Changing the LDAP service account password in Kubernetes
If you are using an authenticated bind for LDAP, with a password that expires periodically, you'll need to update the LDAP bind credentials for Sametime clusters in Kubernetes with a new password.
About this task
The LDAP bind credentials are Base64 encoded and defined in the configuration as secrets. When updating the password, you'll need to complete the following tasks:
- Find the Base64 encoded values of your credentials.
- Update the bind credentials in the Kubernetes secrets.
The LDAP bind credentials are located in the following Kubernetes secrets:
- sametime-global-secrets
- extra-community-config (optional)
There is an optional configuration to override the default settings for LDAP and for business cards in a secret called extra-community-config. If you have implemented this secret, the LDAP bind credentials must be updated in the XML configuration files, and the extra-community-config secret should be deleted and recreated.
The changes in this task affect the following pods:
- Community
Procedure
- Find the Base64 encoded values of your credentials.
- Update the secret for sametime-global-secrets.
- Optional: Update the extra-community-config secret.
- Create a new directory named extra-community-configs on the machine that is used to run kubectl commands.
- Change directories to the extra-community-configs directory you just created.
- Locate the name of the Community pod, which is used in the next step, by running the following command:
  kubectl get pods
  The name has hashes in it, for example: community-845d5d5755-z7zf7.
- Pull a copy of the StCommunityConfig.xml file from the Community pod by running the following command, where podname is the Community pod name found in the previous step:
  kubectl exec -it podname --container community -- cat /local/notesdata/StCommunityConfig.xml >./StCommunityConfig.xml
  For example, if the Community pod name is community-845d5d5755-z7zf7, the command to run is:
  kubectl exec -it community-845d5d5755-z7zf7 --container community -- cat /local/notesdata/StCommunityConfig.xml >./StCommunityConfig.xml
- Pull a copy of the UserInfoConfig.xml file from the Community pod by running the following command. Substitute the name of your Community pod for <podname>:
  kubectl exec -it <podname> --container community -- cat /local/notesdata/UserInfoConfig.xml >./UserInfoConfig.xml
  For example, if the Community pod name is community-845d5d5755-z7zf7, the command to run is:
  kubectl exec -it community-845d5d5755-z7zf7 --container community -- cat /local/notesdata/UserInfoConfig.xml >./UserInfoConfig.xml
- After adding the two files to your machine, the new LDAP DN and password must be defined. Open the local copy of the StCommunityConfig.xml file using a file editor. Locate the parameters to be changed and set them to their actual unencoded values. Do not specify the Base64 encoded values.
  - Set BindEntryDn= to the Bind DN.
  - Set BindEntryPwd= to the new Bind password.
- Open the UserInfoConfig.xml file and change the UserEncodedAuth value.
- Create the extra-community-config secret by issuing the following command:
  kubectl create secret generic extra-community-config --from-file=./
- Update the configuration files. If you did not have an extra-community-config secret before, you must update the values.yaml file for Sametime to use the secret.
- Restart the pods with the changes. Use the kubectl scale command to scale the pods that have been changed to zero and then to one. You must run the commands for each pod that the change affects.
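
Two checks that fit around the procedure above, given as an added example that is not part of the original documentation: `b64_cred` and `b64_is_clean` cover the "Find the Base64 encoded values" step, and `preflight_dir` inspects the extra-community-configs directory before `kubectl create secret generic extra-community-config --from-file=./` is run. The function names are hypothetical; the file and parameter names are the ones used in this task.

```shell
#!/bin/sh
# Added example: function names are hypothetical; the file and parameter
# names are the ones this task uses.

# Base64-encode a credential exactly as given. printf '%s' avoids the trailing
# newline that `echo` adds, which would become part of the encoded password.
b64_cred() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Succeed only if an encoded value decodes to something non-empty that does
# not end in LF or CR (the usual result of `echo value | base64`).
b64_is_clean() {
    last=$(printf '%s' "$1" | base64 -d 2>/dev/null | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ -n "$last" ] && [ "$last" != "0a" ] && [ "$last" != "0d" ]
}

# Check the directory that `--from-file=./` will read. kubectl packs the
# regular files it finds there into the secret, so anything other than the two
# edited XML files (editor swap files, old copies) is rejected, as is an empty
# file left behind by a failed `kubectl exec ... >file` redirect.
preflight_dir() {
    dir=$1; rc=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            StCommunityConfig.xml|UserInfoConfig.xml) ;;
            *) echo "unexpected file would be added to the secret: $f"; rc=1 ;;
        esac
    done
    for pair in StCommunityConfig.xml:BindEntryDn StCommunityConfig.xml:BindEntryPwd \
                UserInfoConfig.xml:UserEncodedAuth; do
        file=$dir/${pair%%:*}; param=${pair#*:}
        if [ ! -s "$file" ]; then
            echo "missing or empty: $file"; rc=1
        elif ! grep -q "$param" "$file"; then
            echo "$param not found in $file"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh preflight.sh ./extra-community-configs
if [ "$#" -gt 0 ]; then preflight_dir "$1"; fi
```

The local XML copies hold the bind password in clear text, so restrict access to the extra-community-configs directory and remove it once the secret has been created.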