LDAP

This is an older version of the document. To view the most recent version of the document, click here.

Setup LDAP Authorization for Spinnaker

LDAP Authorization Overview

Groups from an LDAP directory, one can use a manager’s username/password to bind and search a user’s group.

User DNs Pattern

While searching for a user’s groups, can use 'userDnPattern' to construct the user’s full distinguished name (DN). In the case below, the user would have a full DN of 'uid=,ou=users,dc=,dc=<.com/.net>'.
The search would be rooted at 'ou=groups,dc=,dc=net', looking for directory entries that include the attribute 'uniqueMember=uid=,ou=users,dc=,dc=<.com/.net>', which is the structure for the 'groupOfUniqueNames' group standard.
Group/rolename can be extracted by using the 'groupRoleAttribute'. For example, all entries that pass the filter will then have the cn (common name) attribute returned.

Configure LDAP Auth using Halyard

Use Halyard to Fiat, to setup the LDAP manager credentials and search patterns

hal config security authz ldap edit \
--url ldaps://<ldap.mydomain.net>:636/dc=mydomain,dc=net \
--manager-dn uid=admin,ou=system \
--manager-password \
--user-dn-pattern uid={0},ou=users \
--group-search-base ou=groups \
--group-search-filter "(uniqueMember={0})" \
--group-role-attributes cn

Now edit the security authorization type, using the below command
```
hal config security authz edit --type ldap
```
Enable, LDAP authorization using the below command
```
hal config security authz enable
```

PreviousGitHub Teams NextSAML

Last updated 4 years ago