LDAP
SUSE Observability Self-hosted
Overview
SUSE Observability can use an LDAP server (including AD) to authenticate against and to get roles/groups from. It does require a running LDAP server that's accessible to SUSE Observability.
The LDAP main directory and all subdirectories will be checked for user files. The bind credentials in the SUSE Observability configuration are used to authenticate SUSE Observability on the LDAP server. After authentication, SUSE Observability passes the top LDAP directory name for the user that wants to log in to SUSE Observability.
Configure SUSE Observability for LDAP
Kubernetes
To configure SUSE Observability to authenticate using an LDAP authentication server on Kubernetes, LDAP details and user role mapping needs to be added to the file authentication.yaml
. For example:
Follow the steps below to configure SUSE Observability to authenticate using LDAP:
In
authentication.yaml
- add LDAP details (see the example above):host - The hostname of the LDAP server.
port - The port the LDAP server is listening on.
sslType - Optional. The type of LDAP secure connection
ssl
orstartTls
. Omit if plain LDAP connection is used.trustCertificates - Optional, certificate file for SSL. Formats PEM, DER and PKCS7 are supported.
trustStore - Optional, Java trust store file for SSL. If both
trustCertificates
andtrustStore
are specified,trustCertificatesPath
takes precedence.bind - Optional, used to authenticate SUSE Observability to LDAP server if the LDAP server doesn't support anonymous LDAP searches.
userQuery parameters and groupQuery parameters - The set of parameters inside correspond to the base dn of your LDAP where users and groups can be found. The first one is used for authenticating users in SUSE Observability, while the second is used for retrieving the group of that user to determine if the user is an Administrator, Power User or a Guest.
usernameKey - The name of the attribute that stores the username, value is matched against the username provided on the login screen.
emailKey - The name of the attribute that's used as the email address in SUSE Observability.
rolesKey - The name of the attribute that stores the group name.
groupMemberKey - The name of the attribute that indicates whether a user is a member of a group. The constructed LDAP filter follows this pattern:
<groupMemberKey>=<user.dn>,ou=groups,dc=acme,dc=com
. To return all nested groups, usegroupMemberKey: "member:1.2.840.113556.1.4.1941:"
.
In
authentication.yaml
- map user roles from LDAP to the correct SUSE Observability subjects (see the example above):roles - for details, see the default SUSE Observability roles. More SUSE Observability roles can also be created, see the RBAC documentation.
Store the file
authentication.yaml
together with thevalues.yaml
from the SUSE Observability installation instructions.Run a Helm upgrade to apply the changes. If you are using SSL with custom certificates, the binary certificate files that should be used when connecting to LDAP should be set from the command line, use the command under SSL with custom certificates:
trustCertificates
trustStore
Note:
The first run of the helm upgrade command will result in pods restarting, which may cause a short interruption of availability.
Include
authentication.yaml
on everyhelm upgrade
run.The authentication configuration is stored as a Kubernetes secret.
Using an external secret
When the ldap password should come from an external secret, follow these steps but fill in the following data:
See also
Last updated