LogoLogo
StackState.comDownloadSupportExplore playground
StackState v5.1
StackState v5.1
  • Welcome to the StackState docs!
  • StackState self-hosted v5.1 docs
  • Getting Started
  • 🚀Setup
    • Install StackState
      • Requirements
      • Kubernetes / OpenShift
        • Kubernetes install
        • OpenShift install
        • Required Permissions
        • Non-high availability setup
        • Override default configuration
        • Configure storage
        • Configure Ingress
        • Install from custom image registry
        • Migrate from Linux install
      • Linux
        • Before you install
        • Download
        • Install StackState
        • Install with production configuration
        • Install with development configuration
        • Install with POC configuration
        • Set up a reverse proxy
        • Set up TLS without reverse proxy
      • Initial run guide
      • Troubleshooting
    • Upgrade StackState
      • Steps to upgrade
      • Version specific upgrade instructions
      • StackPack versions
      • StackState release notes
    • StackState Agent
      • About StackState Agent V3
      • Docker
      • Kubernetes / OpenShift
      • Linux
      • Windows
      • Advanced Agent configuration
      • Use an HTTP/HTTPS proxy
      • Agent V1 (legacy)
      • Migrate Agent V1 to Agent V2
        • Linux
        • Docker
    • StackState CLI
      • CLI: sts
      • CLI: stac (deprecated)
      • Comparison between CLIs
    • Data management
      • Backup and Restore
        • Kubernetes backup
        • Linux backup
        • Configuration backup
      • Data retention
      • Clear stored data
  • 👤Use
    • Concepts
      • The 4T data model
      • Components
      • Relations
      • Health state
      • Layers, Domains and Environments
      • Perspectives
      • Anomaly detection
      • StackState architecture
    • StackState UI
      • Explore mode
      • Filters
      • Views
        • About views
        • Configure the view health
        • Create and edit views
        • Visualization settings
      • Perspectives
        • Topology Perspective
        • Events Perspective
        • Traces Perspective
        • Metrics Perspective
      • Timeline and time travel
      • Analytics
      • Keyboard shortcuts
    • Checks and monitors
      • Checks
      • Add a health check
      • Anomaly health checks
      • Monitors
      • Manage monitors
    • Problem analysis
      • About problems
      • Problem lifecycle
      • Investigate a problem
      • Problem notifications
    • Metrics
      • Telemetry streams
      • Golden signals
      • Top metrics
      • Add a telemetry stream
      • Browse telemetry
      • Set telemetry stream priority
    • Events
      • About events
      • Event notifications
      • Manage event handlers
    • Glossary
  • 🧩StackPacks
    • About StackPacks
    • Add-ons
      • Autonomous Anomaly Detector
      • Health Forecast
    • Integrations
      • About integrations
      • 💠StackState Agent V2
      • 💠AWS
        • AWS
        • AWS ECS
        • AWS X-ray
        • StackState/Agent IAM role: EC2
        • StackState/Agent IAM role: EKS
        • Policies for AWS
        • AWS (legacy)
        • Migrate AWS (legacy) to AWS
      • 💠Dynatrace
      • 💠Kubernetes
      • 💠OpenShift
      • 💠OpenTelemetry
        • About instrumentations
        • AWS NodeJS Instrumentation
        • Manual Instrumentation
          • Prerequisites
          • Tracer and span mappings
          • Relations between components
          • Span health state
          • Merging components
          • Code examples
      • 💠ServiceNow
      • 💠Slack
      • 💠Splunk
        • Splunk
        • Splunk Events
        • Splunk Health
        • Splunk Metrics
        • Splunk Topology
      • 💠VMWare vSphere
      • Apache Tomcat
      • Azure
      • Cloudera
      • Custom Synchronization
      • DotNet APM
      • Elasticsearch
      • Humio
      • Java APM
      • JMX
      • Logz.io
      • MySQL
      • Nagios
      • OpenMetrics
      • PostgreSQL
      • Prometheus
      • SAP
      • SCOM
      • SolarWinds
      • Static Health
      • Static Topology
      • Traefik
      • WMI
      • Zabbix
    • Develop your own StackPacks
