It is assumed that yarnman has been deployed and installed as per Yarnman Installation and Setup
Note that the authentication configuration requires some specific items for Yarngate
Yarngate Authentication setup
Yarngate MUST use a LDAP authentication policy, local DB authentication policy cannot be used and if configured the Yarngate service will not start
Authentication Database
Create an authentication database
Name the LDAP authentication database
Configure the required roles
Configure the required roles for yarngate it is expected that there would be both a Yarngate-Admin and Yarngate-User. These permissions control what options are availible in the yarngate application after a user is Authenticated and Authorised. Repease this process for as many roles as required
Authentication Policy
Create Authentication Policy
Name the authentication policy and select Authentication Method LDAP + Database with Roles
Select Linked authentication Database created previously for Yarngate
Configure LDAP authentication
The LDAP server address should be in the format LDAPS://<FQDN>:<port> - Note that LDAP:// can be used but passwords will not be encrytped in transit
Verify TLS/SSL certificates can be enabled - Note that the LDAPS server certificate or trusted root CA certificate must be uploaded via the administration app
LDAP username match regex can be used to match username formats - This is a generic username match regex that can be adjusted as needed(^[A-Za-z0-9]+(?:[ _-][A-Za-z0-9]+)*$)
LDAP replace regex allows to adding prefixes/suffices to suite the authentication requirements such as adding a domain suffix
Save the authentication policy - Note that new tabs will now become visable
Configure LDAP authorisation and roles
The LDAP interface field is optional - this can be used if an out of band check using another LDAP user is required for LDAP user group search on LDAP, If this option is not selected the LDAP groups are retreived using the authenticated LDAP user
Base DN - provide the base DN for LDAP searches
Username Match Field - this is the LDAP username field used typically sAMAccountName
LDAP group to role mapping - this provide a mapping from LDAP groups to the Autentication Database roles defined previously. The LDAP groups can be entered in as global group name of LDAP distingushed name
Configure Yarngate Service and Browser Access
It is recommended to add a local authentication administration app on a dedicated port if LDAP access will be used on the default HTTPS TCP/443 access - The process is described hereAdding Secondary Local Auth Administration Access as this provides access to yarnman incase of LDAP issues.
The following process assumes that LDAP authentication will be used for the default proxy and administration application
Add the yarngate application service
Configure the yarngate services
Configure service name
Select node/arm
Host should use localhost as yarngate will be behind the proxy service
HTTPS can remain default
Select Authentication policy configured previously for Yarngate
Open the Proxy Service
Select proxy service - service routing
Add the yarngate application and save
Test Access to Yarngate using the LDAP authentication policy
Copy the base path - this will be randomly generated /yarngate-app-16a85c5e89e142e5bebaa547bc5eeda5
Logout of yarnman
browse to the yarngate application https://<yarngate IP address>/<base url>
Example https://<yarngate IP address>/yarngate-app-16a85c5e89e142e5bebaa547bc5eeda5
The login prompt should appear
If login is sucessful
proceed to next step
If login is not sucessful refer to the following LDAP authentication troubleshooting guide LDAP Authentication and Authorisation Troubleshooting or raise a support case including the yarnman logs to resolve before proceeding
Finalise LDAP configuration
Update default administration application access policy - NOTE that this service will be named Standalone Yarnman Administration App by default
Optionally set the yarngate application to be the default application for the proxy so that when users browse to yarngate and login they will go directly to Yarngate
Yarngate Configuration
This section assumes that that Yarngate access has been configured and the user can login to Yarngate using LDAP credentials
This section assumes that Customers/Clusters/Interfaces have been added either manually via the administration application or via Bulk import of Customers/Cluster/Interfaces