Configuring the RADIUS or LDAP server on Blue Planet

Blue Planet ships with standard primary and backup configuration files. To configure RADIUS or LDAP, update these configuration files, addressed by their specific Universally Unique Identifier (UUID), to enable or disable RADIUS or LDAP.

Configuring RADIUS

To configure your RADIUS server using the Blue Planet API:

  1. Create a token key for the Blue Planet server to communicate with the RADIUS server.

    curl -k -H "Content-Type:application/json" -d '{"username":"admin","password":"adminpw", "tenant":"master"}' -X POST https://10.205.33.106/tron/api/v1/tokens

    A response containing text similar to the following displays:

    {"token":"78b97d242d3bcac14b87","user":"4f04fde0-9752-438a-8589-b76c8049e51d","sessionId":"feac094a-f75d-4855-b66b-32cc1066d168","timeout":86400,"createdTime":"2016-05-02T22:31:53.150250Z","failedLoginAttempts":0,"lastSuccessIpAddress":"10.205.33.106","lastSuccessLogin":"2016-05-02 22:29:09+00:00"}

    where the Blue Planet server with IP address 10.205.33.106 creates the token “78b97d242d3bcac14b87”. You can replace the IP address in the command with the fully qualified domain name (FQDN).

  2. Get the radius-config from Blue Planet using the token you created in step 1.

    curl -H "Accept: application/json" -k -H "Authorization: token 78b97d242d3bcac14b87" -X GET https://10.205.33.106/tron/api/v1/radius-configs

    A list similar to the following displays:

    {"count":2,"previous":null,"results":[{"description":"","createdTime":"2016-05-02T20:59:15Z","modifiedTime":"2016-05-02T20:59:15Z","uuid":"88eebd1b-5496-4ba0-92c1-fc68eea51ce2/","name":"primary_config","enabled":false,"serverIp":"","enableSsl":false,"domainSearchUser":"","baseDn":"","userNameAttribute":"sAMAccountName","tenantAttribute":"tenant","groupNameAttribute":"cn","groupObjectFilter":"(objectClass=Group)","roleMap":"{}"},{"description":"","createdTime":"2016-05-02T20:59:15Z","modifiedTime":"2016-05-02T20:59:15Z","uuid":"4b7790c5-5f3d-4cf8-8f42-1547ac7d929c","name":"backup_config","enabled":false,"serverIp":"","enableSsl":false,"domainSearchUser":"","baseDn":"","userNameAttribute":"sAMAccountName","tenantAttribute":"tenant","groupNameAttribute":"cn","groupObjectFilter":"(objectClass=Group)","roleMap":"{}"}],"page":1,"next":null}

  3. To configure a primary server (enable RADIUS and set the server IP address, the shared secret and the tenant name), patch the primary_config or backup_config using the UUID returned in the previous step.

    curl -H "Accept: application/json" -k -H "Authorization: token 78b97d242d3bcac14b87" -X PATCH -d "name=primary_config&enabled=True&server_ip=radius_server_ip&server_secret=radius_server_secret" http://<server_ip>/tron/api/v1/radius-configs/27245c3f-0c71-46a3-b129-db10948d9ca4/

    A list similar to the following displays:

    {"description":"","createdTime":"2016-04-28T00:28:26Z","modifiedTime":"2016-04-28T00:28:26Z","uuid":"a9d78c2c-faea-4b31-819b-c607c0ecbcf4","name":"primary_config","enabled":true,"serverIp":"radius_server_ip","enableSsl":false,"domainSearchUser":"Administrator@AD","baseDn":"cn","userNameAttribute":"sAMAccountName","tenantAttribute":"description","groupNameAttribute":"cn","groupObjectFilter":"(objectClass=Group)","roleMap":"{\"Administrators\": {\"uac_role_name\": \"admin\", \"app_name\": \"UAC\"}}"}

    Note: There is a space between the curl command and the URL. You can substitute details to create your command for the backup_config as needed.

  4. To verify successful configuration, log in to Blue Planet using your RADIUS user credentials.

  5. To disable RADIUS server authentication, patch the specific config file. For example, to change the enabled attribute to False, enter the following:

    curl -H "Accept: application/json" -k -H "Authorization: token 78b97d242d3bcac14b87" -X PATCH -d "enabled=False" http://<server_ip>/tron/api/v1/radius-configs/27245c3f-0c71-46a3-b129-db10948d9ca4/

    Ensure this command string appears as a continuous string.

Configuring LDAP

The following list describes the LDAP information you must set in the ldap-configs file in Blue Planet. When you set attributes in the ldap-configs file, use snake_case names (underscores between words, such as server_ip). Responses from Blue Planet use camelCase names, such as serverIp.

  • The IP address of the LDAP server.

  • The enabled state of the config, which must be true.

  • The bind-DN username and bind-password used to perform LDAP search operations. Most systems allow any regular LDAP user to perform search operations; otherwise, you must ask your company’s LDAP administrator to configure this.

  • The bind-DN format uses comma-separated Relative Distinguished Names (RDNs), such as “cn=manager,dc=ciena,dc=com”, or an email-address-like format, such as “Administrator@AD” or [email protected], depending on the LDAP server.

  • The base DN format uses comma-separated RDNs, such as “dc=ciena,dc=com”, “dc=ad,dc=cyaninc,dc=com”, or “cn=users,dc=cyanoptics,dc=com”, depending on the LDAP server setup.

  • The user naming attribute for the user account. For an Active Directory server, the attribute is sAMAccountName. For other types of servers/databases, the attribute is uid. It is critical to set this correctly.

  • If you have multiple tenants, use an attribute of the LDAP user account to store the Blue Planet tenant information. Ciena recommends the description attribute, but you can choose another attribute if one is available. In step 2, the ldap-configs file has the value “tenant” for the “tenantAttribute” attribute. Your LDAP user accounts may not have a “tenant” attribute, so you must replace this value with an attribute that the LDAP user account does have (such as “description”).

Ciena recommends that you gather the LDAP information above and then manually perform an LDAP search to confirm that the search succeeds. You can use any of the LDAP search tools available online. If the search does not retrieve the information from the LDAP server, one or more of the attributes is probably incorrect. All users must also have valid email addresses in the LDAP server.

For example, searching an existing user account on an Active Directory server with the filter uid=<name>:

ldapsearch -x -H ldap://10.205.33.106 -D "[email protected]" -LLL -b dc=ad,dc=cyaninc,dc=com -w NewPassword@ "(uid=user1)"

The server does not return an entry, because on an Active Directory server the correct filter is “(sAMAccountName=user1)”.
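The mismatch above (uid versus sAMAccountName) is the most common reason a test search returns nothing. The Python below is an added example, not Ciena or Blue Planet code: it builds the user lookup filter from the configured user naming attribute, escapes the username per RFC 4515 so a value can never alter the filter's structure, and evaluates the result against two constructed in-memory entries (one AD-style, one inetOrgPerson-style) to show why `(uid=user1)` finds nothing on Active Directory. The `ldapsearch_argv` helper produces the same command as the page but with `-W` (prompt for the bind password) instead of `-w`, which keeps the password out of shell history and process listings; the sample DNs, addresses and the `server_type` labels are assumptions.

```python
import re

# RFC 4515 escapes for the characters that are special inside a filter
# assertion value. Applying them means a supplied username can only ever be
# compared as a literal value, never extend or reshape the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# LDAP attribute descriptions: a letter followed by letters, digits or hyphens.
_ATTRIBUTE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_name_attribute_for(server_type: str) -> str:
    """Attribute that names the account: sAMAccountName on Active Directory,
    uid on other directory servers (as the page states). server_type is an
    assumed label, not a Blue Planet setting."""
    return "sAMAccountName" if server_type == "active_directory" else "uid"


def user_filter(user_name_attribute: str, username: str) -> str:
    """Build the (attribute=value) equality filter that looks up one user."""
    if not _ATTRIBUTE_NAME.fullmatch(user_name_attribute):
        raise ValueError(f"invalid attribute name: {user_name_attribute!r}")
    return f"({user_name_attribute}={escape_filter_value(username)})"


def ldapsearch_argv(server_uri: str, bind_dn: str, base_dn: str, search_filter: str) -> list:
    """argv for OpenLDAP ldapsearch. -W prompts for the bind password instead of
    taking it on the command line, where -w would expose it to ps and history."""
    return ["ldapsearch", "-x", "-LLL", "-H", server_uri, "-D", bind_dn, "-W",
            "-b", base_dn, search_filter]


# Constructed stand-in for a directory: an AD-style entry and an
# inetOrgPerson-style entry, both for a user called user1.
SAMPLE_ENTRIES = [
    {"dn": "CN=user1,CN=Users,DC=ad,DC=cyaninc,DC=com",
     "sAMAccountName": "user1", "mail": "user1@example.com"},
    {"dn": "uid=user1,ou=people,dc=ciena,dc=com",
     "uid": "user1", "mail": "user1@example.org"},
]


def find_entries(entries, search_filter: str) -> list:
    """Evaluate a simple (attr=value) equality filter against in-memory entries,
    comparing attribute names case-insensitively as a directory server would."""
    match = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)", search_filter)
    if not match:
        raise ValueError("only simple equality filters are supported here")
    attr, value = match.group(1).lower(), match.group(2)
    # Undo RFC 4515 escapes so the literal value is compared with stored values.
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), value)
    return [e["dn"] for e in entries
            if any(k.lower() == attr and v == value for k, v in e.items())]


if __name__ == "__main__":
    ad_attr = user_name_attribute_for("active_directory")
    print(find_entries(SAMPLE_ENTRIES, "(uid=user1)"))                 # only the non-AD entry
    print(find_entries(SAMPLE_ENTRIES, user_filter(ad_attr, "user1")))  # the AD entry
    print(" ".join(ldapsearch_argv("ldap://10.205.33.106", "Administrator@AD",
                                   "dc=ad,dc=cyaninc,dc=com", user_filter(ad_attr, "user1"))))
```

Run the test search with the attribute your server actually uses before patching ldap-configs; if `find_entries`-style logic on the real server returns nothing for the attribute you chose, the `user_name_attribute` value is the first thing to correct.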

To configure your LDAP server using the Blue Planet API:

  1. Create a token key for the Blue Planet server to communicate with the LDAP server.

    curl -k -H "Content-Type:application/json" -d '{"username":"admin","password":"adminpw", "tenant":"master"}' -X POST https://10.206.30.107/tron/api/v1/tokens | python -m json.tool

    A response containing text similar to the following displays:

    {
    "createdTime": "2016-05-11T17:30:05.812645Z",
    "failedLoginAttempts": 0,
    "lastSuccessIpAddress": "10.206.30.107",
    "lastSuccessLogin": "2016-11-05 17:29:58+00:00",
    "sessionId": "85f45768-7223-4bed-a9b6-92725208a3a5",
    "timeout": 86400,
    "token": "78b97d242d3bcac14b87",
    "user": "5d5c14e2-96f4-45dd-9937-84d0d6cc9c40"
    }

    where the Blue Planet server with IP address 10.206.30.107 creates the token “78b97d242d3bcac14b87”. You can also replace the IP address in the command with the fully qualified domain name (FQDN).

  2. Get the ldap-configs from the Blue Planet UAC app using the token you created in step 1:

    curl -H "Content-Type: application/json" -k -H "Authorization: token 78b97d242d3bcac14b87" -X GET https://10.205.33.106/tron/api/v1/ldap-configs | python -m json.tool

    A response similar to the following displays:

    {
    "count": 2,
    "next": null,
    "page": 1,
    "previous": null,
    "results": [
    {
    "baseDn": "",
    "createdTime": "2016-03-24T02:09:36Z",
    "description": "",
    "domainSearchUser": "",
    "enableSsl": false,
    "enabled": false,
    "groupNameAttribute": "cn",
    "groupObjectFilter": "(objectClass=Group)",
    "modifiedTime": "2016-03-24T02:09:36Z",
    "name": "primary_config",
    "roleMap": "{}",
    "serverIp": "",
    "tenantAttribute": "",
    "userNameAttribute": "sAMAccountName",
    "uuid": "88eebd1b-5496-4ba0-92c1-fc68eea51ce2/"
    },
    {
    "baseDn": "",
    "createdTime": "2016-03-24T02:09:36Z",
    "description": "",
    "domainSearchUser": "",
    "enableSsl": false,
    "enabled": false,
    "groupNameAttribute": "cn",
    "groupObjectFilter": "(objectClass=Group)",
    "modifiedTime": "2016-03-24T02:09:36Z",
    "name": "backup_config",
    "roleMap": "{}",
    "serverIp": "",
    "tenantAttribute": "",
    "userNameAttribute": "sAMAccountName",
    "uuid": "95051f1c-793d-4986-afb8-f3600e9d28d4"
    }
    ]
    }

    Many attributes in the ldap-configs file are empty or contain a default value; for example, enabled is false and serverIp is empty.

  3. Set the ldap-configs attributes to match the settings on your LDAP server. For details on the attributes, see the list in Configuring LDAP.

    You can use one of the following three examples to help you determine the configuration that works best in your situation.

    There is a space between the curl command and the URL. You can substitute details to create your command for the backup_config as needed.

    Example 1.

    This multi-tenant example uses sAMAccountName for the user_name_attribute; Administrator@AD and My?Passwrd0 as the domain_search_user and domain_search_password for an LDAP search operation (which belongs to the LDAP server administrator); and the value of the description attribute on the user account to store tenant information on the Blue Planet server. The server_ip attribute must include the ldap:// prefix.

    Create the JSON file, then run your PATCH command.

    cat <<EOF > ldap-configs.json
    {
    "enabled":true,
    "server_ip":"ldap://10.60.11.122",
    "domain_search_user": "Administrator@AD",
    "domain_search_password": "My?Passwrd0",
    "base_dn": "dc=ad,dc=cyaninc,dc=com",
    "user_name_attribute": "sAMAccountName",
    "tenant_attribute":"description",
    "group_name_attribute": "cn",
    "role_map": "{}"
    }
    EOF
    
    curl -H "Content-Type: application/json" -k -H "Authorization: token 78b97d242d3bcac14b87" -X PATCH -d @ldap-configs.json https://10.206.30.107/tron/api/v1/ldap-configs/88eebd1b-5496-4ba0-92c1-fc68eea51ce2/ | python -m json.tool

    A response similar to the following displays:

    {
    "baseDn": "dc=ad,dc=cyaninc,dc=com",
    "createdTime": "2016-03-24T02:09:36Z",
    "description": "",
    "domainSearchUser": "Administrator@AD",
    "enableSsl": false,
    "enabled": true,
    "groupNameAttribute": "cn",
    "groupObjectFilter": "(objectClass=Group)",
    "modifiedTime": "2016-03-24T02:09:36Z",
    "name": "primary_config",
    "roleMap": "{}",
    "serverIp": "ldap://10.60.11.122",
    "tenantAttribute": "description",
    "userNameAttribute": "sAMAccountName",
    "uuid": "88eebd1b-5496-4ba0-92c1-fc68eea51ce2"
    }

    Example 2.

    For a single host, use an existing regular LDAP user account for the LDAP search operation. Create the JSON file, then run your PATCH command.

    cat <<EOF > ldap-configs.json
    {
    "enabled":true,
    "server_ip":"ldap://10.60.11.122",
    "domain_search_user": "[email protected]",
    "domain_search_password": "NewPassword@",
    "base_dn": "dc=ad,dc=cyaninc,dc=com",
    "user_name_attribute": "sAMAccountName",
    "group_name_attribute": "cn",
    "role_map": "{}"
    }
    EOF
    
    curl -H "Content-Type: application/json" -k -H "Authorization: token 78b97d242d3bcac14b87" -X PATCH -d @ldap-configs.json https://10.206.30.107/tron/api/v1/ldap-configs/88eebd1b-5496-4ba0-92c1-fc68eea51ce2/ | python -m json.tool

    A response similar to the following displays:

    {
    "baseDn": "dc=ad,dc=cyaninc,dc=com",
    "createdTime": "2016-03-24T02:09:36Z",
    "description": "",
    "domainSearchUser": "[email protected]",
    "enableSsl": false,
    "enabled": true,
    "groupNameAttribute": "cn",
    "groupObjectFilter": "(objectClass=Group)",
    "modifiedTime": "2016-03-24T02:09:36Z",
    "name": "primary_config",
    "roleMap": "{}",
    "serverIp": "ldap://10.60.11.122",
    "tenantAttribute": "",
    "userNameAttribute": "sAMAccountName",
    "uuid": "88eebd1b-5496-4ba0-92c1-fc68eea51ce2"
    }

    Example 3.

    This multi-tenant example is for an LDAP server that is not an Active Directory server, so the user naming attribute is uid. The bind-DN and bind-password for the LDAP search operation are cn=manager,dc=ciena,dc=com and secret, and belong to the LDAP server administrator. Create the JSON file, then run your PATCH command.

    cat <<EOF > ldap-configs.json
    {
    "enabled":true,
    "server_ip":"ldap://10.15.3.80",
    "domain_search_user": "cn=manager,dc=ciena,dc=com",
    "domain_search_password": "secret",
    "base_dn": "dc=ciena,dc=com",
    "user_name_attribute": "uid",
    "tenant_attribute":"description",
    "group_name_attribute": "cn",
    "role_map": "{}"
    }
    EOF
    
    curl -H "Content-Type: application/json" -k -H "Authorization: token 78b97d242d3bcac14b87" -X PATCH -d @ldap-configs.json https://10.206.30.107/tron/api/v1/ldap-configs/88eebd1b-5496-4ba0-92c1-fc68eea51ce2/ | python -m json.tool

    A response similar to the following displays:

    {
    "baseDn": "dc=ciena,dc=com",
    "createdTime": "2016-03-24T02:09:36Z",
    "description": "",
    "domainSearchUser": "cn=manager,dc=ciena,dc=com",
    "enableSsl": false,
    "enabled": true,
    "groupNameAttribute": "cn",
    "groupObjectFilter": "(objectClass=Group)",
    "modifiedTime": "2016-03-24T02:09:36Z",
    "name": "primary_config",
    "roleMap": "{}",
    "serverIp": "ldap://10.15.3.80",
    "tenantAttribute": "description",
    "userNameAttribute": "uid",
    "uuid": "88eebd1b-5496-4ba0-92c1-fc68eea51ce2"
    }
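
The three examples differ only in their attribute values, and the mistakes that stop a PATCH from working are mechanical: a snake_case key misspelled, a server_ip without the ldap:// prefix, whitespace around the bind password, or a role_map that is not a JSON object serialised as a string. The Python below is an added example, not Ciena or Blue Planet code; it sends nothing to the server. It validates a payload, assembles the PATCH request exactly as curl would (URL joined without stray spaces, UUID checked), and compares the camelCase response against the snake_case request. The sample payload and response are taken from Example 1 above; the set of known attribute names is inferred from the responses on this page, and the `ldaps://` remark in the comments is an assumption.

```python
import json
import re

# Attribute names this page shows for ldap-configs, in the snake_case form the
# PATCH body expects (inferred from the camelCase names in the responses).
KNOWN_ATTRIBUTES = {
    "enabled", "server_ip", "domain_search_user", "domain_search_password", "base_dn",
    "user_name_attribute", "tenant_attribute", "group_name_attribute",
    "group_object_filter", "role_map", "enable_ssl", "name", "description",
}
REQUIRED_ATTRIBUTES = {"enabled", "server_ip", "domain_search_user",
                       "domain_search_password", "base_dn", "user_name_attribute"}
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def to_camel(snake: str) -> str:
    """server_ip -> serverIp, matching the attribute names in Blue Planet responses."""
    head, *rest = snake.split("_")
    return head + "".join(word.capitalize() for word in rest)


def validate_ldap_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the payload is ready to PATCH."""
    problems = []
    for key in cfg:
        if key not in KNOWN_ATTRIBUTES:
            problems.append(f"unknown attribute {key!r} (typo, or camelCase instead of snake_case?)")
    for key in sorted(REQUIRED_ATTRIBUTES - cfg.keys()):
        problems.append(f"missing required attribute {key!r}")
    if "enabled" in cfg and not isinstance(cfg["enabled"], bool):
        problems.append("enabled must be a JSON boolean, not a string")
    server_ip = cfg.get("server_ip", "")
    if server_ip and not server_ip.startswith("ldap://"):
        # The page requires the ldap:// prefix; whether ldaps:// is accepted is not stated.
        problems.append("server_ip must include the ldap:// prefix")
    password = cfg.get("domain_search_password")
    if isinstance(password, str) and password != password.strip():
        problems.append("domain_search_password has leading or trailing whitespace")
    attr = cfg.get("user_name_attribute")
    if attr not in (None, "sAMAccountName", "uid"):
        problems.append(f"user_name_attribute {attr!r} is neither sAMAccountName (AD) nor uid")
    if cfg.get("tenant_attribute") == "tenant":
        problems.append("tenant_attribute 'tenant' is rarely present on user accounts; "
                        "'description' is recommended")
    role_map = cfg.get("role_map")
    if role_map is not None:
        # role_map is a JSON object encoded as a string inside the JSON body.
        try:
            parsed = json.loads(role_map) if isinstance(role_map, str) else None
        except json.JSONDecodeError:
            parsed = None
        if not isinstance(parsed, dict):
            problems.append("role_map must be a JSON object serialised as a string, e.g. json.dumps({...})")
    return problems


def patch_request(base_url: str, token: str, config_uuid: str, cfg: dict) -> dict:
    """Assemble the PATCH as curl would send it. Nothing is sent; the caller may pass
    the result to requests.request(**req, verify=ca_bundle) once the CA is in place."""
    problems = validate_ldap_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    if not UUID_RE.fullmatch(config_uuid):
        raise ValueError(f"not a config UUID: {config_uuid!r}")
    return {
        "method": "PATCH",
        "url": f"{base_url.rstrip('/')}/tron/api/v1/ldap-configs/{config_uuid}/",
        "headers": {"Content-Type": "application/json", "Authorization": f"token {token}"},
        "data": json.dumps(cfg),
    }


def response_mismatches(cfg: dict, response: dict) -> list:
    """Compare what was requested (snake_case) with what the server echoed back (camelCase)."""
    mismatches = []
    for key, wanted in cfg.items():
        if key == "domain_search_password":  # never echoed back by the server
            continue
        got = response.get(to_camel(key))
        if got != wanted:
            mismatches.append(f"{key}: sent {wanted!r}, server has {got!r}")
    return mismatches


# Example 1 from this page, and the response the page shows for it.
EXAMPLE_1 = {
    "enabled": True, "server_ip": "ldap://10.60.11.122",
    "domain_search_user": "Administrator@AD", "domain_search_password": "My?Passwrd0",
    "base_dn": "dc=ad,dc=cyaninc,dc=com", "user_name_attribute": "sAMAccountName",
    "tenant_attribute": "description", "group_name_attribute": "cn", "role_map": "{}",
}
EXAMPLE_1_RESPONSE = {
    "baseDn": "dc=ad,dc=cyaninc,dc=com", "createdTime": "2016-03-24T02:09:36Z",
    "description": "", "domainSearchUser": "Administrator@AD", "enableSsl": False,
    "enabled": True, "groupNameAttribute": "cn", "groupObjectFilter": "(objectClass=Group)",
    "modifiedTime": "2016-03-24T02:09:36Z", "name": "primary_config", "roleMap": "{}",
    "serverIp": "ldap://10.60.11.122", "tenantAttribute": "description",
    "userNameAttribute": "sAMAccountName", "uuid": "88eebd1b-5496-4ba0-92c1-fc68eea51ce2",
}

if __name__ == "__main__":
    print(validate_ldap_config(EXAMPLE_1))  # []
    req = patch_request("https://10.206.30.107", "78b97d242d3bcac14b87",
                        "88eebd1b-5496-4ba0-92c1-fc68eea51ce2", EXAMPLE_1)
    print(req["url"])
    print(response_mismatches(EXAMPLE_1, EXAMPLE_1_RESPONSE))  # []
```

Because the request body is emitted by `json.dumps`, the double-encoded `role_map` string is quoted correctly; hand-writing that value inside a heredoc is where the escaping usually goes wrong.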
  4. Restart the Blue Planet tron container to load the new settings.

    1. Connect to your Blue Planet server using a secure shell terminal such as PuTTY or Tera Term.

    2. List the tron container.

      $ docker ps -a | grep tron

      A response similar to the following displays:

      cbb858bb4619 bpdr.io/blueplanet/tron:3.2.6 "/bp2/src/run_tron" 26 hours ago Up 13 minutes tron_x.x.x_0

    3. Restart the tron container.

      $ docker restart cbb858bb4619

      A response similar to the following displays:

      cbb858bb4619

    4. Verify tron is running.

      $ docker ps -a | grep tron

      A response similar to the following displays:

      cbb858bb4619 bpdr.io/blueplanet/tron:3.2.6  "/bp2/src/run_tron" 26 hours ago Up 7 seconds tron_x.x.x_0

    5. Wait a few minutes for tron to be ready for operation.

  5. Set the LDAP user account.

    1. Ensure the user account for the LDAP user has the following attributes set correctly.

      • An attribute whose value is the tenant to which the user belongs. For ldap-configs, our previous example used the attribute called description.

      • A unique email address. A non-unique email-address or empty email address causes issues.

        You may need to consult with your company LDAP administrator to set these attributes.

    2. Use the following LDAP user account examples to correctly set your attribute values:

      Example 1.
      Where the LDAP server is an Active Directory server and the administrator has created a tenant named tenant3 on the Blue Planet server.

      dn: CN=user7,CN=Users,DC=ad,DC=cyaninc,DC=com
      objectClass: top
      objectClass: user
      description: tenant3
      sAMAccountName: user7
      mail: [email protected]

      The user, user7, can log in to tenant3 of Blue Planet Orchestrate as long as there are no other users with the email address [email protected] on tenant3.

      Example 2.
      Where the LDAP server is not an Active Directory server and the administrator has created a tenant named tenant1 on the Blue Planet server.

      dn: cn=Nelson User1,ou=people,dc=ciena,dc=com
      objectClass: inetOrgPerson
      objectClass: top
      uid: user1
      mail: [email protected]
      ou: Tester
      description: tenant1

      The user, user1, can log in to tenant1 of Blue Planet Orchestration as long as there are no other users with the email address [email protected] on tenant1.

  6. To assign a UAC role to the user that logs in using an LDAP password, configure the LDAP user to be a member of a specific group on the LDAP server, and then use the role_map attribute of ldap-configs to map the group into a UAC role. For example, configure the LDAP user to be a member of Administrators group, and then map the Administrators group to the UAC role "admin" using the role_map attribute.

    Role mapping into other apps in Blue Planet, such as Orchestrate, is not currently supported. The UAC app does not assign the user with any role in Blue Planet Orchestration. However, you can still perform operations in Orchestration normally, since roles are not enforced in the current release.

    Create the JSON file, then run your PATCH command.

    cat <<EOF > ldap-configs.json
    {
    "enabled":true,
    "server_ip":"ldap://10.60.11.122",
    "domain_search_user": "[email protected]",
    "domain_search_password": "NewPassword@",
    "base_dn": "dc=ad,dc=cyaninc,dc=com",
    "user_name_attribute": "sAMAccountName",
    "tenant_attribute":"description",
    "group_name_attribute": "cn",
    "role_map": "{\"Administrators\": {\"uac_role_name\": \"admin\",\"app_name\": \"UAC\"}}"
    }
    EOF

    The following example command sets the ldap-configs role_map attribute (use snake_case format for “role_map”).

    curl -H "Content-Type: application/json" -k -H "Authorization: token efaba9a98a97f82d97dd" -X PATCH -d @ldap-configs.json https://10.206.30.107/tron/api/v1/ldap-configs/88eebd1b-5496-4ba0-92c1-fc68eea51ce2/ | python -m json.tool

    A response similar to the following displays:

    {
      "baseDn": "dc=ciena,dc=com",
      "createdTime": "2016-03-24T02:09:36Z",
      "description": "",
      "domainSearchUser": "cn=manager,dc=ciena,dc=com",
      "enableSsl": false,
      "enabled": true,
      "groupNameAttribute": "cn",
      "groupObjectFilter": "(objectClass=Group)",
      "modifiedTime": "2016-03-24T02:09:36Z",
      "name": "primary_config",
      "roleMap": "{}",
      "serverIp": "ldap://10.15.3.80",
      "tenantAttribute": "description",
      "userNameAttribute": "uid",
      "uuid": "88eebd1b-5496-4ba0-92c1-fc68eea51ce2"
    }

    You must configure your user to be a member of the Administrators group in the LDAP system so UAC can assign the UAC role “admin”; for example:

    dn: CN=user10,CN=Users,DC=ad,DC=cyaninc,DC=com
    objectClass: top
    objectClass: user
    description: tenant3
    sAMAccountName: user10
    mail: [email protected]
    memberOf: CN=Administrators
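
To see how the role_map string, the group_name_attribute and the user's memberOf values fit together, the Python below is an added example, not Ciena or Blue Planet code, and it is a model of the mapping rule the page describes, not UAC's own implementation. It parses an LDIF-style entry, takes each group name from the first RDN of a memberOf DN when that RDN uses group_name_attribute, looks the name up in role_map, and returns the UAC role only for mappings whose app_name is UAC. It also checks the two account properties from step 5 (a tenant value and an email address). The two entries are constructed, modelled on the user10 and user7 examples on this page; their full group DNs and email addresses are assumptions.

```python
import json


def parse_ldif_entry(text: str) -> dict:
    """Parse one LDIF-style entry ("attr: value" lines) into {attr: [values]}.
    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive. Base64 ("attr:: value") lines are not handled here."""
    entry = {}
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def group_names(entry: dict, group_name_attribute: str) -> list:
    """Group names from the user's memberOf DNs: the value of the first RDN,
    but only when that RDN's attribute is group_name_attribute (cn on this page)."""
    names = []
    for dn in entry.get("memberof", []):
        first_rdn = dn.split(",", 1)[0]
        attr, _, value = first_rdn.partition("=")
        if attr.strip().lower() == group_name_attribute.lower():
            names.append(value.strip())
    return names


def resolve_uac_role(role_map_json: str, entry: dict, group_name_attribute: str = "cn"):
    """UAC role for the first group that role_map maps into the UAC app, else None.
    role_map_json is the string stored in the ldap-configs role_map attribute."""
    role_map = json.loads(role_map_json)
    for group in group_names(entry, group_name_attribute):
        mapping = role_map.get(group)
        if mapping and mapping.get("app_name") == "UAC":
            return mapping.get("uac_role_name")
    return None


def check_user_entry(entry: dict, tenant_attribute: str = "description") -> list:
    """Problems that stop an LDAP user logging in: no tenant value, or no email."""
    problems = []
    if not entry.get(tenant_attribute.lower(), [""])[0]:
        problems.append(f"no tenant value in attribute {tenant_attribute!r}")
    if not [m for m in entry.get("mail", []) if m]:
        problems.append("no mail attribute; every LDAP user needs a unique email address")
    return problems


# The role_map value from step 6, built with json.dumps rather than hand-escaped.
ROLE_MAP = json.dumps({"Administrators": {"uac_role_name": "admin", "app_name": "UAC"}})

# Constructed entries modelled on the page's user10 and user7 examples.
USER10 = """
dn: CN=user10,CN=Users,DC=ad,DC=cyaninc,DC=com
objectClass: top
objectClass: user
description: tenant3
sAMAccountName: user10
mail: user10@example.com
memberOf: CN=Administrators,CN=Builtin,DC=ad,DC=cyaninc,DC=com
"""
USER7 = """
dn: CN=user7,CN=Users,DC=ad,DC=cyaninc,DC=com
objectClass: top
objectClass: user
description: tenant3
sAMAccountName: user7
mail: user7@example.com
"""

if __name__ == "__main__":
    for ldif in (USER10, USER7):
        entry = parse_ldif_entry(ldif)
        print(entry["samaccountname"][0], resolve_uac_role(ROLE_MAP, entry), check_user_entry(entry))
```

A user whose groups are not named in role_map, like user7 here, logs in with no UAC role; a group whose mapping names another app is ignored, which matches the page's statement that role mapping into apps other than UAC is not supported.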

  7. To verify successful configuration, log in to Blue Planet using your LDAP user credentials.

  8. To disable LDAP server authentication, patch the ldap-configs file. For example, to change the enabled attribute to false, enter the following:

    curl -H "Content-Type: application/json" -k -H "Authorization: token efaba9a98a97f82d97dd" -X PATCH -d '{"enabled":false}' http://<server_ip>/tron/api/v1/ldap-configs/88eebd1b-5496-4ba0-92c1-fc68eea51ce2/

    Ensure this command string appears as a continuous string with a space before the URL.
