Kubernetes | 14 December 2023

Configuring Connectware to use LDAP authentication

Prerequisites

Configuring LDAP authentication

When configuring LDAP authentication, you need to match Connectware’s settings to the capabilities of your LDAP server. There are two fundamental decisions to make:

  1. Choosing between “group” and “attribute” mode.
  2. Whether to use a bind user.

Connectware LDAP modes

Connectware offers two modes for LDAP authentication:

  • Group mode
  • Attribute mode

You can read about them in the Connectware documentation. By default, “group” mode is activated.

Using a bind user

A bind user is common in LDAP setups that use a more complicated directory structure. It is a limited account you create in your LDAP directory, usually read-only, with permission to search through the LDAP directory tree.

It is used when your users do not share a single LDAP base DN (e.g. they are not in the same container). If your users are spread across the directory tree, you will likely want to use a bind user.

Enabling LDAP authentication

To enable the LDAP feature in Connectware, you need to set the Helm value global.authentication.ldap.enabled to true.

Additionally, you always need to provide these Helm values within the global.authentication.ldap context:

Value | Example | Description
bindDn | CN=Users,DC=example,DC=org | bindDn contains either the LDAP base DN of the users logging in, or the DN of a dedicated bind user that is able to search for the user trying to log in within the search base.
url | ldap://dc.mycompany.tld:389 | URL of the LDAP server in the format schema://hostname:port

Example

global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=Users,DC=company,DC=tld
      url: ldap://my-dc.company.tld:389

If you are using a bind user to search through the directory tree, you must specify the full DN of the bind user as bindDn, and also need to provide these values:

Value | Example | Description
bindPassword | ANc97WCO"!xcC=( | bindPassword contains the password of the bind user as defined in your LDAP server.
searchBase | CN=Users,DC=company,DC=tld | searchBase contains the base DN shared by all users; the search for the user trying to log in starts from this DN.

Example

global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=connectwarebinduser,CN=Users,DC=company,DC=tld
      bindPassword: SuperS3cret!
      url: ldap://my-dc.company.tld:389
      searchBase: CN=Users,DC=company,DC=tld

If you don’t want to provide the bind user and its password through your Helm values, for example because you follow a GitOps approach for your Connectware deployment, you can also provide the bind user through a manually created Kubernetes secret that is specified in existingBindSecret. You can find detailed instructions in this article.

By providing a bindPassword through one of these mechanisms, the nature of bindDn changes from being a single base DN that contains all users that are allowed to log into Connectware, to containing the DN of a single user – the bind user. In this scenario, searchBase takes the role of containing the base DN which all users share, acting as the root from which a search for valid users will be performed.

Configuring group mode

To configure Connectware to use LDAP in group mode, you need to specify the LDAP attribute of your user entries that lists the LDAP groups they are members of. This is done through the Helm value memberAttribute within the global.authentication.ldap context. Additionally, mode must be set to group.

The default value of memberOf is often the correct choice, but you may have to adapt this to your LDAP server.

These LDAP groups are then mapped to Connectware roles using the Connectware UI as described in the Connectware docs.

Example

global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=Users,DC=company,DC=tld
      url: ldap://my-dc.company.tld:389
      mode: group
      memberAttribute: memberOf

Configuring attribute mode

To configure Connectware to use LDAP in attribute mode, you need to specify the LDAP attribute of your user entries that holds the Connectware role associated with the user. This is done through the Helm value rolesAttribute within the global.authentication.ldap context. Additionally, mode must be set to attribute.

The default value of employeeType is often the correct choice, but you may have to adapt this to your LDAP server.

Example

global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=Users,DC=company,DC=tld
      url: ldap://my-dc.company.tld:389
      mode: attribute
      rolesAttribute: employeeType
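As an added example (not Connectware’s code and not a description of its implementation), the following Python models how the Helm values above drive a login: without a bindPassword, the user DN is built directly beneath bindDn; with a bind user, the flow first binds as bindDn, searches searchBase for the user, and only then binds as the user. Afterwards, mode decides whether memberAttribute (group mode) or rolesAttribute (attribute mode) is read from the user’s entry. The in-memory directory, the user passwords, the helper names and the two value sets are constructed here; the default userRdn of cn and the default attribute names are taken from this article. The simulation also shows two failure modes a practitioner should expect: a user who sits in a sub-OU cannot log in without a bind user, and a username that matches more than one entry is refused rather than guessed.

```python
"""Illustrative LDAP login flow driven by Connectware-style Helm values.
Added example, not Connectware code: the in-memory directory, helper names
and the two value sets are constructed for this demonstration."""
from typing import Dict, List, Optional, Tuple

# Constructed directory: DN -> attributes. carol sits directly under the
# users container; alice sits in a sub-OU; "bob" exists twice in the tree.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=connectwarebinduser,CN=Users,DC=company,DC=tld": {
        "userPassword": ["SuperS3cret!"]},
    "CN=carol,CN=Users,DC=company,DC=tld": {
        "userPassword": ["carol-pw"],
        "memberOf": ["CN=connectware-users,CN=Groups,DC=company,DC=tld"],
        "employeeType": ["user"]},
    "CN=alice,OU=Engineering,CN=Users,DC=company,DC=tld": {
        "userPassword": ["alice-pw"],
        "memberOf": ["CN=connectware-admins,CN=Groups,DC=company,DC=tld"],
        "employeeType": ["admin"]},
    "CN=bob,OU=Operations,CN=Users,DC=company,DC=tld": {
        "userPassword": ["bob-pw"]},
    "CN=bob,OU=Contractors,CN=Users,DC=company,DC=tld": {
        "userPassword": ["other-bob-pw"]},
}

# Helm values from the group-mode example above (no bind user).
DIRECT_VALUES = {"global": {"authentication": {"ldap": {
    "enabled": True,
    "bindDn": "CN=Users,DC=company,DC=tld",
    "url": "ldap://my-dc.company.tld:389",
    "mode": "group",
    "memberAttribute": "memberOf",
}}}}

# Helm values with a bind user and searchBase, here in attribute mode.
BIND_VALUES = {"global": {"authentication": {"ldap": {
    "enabled": True,
    "bindDn": "CN=connectwarebinduser,CN=Users,DC=company,DC=tld",
    "bindPassword": "SuperS3cret!",
    "url": "ldap://my-dc.company.tld:389",
    "searchBase": "CN=Users,DC=company,DC=tld",
    "mode": "attribute",
    "rolesAttribute": "employeeType",
}}}}

def _lookup(dn: str) -> Optional[Tuple[str, Dict[str, List[str]]]]:
    """Case-insensitive DN lookup (LDAP attribute types are case-insensitive)."""
    for key, entry in DIRECTORY.items():
        if key.lower() == dn.lower():
            return key, entry
    return None

def simple_bind(dn: str, password: str) -> bool:
    """Simulated LDAP simple bind: succeeds only for a known DN and password."""
    found = _lookup(dn)
    return found is not None and password in found[1].get("userPassword", [])

def search(base: str, attr: str, value: str) -> List[str]:
    """Simulated subtree search equivalent to the filter (attr=value) under base.
    A real client must escape `value` per RFC 4515 before building the filter."""
    base_l, wanted = base.lower(), f"{attr}={value}".lower()
    hits = []
    for dn in DIRECTORY:
        dn_l = dn.lower()
        in_subtree = dn_l == base_l or dn_l.endswith("," + base_l)
        if in_subtree and dn_l.split(",", 1)[0] == wanted:
            hits.append(dn)
    return hits

def resolve_user_dn(values: dict, username: str) -> Optional[str]:
    """Apply the bindDn semantics: without bindPassword it is the users' base DN;
    with bindPassword it is the bind user, and searchBase is where users live."""
    ldap = values["global"]["authentication"]["ldap"]
    user_rdn = ldap.get("userRdn", "cn")
    if "bindPassword" not in ldap:
        return f"{user_rdn}={username},{ldap['bindDn']}"
    if not simple_bind(ldap["bindDn"], ldap["bindPassword"]):
        raise RuntimeError("bind user credentials were rejected")
    hits = search(ldap["searchBase"], user_rdn, username)
    # Zero hits: unknown user. Several hits: ambiguous filter, refuse rather than guess.
    return hits[0] if len(hits) == 1 else None

def authenticate(values: dict, username: str, password: str) -> Optional[List[str]]:
    """Return the user's groups (group mode) or role values (attribute mode),
    or None when LDAP is disabled or the login fails."""
    ldap = values["global"]["authentication"]["ldap"]
    if not ldap.get("enabled"):
        return None
    dn = resolve_user_dn(values, username)
    if dn is None or not simple_bind(dn, password):
        return None
    entry = _lookup(dn)[1]
    mode = ldap.get("mode", "group")
    if mode == "group":
        return entry.get(ldap.get("memberAttribute", "memberOf"), [])
    if mode == "attribute":
        return entry.get(ldap.get("rolesAttribute", "employeeType"), [])
    raise ValueError(f"unknown LDAP mode {mode!r}")
```

With DIRECT_VALUES, carol logs in and her memberOf groups are returned, while alice is rejected because cn=alice,CN=Users,DC=company,DC=tld does not exist; with BIND_VALUES, alice is found under searchBase and her employeeType is returned, while bob is rejected because two entries match. Any values returned here still have to be mapped to Connectware roles in the UI, as described above.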

Further LDAP topics

Enabling TLS for LDAP

Connectware supports connecting to LDAP servers that offer Transport Layer Security. You can find out how to configure this in this article.

Providing bind user through an existing Kubernetes secret

You can provide the bind user through a manually created Kubernetes secret that is specified in existingBindSecret. You can find detailed instructions in this article.

Customizing the search filter

By default, the username of the user trying to log in acts as the search filter, but there are advanced situations where this is not enough, for example when the username alone matches multiple users. Visit this article to learn how to customize the search filter.

Customizing the user RDN

The user RDN describes what LDAP attribute contains the username. By default this uses cn, but if this is not correct for your LDAP setup, you can customize this using the userRdn Helm value. Find out more in this article.
