Configuring Auth

Generating an Auth File

Ops Manager's authentication system can be configured in several ways. The format of the configuration file depends on the authentication method used.

configure-authentication:

---
username: username
password: password
decryption-passphrase: decryption-passphrase

# Optional
# http-proxy-url:           # proxy for outbound HTTP network traffic
# https-proxy-url:          # proxy for outbound HTTPS network traffic
# no-proxy:                 # comma-separated list of hosts that do not go
                            # through the proxy
# precreated-client-secret: # create a UAA client on the Ops Manager vm.
                            # this will be client-secret in env.yml
                            # client ID is precreated-client

configure-ldap-authentication:

decryption-passphrase: some-passphrase
server-url: ldap://example.com
ldap-username: cn=admin,dc=opsmanager,dc=com
ldap-password: some-password
user-search-base: ou=users,dc=opsmanager,dc=com
user-search-filter: cn={0}
group-search-base: ou=groups,dc=opsmanager,dc=com
group-search-filter: member={0}
ldap-rbac-admin-group-name: cn=opsmgradmins,ou=groups,dc=opsmanager,dc=com
email-attribute: mail
ldap-referrals: follow

# Optional
# http-proxy-url:                 # proxy for outbound HTTP network traffic
# https-proxy-url:                # proxy for outbound HTTPS network traffic
# no-proxy:                       # comma-separated list of hosts that do not go
                                  # through the proxy
# precreated-client-secret:       # create a UAA client on the Ops Manager vm.
                                  # this will be client-secret in env.yml
                                  # client ID is precreated-client
# server-ssl-cert:                # the server certificate when using ldaps://
# skip-create-bosh-admin-client:  # do not create a UAA client on the BOSH
                                  # director. The client is required to execute
                                  # BOSH commands from the BOSH CLI

configure-saml-authentication:

---
decryption-passphrase: decryption-passphrase
saml-idp-metadata: https://saml.example.com:8080
saml-bosh-idp-metadata: https://bosh-saml.example.com:8080
saml-rbac-admin-group: opsman.full_control
saml-rbac-groups-attribute: myenterprise

# Optional
# http-proxy-url:                 # proxy for outbound HTTP network traffic
# https-proxy-url:                # proxy for outbound HTTPS network traffic
# no-proxy:                       # comma-separated list of hosts that do not go
                                  # through the proxy
# precreated-client-secret:       # create a UAA client on the Ops Manager vm.
                                  # this will be client-secret in env.yml
                                  # client ID is precreated-client                                  
# server-ssl-cert:                # the server certificate when using ldaps://
# skip-create-bosh-admin-client:  # do not create a UAA client on the BOSH
                                  # director. The client is required to execute
                                  # BOSH commands from the BOSH CLI

Managing Configuration, Auth, and State Files

To use all these files with the Concourse tasks that require them, you need to make them available as Concourse Resources. They’re all text files. There are many resource types that can work for this. In our examples, we use a git repository. As with the tasks and image, you’ll need to declare a resource in your pipeline for each repo you need.
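
Because these auth files end up in a repository, a check run before committing can confirm that each file carries the keys its method needs and flag values worth reviewing. The following is an added example, not part of the original documentation or the product: the function names are hypothetical, every uncommented key in the samples above is treated as required, secrets are assumed to be supplied as Concourse `((name))` variables rather than literals, and the parser handles only the flat `key: value` layout shown on this page.

```python
import re

# Keys each method needs, read from the uncommented lines of the samples above
# (treating all of them as required is an assumption of this example).
REQUIRED = {
    "internal": {"username", "password", "decryption-passphrase"},
    "ldap": {"decryption-passphrase", "server-url", "ldap-username",
             "ldap-password", "user-search-base", "user-search-filter",
             "group-search-base", "group-search-filter",
             "ldap-rbac-admin-group-name", "email-attribute", "ldap-referrals"},
    "saml": {"decryption-passphrase", "saml-idp-metadata",
             "saml-bosh-idp-metadata", "saml-rbac-admin-group",
             "saml-rbac-groups-attribute"},
}
SECRET_KEYS = {"password", "decryption-passphrase", "ldap-password",
               "precreated-client-secret"}
PLACEHOLDER = re.compile(r"^\(\(.+\)\)$")  # ((name)) variable, assumed in use

def parse_flat_yaml(text):
    """Parse the flat `key: value` layout of these files (not general YAML)."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "---":
            continue
        key, sep, value = line.partition(":")
        if sep:
            pairs[key.strip()] = value.split(" #", 1)[0].strip().strip("'\"")
    return pairs

def lint_auth_file(text):
    """Return (method, findings) for the text of one auth file."""
    cfg = parse_flat_yaml(text)
    method = ("ldap" if "server-url" in cfg else
              "saml" if "saml-idp-metadata" in cfg else "internal")
    findings = [f"missing key: {k}" for k in sorted(REQUIRED[method] - set(cfg))]
    for key in sorted(SECRET_KEYS & set(cfg)):
        if not PLACEHOLDER.match(cfg[key]):
            findings.append(f"literal secret in {key}")
    if cfg.get("server-url", "").startswith("ldap://"):
        findings.append("server-url uses ldap:// (no TLS)")
    return method, findings

# Constructed sample: an incomplete LDAP auth file with one literal secret.
SAMPLE = ("decryption-passphrase: ((opsman-passphrase))\n"
          "server-url: ldap://example.com\n"
          "ldap-password: some-password\n")

if __name__ == "__main__":
    print(lint_auth_file(SAMPLE))
```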