LDAP Configuration for Yellowbrick Database

This document explains the LDAP configuration options for integrating external LDAP authentication and synchronization with a Yellowbrick instance. The configuration is managed via a ConfigMap and a Secret, both of which need to be properly set up in the corresponding Kubernetes namespace for the instance.

LDAP Configuration Overview

The LDAP integration for Yellowbrick supports two main features:

  • LDAP Authentication: Allows users to authenticate via an external LDAP server.
  • LDAP Synchronization: Synchronizes users and groups from the external LDAP server into Yellowbrick’s internal database.

These two features are configured using the following Kubernetes resources:

  1. ConfigMap: Stores general LDAP settings.
  2. Secret: Stores sensitive LDAP credentials.

Both resources must be deployed in the same namespace as the Yellowbrick instance and follow this naming convention, where $instanceName is the name of the Yellowbrick instance:

  • ConfigMap: ybinst-${instanceName}-ldap-config
  • Secret: ybinst-${instanceName}-ldap-secret

LDAP ConfigMap Configuration

The ConfigMap includes various options to enable and customize the LDAP setup. Here’s a breakdown of the main fields:

Common Configuration

  • name: Always set to "default", unless multiple configurations are needed (multiple configurations are not covered in this document).

  • ldapType: Specifies the LDAP authentication type.

    • Options: "none", "bind", or "search+bind"
    • "none": Disables LDAP authentication.
    • "bind": Uses simple bind for authentication.
    • "search+bind": Searches for the user, then binds.
  • ldapServers: The hostname of the LDAP server.

    • Example: "ldap.example.com"
  • ldapPort: Port number for the LDAP connection (leave empty for default).

  • ldapConnectionType: Specifies the connection security type.

    • Options: "ssl", "tls", or "unsecured"

Bind Authentication Configuration (for ldapType = "bind")

  • ldapSuffix: LDAP domain components, e.g., "dc=example,dc=com"
  • ldapPrefix: (Optional) Prefix used for the bind DN.

Search+Bind Authentication Configuration (for ldapType = "search+bind")

  • ldapBindDN: Distinguished Name used for binding to the LDAP server (admin user).

    • Example: "cn=admin,dc=example,dc=com"
  • ldapBaseDN: Base DN where searches for users will start.

  • ldapSearchAttribute: The LDAP attribute used to search for the user.

    • Default: "uid"
  • ldapSearchFilter: Filter for user search queries.

    • Default: "(objectClass=inetOrgPerson)"

LDAP Synchronization Settings

These settings control the synchronization of users and groups from LDAP:

  • ldapSyncEnabled: Enables or disables LDAP synchronization.

    • Options: "true" or "false"
  • ldapSyncInterval: Time interval (in seconds) for running sync jobs.

    • Default: "3600" (1 hour)
  • ldapSyncTrace: Enables verbose logging for synchronization.

    • Options: "true" or "false"
  • ldapSyncLowercase: Converts LDAP usernames to lowercase during synchronization.

    • Options: "true" or "false"
  • ldapSyncDrop: Removes users from Yellowbrick if they no longer exist in LDAP.

    • Options: "true" or "false"

LDAP Synchronization Connection Settings

  • ldapSyncServer: LDAP server address for synchronization.

    • Example: "ldapsync.example.com"
  • ldapSyncPort: Port number for LDAP synchronization (leave empty for default).

  • ldapSyncBindDN: DN used for binding to the LDAP sync server.

    • Example: "cn=sync,dc=example,dc=com"
  • ldapSyncSecure: Security setting for the synchronization connection.

    • Options: "ssl", "tls", or "unsecured"

User and Group Synchronization Filters

  • ldapSyncUsersFilter: Filter used to find users in LDAP.

    • Default: "(objectClass=person)"
  • ldapSyncUsersBaseDN: Base DN for searching users.

    • Example: "ou=Users,dc=example,dc=com"
  • ldapSyncUsersAttribute: The attribute used to identify users.

    • Default: "cn"
  • ldapSyncGroupsFiltering: Enables or disables group synchronization.

    • Options: "true" or "false"
  • ldapSyncGroupsFilter: Filter used to find groups in LDAP.

    • Default: "(objectClass=groupOfNames)"
  • ldapSyncGroupsBaseDN: Base DN for searching groups.

    • Example: "ou=Groups,dc=example,dc=com"
  • ldapSyncGroupsAttribute: The attribute used to identify groups.

    • Default: "cn"

LDAP Secret Configuration

Sensitive information such as passwords for the LDAP bind and sync users must be stored securely in a Kubernetes Secret. The Secret is named ybinst-${instanceName}-ldap-secret, following the same convention as the ConfigMap.

Required Fields

  • ldapBindPassword: Base64-encoded password for the LDAP bind DN.

  • ldapSyncBindPassword: Base64-encoded password for the LDAP sync bind DN.


Example Configuration

Here’s a sample YAML manifest for both the ConfigMap and Secret resources:

ConfigMap Example

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ybinst-example-ldap-config
  namespace: your-namespace
data:
  name: "default"
  ldapType: "search+bind"
  ldapServers: "ldap.example.com"
  ldapConnectionType: "ssl"
  ldapBindDN: "cn=admin,dc=example,dc=com"
  ldapBaseDN: "dc=example,dc=com"
  ldapSearchAttribute: "uid"
  ldapSearchFilter: "(objectClass=inetOrgPerson)"
  ldapSyncEnabled: "true"
  ldapSyncServer: "ldapsync.example.com"
  ldapSyncBindDN: "cn=sync,dc=example,dc=com"
  ldapSyncUsersFilter: "(objectClass=person)"
  ldapSyncGroupsFilter: "(objectClass=groupOfNames)"
```

Secret Example

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ybinst-example-ldap-secret
  namespace: your-namespace
type: Opaque
data:
  # Values under "data" must be the base64 encoding of the real passwords
  # (for example: echo -n '<password>' | base64); replace the placeholders below.
  ldapBindPassword: "encoded-bindpassword"
  ldapSyncBindPassword: "encoded-syncpassword"
```
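As an added check that is not part of Yellowbrick's own tooling, the following Python linter applies the constraints documented above to a ConfigMap and Secret pair that has already been parsed into dicts (for example with PyYAML): the naming convention, a shared namespace, the allowed ldapType and ldapConnectionType values, the fields each authentication mode and the sync job require, and that the Secret's values are genuine base64. Run against the sample manifests above it reports the placeholder password strings, which are not valid base64, and it warns when either connection is left "unsecured"; the error and warning texts are this example's own.

```python
import base64

# Allowed values as documented for the ConfigMap fields.
LDAP_TYPES = {"none", "bind", "search+bind"}
CONN_TYPES = {"ssl", "tls", "unsecured"}

def is_base64(value):
    # Secret 'data' values must be non-empty, strictly valid base64.
    try:
        return bool(value) and base64.b64decode(value, validate=True) != b""
    except (ValueError, TypeError):  # binascii.Error is a ValueError
        return False

def require_keys(data, keys, why, findings):
    for key in keys:
        if not data.get(key):
            findings.append(f"error: {key} is required {why}")

def check_ldap_config(instance, configmap, secret):
    """Lint parsed ConfigMap/Secret dicts for `instance`; returns 'error:'/'warning:' strings."""
    findings = []
    d, s = configmap.get("data", {}), secret.get("data", {})
    cm_meta, sec_meta = configmap.get("metadata", {}), secret.get("metadata", {})
    if cm_meta.get("name") != f"ybinst-{instance}-ldap-config":
        findings.append("error: ConfigMap must be named ybinst-<instance>-ldap-config")
    if sec_meta.get("name") != f"ybinst-{instance}-ldap-secret":
        findings.append("error: Secret must be named ybinst-<instance>-ldap-secret")
    if cm_meta.get("namespace") != sec_meta.get("namespace"):
        findings.append("error: ConfigMap and Secret must be in the same namespace")
    ltype = d.get("ldapType", "none")
    if ltype not in LDAP_TYPES:
        findings.append(f"error: ldapType {ltype!r} is not one of {sorted(LDAP_TYPES)}")
    elif ltype != "none":
        require_keys(d, ("ldapServers",), "when LDAP authentication is enabled", findings)
        conn = d.get("ldapConnectionType")
        if conn not in CONN_TYPES:
            findings.append(f"error: ldapConnectionType {conn!r} is not one of {sorted(CONN_TYPES)}")
        elif conn == "unsecured":
            findings.append("warning: ldapConnectionType 'unsecured' sends user passwords in clear text")
    if ltype == "bind":
        require_keys(d, ("ldapSuffix",), "for ldapType 'bind'", findings)
    if ltype == "search+bind":
        require_keys(d, ("ldapBindDN", "ldapBaseDN"), "for ldapType 'search+bind'", findings)
        if not is_base64(s.get("ldapBindPassword")):
            findings.append("error: Secret ldapBindPassword must be a base64-encoded password")
    if d.get("ldapSyncEnabled") == "true":
        require_keys(d, ("ldapSyncServer", "ldapSyncBindDN"), "when ldapSyncEnabled is true", findings)
        if d.get("ldapSyncSecure") not in ("ssl", "tls"):
            findings.append("warning: set ldapSyncSecure to 'ssl' or 'tls'; otherwise the sync bind password crosses the network in clear text")
        if not is_base64(s.get("ldapSyncBindPassword")):
            findings.append("error: Secret ldapSyncBindPassword must be a base64-encoded password")
    return findings
```

A clean pair returns an empty list, so the function can gate a CI step that applies the manifests.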