LogoLogo
StackState.comDownloadSupportExplore playground
SUSE Observability
SUSE Observability
  • SUSE Observability docs!
  • Docs for all SUSE Observability products
  • 🚀Get started
    • Quick start guide
    • SUSE Observability walk-through
    • SUSE Rancher Prime
      • Air-gapped
      • Agent Air-gapped
    • SUSE Cloud Observability
  • 🦮Guided troubleshooting
    • What is guided troubleshooting?
    • YAML Configuration
    • Changes
    • Logs
  • 🚨Monitors and alerts
    • Monitors
    • Out of the box monitors for Kubernetes
    • Notifications
      • Configure notifications
      • Notification channels
        • Slack
        • Teams
        • Webhook
        • Opsgenie
      • Troubleshooting
    • Customize
      • Add a monitor using the CLI
      • Derived State monitor
      • Dynamic Threshold monitor
      • Override monitor arguments
      • Write a remediation guide
  • 📈Metrics
    • Explore Metrics
    • Custom charts
      • Adding custom charts to components
      • Writing PromQL queries for representative charts
      • Troubleshooting custom charts
    • Advanced Metrics
      • Grafana Datasource
      • Prometheus remote_write
      • OpenMetrics
  • 📑Logs
    • Explore Logs
    • Log Shipping
  • 🔭Traces
    • Explore Traces
  • 📖Health
    • Health synchronization
    • Send health data over HTTP
      • Send health data
      • Repeat Snapshots JSON
      • Transactional Increments JSON
    • Debug health synchronization
  • 🔍Views
    • Kubernetes views
    • Custom views
    • Component views
    • Explore views
    • View structure
      • Overview perspective
      • Highlights perspective
      • Topology perspective
      • Events perspective
      • Metrics perspective
      • Traces perspective
      • Filters
      • Keyboard shortcuts
    • Timeline and time travel
  • 🕵️Agent
    • Network configuration
      • Proxy Configuration
    • Using a custom registry
    • Custom Secret Management
      • Custom Secret Management (Deprecated)
    • Request tracing
      • Certificates for sidecar injection
  • 🔭Open Telemetry
    • Overview
    • Getting started
      • Concepts
      • Kubernetes
      • Kubernetes Operator
      • Linux
      • AWS Lambda
    • Open telemetry collector
      • Sampling
      • SUSE Observability OTLP APIs
    • Instrumentation
      • Java
      • Node.js
        • Auto-instrumentation of Lambdas
      • .NET
      • SDK Exporter configuration
    • Troubleshooting
  • CLI
    • SUSE Observability CLI
  • 🚀Self-hosted setup
    • Install SUSE Observability
      • Requirements
      • Kubernetes / OpenShift
        • Kubernetes install
        • OpenShift install
        • Alibaba Cloud ACK install
        • Required Permissions
        • Override default configuration
        • Configure storage
        • Exposing SUSE Observability outside of the cluster
      • Initial run guide
      • Troubleshooting
        • Advanced Troubleshooting
        • Support Package (Logs)
    • Configure SUSE Observability
      • Slack notifications
      • E-mail notifications
      • Stackpacks
      • Advanced
        • Analytics
    • Release Notes
      • v2.0.0 - 11/Sep/2024
      • v2.0.1 - 18/Sep/2024
      • v2.0.2 - 01/Oct/2024
      • v2.1.0 - 29/Oct/2024
      • v2.2.0 - 09/Dec/2024
      • v2.2.1 - 10/Dec/2024
      • v2.3.0 - 30/Jan/2025
      • v2.3.1 - 17/Mar/2025
      • v2.3.2 - 22/Apr/2025
      • v2.3.3 - 07/May/2025
    • Upgrade SUSE Observability
      • Migration from StackState
      • Steps to upgrade
      • Version-specific upgrade instructions
    • Uninstall SUSE Observability
    • Air-gapped
      • SUSE Observability air-gapped
      • SUSE Observability Kubernetes Agent air-gapped
    • Data management
      • Backup and Restore
        • Kubernetes backup
        • Configuration backup
      • Data retention
      • Clear stored data
    • Security
      • Authentication
        • Authentication options
        • Single password
        • File-based
        • LDAP
        • Open ID Connect (OIDC)
          • Microsoft Entra ID
        • KeyCloak
        • Service tokens
        • Troubleshooting
      • RBAC
        • Role-based Access Control
        • Permissions
        • Roles
        • Scopes
      • Self-signed certificates
      • External secrets
  • 🔐Security
    • Service Tokens
    • API Keys
  • ☁️SaaS
    • User Management
  • Reference
    • SUSE Observability Query Language (STQL)
    • Chart units
    • Topology Identifiers
Powered by GitBook
LogoLogo

Legal notices

  • Privacy
  • Cookies
  • Responsible disclosure
  • SOC 2/SOC 3
On this page
  • Overview
  • Configure SUSE Observability for LDAP
  • Kubernetes
  • Using an external secret
  • See also
  1. Self-hosted setup
  2. Security
  3. Authentication

LDAP

SUSE Observability Self-hosted

Overview

SUSE Observability can use an LDAP server (including AD) to authenticate against and to get roles/groups from. It does require a running LDAP server that's accessible to SUSE Observability.

