.cloudbolt.io/hc/en-us/articles/360058658912-OneFuse-LDAP-Troubleshooting

Bolty McBoltFace -
Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.