  • 🔧Configure
    • Topology
      • Component actions
      • Identifiers
      • Topology naming guide
      • Topology sources
      • Create a topology manually
      • Configure topology synchronizations
      • Enable email event notifications
      • Send topology data over HTTP
      • Set the topology filtering limit
      • Use a proxy for event handlers
      • Use tags
      • Tune topology synchronization
      • Debug topology synchronization
    • Telemetry
      • Add telemetry during topology synchronization
      • Data sources
        • Elasticsearch
        • Prometheus mirror
      • Send events over HTTP
      • Send metrics data over HTTP
      • Set the default telemetry interval
      • Debug telemetry synchronization
    • Traces
      • Set up traces
      • Advanced configuration for traces
    • Health
      • Health synchronization
      • Send health data over HTTP
        • Send health data
        • Repeat Snapshots JSON
        • Repeat States JSON
        • Transactional Increments JSON
      • Debug health synchronization
    • Anomaly Detection
      • Export anomaly feedback
      • Scale the AAD up and down
      • The AAD status UI
    • Security
      • Authentication
        • Authentication options
        • File based
        • LDAP
        • Open ID Connect (OIDC)
        • KeyCloak
        • Service tokens
      • RBAC
        • Role-based Access Control
        • Permissions
        • Roles
        • Scopes
        • Subjects
      • Secrets management
      • Self-signed certificates
      • Set up a security backend for Linux
      • Set up a security backend for Windows
    • Logging
      • Kubernetes logs
      • Linux logs
      • Enable logging for functions
  • 📖Develop
    • Developer guides
      • Agent checks
        • About Agent checks
        • Agent check API
        • Agent check state
        • How to develop Agent checks
        • Connect an Agent check to StackState
      • Custom functions and scripts
        • StackState functions
        • Check functions
        • Component actions
        • Event handler functions
        • ID extractor functions
        • Mapping functions
        • Monitor functions
        • Propagation functions
        • Template functions
        • View health state configuration functions
      • Custom Synchronization StackPack
        • About the Custom Synchronization StackPack
        • How to customize elements created by the Custom Synchronization StackPack
        • How to configure a custom synchronization
      • Integrate external services
      • Mirroring Telemetry
      • Monitors
        • Create monitors
        • Monitor STJ file format
      • StackPack development
        • How to create a StackPack
        • Packaging
        • How to get a template file
        • How to make a multi-instance StackPack
        • Prepare a multi-instance provisioning script
        • Upload a StackPack file
        • Prepare a shared template
        • Customize a StackPack
        • Prepare instance template files
        • Prepare a StackPack provisioning script
        • Resources in a StackPack
        • StackState Common Layer
      • Synchronizations and templated files
    • Reference
      • StackState OpenAPI docs
      • StackState Template JSON (STJ)
        • Using STJ
        • Template functions
      • StackState Markup Language (STML)
        • Using STML
        • STML Tags
      • StackState Query Language (STQL)
      • StackState Scripting Language (STSL)
        • Scripting in StackState
        • Script result: Async
        • Script result: Streaming
        • Time in scripts
        • Script APIs
          • Async - script API
          • Component - script API
          • HTTP - script API
          • Prediction - script API
          • StackPack - script API
          • Telemetry - script API
          • Time - script API
          • Topology - script API
          • UI - script API
          • View - script API
    • Tutorials
      • Create a simple StackPack
      • Push data to StackState from an external system
      • Send events to StackState from an external system
      • Set up a mirror to pull telemetry data from an external system
Powered by GitBook
LogoLogo

