This content is associated with a legacy version of the Replicated product. For the current Replicated product documentation, see docs.replicated.com.
Advanced LDAP integration can be used to integrate with more complicated LDAP models with multiple user search DNs or multiple organizational units. Additionally it can be configured to authenticate with multiple domains.
Configuration
To enable the identity services in your application, a top level key in your release yaml must be present:
identity:
enabled: '{{repl if ConfigOptionNotEquals "auth_source" "auth_type_internal"}}true{{repl else}}false{{repl end}}'
provisioner: 'http://{{repl NodePrivateIPAddress "MyContainerName" "Container Image Name"}}:6006'
sources:
- source: ldap
enabled: '{{repl if ConfigOptionEquals "auth_source" "auth_type_ldap"}}true{{repl else}}false{{repl end}}'
- source: ldap_advanced
enabled: '{{repl if ConfigOptionEquals "auth_source" "auth_type_ldap_advanced"}}true{{repl else}}false{{repl end}}'
- name: auth
title: Authentication
description: Where will user accounts be provisioned
items:
- name: auth_source
default: auth_type_internal
type: select_one
items:
- name: auth_type_internal
title: Built In
- name: auth_type_ldap
title: LDAP
- name: auth_type_ldap_advanced
title: LDAP Advanced
- name: ldap_settings
title: LDAP Server Settings
when: auth_source=auth_type_ldap
test_proc:
# Optional.
# When defined, the Test button will be shown on the LDAP settings section which will allow validating
# the supplied credentials. When this is enabled ldap_login_username and ldap_login_password must be defined.
display_name: Test Credentials
command: ldap_auth
arg_fields:
- ldap_type
- ldap_hostname
- ldap_port
- ldap_encryption
- ldap_search_user
- ldap_search_password
- ldap_base_dn
- ldap_usersearch_dn
- ldap_restricted_user_group
- ldap_username_field
- ldap_login_username
- ldap_login_password
- ldap_advanced_search
- ldap_user_query
- ldap_restricted_group_query
items:
- name: ldap_type
# LDAP server type. All standard LDAP implementations are supported.
# In order to use Provisioning API, the LDAP server (AD being an exception) must support the Content Sync feature.
title: LDAP Server Type
type: select_one
value: '{{repl LdapCopyAuthFrom "ServerType"}}'
default: ldap_type_openldap
items:
- name: ldap_type_openldap
title: OpenLDAP
- name: ldap_type_ad
title: Active Directory
- name: ldap_type_other
title: Other
- name: ldap_hostname
# LDAP host name without port or protocol. Example: ad.bigbank.com
title: Hostname
type: text
value: '{{repl LdapCopyAuthFrom "Hostname"}}'
required: true
- name: ldap_port
# LDAP port number. This can be different for different encryption types.
title: Port
type: text
value: '{{repl LdapCopyAuthFrom "Port"}}'
default: 389
required: true
- name: label_encryption_label
# Encryption type. Self-signed certificates are not supported at this time when LDAPS or StartTLS is selected.
title: Encryption Type
type: label
- name: ldap_encryption
type: select_one
default: ldap_encryption_plain
items:
- name: ldap_encryption_plain
title: Plain
- name: ldap_encryption_starttls
title: StartTLS
- name: ldap_encryption_ldaps
title: LDAPS
- name: ldap_search_user
# DN of the user with search privileges.
title: Search user
type: text
value: '{{repl LdapCopyAuthFrom "SearchUsername"}}'
required: true
- name: ldap_search_password
# The password to use to login as the Search User.
title: Search password
type: password
value: '{{repl LdapCopyAuthFrom "SearchPassword"}}'
required: true
- name: ldap_schema
type: heading
title: LDAP schema
- name: ldap_base_dn
# Base DN for user search. Example: DC=ad,DC=bigbank,DC=com
title: Base DN
type: text
value: '{{repl LdapCopyAuthFrom "BaseDN"}}'
required: true
- name: ldap_usersearch_dn
# User search DN. Together with Base DN, it should form a valid search DN: <User Search DN>,<Base DN>
title: User search DN
type: text
value: '{{repl LdapCopyAuthFrom "UserSearchDNFirst"}}'
default: ou=users
required: true
- name: ldap_advanced_search
# This option must be selected in order to use advanced search features. Otherwise, it can be omitted.
title: Show Advanced Search Options
help_text: Enable this option if you need to write a custom LDAP search query.
type: bool
value: 0
- name: ldap_restricted_user_group
# Group name that the user must belong to. This string must only contain the group name
# without an LDAP search query.
title: Restricted User Group
type: text
value: '{{repl LdapCopyAuthFrom "RestrictedGroupCNFirst"}}'
required: false
when: ldap_advanced_search=0
- name: ldap_user_query
# LDAP query that should be used to lookup users. The query should contain a {{username}} placeholder that
# will be replaced with the actual user name that is being looked up.
# Example: (sAMAccountName={{username}})
title: User Query
type: text
value: '{{repl LdapCopyAuthFrom "UserQuery"}}'
required: false
when: ldap_advanced_search=1
- name: ldap_restricted_group_query
# LDAP query that should be used to validate user group membership.
# The query can container two placeholders:
# {{userdn}} - this placeholder will be replaced with the user's DN value.
# {{username}} - this placeholder will be replaced with the user name
# Example: (|(&(cn=Accounting)(memberuid={{username}})))
title: Restricted User Group Query
type: text
value: '{{repl LdapCopyAuthFrom "RestrictedGroupQuery"}}'
required: false
when: ldap_advanced_search=1
- name: ldap_username_field
# The LDAP field that will contain the user name. Typically it will be uid.
# Active Directory uses sAMAccountName.
title: Username field
type: text
value: '{{repl LdapCopyAuthFrom "FieldUsername"}}'
default: uid
required: true
- name: ldap_login_username
# Optional user name filed. This can be used with test_proc to validate credentials before saving.
title: Test username
type: text
required: false
- name: ldap_login_password
# Optional password filed. This can be used with test_proc to validate credentials before saving.
title: Test password
type: password
required: false
- name: ldap_settings_advanced
title: LDAP Advanced Server Settings
description: |
Upload a file below for advanced integration configuration. This file must conform to the
[Advanced LDAP Configuration Specification](https://help.replicated.com/docs/packaging-an-application/ldap-integration/#advanced-ldap-configuration-specification).
when: auth_source=auth_type_ldap_advanced
test_proc:
# Optional.
# When defined, the Test button will be shown on the LDAP settings section which will allow validating
# the supplied file.
display_name: Validate Config
command: ldap_config_validate
run_on_save: true
arg_fields:
- ldap_config_file
items:
- name: ldap_config_file
# LDAP server type. All standard LDAP implementations are supported.
# In order to use Provisioning API, the LDAP server (AD being an exception) must support the Content Sync feature.
title: LDAP Config File
type: file
required: true
Identity API
See Identity API for information on how to authenticate and sync with LDAP server. It is important to note that an identity source is required when authenticating and syncing with the LDAP server in a multi-domain configuration.
Advanced LDAP Configuration Specification
See the Advanced LDAP Specification for more details.