From 61786f3028b6924a6ac795fb2e6b2e5735ee63d8 Mon Sep 17 00:00:00 2001
From: Julia Longtin
Date: Fri, 26 Aug 2022 12:40:31 +0100
Subject: [PATCH] improve documentation for the ldap scim bridge. (#576)
---
 offline/ldap-scim-bridge.md | 70 ++++++++++++++++++++++++++++++++-----
 1 file changed, 61 insertions(+), 9 deletions(-)
diff --git a/offline/ldap-scim-bridge.md b/offline/ldap-scim-bridge.md
index 5b320d7b0..e438e8c11 100644
--- a/offline/ldap-scim-bridge.md
+++ b/offline/ldap-scim-bridge.md
@@ -1,8 +1,60 @@
 # How to deploy the ldap-scim-bridge
-Copy your values and charts folders into the `wire-server` directory you're using.
+Note: the LDAP Scim bridge is in a separate package at the moment. the docker container is available from:
+
+https://temp-rhc-jun.s3.eu-west-1.amazonaws.com/ldap-scim-bridge%3A0.4.tar.bz2
+
+the helm chart is in wire-server.
+
+Create a values file
+mkdir values/ldap-scim-bridge_team-0
+the values file looks like the following:
+```
+# one a minute.
+schedule: "*/5 * * * *"
+# https://github.com/wireapp/ldap-scim-bridge
+config:
+ logLevel: "Debug" # one of Trace,Debug,Info,Warn,Error,Fatal; Fatal is least noisy, Trace most.
+ ldapSource:
+ tls: true
+ host: "dc1.example.com"
+ port: 636
+ dn: "CN=Read Only User,CN=users,DC=example,DC=com"
+ password: "READONLYPASSWORD"
+ search:
+ base: "DC=example,DC=com"
+ objectClass: "person"
+ memberOf: "CN=VIP,OU=Engineering,DC=example,DC=com"
+ codec: "utf8"
+# deleteOnAttribute: # optional, related to delete-from-directory.
+# key: "deleted"
+# value: "true"
+# deleteFromDirectory: # optional; ok to use together with delete-on-attribute if you use both.
+# base: "ou=DeletedPeople,DC=example,DC=com"
+# objectClass: "account"
+ scimTarget:
+ tls: false
+ host: "spar"
+ port: 8080
+ path: "/scim/v2"
+ token: "Bearer "
+ mapping:
+ displayName: "displayName"
+ userName: "mailNickname"
+ externalId: "mail"
+ email: "mail"
+```
+
+When you get the package:
+
+Copy your values and charts folders into the `Wire-Server` directory you're using.
+
+Copy the container image to all of the kubernetes hosts in your cluster. Pre-seed the docker container for `ldap-scim-bridge` onto all of your kubernetes hosts.
+```
+sudo bash -c "cat ldap-scim-bridge:0.4.tar.bz2 | docker load"
+```
 ## Get the Active Directory root authority's public certificate
@@ -10,14 +62,12 @@ Ask the remote team to provide this.
 ## Create a configmap for the Public Certificate
-First, see if there's a configmap already in place.
-
+See if there's a configmap already in place.
 ```
 d kubectl get configmaps
 ```
 If not, create a configmap for this certificate.
-
 ```
 d kubectl create configmap ca-ad-pemstore ad-public-root.crt
 ```
@@ -51,10 +101,15 @@ spec:
 name: ca-ad-pemstore
 ```
+the cronjob may have run between the time you installed it, and the time you patched it.
+in these cases, you will get a "Error_Protocol (\"certificate has unknown CA\",True,UnknownCA)" in the kubectl logs
+
 ## Copy the values
 Since the `ldap-scim-bridge` needs to be configured at least once per team, we must copy the values.
-
+```
+cp values/ldap-scim-bridge/ values/ldap-scim-bridge-team-
+```
 Edit the values. Set the schedule to `"*/10 * * * *"` for every 10 minutes.
@@ -85,8 +140,7 @@ search:
 ### Pick the user mapping
-An example mapping for AD is:
-
+An example mapping for Active Directory is:
 ```
 DisplayName: "displayName~
 userNome: "mailNickname"
@@ -100,13 +154,11 @@ Add a `Bearer ` token for ScimTarget's target attribute.
 ### Deploy the sync engine
-
 ```
 d helm install ldap-scim-bridge-team-1 charts/ldap-scim-bridge/ --values values/ldap-scim-bridge_team-1/values.yaml
 ```
 ### Patch the sync engine.
-
 ```
 d kubectl patch cronjob ldap-scim-bridge-team-1 -p "$(cat add_ad_ca.patch)"
 ```