
Stackato Authentication Using LDAP or Google Apps
by Andrew Cole, June 18, 2013

LDAP The Hard Way

Let's say you're running a private cloud application platform like Stackato or Cloud Foundry. Let's further say that you're running this Platform-as-a-Service (PaaS) inside your enterprise IT organization. This all sounds pretty reasonable, right? Enterprises are exactly the kind of customers who want private PaaS. What kind of features do enterprises expect from a PaaS?

We've found that one of the first things enterprise customers want from Stackato is the ability to authenticate their users against an existing authentication system such as LDAP. Before you can do almost anything else, your users need to be able to authenticate to the system. You'd think this would be a basic function of any private PaaS that was serious about the enterprise, yet this thread (Using LDAP with UAA) on the Cloud Foundry developers mailing list has been going on for more than a year with no resolution. Even if Cloud Foundry does get LDAP support implemented and documented some day, it will still mean bogging your cluster down with two heavyweight Spring components on every node performing authentication.

The Better Way

Stackato supports LDAP out-of-the-box with minimal configuration, and has for several releases. Configuring your Stackato cluster to authenticate users with your LDAP server is simple. We'll go over configuring a basic LDAP setup using Stackato's lightweight, pluggable authentication component AOK. For complete documentation in sync with the current version of Stackato, check the AOK documentation.

First we enable AOK. It's disabled by default to provide the easiest out-of-box experience for folks just trying out Stackato. The following commands can be executed in the shell on a micro cloud VM or on any node in your cluster.

$ kato config set cloud_controller aok/enabled true

Tell AOK to use LDAP:

$ kato config set aok strategy/use ldap

Set the details of your LDAP connection:

$ kato config set aok strategy/ldap/host "ldap.example.com"
$ kato config set aok strategy/ldap/base "dc=example, dc=com"
$ kato config set aok strategy/ldap/bind_dn "your_bind_dn"
$ kato config set aok strategy/ldap/password "your_bind_password"

Then restart the controller role on each of your controller nodes to make the changes take effect:

$ kato restart controller

For a fairly typical Active Directory setup, that should be all you need. There are additional settings available to deal with different setups or other LDAP servers.

Now anyone who can authenticate with your LDAP server has access to Stackato. Many enterprise LDAP servers have facilities for segmenting users if you only want some of your LDAP users to have access to Stackato.
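To make the steps above concrete, here is an added illustration (not AOK's code, and not taken from the Stackato documentation) of the search-then-bind flow that directory-backed login strategies typically perform, run against a small in-memory directory constructed for the example. The bind DN, base and access group are hypothetical values that mirror the kato keys above; the host is omitted because nothing touches the network. It also shows the two checks a defender cares about at this point: the user-supplied name is escaped before it goes into the search filter, and an empty password is refused so it cannot degrade into an anonymous bind.

```python
"""Model of the search-then-bind login flow that directory-backed login
strategies typically perform, run against a small constructed in-memory
directory. Added illustration only; it is not AOK's code."""
import re

# Constructed sample directory: DN -> attributes. Passwords live here only so
# the toy bind() can verify them; a real server never returns them.
DIRECTORY = {
    "cn=svc-stackato,ou=services,dc=example,dc=com": {
        "password": "bind-secret",
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice",
        "password": "alice-pw",
        "memberOf": ["cn=stackato-users,ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": "bob",
        "password": "bob-pw",
        "memberOf": [],
    },
}

# Hypothetical settings mirroring the kato keys in the post (host omitted).
BASE = "dc=example,dc=com"
BIND_DN = "cn=svc-stackato,ou=services,dc=example,dc=com"
BIND_PASSWORD = "bind-secret"
ACCESS_GROUP = "cn=stackato-users,ou=groups,dc=example,dc=com"  # assumed group


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter, so
    '*', '(', ')' and '\\' typed by a user stay literal characters."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def _value_regex(filter_value):
    """Toy filter semantics: an unescaped '*' is a wildcard, '\\xx' is a literal."""
    parts = []
    i = 0
    while i < len(filter_value):
        ch = filter_value[i]
        if ch == "\\" and i + 3 <= len(filter_value):
            parts.append(re.escape(chr(int(filter_value[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts))


def bind(dn, password):
    """Simple bind. An empty password is refused outright: on many real
    servers a name with an empty password is an unauthenticated bind that
    'succeeds' without proving anything (RFC 4513 section 5.1.2)."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password != "" and entry["password"] == password


def search_uid(base, filter_value):
    """Return the DNs under `base` matching the filter (uid=<filter_value>)."""
    pattern = _value_regex(filter_value)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base) and "uid" in attrs
            and pattern.fullmatch(attrs["uid"])]


def authenticate(username, password):
    """Return the user's DN on success, None on any failure."""
    if not bind(BIND_DN, BIND_PASSWORD):          # 1. service account bind
        raise RuntimeError("service account bind failed; check bind_dn/password")
    matches = search_uid(BASE, escape_filter_value(username))  # 2. locate user
    if len(matches) != 1:                         # unknown or ambiguous user
        return None
    user_dn = matches[0]
    if not bind(user_dn, password):               # 3. bind as the user
        return None
    if ACCESS_GROUP not in DIRECTORY[user_dn].get("memberOf", []):  # 4. segment
        return None
    return user_dn


if __name__ == "__main__":
    print(authenticate("alice", "alice-pw"))   # alice's DN
    print(authenticate("bob", "bob-pw"))       # None: not in the access group
    print(search_uid(BASE, "*"))               # unescaped wildcard: everyone
```

Step 4 is one way of doing the segmentation the paragraph above mentions: bob can authenticate to the directory but is not in the assumed access group, so he gets no Stackato login. Compare `search_uid(BASE, "*")`, which lists every user, with the escaped form, which matches nobody, to see why the escaping in step 2 matters.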

Google login

The fun doesn't end there. Authentication with AOK is pluggable, so we'll continue to add more authentication methods. Stackato 2.10.6 adds support for logging in with your Google Apps for Business account. If your company uses Google for email, this is a really fast and easy way to set up Stackato so all of your users automatically have access. Again, find complete configuration information in the AOK documentation.

First enable AOK:

$ kato config set cloud_controller aok/enabled true

Tell AOK to use Google Apps to log in:

$ kato config set aok strategy/use google_apps

Tell AOK what your company's email domain is. Assuming your users have @example.com email addresses:

$ kato config set aok strategy/google_apps/domain "example.com"

Then restart the controller role on each of your controller nodes to make the changes take effect:

$ kato restart controller

There you have it. In just 4 shell commands you've configured Stackato to log all of your users in with their company Google accounts.
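The domain setting above is what keeps a Google login restricted to your company. As an added illustration (not AOK's code), the following shows the check such a setting implies and the lookalike addresses it must reject; the allowed set and the sample logins are constructed for the example.

```python
"""Domain check for a Google Apps login: accept an account only when the
whole e-mail domain equals a configured one. Added illustration, not
AOK's code; the allowed set and sample addresses are constructed."""

# Assumed to hold the value given to: kato config set aok strategy/google_apps/domain
ALLOWED_DOMAINS = {"example.com"}


def email_domain(address):
    """Return the lower-cased domain of a plausible address, else None."""
    address = address.strip()
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain or "@" in local:
        return None
    if any(c.isspace() for c in address):
        return None
    return domain.lower()


def is_allowed(address, allowed=ALLOWED_DOMAINS):
    """Exact match on the full domain. A suffix check such as
    address.endswith("example.com") would also pass 'u@notexample.com', and
    a substring check would pass 'u@example.com.attacker.test'; comparing the
    complete domain, case-insensitively, rules both out."""
    domain = email_domain(address)
    return domain is not None and domain in {d.lower() for d in allowed}


def partition_accounts(addresses, allowed=ALLOWED_DOMAINS):
    """Split sample logins into (accepted, rejected) lists."""
    accepted = [a for a in addresses if is_allowed(a, allowed)]
    rejected = [a for a in addresses if not is_allowed(a, allowed)]
    return accepted, rejected


SAMPLE_LOGINS = [  # constructed sample addresses
    "alice@example.com",
    "Bob@EXAMPLE.COM",
    "carol@notexample.com",
    "dave@example.com.attacker.test",
    "eve@sub.example.com",
    "not-an-address",
]

if __name__ == "__main__":
    accepted, rejected = partition_accounts(SAMPLE_LOGINS)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Subdomains are rejected on purpose: the example treats each domain as a separate identity namespace, so a deployment that wants `sub.example.com` accepted lists it in `ALLOWED_DOMAINS` explicitly rather than loosening the comparison.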

About the Author:

Andrew Cole, Software Developer, joined ActiveState in March 2012. He works on the Stackato authentication component AOK and the Cloud Controller. He lives in Seattle.