The LDAP main directory and all subdirectories will be checked for user files. The bind credentials in the SUSE Observability configuration are used to authenticate SUSE Observability on the LDAP server. After authentication, SUSE Observability passes the top LDAP directory name for the user that wants to log in to SUSE Observability.

Configure SUSE Observability for LDAP

Kubernetes

To configure SUSE Observability to authenticate using an LDAP authentication server on Kubernetes, LDAP details and user role mapping needs to be added to the file authentication.yaml. For example:

stackstate:
  authentication:
    ldap:
      host: sts-ldap
      port: 10389 # For most LDAP servers 389 for plain, 636 for ssl connections
      #ssl:
      #  sslType: ssl
      #  trustStore: <see below>
      #  trustCertificates <see below>
      bind:
        dn: "cn=admin,ou=employees,dc=acme,dc=com"
        password: "password"
      userQuery:
        parameters:
          - ou: employees
          - dc: acme
          - dc: com
        usernameKey: cn
        emailKey: mail
      groupQuery:
        parameters:
          - ou: groups
          - dc: acme
          - dc: com
        rolesKey: cn
        groupMemberKey: member
        # to return all nested groups, use:
        # groupMemberKey: "member:1.2.840.113556.1.4.1941:"

    # map the groups from LDAP to the
    # standard subjects in SUSE Observability (guest, powerUser and admin)
    roles:
      guest: ["ldap-guest-role-for-stackstate"]
      powerUser: ["ldap-power-user-role-for-stackstate"]
      admin: ["ldap-admin-role-for-stackstate"]

Follow the steps below to configure SUSE Observability to authenticate using LDAP:

  1. In authentication.yaml - add LDAP details (see the example above):

    • host - The hostname of the LDAP server.

    • port - The port the LDAP server is listening on.

    • sslType - Optional. The type of LDAP secure connection ssl or startTls. Omit if plain LDAP connection is used.

    • trustCertificates - Optional, certificate file for SSL. Formats PEM, DER and PKCS7 are supported.

    • trustStore - Optional, Java trust store file for SSL. If both trustCertificates and trustStore are specified, trustCertificatesPath takes precedence.

    • bind - Optional, used to authenticate SUSE Observability to LDAP server if the LDAP server doesn't support anonymous LDAP searches.

    • userQuery parameters and groupQuery parameters - The set of parameters inside correspond to the base dn of your LDAP where users and groups can be found. The first one is used for authenticating users in SUSE Observability, while the second is used for retrieving the group of that user to determine if the user is an Administrator, Power User or a Guest.

    • usernameKey - The name of the attribute that stores the username, value is matched against the username provided on the login screen.

    • emailKey - The name of the attribute that's used as the email address in SUSE Observability.

    • rolesKey - The name of the attribute that stores the group name.

    • groupMemberKey - The name of the attribute that indicates whether a user is a member of a group. The constructed LDAP filter follows this pattern: <groupMemberKey>=<user.dn>,ou=groups,dc=acme,dc=com. To return all nested groups, use groupMemberKey: "member:1.2.840.113556.1.4.1941:".

  2. In authentication.yaml - map user roles from LDAP to the correct SUSE Observability subjects (see the example above):

  3. Store the file authentication.yaml together with the values.yaml from the SUSE Observability installation instructions.

  4. Run a Helm upgrade to apply the changes. If you are using SSL with custom certificates, the binary certificate files that should be used when connecting to LDAP should be set from the command line, use the command under SSL with custom certificates:

helm upgrade \
  --install \
  --namespace suse-observability \
  --values values.yaml \
  --values authentication.yaml \
suse-observability \
suse-observability/suse-observability

trustCertificates

helm upgrade \
  --install \
  --namespace suse-observability \
  --values values.yaml \
  --values authentication.yaml \
  --set-file stackstate.authentication.ldap.ssl.trustCertificates=./ldap-certificate.pem \
suse-observability \
suse-observability/suse-observability

trustStore

helm upgrade \
  --install \
  --namespace suse-observability \
  --values values.yaml \
  --values authentication.yaml \
  --set-file stackstate.authentication.ldap.ssl.trustStore=./ldap-cacerts \
suse-observability \
suse-observability/suse-observability

Note:

  • The first run of the helm upgrade command will result in pods restarting, which may cause a short interruption of availability.

  • Include authentication.yaml on every helm upgrade run.

  • The authentication configuration is stored as a Kubernetes secret.

Using an external secret

kind: Secret
metadata:
   name: "<custom-secret-name>"
type: Opaque
data:
  ldap_password: <base64 of ldap password>

See also

PreviousFile-basedNextOpen ID Connect (OIDC)

Last updated 5 months ago

roles - for details, see the . More SUSE Observability roles can also be created, see the .

When the ldap password should come from an external secret, follow but fill in the following data:

🚀
Authentication options
Create RBAC roles
RBAC documentation
these steps
External Secrets
default SUSE Observability roles
Permissions for predefined SUSE Observability roles