Skip to main content

Configuring 3rd party authentication for the Console via LDAP

  • Updated

Deployment Considerations

LDAP support allows you to use your existing user database to authenticate users logging into the Capsule8 Console. Please be aware of the following considerations before configuring LDAP in the Console:

  • Console v4.6.2 and earlier:
    • supports OpenLDAP-backed LDAP
    •  does not allow accounts created via the Console UI to login alongside LDAP accounts; this can prevent access to the Console during an LDAP outage
  • Console v4.7.0 and later:
    • supports OpenLDAP- and ActiveDirectory-backed LDAP
    •  does allow accounts created via the Console UI to login alongside LDAP accounts; this can be used as fallback access to the Console during an LDAP outage
  • Users who login with LDAP for the first time are assigned a built-in Console role with minimal permissions. Typically, an admin user will then assign the correct role to the new user.

OpenLDAP

Set the fields  auth_ldap_hostname  and auth_ldap_base in the console configuration file. For example: 

console:
  #...
  auth_ldap_hostname: "ldap.my-company.com" # an LDAP server address
  auth_ldap_base: "ou=Users,dc=my-company,dc=com" # LDAP subtree where user searches can be run

Active Directory (Console 4.7+)

In addition to the OpenLDAP instructions above, to connect to a Microsoft Active Directory LDAP server, set the value of auth_ldap_type to "activedirectory". For example:

console:
  #...
  auth_ldap_type: "activedirectory" # This value is 'openldap' by default

Customization

LDAP port and TLS settings may be customized. For example:

console:
  #...
  auth_ldap_port: 636 # LDAP server port, if not 389
  auth_ldap_use_tls: "false" # By default, we connect to the LDAP server over TLS. To ignore TLS, set the field to false.

Users may be restricted by setting the auth_ldap_allowed_groups key. If the field is empty, all authenticated users will be able to access the Capsule8 Console. A space-delimited list of allowed groups will restrict access to users in those groups.  This feature is only supported on LDAP installations using the memberOf overlay.

console:
  #...
  auth_ldap_allowed_groups: group1 group2 group3

 

Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.