Knowledge Base

Configure LDAP Authentication for OneFuse

Sid Smith

13 Apr 2021 • 3 min read

This guide will go over how to configure LDAP Authentication for the OneFuse Platform via the command line. This is a temporary/backup solution until the LDAP Integration has been added to the OneFuse UI.

Considerations

OneFuse supported versions: v1.2+
*Note: For v1.3, there is a known issue – please refer to the section: Manually Add Users
The initial configuration starts with a .sh script that is contained within the /opt/cloudbolt/initialize/ path on the appliance. Additional commands can be executed via the shell to see/manage the setup.
All user settings in the OneFuse UI, such as password, membership, etc will be reverted back to the original LDAP mappings if changed in the OneFuse UI.

Procedure

Run the setup.sh script

Establish an SSH session to the OneFuse Platform
Navigate to /opt/cloudbolt/initialize/
Command: cd /opt/cloudbolt/initialize/
Run the setup_fuse_domain.sh script
Command: ./setup_fuse_domain.sh
Configure the options as prompted
Domain: domain.com
FQDN or IP of Directory Server: ad.domain.com
Protocol [ldap or ldaps]: ldapor ldaps
Port: 389 or 686 or custom port
Domain Authentication Account [user@domain]: [email protected]
Domain Authentication Password: ***********
Base DN: DC=domain,DC=com
1. Note: This base DN is used for user and group search. It is recommended to keep it closer to the root DN
Username [sAMAccountName]: sAMAccountName or other attribute
First Name [givenName]: givenName or other attribute
Last Name [sn]: sn or other attribute
Email [mail]: mail or other attribute
Group DN for Workspace Admins: CN=Workspace_Admins, OU=Group,DC=domain,DC=com
1. Note: To skip this option, leave the field blank
Group DN for Workspace Members: CN=Workspace_Members, OU=Group,DC=domain,DC=com
1. Note: To skip this option, leave the field blank
Group DN for Workspace Executors: CN=Workspace_Executors, OU=Group,DC=domain,DC=com
1. Note: To skip this option, leave the field blank
Group DN for Workspace Viewers: CN=Workspace_Viewers, OU=Group,DC=domain,DC=com
1. Note: To skip this option, leave the field blank
After filling in all fields, the logs will show LDAP configuration complete
This script can be ran additional times for either different domains or run against the same domain to update/modify the variables or attributes

Test the login to the UI using the following format for the username: [email protected]

*If on OneFuse v1.3, refer to the Manually Add Users section.

Additional commands for LDAP configuration validation or modification

SSH into the OneFuse appliance and run the following command to open the python shell

/opt/cloudbolt/manage.py shell_plus

Prerequisite command for all sub-commands

The below command must be ran to determine and map the LDAP connection for all subsequent commands

Command Description	Code	Example Return
List all LDAP Configurations	`LDAPUtility.objects.all()`	`In [1]: LDAPUtility.objects.all() ...: ...: Out[1]: <QuerySet [<LDAPUtility: domain.com>]>`
Map to the LDAP Configuration based on domain name	`ldap = LDAPUtility.objects.get(ldap_domain="domain.com")`	N/A

Subsequent Commands

With the ldap variable mapped to the LDAP Configuration, the below commands can be executed to query/submit an action against the LDAP Configuration

Command Description	Code	Example Return
Search Username in LDAP configuration	`ldap.runUserSearch("username")`	`In [7]: ldap.runUserSearch("username") Out[7]: [('CN=username,OU=Group,DC=domain,DC=com', {})]`
Delete LDAP configuration	`ldap.delete()`	N/A

Manually Add Users

*Only perform the steps below for OneFuse v1.3.

Have the user(s) log in with their Domain Account - This will add them to the OneFuse Users list
Have the OneFuse Administrator log in with “admin” and perform the following steps:
Click on Workspace Admin > User Management from the left navigation menu
Click on [+ Add]
Select the user from the list and select the appropriate role.
Repeat for all Users