Configuring additional LDAP servers on Kubernetes
You can configure the Sametime Community pod to connect to two or more LDAP servers.
Before you begin
- Configure the cluster for the first LDAP server. This is done when the cluster is installed, so it must already be complete before you add further servers.
- You must know the host name, port and optional bind credentials for each LDAP server.
- If you are using a secure connection to LDAP, the LDAP server’s certificate for each server must be stored in the same .p12 trust store file. You must create a secret containing the trust store that holds each LDAP server’s certificate. Follow the step for creating a secret that contains your certificate in the Securing LDAP on Kubernetes topic.
About this task
When more than one LDAP is defined in an environment, they are searched in the order defined in the StCommunityConfig.xml file. When you define each LDAP server, the order in which they are listed in the configuration is the same order in which they are searched.
The process described in this procedure involves creating a new secret called extra-community-config. This secret overrides the LDAP configuration settings in the values.yaml file. The extra-community-config secret contains a copy of the configuration files used by the Community pod; the LDAP servers are defined within each configuration file. For more information on secrets, see Managing secrets in Kubernetes.
kubectl commands are used to pull the existing files from the Community pod to your local machine. Modify these files locally with the required settings, then create the secret containing the files.
This procedure is to configure Sametime to connect to two or more separate LDAP servers that have unique names.
Procedure
- Create a directory on your machine called extra-community-config at the root of where the Sametime installation package was decompressed.
- Change to the extra-community-config directory.
- Find the Community pod name by running the get pods command. The pod name includes a generated hash suffix, for example community-77d4695988-2bzrx.
kubectl get pods
- Pull a copy of the StCommunityConfig.xml file from the Community pod by running the following command, where podname is the pod name found in the previous step. Do not add -t (allocate a pseudo-terminal) to the command: with a TTY attached, the captured file is written with CRLF line endings.
kubectl exec podname --container community -- cat /local/notesdata/StCommunityConfig.xml > ./StCommunityConfig.xml
For example, if the Community pod name is community-845d5d5755-z7zf7, the command to run is:
kubectl exec community-845d5d5755-z7zf7 --container community -- cat /local/notesdata/StCommunityConfig.xml > ./StCommunityConfig.xml
- Pull a copy of the UserInfoConfig.xml file from the Community pod by running the following command, again without -t. Substitute the name of your Community pod for podname.
kubectl exec podname --container community -- cat /local/notesdata/UserInfoConfig.xml > ./UserInfoConfig.xml
- Find the base64 encoded value of your bind credentials. If you are using an authenticated bind, issue the following command in a Linux shell, with your bind DN and password separated by a colon. Use single quotes so the shell does not interpret characters in the DN or password, and run base64 without -d: -d decodes, and would fail or produce garbage when given the plain-text credentials. The resulting value is used in a later step.
echo -n 'username:password' | base64
If the Bind DN is CN=bind,O=Example and the password is password, then the command is:
echo -n 'CN=bind,O=Example:password' | base64
The output is Q049YmluZCxPPUV4YW1wbGU6cGFzc3dvcmQ=. On GNU coreutils, add -w 0 if the combined value is longer than 76 characters so the output is not line-wrapped. Base64 is an encoding, not encryption: anyone who can read the secret, or your shell history, can recover the password.
- Use a text editor to open your local copy of UserInfoConfig.xml in edit mode.
- Duplicate the line that begins with StorageDetails. The order in which you list your StorageDetails statements is the search order to be used.
- Configure your second LDAP server by completing the fields in the new StorageDetails line:
- HostName: The fully qualified host name or IP address of the second LDAP server.
- Port: If using unsecured LDAP, specify the port number used by LDAP. If you are using secure LDAP, you don't need to modify this field.
- UserName: Set this field to empty double quotes ("").
- Password: Set this field to empty double quotes (""). If using an authenticated bind, add a new parameter after UserName and Password called UserEncodedAuth= and set it to the base64 value that was determined in a previous step.
- BaseDN: Define a base DN for searching the directory. If left blank, the entire directory is searched.
- SearchFilter: Modify the search filter if needed. The defaults work well with Domino LDAP.
You can make other changes to the business card configuration if needed at this time. When finished, save and close the file.
- Edit the StCommunityConfig.xml file with a text editor and make the following changes:
- Within the <LDAP> section, duplicate the line that begins with <Connection Hostname.
- Modify the new line to contain the details of the second LDAP server.
- Modify the SearchOrder parameter for the additional LDAP server to a unique number. This must match the search order you selected for UserInfoConfig.xml.
- Save and close the file.
- Change to the extra-community-config directory that was created earlier and run the following command to create the secret.
kubectl create secret generic extra-community-config --from-file=./
If you have a namespace dedicated to Sametime, add the -n argument with your namespace to ensure the secret is created in the correct namespace. Because --from-file=./ packages every file in the directory, make sure it contains only StCommunityConfig.xml and UserInfoConfig.xml (no editor backups or notes).
- Change to the helm directory where the Sametime installation package was decompressed.
- Open the values.yaml file in edit mode and add the following line. Save and close the file.
overrideCommunityConfigSecret: extra-community-config
- Apply your changes to the environment. Verify that you are in the helm directory and run the following command. Specify the Sametime deployment name for your environment; the default for Sametime Premium version 12 is sametime.
helm upgrade sametime_deployment_name .
Note: Be sure to include the dot at the end. It is part of the command. If you are unsure of your deployment name, issue the helm list command to find the name. If you upgraded from an earlier Sametime release, the default name is sametime-meetings.
- Restart the pods so they pick up the changes. Use the kubectl scale command to scale the Deployment that runs each affected pod to zero and then back to one. You must run the commands for each Deployment that the change affects.
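The whole procedure as one shell helper, added here as a worked example; it is not part of HCL's documentation or product. It pulls both files without a TTY, base64-encodes the bind credentials, checks that the new host was written into both files, creates the secret from the two named files, and restarts the Community Deployment. The Deployment name community (inferred from the community- pod prefix), the SAMETIME_NAMESPACE and WORKDIR variables, and the pull/encode/push/restart subcommands are this example's own assumptions, not settings from the page.

```shell
#!/bin/sh
# Added example, not HCL's code: a helper for the procedure above.
# Assumptions not stated on the page: the Community Deployment is named
# "community" (inferred from the pod-name prefix), the target namespace is
# taken from SAMETIME_NAMESPACE, and the subcommands are this script's own.
set -e

NS="${SAMETIME_NAMESPACE:-default}"            # assumption: namespace via env
WORKDIR="${WORKDIR:-./extra-community-config}" # directory from the procedure
SECRET="extra-community-config"

# Base64-encode "bindDN:password" for UserEncodedAuth. printf avoids echo's
# portability quirks; tr removes the trailing newline and any 76-column line
# wrapping GNU base64 adds for long DNs. Output is encoding, not encryption.
encode_bind_auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# kubectl exec -t allocates a pseudo-terminal, which rewrites LF as CRLF in
# the captured output. Files are pulled without -t; this strips CRs anyway.
strip_cr() {
    tr -d '\r'
}

# First pod whose name starts with "community-" (the prefix shown on the page).
current_pod() {
    kubectl get pods -n "$NS" -o name | sed -n 's#^pod/\(community-.*\)#\1#p' | head -n 1
}

# $1 = pod name, $2 = file under /local/notesdata. Writes to a temp file first
# so a failed exec cannot leave an empty file that would later replace the
# real configuration inside the pod.
pull_config() {
    tmp="$(mktemp)"
    kubectl exec -n "$NS" "$1" --container community -- cat "/local/notesdata/$2" > "$tmp"
    strip_cr < "$tmp" > "$WORKDIR/$2"
    rm -f "$tmp"
    [ -s "$WORKDIR/$2" ] || { echo "pulled $2 is empty" >&2; exit 1; }
}

# $1 = file, $2 = host. The new server must appear in both files
# (StorageDetails HostName in UserInfoConfig.xml, Connection Hostname in
# StCommunityConfig.xml); a miss means one of the two edits was skipped.
host_in_file() {
    grep -q -F "$2" "$1"
}

create_secret() {
    # Name the two files explicitly instead of --from-file=./ so an editor
    # backup left in the directory is not shipped; dry-run + apply makes the
    # step repeatable after further edits.
    kubectl create secret generic "$SECRET" -n "$NS" \
        --from-file="$WORKDIR/StCommunityConfig.xml" \
        --from-file="$WORKDIR/UserInfoConfig.xml" \
        --dry-run=client -o yaml | kubectl apply -f -
    # Read back one key to confirm the content (dots in key names are escaped).
    kubectl get secret "$SECRET" -n "$NS" \
        -o jsonpath='{.data.StCommunityConfig\.xml}' | base64 -d | head -n 3
}

# The page's final step: scale to zero and back so the pod remounts the secret.
restart_community() {
    kubectl scale deployment/community -n "$NS" --replicas=0
    kubectl scale deployment/community -n "$NS" --replicas=1
    kubectl rollout status deployment/community -n "$NS"
}

case "${1:-}" in
    pull)
        mkdir -p "$WORKDIR"
        pod="$(current_pod)"
        pull_config "$pod" StCommunityConfig.xml
        pull_config "$pod" UserInfoConfig.xml
        echo "Pulled from $pod into $WORKDIR. Edit both files, then: $0 push <new-ldap-host>" ;;
    encode)
        # Read the password from stdin, not argv, so it stays out of the
        # process list and shell history.
        stty -echo 2>/dev/null || true; read -r pw; stty echo 2>/dev/null || true
        encode_bind_auth "$2" "$pw"; echo ;;
    push)
        for f in StCommunityConfig.xml UserInfoConfig.xml; do
            host_in_file "$WORKDIR/$f" "$2" || { echo "$2 not found in $f" >&2; exit 1; }
        done
        create_secret ;;
    restart)
        restart_community ;;
esac
```

Typical use follows the order of the page: pull, edit the two files as described, run encode to get the UserEncodedAuth value, push to create the secret, then add the overrideCommunityConfigSecret line to values.yaml and run helm upgrade by hand, and finally restart.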