
Configure an External LDAP Directory

How to connect your cluster to an external LDAP directory

This guide shows you how to configure your DKP cluster so that users can log in with the credentials stored in an external LDAP directory service.

Add LDAP connector

Every LDAP directory is laid out differently, so pay close attention to the values used in these steps and adapt them to your directory. You can add the LDAP authentication mechanism using either the CLI or the UI.

The following example does not cover all possible configurations. Refer to the Dex LDAP connector reference documentation for more details.

The example below configures a DKP cluster to connect to the Online LDAP Test Server. For demonstration purposes, the configuration shown uses insecureNoSSL: true, which sends the bind password and every user login over the network in clear text. In production, protect LDAP communication with properly configured transport layer security (TLS). When using TLS, an admin can add insecureSkipVerify: true to spec.ldap to skip server certificate verification if needed; because that check is what proves Dex is talking to the genuine directory rather than an impostor, reserve it for troubleshooting.

Choose whether to establish an external LDAP globally, or for a specific workspace.

Global LDAP - identity provider serves all workspaces

Create and apply the following objects:

CODE
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: ldap-password
  namespace: kommander
type: Opaque
stringData:
  password: password
---
apiVersion: dex.mesosphere.io/v1alpha1
kind: Connector
metadata:
  name: ldap
  namespace: kommander
spec:
  enabled: true
  type: ldap
  displayName: LDAP Test
  ldap:
    host: ldap.forumsys.com:389
    insecureNoSSL: true
    bindDN: cn=read-only-admin,dc=example,dc=com
    bindSecretRef:
      name: ldap-password
    userSearch:
      baseDN: dc=example,dc=com
      filter: "(objectClass=inetOrgPerson)"
      username: uid
      idAttr: uid
      emailAttr: mail
    groupSearch:
      baseDN: dc=example,dc=com
      filter: "(objectClass=groupOfUniqueNames)"
      userMatchers:
      - userAttr: DN
        groupAttr: uniqueMember
      nameAttr: ou
EOF

The value of the LDAP connector's spec.displayName (here LDAP Test) appears on the login button for this identity provider in the DKP UI. Choose a name that is meaningful for users.
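The userSearch and groupSearch settings above decide which directory entry a login maps to and which groups Dex reports for it: the user filter is combined with the username attribute, and a group counts only if it matches groupSearch.filter and its groupAttr (uniqueMember) contains the user's userAttr (DN). The following is an added example, not Dex's or DKP's own code: it models that documented behaviour over a constructed in-memory directory so you can see why a group with objectClass groupOfNames, or one that lists a different DN, is silently dropped. Only simple "(attr=value)" filters are supported by this model.

```python
import re

# Constructed directory entries: a tiny stand-in for a real LDAP tree.
DIRECTORY = [
    {"dn": "uid=alice,dc=example,dc=com", "objectClass": ["inetOrgPerson"],
     "uid": ["alice"], "mail": ["alice@example.com"]},
    {"dn": "uid=bob,dc=example,dc=com", "objectClass": ["inetOrgPerson"],
     "uid": ["bob"], "mail": ["bob@example.com"]},
    {"dn": "ou=admins,dc=example,dc=com", "objectClass": ["groupOfUniqueNames"],
     "ou": ["admins"], "uniqueMember": ["uid=alice,dc=example,dc=com"]},
    {"dn": "ou=devs,dc=example,dc=com", "objectClass": ["groupOfUniqueNames"],
     "ou": ["devs"], "uniqueMember": ["uid=alice,dc=example,dc=com",
                                      "uid=bob,dc=example,dc=com"]},
    # Wrong objectClass and wrong membership attribute: groupSearch ignores it.
    {"dn": "cn=legacy,dc=example,dc=com", "objectClass": ["groupOfNames"],
     "cn": ["legacy"], "member": ["uid=bob,dc=example,dc=com"]},
]

# The relevant part of spec.ldap from the Connector manifest above.
CONNECTOR_LDAP = {
    "userSearch": {"baseDN": "dc=example,dc=com",
                   "filter": "(objectClass=inetOrgPerson)",
                   "username": "uid", "idAttr": "uid", "emailAttr": "mail"},
    "groupSearch": {"baseDN": "dc=example,dc=com",
                    "filter": "(objectClass=groupOfUniqueNames)",
                    "userMatchers": [{"userAttr": "DN", "groupAttr": "uniqueMember"}],
                    "nameAttr": "ou"},
}


def matches_filter(entry, ldap_filter):
    """Evaluate one equality filter such as "(objectClass=inetOrgPerson)"."""
    m = re.fullmatch(r"\((\w+)=([^)]+)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter in this model: {ldap_filter}")
    attr, value = m.group(1), m.group(2)
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def in_base(entry, base_dn):
    """Subtree scope: the entry's DN must end with the search base."""
    return entry["dn"].lower().endswith(base_dn.lower())


def attr_values(entry, attr):
    """'DN' is special in userMatchers: it means the entry's distinguished name."""
    if attr.upper() == "DN":
        return [entry["dn"]]
    return entry.get(attr, [])


def find_user(username, cfg=CONNECTOR_LDAP, directory=DIRECTORY):
    """userSearch: filter AND (username-attr = login). Exactly one hit is required;
    zero means bad credentials, more than one is an ambiguous (failed) login."""
    us = cfg["userSearch"]
    hits = [e for e in directory
            if in_base(e, us["baseDN"]) and matches_filter(e, us["filter"])
            and username in e.get(us["username"], [])]
    return hits[0] if len(hits) == 1 else None


def groups_for(user, cfg=CONNECTOR_LDAP, directory=DIRECTORY):
    """groupSearch: a group is reported when it passes the group filter and any
    userMatcher links the user's userAttr value to the group's groupAttr values."""
    gs = cfg["groupSearch"]
    names = []
    for group in directory:
        if not (in_base(group, gs["baseDN"]) and matches_filter(group, gs["filter"])):
            continue
        for matcher in gs["userMatchers"]:
            user_vals = {v.lower() for v in attr_values(user, matcher["userAttr"])}
            group_vals = {v.lower() for v in attr_values(group, matcher["groupAttr"])}
            if user_vals & group_vals:
                names.extend(group.get(gs["nameAttr"], []))
                break
    return sorted(names)


def claims_for(username, cfg=CONNECTOR_LDAP, directory=DIRECTORY):
    """The identity Dex would hand to DKP: id, email and group names, or None."""
    user = find_user(username, cfg, directory)
    if user is None:
        return None
    us = cfg["userSearch"]
    return {"user_id": user[us["idAttr"]][0],
            "email": user[us["emailAttr"]][0],
            "groups": groups_for(user, cfg, directory)}


if __name__ == "__main__":
    for login in ("alice", "bob", "carol"):
        print(login, "->", claims_for(login))
```

The practical consequence for access control: groups you later reference when granting access to Kubernetes and Kommander resources are matched by the value of nameAttr (ou here), so if your directory names groups with cn instead, the group claim will be empty until nameAttr is changed to match.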

Workspace LDAP - identity provider serves a specific workspace

Establish LDAP for a specific workspace in the scope of Multi-Tenancy in DKP.

Create and apply the following objects:

  1. Obtain the workspace name for which you are establishing an LDAP authentication server:

    CODE
    kubectl get workspaces

    Note down the value under the WORKSPACE NAMESPACE column.

  2. Set the WORKSPACE_NAMESPACE environment variable to that namespace:

    CODE
    export WORKSPACE_NAMESPACE=<your-namespace>

  3. Create and apply the following objects on that workspace:

    CODE
    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: ldap-password
      namespace: ${WORKSPACE_NAMESPACE}
    type: Opaque
    stringData:
      password: password
    ---
    apiVersion: dex.mesosphere.io/v1alpha1
    kind: Connector
    metadata:
      name: ldap
      namespace: ${WORKSPACE_NAMESPACE}
    spec:
      enabled: true
      type: ldap
      displayName: LDAP Test
      ldap:
        host: ldap.forumsys.com:389
        insecureNoSSL: true
        bindDN: cn=read-only-admin,dc=example,dc=com
        bindSecretRef:
          name: ldap-password
        userSearch:
          baseDN: dc=example,dc=com
          filter: "(objectClass=inetOrgPerson)"
          username: uid
          idAttr: uid
          emailAttr: mail
        groupSearch:
          baseDN: dc=example,dc=com
          filter: "(objectClass=groupOfUniqueNames)"
          userMatchers:
          - userAttr: DN
            groupAttr: uniqueMember
          nameAttr: ou
    EOF

The value of the LDAP connector's spec.displayName (here LDAP Test) appears on the login button for this identity provider in the DKP UI. Choose a name that is meaningful for users.

Test the LDAP Connector

  1. Retrieve a list of connectors:

    CODE
    kubectl get connector.dex.mesosphere.io -A

  2. Run the following command to verify that the LDAP connector was created successfully:

    CODE
    kubectl get Connector.dex.mesosphere.io -n kommander <LDAP-CONNECTOR-NAME> -o yaml

    For a workspace-scoped connector, replace kommander with the workspace namespace you exported as WORKSPACE_NAMESPACE.
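Listing the connector confirms it exists, but it does not tell you whether the transport settings warned about above (insecureNoSSL, insecureSkipVerify) made it into a cluster where they should not be. The script below is an added example, not part of DKP or Dex: it reads the JSON form of the commands above (`kubectl get connector.dex.mesosphere.io -A -o json`, or a single connector with `-o json`) and reports the risky or inconsistent settings in each spec.ldap block. It assumes the Connector CRD's spec.ldap uses the Dex LDAP connector's field names (host, insecureNoSSL, insecureSkipVerify, startTLS, rootCA, rootCAData, bindDN, bindPW) plus DKP's bindSecretRef; the embedded sample output is constructed, and its rootCAData value is a placeholder rather than a real certificate.

```python
import json
import sys

# Constructed stand-in for `kubectl get connector.dex.mesosphere.io -A -o json`:
# the insecure demo connector from this page next to a hardened variant.
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1", "kind": "List", "items": [
        {"apiVersion": "dex.mesosphere.io/v1alpha1", "kind": "Connector",
         "metadata": {"name": "ldap", "namespace": "kommander"},
         "spec": {"enabled": True, "type": "ldap", "displayName": "LDAP Test",
                  "ldap": {"host": "ldap.forumsys.com:389", "insecureNoSSL": True,
                           "bindDN": "cn=read-only-admin,dc=example,dc=com",
                           "bindSecretRef": {"name": "ldap-password"}}}},
        {"apiVersion": "dex.mesosphere.io/v1alpha1", "kind": "Connector",
         "metadata": {"name": "ldap-prod", "namespace": "kommander"},
         "spec": {"enabled": True, "type": "ldap", "displayName": "Corporate LDAP",
                  "ldap": {"host": "ldap.corp.example:636",
                           "rootCAData": "PLACEHOLDER-BASE64-PEM",  # placeholder
                           "bindDN": "cn=dex-reader,dc=corp,dc=example",
                           "bindSecretRef": {"name": "ldap-password"}}}},
    ]})


def audit_ldap_spec(ldap):
    """Return findings for one spec.ldap block (field names assumed to follow Dex)."""
    findings = []
    host = ldap.get("host", "")
    no_ssl = bool(ldap.get("insecureNoSSL"))
    if no_ssl:
        findings.append("HIGH: insecureNoSSL is true; the bind password and every "
                        "user login cross the network in clear text")
    if ldap.get("insecureSkipVerify"):
        findings.append("HIGH: insecureSkipVerify is true; TLS is used but the server "
                        "certificate is not checked, so any host can pose as the directory")
    if not no_ssl and not ldap.get("startTLS") and host.endswith(":389"):
        findings.append("MEDIUM: port 389 without startTLS; without insecureNoSSL Dex "
                        "starts TLS immediately, which normally needs the LDAPS port 636")
    if "bindPW" in ldap:
        findings.append("HIGH: bindPW is stored inline in the Connector instead of a Secret")
    if ldap.get("bindDN") and not ldap.get("bindSecretRef") and "bindPW" not in ldap:
        findings.append("MEDIUM: bindDN is set but no bindSecretRef names the Secret "
                        "holding its password")
    if not no_ssl and not (ldap.get("rootCA") or ldap.get("rootCAData")):
        findings.append("INFO: no rootCA/rootCAData; the server certificate is validated "
                        "against the Dex pod's system trust store")
    return findings


def audit_connectors(kubectl_json):
    """Map 'namespace/name' to findings for every ldap-type Connector in the output.
    Handles both a List (from -A) and a single Connector object."""
    doc = json.loads(kubectl_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    results = {}
    for item in items:
        spec = item.get("spec", {})
        if spec.get("type") != "ldap":
            continue
        meta = item["metadata"]
        results[f"{meta['namespace']}/{meta['name']}"] = audit_ldap_spec(spec.get("ldap", {}))
    return results


if __name__ == "__main__":
    # Usage: kubectl get connector.dex.mesosphere.io -A -o json | python3 audit_ldap.py
    # With no piped input the constructed sample above is audited instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KUBECTL_JSON
    for name, findings in audit_connectors(text).items():
        print(f"{name}: {'no findings' if not findings else ''}")
        for finding in findings:
            print("   ", finding)
```

Run against the manifest from this page, the script reports the single insecureNoSSL finding; the hardened variant, which uses port 636 and pins the directory's CA, reports nothing. Treat a HIGH finding on a production cluster as a configuration defect to fix before users are pointed at the login button.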

Log In

Global LDAP - identity provider serves all workspaces
  1. Visit https://<YOUR-CLUSTER-HOST>/token and initiate a login flow.

  2. On the login page, choose the Log in with <ldap-name> button.

  3. Enter the LDAP credentials, and log in.

UI - Enabling LDAP authentication only lets users log in; access rights still have to be granted separately. Configure them through the Add Identity Provider screen in the UI, following the documentation for Granting Access to Kubernetes and Kommander Resources.

Workspace LDAP - identity provider serves a specific workspace
  1. Generate a Dedicated URL Login for Each Tenant.

  2. On the login page, choose the Log in with <ldap-name> button.

  3. Enter the LDAP credentials, and log in.

UI - Enabling LDAP authentication only lets users log in; access rights still have to be granted separately. Configure them through the Add Identity Provider screen in the UI, following the documentation for Granting Access to Kubernetes and Kommander Resources.

Next Step:

LDAP Troubleshooting
