Skip to content

Setup LDAP Authorization for Spinnaker

LDAP Authorization Overview

  • Groups from an LDAP directory, one can use a manager’s username/password to bind and search a user’s group.

User DNs Pattern

  • While searching for a user’s groups, can use 'userDnPattern' to construct the user’s full distinguished name (DN). In the case below, the user would have a full DN of 'uid=,ou=users,dc=,dc=<.com/.net>'.
  • The search would be rooted at 'ou=groups,dc=,dc=net', looking for directory entries that include the attribute 'uniqueMember=uid=,ou=users,dc=,dc=<.com/.net>', which is the structure for the 'groupOfUniqueNames' group standard.
  • Group/rolename can be extracted by using the 'groupRoleAttribute'. For example, all entries that pass the filter will then have the cn (common name) attribute returned.

Configure LDAP Auth using Halyard

  • Use Halyard to Fiat, to setup the LDAP manager credentials and search patterns
    hal config security authz ldap edit \
    --url ldaps://<ldap.mydomain.net>:636/dc=mydomain,dc=net \
    --manager-dn uid=admin,ou=system \
    --manager-password \
    --user-dn-pattern uid={0},ou=users \
    --group-search-base ou=groups \
    --group-search-filter "(uniqueMember={0})" \
    --group-role-attributes cn
    
  • Now edit the security authorization type, using the below command
    hal config security authz edit --type ldap
    
  • Enable, LDAP authorization using the below command
    hal config security authz enable
    

Comments