Configure IAM With LDAPS With Few Customizations

Document ID : KB000117059
Last Modified Date : 27/02/2019
Need to configure IAM with LDAPS.

I am able to authenticate the connection, but it says my bind credentials are wrong when I know they are right.
When connecting to LDAP over SSL (LDAPS), the LDAP server's certificate, or the CA certificate that issued it, must be imported into the truststore used by IAM. If IAM does not trust the server certificate, the TLS handshake fails before the bind is attempted, so a reported bind-credential failure can be a certificate trust problem rather than a wrong password.

Here are the steps to add the certificate to a truststore and make it available to IAM.

1. Use keytool to create a new truststore file, or to add a trusted host certificate to an existing one. Replace HOSTDOMAIN with an alias for the LDAP host and host-certificate.cer with the exported server (or CA) certificate; keytool creates truststore.jks if it does not exist and prompts for the truststore password:
$ keytool -import -alias HOSTDOMAIN -keystore truststore.jks -file host-certificate.cer 

2. In <INSTALL_DIR>/vscatalog/IdentityAccessManager/standalone/configuration/standalone.xml, search for <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">. A few lines down you will find several <spi> elements; add the following XML before <spi name="eventsStore">.

<spi name="truststore">
    <provider name="file" enabled="true">
        <property name="file" value="path to the .jks file containing the public certificates, created above with keytool"/>
        <property name="password" value="password for the truststore"/>
        <property name="hostname-verification-policy" value="WILDCARD"/>
        <property name="disabled" value="false"/>
    </provider>
</spi>

Both closing tags are required or the server will fail to parse standalone.xml. The hostname-verification-policy accepts WILDCARD (allows wildcard certificates), STRICT or ANY; ANY disables hostname verification and should not be used outside a lab.

3. Restart IAM so the new truststore is loaded.
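Editing standalone.xml by hand is easy to get wrong (the snippet is frequently pasted without its closing tags, or twice). The following script is an added example for this article, not CA IAM or Keycloak code: it inserts the truststore SPI block from step 2 directly before <spi name="eventsStore"> inside the keycloak-server subsystem, keeps the file's indentation, rejects invalid hostname-verification-policy values, refuses to insert a second copy, and re-parses the result to confirm it is still well-formed. The standalone.xml fragment, the /opt/iam path and the password are constructed placeholders.

```python
"""Idempotently add the Keycloak truststore SPI to a WildFly standalone.xml.
Added example for this KB article; not CA IAM or Keycloak code."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

KC_NS = "urn:jboss:domain:keycloak-server:1.1"
SUBSYSTEM_START = f'<subsystem xmlns="{KC_NS}">'
ANCHOR = '<spi name="eventsStore">'
# Values Keycloak's truststore provider accepts; ANY disables hostname
# verification and belongs in a lab only.
VALID_POLICIES = ("WILDCARD", "STRICT", "ANY")

# Constructed standalone.xml fragment (assumption: only the parts this edit
# touches are shown; a real file contains many more subsystems).
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:4.2">
    <profile>
        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
            <web-context>auth</web-context>
            <spi name="eventsStore">
                <provider name="jpa" enabled="true"/>
            </spi>
            <spi name="userCache">
                <provider name="default" enabled="true"/>
            </spi>
        </subsystem>
    </profile>
</server>
"""


def truststore_spi(jks_path, password, policy="WILDCARD", indent=""):
    """Render the <spi name="truststore"> element with both closing tags,
    attribute values escaped, each line prefixed with `indent`."""
    if policy not in VALID_POLICIES:
        raise ValueError(f"hostname-verification-policy must be one of {VALID_POLICIES}")
    lines = [
        '<spi name="truststore">',
        '    <provider name="file" enabled="true">',
        f'        <property name="file" value={quoteattr(jks_path)}/>',
        f'        <property name="password" value={quoteattr(password)}/>',
        f'        <property name="hostname-verification-policy" value="{policy}"/>',
        '        <property name="disabled" value="false"/>',
        '    </provider>',
        '</spi>',
    ]
    return "".join(indent + line + "\n" for line in lines)


def add_truststore(xml_text, jks_path, password, policy="WILDCARD"):
    """Return xml_text with the truststore SPI inserted before eventsStore.
    Unchanged if the keycloak-server subsystem already has a truststore SPI."""
    start = xml_text.find(SUBSYSTEM_START)
    if start < 0:
        raise ValueError("keycloak-server subsystem not found")
    end = xml_text.find("</subsystem>", start)
    if end < 0:
        raise ValueError("keycloak-server subsystem is not closed")
    subsystem = xml_text[start:end]
    if '<spi name="truststore">' in subsystem:
        return xml_text
    anchor = subsystem.find(ANCHOR)
    if anchor < 0:
        raise ValueError(f"{ANCHOR} not found in keycloak-server subsystem")
    # Insert at the start of the anchor's line, reusing that line's indentation.
    line_start = subsystem.rfind("\n", 0, anchor) + 1
    prefix = subsystem[line_start:anchor]
    indent = prefix if prefix.strip() == "" else ""
    at = start + line_start
    result = xml_text[:at] + truststore_spi(jks_path, password, policy, indent) + xml_text[at:]
    ET.fromstring(result)  # raises ParseError if the edit broke the document
    return result


def truststore_settings(xml_text):
    """Parse the file and return the truststore provider's properties as a
    dict, or None if no truststore SPI is configured. Use it to verify an edit."""
    root = ET.fromstring(xml_text)
    for spi in root.iter(f"{{{KC_NS}}}spi"):
        if spi.get("name") != "truststore":
            continue
        provider = spi.find(f"{{{KC_NS}}}provider")
        if provider is None:
            return {}
        return {p.get("name"): p.get("value") for p in provider.findall(f"{{{KC_NS}}}property")}
    return None


if __name__ == "__main__":
    updated = add_truststore(SAMPLE_STANDALONE_XML, "/opt/iam/truststore.jks", "changeit")
    print(updated)
    print(truststore_settings(updated))
```

Run it against a copy of the real standalone.xml by reading the file into `add_truststore` and writing the result back only after `truststore_settings` shows the expected path and policy; the parse step at the end of `add_truststore` is what catches the missing-closing-tag mistake before the server does.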

After the above steps are complete, you also need to configure a mapper. By default a valid LDAP user is granted read-only access; to assign a default role to a user or set of users:

1. Click Create in the Mappers tab. 
2. Enter default_role_mapper as the mapper name. 
3. Choose hardcoded-ldap-role-mapper as the mapper type. 
4. Enter virtual-service-catalog.service_catalog_user as the role. 

With the following changes in place, you can log in to IAM and VS Catalog with your LDAP credentials: 

1. Use Apache Directory Studio to check how your account is set up in Active Directory (which attribute holds the login name, and which OU the account lives in). 
2. Bring up IAM and log in as admin. 
On the LDAP Settings tab: 
3. Set Username LDAP attribute to sAMAccountName. 
4. Set RDN LDAP attribute to sAMAccountName. 
5. Set Users DN to the OU that contains your users, for example OU=Office,OU=User Accounts,DC=corpaa,DC=aa,DC=com
6. Set Search Scope to Subtree. 
On the Mappers tab: 
7. Set the LDAP Attribute for the username mapper to sAMAccountName. 
8. Log out of IAM. 
9. Log in to IAM with your LDAP credentials. 
10. An error is displayed saying you do not have permissions (the user has been imported but is not yet in any group). 
11. Log back in to IAM as admin. 
12. Choose Users. 
13. Edit your LDAP user; it now shows up in the list. 
14. Choose the Groups tab. 
15. Join the admin and vsc-admin groups. 
16. Log out of IAM. 
17. Log in with your LDAP credentials. 
18. The login succeeds.