Integration : VMware Enterprise PKS with external LDAP

In this blog post, we will discuss about how to connect VMware Enterprise PKS to an external LDAP. Connecting PKS to a LDAP external user store allows the User Account and Authentication (UAA) server to delegate authentication to existing enterprise user stores.

Note: When integrating with an external identity provider such as LDAP, authentication within the UAA becomes chained. That means, UAA first attempts to authenticate with a user’s credentials against the UAA user store before reaching out to the external provider, LDAP

Update PKS Tile on OpsMan :

To integrate UAA with one or more LDAP servers, configure Enterprise PKS with your LDAP endpoint information as follows:

Click on the PKS tile > Settings > UAA and select LDAP Server.

Server URL : Enter the URLs that point to your LDAP server.
LDAP Credentials : LDAP Distinguished Name (DN) and password for binding to the LDAP server
User Search Base : Enter the location in the LDAP directory tree where LDAP user search begins
User Search Filter : Enter a string to use for LDAP user search criteria. Use cn={0} to return all LDAP objects with the same common name as the username.

Note: To use UPN instead of CN, use userPrincipalName= {0} instead of cn={0} in the user search filter

Group Search Base : Enter the location in the LDAP directory tree where the LDAP group search begins
Group Search Filter : Enter a string that defines LDAP group search criteria. The standard value is member={0}

Once the LDAP endpoint information is updated in the tile, click on save, go to the home page of OpsMan and click on REVIEW PENDING CHANGES.

Make sure Enterprise PKS tile is selected and then click on APPLY CHANGES.

Once the changes are applied successfully, you will get a confirmation message as below.

Configure UAA Group Mapping :

Note: You should already have Installed UAAC CLI on the client machine.

Step 1: Target your UAA server

Target the UAA server by running the uaac target command as below.

rkamalon@PKSClient:~$ uaac target --skip-ssl-validation
Step 2: Get the UAA token

Retrieve UAA admin password by going to the Ops Manager home page → PKS Tile → Credentials → Pks Uaa Management Admin Client → Link to credential.

Make a note of the secret (as below) that appears in the window


Run the uaac token client get command to get UAA token

rkamalon@PKSClient:~$ uaac token client get admin -s Uxwnzv_tJYsqgr6Wy-IsFLBeRTFj-p0q
 Successfully fetched token via client credentials grant.
 Context: admin, from client admin
Step 3: Grant PKS access to an external LDAP

To grant PKS access to an external LDAP group, perform the following steps:

UAA Scopes :

You can assign the following UAA scopes to users or external LDAP groups

  • pks.clusters.manage: Accounts with this scope can create and access their own clusters.
  • pks.clusters.admin: Accounts with this scope can create and access all clusters.
Grant permission to an LDAP group

Run the below command to give permission to an LDAP group.


In the below example, I am giving permission to an AD group named ‘pksadmin’

For this lab exercise, I have created the below AD users and group.

  • Roshan Kamalon(User)
  • pksuser1(User)
  • pksadmin(Group)
 rkamalon@PKSClient:~$ uaac group map --name pks.clusters.admin CN=pksadmin,CN=users,DC=gsslabs,DC=org
 Successfully mapped pks.clusters.admin to CN=pksadmin,CN=users,DC=gsslabs,DC=org for origin ldap

Run the uaac group mapping command to review the mapping

rkamalon@PKSClient:~$ uaac group mappings
       organizations.acme: cn=test_org,ou=people,o=springsource,o=org
       pks.clusters.admin: cn=pksadmin,cn=users,dc=gsslabs,dc=org
   schemas: urn:scim:schemas:core:1.0
   startindex: 1
   itemsperpage: 2
   totalresults: 2

Run the below command to give access to the above AD users.

rkamalon@PKSClient:~$ pks login -a -u 'Roshan kamalon' --skip-ssl-validation
 Password: **
 API Endpoint:
 User: Roshan Kamalon
rkamalon@PKSClient:~$ pks login -a -u pksuser1 --skip-ssl-validation
 Password: **
 API Endpoint:
 User: pksuser1

Verify the LDAP user added to UAA by running uaac user get command

rkamalon@PKSClient:~$ uaac user get pksuser1
id: 46c847b4-f449-486d-ac60-99fe76575da7
version: 0
created: 2019-08-14T06:59:53.000Z
lastmodified: 2019-08-14T06:59:53.000Z
givenname: pksuser1
primary: false
value: a2656317-2c42-4426-b132-6e11bb8f1226
display: pks.clusters.admin
type: DIRECT
value: dc4c188c-f758-4493-b33b-e9a2271f63b9
type: DIRECT
value: 7d7b254e-8521-4e11-b36c-d1d5b789fc81
display: user_attributes
type: DIRECT
value: 1d9995ad-2166-40e2-a447-1bec58a03e4e
display: cloud_controller.write
type: DIRECT
value: 552a7a71-0fcc-4f71-b086-de06406e5818
display: roles
type: DIRECT
value: 28e1efc9-0293-46ba-a207-a0b8c1006c3a
type: DIRECT
value: 44fe4405-1036-4394-a737-868e5c2d8965
display: profile
type: DIRECT
value: 9ad2f1fc-6558-4a2c-bff6-0e2d66b14233
display: openid
type: DIRECT
value: f45b460c-4b91-4fbd-94f9-9a063e966ef3
display: password.write
type: DIRECT
value: b7cb5e1b-255f-42f9-93a2-07bdff617202
type: DIRECT
value: 3191d3b7-f937-4723-bea1-e1beb36ccd97
display: oauth.approvals
type: DIRECT
value: eb1d15d7-fbad-409c-8e2c-750ca28192af
type: DIRECT
value: dc56a459-0e99-4e8e-a582-77578b17a62a
type: DIRECT
value: 7b0d1ce5-b146-4f6d-946a-2c6ff120f482
display: uaa.offline_token
type: DIRECT
value: 05eadf0b-23de-4821-b439-7949147183dd
display: notification_preferences.write
type: DIRECT
value: 3a397130-b928-41ff-b761-05a0f7d3309a
display: uaa.user
type: DIRECT
active: true
verified: false
origin: ldap
schemas: urn:scim:schemas:core:1.0
externalid: cn=pksuser1,cn=Users,dc=gsslabs,dc=org
username: pksuser1
zoneid: uaa
passwordlastmodified: 2019-08-14T06:59:53.000Z
lastlogontime: 1565765993455

Run the following command to log in to PKS client using LDAP user account and credentials

rkamalon@PKSClient:~$ pks login -a -u pksuser1 -k
 Password: **
 API Endpoint:
 User: pksuser1

Now you should be able to run pks commands

rkamalon@PKSClient:~$ pks clusters
 Name     Plan Name  UUID                                  Status     Action
 testing  small      3093e08d-f803-4944-9ded-3324a2479012  succeeded  CREATE
 minion   small      5f36db4d-3a95-4e17-a1f0-7a96916831aa  succeeded  CREATE

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a website or blog at

Up ↑

%d bloggers like this: