Using LDAP registry on Mobile Foundation deployed on IBM Cloud Private (ICP)
When the Mobile Foundation (MFP) Server Helm chart is deployed on IBM Cloud Private, it uses a basicRegistry along with various other configuration details. This user registry is good enough for development and test environments, but production deployments use an LDAP registry.
This blog post focuses on how to use the Apache Directory Server as an LDAP registry with the Mobile Foundation Server deployed on IBM Cloud Private (or IBM Cloud Kubernetes Service, IKS), and assumes the following:
a) You have an MFP setup on IBM Cloud Private, loaded from the IBM Mobile Foundation Passport Advantage archive.
b) You are familiar with LDAP registries.
- [Optional] Make sure the configured LDAP registry works with the MFP DevKit and that the MFP console is accessible to the LDAP users instead of the basic users that come out of the box.
In Apache Directory Studio, make sure that LDAP is configured correctly. For instance, this article uses the following LDAP settings.
Create the directory for registry.xml as follows:
[root@masternode1 ~]# mkdir -p usr-mfpf-server/config
[root@masternode1 ~]# cd usr-mfpf-server/config
This creates the following directory structure, which is used to customize the image on ICP with the modified registry.xml:
icp-kubernetes/usr-mfpf-server
├── config
│   └── registry.xml
Create a Dockerfile (next to registry.xml) that overwrites registry.xml in the image as follows:
FROM mycluster.icp:8500/default/mfpf-server:126.96.36.199
COPY registry.xml /opt/ibm/wlp/usr/servers/config/registry.xml
Create the file registry.xml with the LDAP registry configuration as follows:
<?xml version="1.0" encoding="UTF-8"?>
<server>
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>ldapRegistry-3.0</feature>
    </featureManager>
    <ldapRegistry id="ldap" host="yathendra.local" port="10389" ignoreCase="true"
        baseDN="dc=ibm,dc=com" ldapType="Custom" recursiveSearch="true" sslEnabled="false"
        bindDN="uid=admin,ou=system" bindPassword="secret">
        <!-- The '&' in an LDAP filter must be written as &amp; inside an XML attribute -->
        <customFilters userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
            groupFilter="(&amp;(member=uid=%v)(objectclass=groupOfNames))"
            userIdMap="*:uid" groupIdMap="*:cn"
            groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfUniqueNames:uniqueMember;groupOfNames:member"/>
        <group name="mfpadmingroup">
            <member name="adminuser"/>
        </group>
        <group name="mfpconfiggroup">
            <member name="configUser_mfpadmin"/>
        </group>
        <member name="MfpRESTUser"/>
        <member name="Push_MFPLDAPPOC"/>
        <member name="Admin_MFPLDAPPOC"/>
    </ldapRegistry>
</server>
Note: Make sure the right user and group details are used according to your own LDAP server settings.
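A registry.xml that is baked into an image and rolled out to every MFP pod is worth checking before the build. The following linter is an added example, not code from the original post or from IBM; it parses the file (which catches an unescaped '&' in a filter, since Liberty rejects the file for the same reason), checks that each custom filter carries a %v placeholder and balanced parentheses, and warns when sslEnabled is false or bindPassword is stored in plain text. The embedded sample is a constructed copy of the configuration above with a placeholder hostname and a shortened groupMemberIdMap.

```python
"""Lint a Liberty registry.xml containing an <ldapRegistry> before building the image."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample (placeholder hostname); the filters are XML-escaped as Liberty requires.
SAMPLE_REGISTRY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server>
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ldapRegistry-3.0</feature>
  </featureManager>
  <ldapRegistry id="ldap" host="ldap.example.invalid" port="10389" ignoreCase="true"
      baseDN="dc=ibm,dc=com" ldapType="Custom" recursiveSearch="true" sslEnabled="false"
      bindDN="uid=admin,ou=system" bindPassword="secret">
    <customFilters userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
        groupFilter="(&amp;(member=uid=%v)(objectclass=groupOfNames))"
        userIdMap="*:uid" groupIdMap="*:cn"
        groupMemberIdMap="groupOfNames:member"/>
  </ldapRegistry>
</server>
"""


def _balanced(filter_text):
    """True when every '(' in an LDAP filter has a matching ')' in the right order."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def lint_registry(xml_text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A raw '&' inside userFilter/groupFilter lands here; Liberty rejects it as well.
        return [("error", "not well-formed XML: %s" % exc)]

    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if not any(f.startswith("ldapRegistry-") for f in features):
        findings.append(("error", "ldapRegistry feature is not enabled in <featureManager>"))

    for reg in root.iter("ldapRegistry"):
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append(("warning",
                             "sslEnabled is false: bind credentials and lookups travel in cleartext"))
        pwd = reg.get("bindPassword", "")
        # Liberty accepts {xor}/{aes} values produced by 'securityUtility encode'
        if pwd and not re.match(r"^\{(xor|aes)\}", pwd):
            findings.append(("warning",
                             "bindPassword is plain text; encode it with securityUtility encode"))
        for cf in reg.iter("customFilters"):
            for attr in ("userFilter", "groupFilter"):
                value = cf.get(attr)
                if value is None:
                    continue
                if "%v" not in value:
                    findings.append(("error", "%s has no %%v placeholder" % attr))
                if not _balanced(value):
                    findings.append(("error",
                                     "%s has unbalanced parentheses: %s" % (attr, value)))
    return findings


if __name__ == "__main__":
    # Lint a file given on the command line, or the embedded sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REGISTRY_XML
    for severity, message in lint_registry(text):
        print("%s: %s" % (severity.upper(), message))
```

Run it as `python lint_registry.py registry.xml` from the config directory before `docker build`. On the sample it reports two warnings and no errors; the plain-text bindPassword can be replaced with the `{xor}` value printed by `/opt/ibm/wlp/bin/securityUtility encode` in the Liberty installation, and the cleartext warning goes away once the registry is reached over LDAPS with sslEnabled="true".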
Build the Docker image with a new tag name (say 188.8.131.52):
# docker build . -t mfpf-server:184.108.40.206
This produces a copy of the existing mfpf-server Docker image with the customized registry.xml.
Log in to the ICP cluster and the Docker registry from the command line:
# bx pr login -a https://<icp_cluster_ip>:8443 --skip-ssl-validation -u admin -p xxxx -c <mycluster-account>
# docker login mycluster.icp:8500 -u admin -p xxxx
Push the new image to the ICP container repository as follows:
# docker tag mfpf-server:220.127.116.11 mycluster.icp:8500/default/mfpf-server:18.104.22.168
# docker push mycluster.icp:8500/default/mfpf-server:22.214.171.124
Check the available Mobile Foundation Server deployment on Kubernetes as follows:
kubectl get deployments
NAME                             DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
mfpserver-ibm-mfpf-server-prod   2         2         2            2           5d
Now update the Mobile Foundation Server Kubernetes deployment mfpserver-ibm-mfpf-server-prod to use the customized image:
kubectl edit deployments mfpserver-ibm-mfpf-server-prod
Replace
    - image: mycluster.icp:8500/default/mfpf-server:126.96.36.199
with
    - image: mycluster.icp:8500/default/mfpf-server:188.8.131.52
Once the image is updated in the deployment, the MFP server pods are deleted and recreated automatically with the new configuration. Make sure that all the pods are running and ready using the command below:
kubectl get pods
- Log in to the ICP console with one of the configured LDAP users (here adminuser), make sure the login succeeds, and confirm from the MobileFirst Server Operations Console that all services are up and running.
The above set of instructions is applicable to other LDAP servers as well, such as IBM Directory Server and Microsoft Active Directory.
For more details on configuring LDAP user registries in Liberty, refer to the documentation.