Legal notices

  • Privacy
  • Cookies
  • Responsible disclosure
  • SOC 2/SOC 3
On this page
  • Overview
  • Configure StackState for LDAP
  • Kubernetes
  • Linux
  • See also
  1. Configure
  2. Security
  3. Authentication

LDAP

StackState Self-hosted v5.1.x

Overview

StackState can use an LDAP server (including AD) to authenticate against and to get roles/groups from. It does require a running LDAP server that's accessible to StackState.

The LDAP main directory and all subdirectories will be checked for user files. The bind credentials in the StackState configuration are used to authenticate StackState on the LDAP server. After authentication, StackState passes the top LDAP directory name for the user that wants to log in to StackState.

Configure StackState for LDAP

Kubernetes

To configure StackState to authenticate using an LDAP authentication server on Kubernetes, LDAP details and user role mapping needs to be added to the file authentication.yaml. For example:

stackstate:
  authentication:
    ldap:
      host: sts-ldap
      port: 10389 # For most LDAP servers 389 for plain, 636 for ssl connections
      #ssl:
      #  sslType: ssl
      #  trustStore: <see below>
      #  trustCertificates <see below>
      bind:
        dn: "cn=admin,ou=employees,dc=acme,dc=com"
        password: "password"
      userQuery:
        parameters:
          - ou: employees
          - dc: acme
          - dc: com
        usernameKey: cn
        emailKey: mail
      groupQuery:
        parameters:
          - ou: groups
          - dc: acme
          - dc: com
        rolesKey: cn
        groupMemberKey: member
        # to return all nested groups, use:
        # groupMemberKey: "member:1.2.840.113556.1.4.1941:"

    # map the groups from LDAP to the
    # 4 standard subjects in StackState (guest, powerUser, admin and platformAdmin)
    roles:
      guest: ["ldap-guest-role-for-stackstate"]
      powerUser: ["ldap-power-user-role-for-stackstate"]
      admin: ["ldap-admin-role-for-stackstate"]
      platformAdmin: ["ldap-platform-admin-role-for-stackstate"]

Follow the steps below to configure StackState to authenticate using LDAP:

  1. In authentication.yaml - add LDAP details (see the example above):

    • host - The hostname of the LDAP server.

    • port - The port the LDAP server is listening on.

    • sslType - Optional. The type of LDAP secure connection ssl or startTls. Omit if plain LDAP connection is used.

    • trustCertificates - Optional, certificate file for SSL. Formats PEM, DER and PKCS7 are supported.

    • trustStore - Optional, Java trust store file for SSL. If both trustCertificates and trustStore are specified, trustCertificatesPath takes precedence.

    • bind - Optional, used to authenticate StackState to LDAP server if the LDAP server doesn't support anonymous LDAP searches.

    • userQuery parameters and groupQuery parameters - The set of parameters inside correspond to the base dn of your LDAP where users and groups can be found. The first one is used for authenticating users in StackState, while the second is used for retrieving the group of that user to determine if the user is an Administrator, Power User or a Guest.

    • usernameKey - The name of the attribute that stores the username, value is matched against the username provided on the login screen.

    • emailKey - The name of the attribute that's used as the email address in StackState.

    • rolesKey - The name of the attribute that stores the group name.

    • groupMemberKey - The name of the attribute that indicates whether a user is a member of a group. The constructed LDAP filter follows this pattern: <groupMemberKey>=<user.dn>,ou=groups,dc=acme,dc=com. To return all nested groups, use groupMemberKey: "member:1.2.840.113556.1.4.1941:".

  2. In authentication.yaml - map user roles from LDAP to the correct StackState subjects (see the example above):

  3. Store the file authentication.yaml together with the values.yaml from the StackState installation instructions.

  4. Run a Helm upgrade to apply the changes. If you are using SSL with custom certificates, the binary certificate files that should be used when connecting to LDAP should be set from the command line, use the command under SSL with custom certificates:

helm upgrade \
  --install \
  --namespace stackstate \
  --values values.yaml \
  --values authentication.yaml \
stackstate \
stackstate/stackstate

trustCertificates

helm upgrade \
  --install \
  --namespace stackstate \
  --values values.yaml \
  --values authentication.yaml \
  --set-file stackstate.authentication.ldap.ssl.trustCertificates=./ldap-certificate.pem \
stackstate \
stackstate/stackstate

trustStore

helm upgrade \
  --install \
  --namespace stackstate \
  --values values.yaml \
  --values authentication.yaml \
  --set-file stackstate.authentication.ldap.ssl.trustStore=./ldap-cacerts \
stackstate \
stackstate/stackstate

Note:

  • The first run of the helm upgrade command will result in pods restarting, which may cause a short interruption of availability.

  • Include authentication.yaml on every helm upgrade run.

  • The authentication configuration is stored as a Kubernetes secret.

