LDAP support allows you to use your existing user database to authenticate users logging into the Capsule8 Console. Please be aware of the following considerations before configuring LDAP in the Console:
- Console v4.6.2 and earlier:
  - supports OpenLDAP-backed LDAP
  - does not allow accounts created via the Console UI to log in alongside LDAP accounts; this can prevent access to the Console during an LDAP outage
- Console v4.7.0 and later:
  - supports OpenLDAP- and Active Directory-backed LDAP
  - does allow accounts created via the Console UI to log in alongside LDAP accounts; this can be used as fallback access to the Console during an LDAP outage
- Users who log in with LDAP for the first time are assigned a built-in Console role with minimal permissions. Typically, an admin user will then assign the correct role to the new user.
Set the fields `auth_ldap_hostname` and `auth_ldap_base` in the console configuration file. For example:

```yaml
console:
  #...
  auth_ldap_hostname: "ldap.my-company.com"  # an LDAP server address
  auth_ldap_base: "ou=Users,dc=my-company,dc=com"  # LDAP subtree where user searches can be run
```
Active Directory (Console 4.7+)
In addition to the OpenLDAP settings above, to connect to a Microsoft Active Directory LDAP server, set the value of `auth_ldap_type` to "activedirectory". For example:

```yaml
console:
  #...
  auth_ldap_type: "activedirectory"  # This value is 'openldap' by default
```
LDAP port and TLS settings may be customized. For example:

```yaml
console:
  #...
  auth_ldap_port: 636  # LDAP server port, if not 389
  auth_ldap_use_tls: "false"  # By default, we connect to the LDAP server over TLS. To skip TLS, set the field to false.
```
Users may be restricted by setting the `auth_ldap_allowed_groups` key. If the field is empty, all authenticated users will be able to access the Capsule8 Console. A space-delimited list of allowed groups restricts access to users in those groups. This feature is only supported on LDAP installations using the memberOf overlay. For example:

```yaml
console:
  #...
  auth_ldap_allowed_groups: group1 group2 group3
```
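As an added example (not part of the Capsule8 documentation or product), the following Python snippet reads the `auth_ldap_*` keys out of a console configuration written in the layout shown above and flags the settings this page documents as loosening access control: TLS switched off, an empty allowed-groups list, and a missing hostname or base. The sample configuration is constructed, and the reader is a minimal key/value parser for this layout rather than a full YAML parser.

```python
"""Lint the auth_ldap_* keys of a Capsule8 Console config for risky settings."""
import re

# Constructed sample config (assumption: follows the page's YAML layout).
SAMPLE_CONFIG = """\
console:
  #...
  auth_ldap_hostname: "ldap.my-company.com"  # an LDAP server address
  auth_ldap_base: "ou=Users,dc=my-company,dc=com"
  auth_ldap_type: "activedirectory"
  auth_ldap_port: 389
  auth_ldap_use_tls: "false"  # TLS switched off
  auth_ldap_allowed_groups:
"""

_SETTING = re.compile(r'^\s*(auth_ldap_\w+)\s*:\s*(.*)$')
_QUOTED = re.compile(r'"([^"]*)"')

def parse_ldap_settings(text):
    """Return {key: value} for auth_ldap_* lines; quotes and trailing comments are stripped."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if not m:
            continue
        key, raw = m.groups()
        q = _QUOTED.match(raw)
        settings[key] = q.group(1) if q else raw.split('#', 1)[0].strip()
    return settings

def lint_ldap_settings(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for required in ("auth_ldap_hostname", "auth_ldap_base"):
        if not settings.get(required):
            findings.append(f"{required} is missing: LDAP login cannot work")
    ldap_type = settings.get("auth_ldap_type", "openldap")  # page: openldap is the default
    if ldap_type not in ("openldap", "activedirectory"):
        findings.append(f"auth_ldap_type {ldap_type!r} is not a documented value")
    if settings.get("auth_ldap_use_tls", "true").lower() == "false":
        findings.append("auth_ldap_use_tls is false: LDAP bind credentials travel unencrypted")
    if not settings.get("auth_ldap_allowed_groups"):
        findings.append("auth_ldap_allowed_groups is empty: every authenticated LDAP user may log in")
    return findings

def lint_config_text(text):
    """Parse and lint in one step."""
    return lint_ldap_settings(parse_ldap_settings(text))
```

Run `lint_config_text` over a deployed config before go-live; the sample above yields two findings, and a config with TLS on and a populated group list yields none.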