LDAP connectivity from IS

Product/components used and version/fix level:

10.15

Detailed explanation of the problem:

Trying to configure LDAP in IS and not to use MWS. Is this possible? And do I still need to map the alias “CentralUsers” in IS?

I see documentation that says how to configure LDAP in IS, but it does not mention prerequisite or post-dependency steps.

Thanks,

Yes.

If you don’t set the alias you need to configure all servers one by one. If you set the CentralUsers pool, they will share configuration. This also includes ACL configurations. If you set a permission to a user or a group, it will be shared across the cluster.

Hi,

not sure if CentralUsers pool has any meaning when not working with MWS as it relates to the CommonDirectory (CDS) part of the MWS database schema.

Please provide more details about your requirement for further analysis & suggestions.

Also refer to the IS Administrators Guide for further information.

Regards,
Holger

Thanks.

I’m able to achieve the IS with LDAP configuration.

For the second one, since it is a container, I’m able to achieve the LDAP configuration through a K8S config map. As for the CentralUser pool, I will still look into it.

Thanks Again.

Hi Holger,

Currently we are running on-prem, where IS and MWS are running, and MWS is configured with LDAP and DB. In IS the same DB is configured to use the CentralUser pool.

We are using this LDAP only to authenticate developers or support, where Developers are allowed to log in only in DEV and Support is allowed to log in in all environments (so it’s more controlled in LDAP).

Now we are moving to containers and are not planning to use MWS. I’m moving this LDAP to IS so as not to have any dependency on MWS.

So, please let me know if there are any issues I need to consider with this setup in a container. Again, we are not using LDAP for authenticating any clients (Frontend).

If you don’t use MWS you can’t use service resubmission. You should be able to configure central users if you set the central user DB properly (though I am not sure, I never used it without MWS). It may be useful depending on how you plan to manage users. If you are pushing the user configuration file to a remote repository it shouldn’t be necessary.

I am also working on a similar architecture in my company, but my plan is to keep MWS for service resubmission and central users configurations. Your entire architecture can be on containers but MWS can stay on prem. I don’t need automatic scaling for MWS, hence I am keeping it on prem.


Hello Vikas and Engin,
It is possible to use IS independently of MWS to connect to the CDS Central Users schema and configure it to connect to an LDAP.
Refer to this article to read some info about how to manage a CDS cluster - CDS cluster

Regards
Senthil

You can connect to CDS directly from IS using the CDS API within a Java service. I must admit, though, that I have always done that in a setup where there was also MWS installed. So I am not sure this is what you meant with “independently”.

Hi,

when using IS with CDS without MWS you might want to check for the package WmCDS in IS in combination with the pub.client.ldap:*-services in the WmPublic package to maintain the data in the LDAP behind the CDS.

Using MWS on prem will ease this as the MWS contains the UI to do so in a Browser.

Regards,
Holger

Hi Senthil,

Yes, I went through this article and came to know that it is possible :)

Just to give more details on our current setup (I already gave them above):

Currently we are running on-prem, where IS and MWS are running, and MWS is configured with LDAP and DB. In IS the same DB is configured to use the CentralUser pool.

We are using this LDAP only to authenticate developers or support, where Developers are allowed to log in only in DEV and Support is allowed to log in in all environments (so it’s more controlled in LDAP).

Now we are moving to containers and are not planning to use MWS. I’m moving this LDAP to IS so as not to have any dependency on MWS.

So, please let me know if there are any issues I need to consider with this setup in a container. Again, we are not using LDAP for authenticating any clients (Frontend). One last thing: if we configure LDAP in IS, “Central User Management” will still show as not configured, and that is how it should be, correct?

Thanks,
Vikas

Basically it depends on how you manage your environment. SoftwareAG provides helm charts; everything you need to configure can be stored in values.yaml files. So if you don’t want to use the central users DB you can use the helm charts. There are no right or wrong answers to your question. It can be either, depending on your configuration.

Check the link below, I think you will also find it useful.

What I did and/or plan to do to reduce the manual configurations is: I mirrored this repo to our own repo. I created a branch for each environment and am planning to use these helm charts to install and configure my environment. The second part is still not finished though. If you have something like this or if you are pushing the configuration files into a repo, you don’t need to set it.

Oh, I meant IS independently of MWS.

This setup is correct given the way CDS works, and I really don’t see any problem with that.

As for your other query, that it shows Central users as not configured in the status, I believe that is because IS uses the MWS URL that is mentioned. When you click the Run button in IS admin > Central users and it says connected, the CDS component has access to write information to the Central users tables.