Kubernetes | 14 December 2023

Customizing the Search Filter for LDAP Authentication

There are scenarios where it is useful to extend the default search filter of Connectware. For example:

  • Your users are not uniquely identifiable by their username, for example when there are users with the same RDN within the search base of your LDAP configuration.
  • You have to configure a very large search base because your accounts are spread across the DIT, and narrowing the query with a filter makes the search more efficient.

The filter used by Connectware is (<userRdn>=<username>), where userRdn is defined as an environment variable in your values.yml and username is the name the user enters during login.

Any extension results in a filter of the following format:

<code>(&(<userRdn>=<username>)(<your extension>))</code>

Info: You can test the filter by running a query with ldapsearch in your terminal (this may require additional packages to be installed).

Example:

<code>ldapsearch -L -b "dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -w admin_pass "(&(cn=User 1)(objectclass=iNetOrgPerson))"</code>

Example

In the following example, we have two entries with the RDN cn=a.smith.

dc=example,dc=org
  cn=customers
    cn=a.smith
  cn=employees
    cn=a.smith

Both users are named a.smith, but they are different entries. In a case like this you would use cn=employees,dc=example,dc=org as the search base and would not have a problem. But let's use dc=example,dc=org in order to create a simple example case for the filter extension.

We want to modify the filter in order to search only for entries that have cn=employees in their DN.

The search command to test on the terminal for the employee a.smith looks like this:

<code>ldapsearch -L -b "dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -w admin_pass "(&(cn=a.smith)(cn:dn:=employees))"</code>

To modify Connectware, we only add the extension itself (cn:dn:=employees) to the configuration:

global:
  authentication:
    ldap:
      enabled: true
      existingBindSecret: my-ldap-user
      searchBase: CN=Users,DC=company,DC=tld
      searchFilter: cn:dn:=employees
      userRdn: cn
      url: ldap://my-dc.company.tld:389

Important: Be aware that no surrounding parentheses are used for the additional expression; Connectware adds them itself. Parentheses within your expression can be used, e.g. &(objectClass=iNetOrgPerson)(cn:dn:=employees)
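The composition rule above and the cn:dn:= extension, as an added example that is not part of Connectware or this page: it assembles the effective filter from userRdn, the login name and searchFilter, escapes the user-supplied name as RFC 4515 requires so it cannot change the filter structure, and models how a DN-attribute match separates the two cn=a.smith entries. The DNs and the dn_has_component helper are constructed for illustration and handle only unescaped commas.

```python
"""Assemble and sanity-check a Connectware-style LDAP search filter."""

# RFC 4515 escaping for values placed inside a filter. The username comes
# from the login form, so it must not be able to alter the filter structure.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(user_rdn: str, username: str, search_filter: str = "") -> str:
    """Return the effective filter. The searchFilter extension is inserted
    without its own surrounding parentheses, exactly as it is configured."""
    base = f"({user_rdn}={escape_filter_value(username)})"
    if not search_filter:
        return base
    return f"(&{base}({search_filter}))"


def parens_balanced(filter_str: str) -> bool:
    """Quick structural check before handing the filter to a directory."""
    depth = 0
    for ch in filter_str:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


def dn_has_component(dn: str, attr: str, value: str) -> bool:
    """Simplified model of the `attr:dn:=value` rule for the DN part only:
    true if any RDN of the DN is exactly attr=value (case-insensitive)."""
    for rdn in dn.split(","):
        a, _, v = rdn.strip().partition("=")
        if a.lower() == attr.lower() and v.lower() == value.lower():
            return True
    return False


# Constructed DNs mirroring the example tree on this page.
ENTRIES = [
    "cn=a.smith,cn=customers,dc=example,dc=org",
    "cn=a.smith,cn=employees,dc=example,dc=org",
]


def matching_entries(attr: str, value: str) -> list[str]:
    return [dn for dn in ENTRIES if dn_has_component(dn, attr, value)]
```

Note that `employee` (singular) matches nothing, because a dn-attribute match is an exact equality on the RDN value, not a substring match.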
