Kubernetes | 14 December 2023

Enabling TLS for LDAP Authentication

To use TLS for LDAP, set a valid ldaps:// URL as the Helm value url in the global.authentication.ldap context. Remember to also adjust the TCP port number: LDAPS uses port 636 by default, whereas plain LDAP uses port 389.

Connectware verifies the certificate the LDAP server presents before it uses the server as an authentication backend. Unless your LDAP server's certificate was issued by a publicly trusted root CA, you need to supply the CA certificate (or chain) that signed it. Alternatively, you can disable certificate validation, but this should be limited to test setups: without validation, anyone who can intercept the connection can impersonate the directory and capture the bind password as well as the credentials of every user who logs in.

Providing the CA Certificate through Helm Values

You can provide the CA certificate directly in the Helm value caChain.cert in the global.authentication.ldap context. Supply the certificates in PEM format and include the complete chain (intermediate and root certificates) necessary to validate the LDAP server's certificate.

Example

global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=Users,DC=company,DC=tld
      url: ldaps://my-dc.company.tld:636
      caChain:
        cert: |
          -----BEGIN CERTIFICATE-----
          MIIFpTCCA40CFGFL86145m7JIg2RaKkAVCOV1H71MA0GCSqGSIb3DQEBCwUAMIGN
          [skipped for brevity - include whole certificate]
          SKnBS1Y1Dn2e
          -----END CERTIFICATE-----

As an alternative, you can provide the CA certificate through a manually created Kubernetes ConfigMap.

Providing the CA Certificate through a Kubernetes ConfigMap

To provide the CA certificate necessary to validate the certificate used by your LDAP server, you can manually create a Kubernetes ConfigMap that contains the certificate (or the complete chain, in PEM format) as a file named ca.crt. You then provide the name of that ConfigMap in the Helm value caChain.existingConfigMap in the global.authentication.ldap context. The ConfigMap must live in the namespace into which Connectware is installed.

Example

Create the Kubernetes ConfigMap from a file named ca.crt in your current directory (the key inside the ConfigMap takes the file name, so the file must be called ca.crt):

kubectl -n <namespace> create cm cw-ldap-ca-cert --from-file ca.crt

Specify the name of the ConfigMap:

global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=Users,DC=company,DC=tld
      url: ldaps://my-dc.company.tld:636
      caChain:
        existingConfigMap: cw-ldap-ca-cert
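Whether the chain goes in as caChain.cert or as the ca.crt file of a ConfigMap, the same mistakes recur: an incomplete chain, unbalanced PEM markers from a bad copy-and-paste, or a server's private key pasted in alongside its certificate. The following pre-flight script is an added example for this page, not Cybus code; it assumes a POSIX sh with grep, sed and mktemp, and the openssl CLI for the optional live check against the directory. The function names and the cw-ldap-ca-cert / connectware ConfigMap name and namespace are illustrative.

```shell
#!/bin/sh
# Pre-flight checks for the CA bundle you are about to pass to Connectware as
# global.authentication.ldap.caChain.cert or via caChain.existingConfigMap.
# Added example for this documentation page, not Cybus code. Assumes POSIX sh
# with grep, sed and mktemp; ldaps_verify additionally needs the openssl CLI.

# Validate a PEM bundle file before it goes into Helm values or a ConfigMap.
# Prints the number of certificates and returns 0 when the bundle is usable.
check_ca_bundle() {
  file=$1
  # grep -c prints 0 but exits 1 when nothing matches; keep the 0.
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$file" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----' "$file" || true)
  if [ "$begins" -eq 0 ]; then
    echo "error: no certificates found in $file" >&2
    return 1
  fi
  if [ "$begins" -ne "$ends" ]; then
    echo "error: unbalanced BEGIN/END CERTIFICATE markers in $file" >&2
    return 1
  fi
  # Helm values and ConfigMaps are stored in the cluster and shown by
  # `helm get values`; a private key pasted in by mistake (common when the
  # server's full PEM file is copied) would be exposed there.
  if grep -q 'PRIVATE KEY-----' "$file"; then
    echo "error: $file contains a private key; pass only CA certificates" >&2
    return 1
  fi
  echo "$begins"
}

# Render the ConfigMap that `kubectl create cm <name> --from-file ca.crt`
# produces, so it can be reviewed or committed without kubectl at hand.
render_configmap() {
  name=$1
  namespace=$2
  file=$3
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n  ca.crt: |\n' \
    "$name" "$namespace"
  sed 's/^/    /' "$file"
}

# Live check (needs network access and openssl): does the certificate the LDAP
# server presents validate against this bundle? Use the host name from the
# ldaps:// URL so the SNI and name check match what Connectware will do.
ldaps_verify() {
  host=$1
  port=$2
  file=$3
  openssl s_client -connect "$host:$port" -servername "$host" \
    -CAfile "$file" -verify_return_error </dev/null 2>&1 |
    grep -q 'Verify return code: 0 (ok)'
}

# Offline demo with a constructed two-certificate bundle (placeholder bodies,
# not real certificates); only the marker and key checks are exercised here.
demo_bundle=$(mktemp)
cat >"$demo_bundle" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDERintermediateCAnotArealCertificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERrootCAnotArealCertificate
-----END CERTIFICATE-----
EOF
if count=$(check_ca_bundle "$demo_bundle"); then
  echo "bundle ok: $count certificate(s)"
  render_configmap cw-ldap-ca-cert connectware "$demo_bundle"
fi
rm -f "$demo_bundle"
# Against the real directory (not run in this demo):
#   ldaps_verify my-dc.company.tld 636 ca.crt && echo "chain validates"
```

Run the live check with the same host name you put in the url value: a bundle that makes openssl report "Verify return code: 0 (ok)" is the one Connectware needs, and if openssl fails with an unknown-CA or incomplete-chain error, adding the missing intermediate certificate to ca.crt is the fix rather than setting trustAllCertificates.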

Disabling Certificate Validation

We do not recommend skipping certificate validation for production use, because it removes the only protection against an attacker who impersonates the LDAP server and harvests the bind password and user credentials. It is nevertheless possible to tell Connectware to accept any certificate the LDAP server presents, for example in a lab environment. To do so, set the Helm value caChain.trustAllCertificates in the global.authentication.ldap context to true. Note that this disables validation of the server certificate only; the connection is still encrypted.

Example

global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=Users,DC=company,DC=tld
      url: ldaps://my-dc.company.tld:636
      caChain:
        trustAllCertificates: true
