diff --git a/_posts/2021-10-27-apstra-web-ui-freeipa-integration.md b/_posts/2021-10-27-apstra-web-ui-freeipa-integration.md index 6a3d930..20e0442 100644 --- a/_posts/2021-10-27-apstra-web-ui-freeipa-integration.md +++ b/_posts/2021-10-27-apstra-web-ui-freeipa-integration.md @@ -16,9 +16,9 @@ tags: ## First Attempt (the correct one?) -Looking to provide multiple users sane access to Apstra 4.0.0, I found it supports LDAP based directories in the form of “Providers” in the “External Systems” section. +Looking to provide multiple users sane access to Apstra 4.0.0, I found it supports LDAP based directories in the form of “Providers” in the “External Systems” section: - +[Apstra Documentation](https://www.juniper.net/documentation/us/en/software/apstra/apstra4.0.0/providers.html#creating-ldap-provider) I happily adapted the default configuration to match the FreeIPA schema (tested with FreeIPA 4.6.8), I could authenticate users succesfully but authorization failed, not matter what parameter I change to modify the group lookup function. @@ -29,8 +29,9 @@ I happily adapted the default configuration to match the FreeIPA schema (tested | Bind DN | uid=sys.apstra,cn=users,cn=accounts,dc=ipa,dc=mydomain,dc=com | | Password | you.wish | | Encryption | STARTTLS | +
-
Tested “Provider-specific Parameters” – Not working
+
Table 1 - Tested “Provider-specific Parameters” – Not working
@@ -51,7 +52,7 @@ I happily adapted the default configuration to match the FreeIPA schema (tested | Group Object Class Attribute Name | groupofnames\* | No |
-
Tested “Advanced configuration” – Not working
+
Table 2 - Tested “Advanced configuration” – Not working
@@ -59,11 +60,12 @@ Take into account that “Group Object Class Attribute Name” can take “group Looking at the logs, the attribute for user membership lookup seems to be hardcoded to UID, hence the lookup is: -`SRCH base="cn=groups,cn=accounts,dc=ipa,dc=mydomain,dc=com" scope=2 filter="(member=john.doe)" attrs="cn"` + +> SRCH base="cn=groups,cn=accounts,dc=ipa,dc=mydomain,dc=com" scope=2 filter="(member=john.doe)" attrs="cn" When it should be like: -`SRCH base="cn=groups,cn=accounts,dc=ipa,dc=mydomain,dc=com" scope=2 filter="(member=uid=john.doe,cn=users,cn=accounts,dc=ipa,dc=mydomain,dc=com)" attrs="cn"` +> SRCH base="cn=groups,cn=accounts,dc=ipa,dc=mydomain,dc=com" scope=2 filter="(member=uid=john.doe,cn=users,cn=accounts,dc=ipa,dc=mydomain,dc=com)" attrs="cn" ## The workaround @@ -90,7 +92,7 @@ As only the group lookup fails, we’ll use the compat view only for the groups. | Encryption | STARTTLS |
-
Tested “Provider-specific Parameters” – Working workaround
+
Table 3 - Tested “Provider-specific Parameters” – Working workaround
@@ -110,10 +112,12 @@ As only the group lookup fails, we’ll use the compat view only for the groups. | Group Member Attribute Name | entryDN | Yes | | Group Member Mapping Attribute Name | **memberUid** | **Yes** | | Group Object Class Attribute Name | **posixGroup** | **Yes** | +
-
Tested “Advanced configuration” – Working workaround
+
Table 4 - Tested “Advanced configuration” – Working workaround
+ Don’t forget to setup the “Provider Role Mapping” section to get authorization working. @@ -123,8 +127,9 @@ Don’t forget to setup the “Provider Role Mapping” section to get authoriza | device\_ztp | gapstra-device\_ztp | | user | gapstra-user | | viewer | gapstra-viewer | +
-
Role Mapping setup
+
Table 5 - Role Mapping setup
## Side note @@ -139,7 +144,7 @@ Even though I can get proper authentication & authorization, the “role”
my alt text -
Profile for LDAP backed user.
+
Image 1 - Profile for LDAP backed user.
@@ -149,5 +154,5 @@ Even though I can get proper authentication & authorization, the “role”
my alt text -
Profile for internal admin user.
+
Image 2 - Profile for internal admin user.
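Review bot: In the first hunk (`@@ -16,9 +16,9 @@`), the unchanged sentence directly below the new documentation link still carries typos that this wording pass could pick up: "succesfully" should be "successfully" and "not matter what parameter I change" should read "no matter what parameter I changed". The new link line itself is fine, though link text naming the target section ("Apstra 4.0.0 docs: Creating an LDAP provider") would tell the reader what they are clicking before they leave the page.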
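Review bot: In the `@@ -59,11 +60,12 @@` hunk, switching the two `SRCH ...` log lines from inline code spans to `>` blockquotes drops verbatim rendering, which matters here because the whole point of the section is the exact filter string: a blockquote is ordinary markdown text, so the site's typography (this post already renders “Providers” with curly quotes) can turn the straight quotes in `filter="(member=john.doe)"` into smart quotes and the long line can be reflowed, making the `member=john.doe` versus `member=uid=john.doe,cn=users,...` comparison harder to copy and verify against a real directory log. A fenced code block keeps both lines byte-for-byte. Separately, the hunk inserts a blank `+` line before the first quoted line but not before the second, so the spacing around the two examples is inconsistent.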
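Review bot: In the `@@ -110,10 +112,12 @@` hunk, the blank line added after the "Table 4" caption has no counterpart in the other caption hunks (`-29`, `-51`, `-90`, `-123`), which add a blank line only before the caption; pick one spacing and apply it to all five so the captions render uniformly. While touching this region, the unchanged "Don't forget to setup the “Provider Role Mapping” section" should read "set up" (verb).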
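Review bot: In the `@@ -139,7 +144,7 @@` hunk (and likewise `@@ -149,5 +154,5 @@`), both screenshots still carry the literal placeholder "my alt text" on the unchanged image line while the change adds "Image 1 - Profile for LDAP backed user." and "Image 2 - Profile for internal admin user." as captions; since the descriptive text now exists, reuse it as the alt attribute so the images degrade meaningfully for screen readers and when the image fails to load.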