LDAP


Setup LDAP Authorization for Spinnaker

LDAP Authorization Overview

  • To look up a user's groups in an LDAP directory, Fiat binds with a manager account's username and password and then searches for the groups that list the user as a member.

User DNs Pattern

  • While searching for a user's groups, Fiat can use 'userDnPattern' to construct the user's full distinguished name (DN). In the configuration below, the user would have a full DN of 'uid=,ou=users,dc=,dc=<.com/.net>'.

  • The search is rooted at 'ou=groups,dc=,dc=net' and looks for directory entries that carry the attribute 'uniqueMember=uid=,ou=users,dc=,dc=<.com/.net>', which is the membership structure of the 'groupOfUniqueNames' object class.

  • The group or role name is extracted with 'groupRoleAttribute'. For example, with 'cn' configured, every entry that passes the filter has its cn (common name) attribute returned as the role name.
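The lookup the three points above describe, as an added example that is not Spinnaker or Fiat code: it expands the user DN pattern, runs the group search filter against a small constructed in-memory directory, and returns the role attribute. The base DN, the mydomain.net placeholder and the directory entries are assumed; the RFC 4514/4515 escaping of the username is an added safety step, not something the page specifies.

```python
import re

# Values mirroring the Halyard flags on this page; mydomain.net is a placeholder domain.
BASE_DN = "dc=mydomain,dc=net"               # base DN from the --url path
USER_DN_PATTERN = "uid={0},ou=users"         # --user-dn-pattern
GROUP_SEARCH_BASE = "ou=groups"              # --group-search-base
GROUP_SEARCH_FILTER = "(uniqueMember={0})"   # --group-search-filter
GROUP_ROLE_ATTRIBUTE = "cn"                  # --group-role-attributes

# Constructed sample directory: DN -> attributes of groupOfUniqueNames entries.
DIRECTORY = {
    "cn=admins,ou=groups,dc=mydomain,dc=net": {
        "cn": ["admins"], "uniqueMember": ["uid=alice,ou=users,dc=mydomain,dc=net"]},
    "cn=deployers,ou=groups,dc=mydomain,dc=net": {
        "cn": ["deployers"], "uniqueMember": ["uid=alice,ou=users,dc=mydomain,dc=net",
                                              "uid=bob,ou=users,dc=mydomain,dc=net"]},
    # Outside the group search base: must not be returned even though alice is a member.
    "cn=legacy,ou=oldgroups,dc=mydomain,dc=net": {
        "cn": ["legacy"], "uniqueMember": ["uid=alice,ou=users,dc=mydomain,dc=net"]},
}

def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping so a username cannot alter the DN built from the pattern."""
    return re.sub(r'([,+"\\<>;=])', r"\\\1", value)

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so the DN substituted into the filter stays a single literal."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def user_dn(username: str) -> str:
    """Expand --user-dn-pattern and append the base DN taken from the --url path."""
    return USER_DN_PATTERN.format(escape_dn_value(username)) + "," + BASE_DN

def _matches(entry: dict, ldap_filter: str) -> bool:
    """Evaluate a single equality filter '(attr=value)' against one directory entry."""
    attr, _, raw = ldap_filter[1:-1].partition("=")
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return any(v.lower() == wanted.lower() for v in entry.get(attr, []))

def resolve_roles(username: str, directory: dict = DIRECTORY) -> list:
    """Return the role names for username, rooted at the configured group search base."""
    search_base = (GROUP_SEARCH_BASE + "," + BASE_DN).lower()
    ldap_filter = GROUP_SEARCH_FILTER.format(escape_filter_value(user_dn(username)))
    roles = []
    for dn, entry in directory.items():
        if dn.lower().endswith("," + search_base) and _matches(entry, ldap_filter):
            roles.extend(entry.get(GROUP_ROLE_ATTRIBUTE, []))
    return sorted(roles)
```

Running resolve_roles("alice") returns the two groups under ou=groups and leaves out the entry under ou=oldgroups, which is exactly what the search base restricts.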

Configure LDAP Auth using Halyard

  • Use Halyard to configure Fiat with the LDAP manager credentials and search patterns:

    hal config security authz ldap edit \
    --url ldaps://<ldap.mydomain.net>:636/dc=mydomain,dc=net \
    --manager-dn uid=admin,ou=system \
    --manager-password \
    --user-dn-pattern uid={0},ou=users \
    --group-search-base ou=groups \
    --group-search-filter "(uniqueMember={0})" \
    --group-role-attributes cn
  • Now set the security authorization type to LDAP using the command below:

    hal config security authz edit --type ldap

  • Enable LDAP authorization using the command below:

    hal config security authz enable