Linux

To configure StackState to authenticate using an LDAP authentication server on Linux, LDAP details and user role mapping needs to be added to the file application_stackstate.conf. For example:

authorization {
  // map the groups from the LDAP to the
  // 4 standard subjects in StackState (guest, powerUser, admin and platformAdmin)
  // Please note! you have to use the syntax
  // `<group>Groups = ${stackstate.authorization.<group>Groups} ["ldap-role"]`
  // to extend the list of standard roles (stackstate-admin, stackstate-platform-admin, stackstate-guest, stackstate-power-user)
  // with the ones from Ldap
  guestGroups = ${stackstate.authorization.guestGroups} ["ldap-guest-role-for-stackstate"]
  powerUserGroups = ${stackstate.authorization.powerUserGroups} ["ldap-powerUser-role-for-stackstate"]
  adminGroups = ${stackstate.authorization.adminGroups} ["ldap-admin-role-for-stackstate"]
  platformAdminGroups = ${stackstate.authorization.platformAdminGroups} ["ldap-platform-admin-role-for-stackstate"]
}

authentication {
  authServer {
    authServerType = [ "ldapAuthServer" ]

    ldapAuthServer {
      connection {
        host = localhost
        port = 8000
        # ssl {
        #    sslType = ssl
        #    trustCertificatesPath = "/var/lib/ssl/sts-ldap.pem"
        #    trustStorePath = "/var/lib/ssl/cacerts"
        # }
        bindCredentials {
           dn = "cn=admin,ou=employees,dc=acme,dc=com"
           password = "password"
         }
      }
      userQuery {
        parameters = [
          { ou : employees }
          { dc : acme }
          { dc : com }
        ]
        usernameKey = cn
        emailKey = mail
      }
      groupQuery {
        parameters = [
          { ou : groups }
          { dc : acme }
          { dc : com }
        ]
        rolesKey = cn
        groupMemberKey = member
        // to return all nested groups, use:
        // groupMemberKey: "member:1.2.840.113556.1.4.1941:"
      }
    }
  }
}

Follow the steps below to configure StackState to authenticate using LDAP:

  1. In application_stackstate.conf - add LDAP details (see the example above):

    • host - The hostname of the LDAP server.

    • port - The port the LDAP server is listening on.

    • sslType - Optional. Omit if plain LDAP connection is used. The type of LDAP secure connection ssl | startTls.

    • trustCertificatesPath - optional, path to the trust store on the StackState server. Formats PEM, DER and PKCS7 are supported.

    • trustStorePath - optional, path to a Java trust store on the StackState server. If both trustCertificatesPath and trustStorePath are specified, trustCertificatesPath takes precedence.

    • bindCredentials - optional, used to authenticate StackState on the LDAP server if the LDAP server doesn't support anonymous LDAP searches.

    • userQuery and groupQuery parameters - The set of parameters inside correspond to the base dn of your LDAP where users and groups can be found. The first one is used for authenticating users in StackState, while the second is used for retrieving the group of that user to determine if the user is an Administrator, Power User or a Guest.

    • usernameKey - The name of the attribute that stores the username, value is matched against the username provided on the login screen.

    • emailKey - The name of the attribute that's used as the email address in StackState.

    • rolesKey - The name of the attribute that stores the group name.

    • groupMemberKey - The name of the attribute that indicates whether a user is a member of a group. The constructed LDAP filter follows this pattern: <groupMemberKey>=<user.dn>,ou=groups,dc=acme,dc=com. To return all nested groups, use groupMemberKey: "member:1.2.840.113556.1.4.1941:".

  2. Restart StackState to apply the changes.

See also

PreviousFile basedNextOpen ID Connect (OIDC)

Last updated 2 years ago

roles - for details, see the . More StackState roles can also be created, see the .

In application_stackstate.conf - map the LDAP groups to the correct StackState groups using guestGroups, powerUserGroups, adminGroups and platformAdminGroups (see the example above). For details, see the . More StackState roles can also be created, see the .

🔧
Authentication options
Create RBAC roles
RBAC documentation
RBAC documentation
default StackState roles
default StackState roles
Permissions for predefined StackState roles