add feature to use saml and ldap groups in parallel #456

Open
wants to merge 1 commit into
base: main

Conversation

marcohelmerich

Hello,
I opened a similar PR 2 years ago, but no new features were added at that time. We kept a fork of cf-mgmt for the last two years, and I recently saw that there were a lot of changes in cf-mgmt upstream. I just integrated the changes in our fork and wanted to talk about a possible integration of our "feature" again. Maybe it is of interest now.

We are a user of VMware Tanzu Application Service and are using LDAP as well as SAML in a way that cf-mgmt does not support at the moment.

The problem:
We use ldap_groups to create our human users in UAA. When utilizing the ldap_groups attribute, the groups are read via LDAP and users are created with SAML origin when we configure SAML. This works well for human users, as we need SAML and MFA there, but it does not work for our centrally managed service users (local UAA users are no longer allowed due to compliance issues). It would be possible to add the service users via the ldap_users attribute, but we wanted to use groups for our service users, too.

Our solution:

We added two new attributes: ldapOrigin, in addition to origin, in the LDAP config, and saml_groups for the space config/org config.
If ldapOrigin is given, cf-mgmt runs in LDAP AND SAML group mode. If not, everything works backwards compatibly.

LDAP AND SAML group mode makes it possible to provide saml_groups (groups are read via LDAP but users are created with SAML origin) and ldap_groups (groups are read via LDAP and users are created with LDAP origin).

In addition, we added SAML and LDAP user filters. Basically a regex to determine which users in the group should be created.

Are you interested in adding this feature, or is the use case too special?

@cf-gitbot
Collaborator

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

@calebwashburn
Contributor

calebwashburn commented Nov 17, 2023

@marcohelmerich I'm interested to better understand the use case. cf-mgmt supports managing a group of SAML origin users with LDAP group(s), but are you also wanting to manage a list of internal UAA users with LDAP group(s) as well, vs explicitly in the configuration under the users array?

So essentially you want to be able to have cf-mgmt use LDAP groups for 2 different origins (saml and uaa) and indicate which LDAP group would be used for SAML users differently than for UAA internal users?

Might be helpful to use an example org/space configuration file and talk thru what the outcome you are expecting/wanting as well.

@marcohelmerich
Author

marcohelmerich commented Nov 20, 2023

@calebwashburn
You got it nearly right. We want to use LDAP groups for 2 different origins (saml and ldap), no UAA internal users.
At the moment we can achieve that by using ldap_users: for individual users and ldap_groups: for SAML users.
As we should use only groups due to compliance reasons, we want to add service users and human users to LDAP groups and manage them via cf-mgmt.

I added some docs to the PR already, but here are some yaml configuration files from one of our foundations as real world example.

This is the example of an org config (spaces look similar):

---
org: COMPOSING
org-billingmanager:
  ldap_users: []
  users: []
  saml_groups: []
  saml_users: []
  ldap_groups: []
org-manager:
  ldap_users: []
  users: []
  saml_users: []
  ldap_groups: []
  saml_groups:
  - human_developer_groups
org-auditor:
  ldap_users: []
  users: []
  saml_users: []
  ldap_groups:
  - service_user_group
  saml_groups:
  - human_developer_group

We also added some filtering options to the config, so that we can filter out specific users if the groups contain mixed user types.

Example ldap.yaml:

---
enabled: true
...
ldapHost: foo
ldapPort: 636
use_tls: true
...
origin: adfs_prod   # saml origin
ldapOrigin: ldap    # ldap origin
ldapUserFilter: ServiceUsers
samlUserFilter: ServiceUsers
ldapUserFilterMode: include
samlUserFilterMode: exclude

Regards,
Marco
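
As an added example (not cf-mgmt's code and not part of the PR), here is how the two-origin group resolution described in this thread can be modelled: saml_groups and ldap_groups are both read from the directory, each group type yields users with its own origin, and the include/exclude user filters prune mixed groups. The Go types and field names are this example's own, the directory contents are constructed sample data, and two behaviours are assumptions rather than statements from the PR: the filter regex is matched against the member DN, and when ldapOrigin is unset, ldap_groups keep the old saml-origin behaviour with no filtering.

```go
package main

import (
	"fmt"
	"regexp"
)

// Member is one LDAP group entry: the uid that becomes the UAA user name and
// the DN the filter regex runs against (matching on the DN is an assumption).
type Member struct{ UID, DN string }

// LdapConfig holds the ldap.yaml keys from the PR discussion; the Go field
// names are this example's own, not cf-mgmt's config struct.
type LdapConfig struct {
	Origin             string // saml origin, e.g. "adfs_prod"
	LdapOrigin         string // ldap origin; empty means legacy single-origin mode
	LdapUserFilter     string // regex applied to members of ldap_groups
	LdapUserFilterMode string // "include" or "exclude"
	SamlUserFilter     string // regex applied to members of saml_groups
	SamlUserFilterMode string // "include" or "exclude"
}

// RoleConfig is the part of an org/space role block handled here; User is a
// user name plus the UAA origin it would be created with.
type RoleConfig struct{ LdapGroups, SamlGroups []string }
type User struct{ Name, Origin string }

// newFilter compiles a user filter into a keep predicate. An empty pattern
// keeps everyone; an unknown mode is a config error, not a silent pass-through.
func newFilter(pattern, mode string) (func(Member) bool, error) {
	if pattern == "" {
		return func(Member) bool { return true }, nil
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, fmt.Errorf("bad user filter %q: %w", pattern, err)
	}
	switch mode {
	case "include":
		return func(m Member) bool { return re.MatchString(m.DN) }, nil
	case "exclude":
		return func(m Member) bool { return !re.MatchString(m.DN) }, nil
	}
	return nil, fmt.Errorf("unknown filter mode %q", mode)
}

// ResolveRole expands saml_groups and then ldap_groups into users tagged with
// the origin each group type maps to; dir stands in for the LDAP directory.
func ResolveRole(cfg LdapConfig, role RoleConfig, dir map[string][]Member) ([]User, error) {
	samlKeep, err := newFilter(cfg.SamlUserFilter, cfg.SamlUserFilterMode)
	if err != nil {
		return nil, err
	}
	ldapKeep, err := newFilter(cfg.LdapUserFilter, cfg.LdapUserFilterMode)
	if err != nil {
		return nil, err
	}
	ldapOrigin := cfg.LdapOrigin
	if ldapOrigin == "" {
		// Legacy mode (no ldapOrigin): ldap_groups still yield saml-origin users
		// and no filter applies, so existing configs behave exactly as before.
		ldapOrigin, ldapKeep = cfg.Origin, func(Member) bool { return true }
	}
	var users []User
	expand := func(names []string, origin string, keep func(Member) bool) {
		for _, g := range names {
			for _, m := range dir[g] {
				if keep(m) {
					users = append(users, User{m.UID, origin})
				}
			}
		}
	}
	expand(role.SamlGroups, cfg.Origin, samlKeep) // read via LDAP, created with saml origin
	expand(role.LdapGroups, ldapOrigin, ldapKeep) // read via LDAP, created with ldap origin
	return users, nil
}

// Constructed sample data mirroring the PR's ldap.yaml; both groups mix human
// and service accounts, which is exactly the case the user filters exist for.
var exampleConfig = LdapConfig{
	Origin: "adfs_prod", LdapOrigin: "ldap",
	LdapUserFilter: "ServiceUsers", LdapUserFilterMode: "include",
	SamlUserFilter: "ServiceUsers", SamlUserFilterMode: "exclude",
}

var exampleDir = map[string][]Member{
	"human_developer_group": {{"alice", "cn=alice,ou=People,dc=corp"}, {"svc-ci", "cn=svc-ci,ou=ServiceUsers,dc=corp"}},
	"service_user_group":    {{"svc-deploy", "cn=svc-deploy,ou=ServiceUsers,dc=corp"}, {"bob", "cn=bob,ou=People,dc=corp"}},
}

func main() {
	auditor := RoleConfig{LdapGroups: []string{"service_user_group"}, SamlGroups: []string{"human_developer_group"}}
	users, err := ResolveRole(exampleConfig, auditor, exampleDir)
	if err != nil {
		panic(err)
	}
	fmt.Println(users) // [{alice adfs_prod} {svc-deploy ldap}]
}
```

With the org-auditor block from the example above, the service account that slipped into human_developer_group is dropped by the exclude filter before it could be created with the SAML origin, and the human in service_user_group is dropped by the include filter before it could get an LDAP-origin (non-MFA) login; that is the compliance property the filters are there to enforce. Clearing ldapOrigin shows the legacy path: every ldap_groups member comes back with the SAML origin and no filtering.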

@marcohelmerich
Author

@calebwashburn Do you have an opinion already? It would be nice to know if an integration is possible or if we need to run the fork in parallel for the future. I need to build some pipeline/process on my side to integrate the updates here. There were a lot of changes/updates during the last months (which is great).

3 participants