Last updated:

Use an LDAP Service

This document describes how to use an LDAP service as an external identity provider, which allows you to authenticate users against the LDAP service.

Prerequisites

You need to deploy a Kubernetes cluster and install KubeSphere in the cluster. For details, see Installing on Linux and Installing on Kubernetes.
You need to obtain the manager distinguished name (DN) and manager password of an LDAP service.

Procedure

Log in to KubeSphere as admin, move the cursor to in the bottom-right corner, click Kubectl, and run the following command to edit the kubesphere-config ConfigMap:

kubectl -n kubesphere-system edit cm kubesphere-config

Example:

apiVersion: v1
data:
  kubesphere.yaml: |
    authentication:
      authenticateRateLimiterMaxTries: 10
      authenticateRateLimiterDuration: 10m0s
      loginHistoryRetentionPeriod: 168h
      maximumClockSkew: 10s
      multipleLogin: true
      jwtSecret: "********"
      oauthOptions:
        accessTokenMaxAge: 1h
        accessTokenInactivityTimeout: 30m
        identityProviders:
        - name: LDAP
          type: LDAPIdentityProvider
          mappingMethod: auto
          provider:
            host: 192.168.0.2:389
            managerDN: uid=root,cn=users,dc=nas
            managerPassword: ********
            userSearchBase: cn=users,dc=nas
            loginAttribute: uid
            mailAttribute: mail

Configure fields other than oauthOptions:identityProviders in the data:kubesphere.yaml:authentication section. For details, see Set Up External Authentication.
Configure fields in oauthOptions:identityProviders section.
- name: User-defined LDAP service name.
- type: To use an LDAP service as an identity provider, you must set the value to LDAPIdentityProvider.
- mappingMethod: Account mapping method. The value can be auto or lookup.
  - If the value is auto (default), you need to specify a new username. KubeSphere automatically creates a user according to the username and maps the user to an LDAP user.
  - If the value is lookup, you need to perform step 4 to manually map an existing KubeSphere user to an LDAP user.
- provider:
  - host: Address and port number of the LDAP service.
  - managerDN: DN used to bind to the LDAP directory.
  - managerPassword: Password corresponding to managerDN.
  - userSearchBase: User search base. Set the value to the DN of the directory level below which all LDAP users can be found.
  - loginAttribute: Attribute that identifies LDAP users.
  - mailAttribute: Attribute that identifies email addresses of LDAP users.

If mappingMethod is set to lookup, run the following command and add the labels to map a KubeSphere user to an LDAP user. Skip this step if mappingMethod is set to auto.

kubectl edit user <KubeSphere username>

labels:
  iam.kubesphere.io/identify-provider: <LDAP service name>
  iam.kubesphere.io/origin-uid: <LDAP username>

After the fields are configured, run the following command to restart ks-apiserver.
```
kubectl -n kubesphere-system rollout restart deploy/ks-apiserver
```
Note

The KubeSphere web console is unavailable during the restart of ks-apiserver. Please wait until the restart is complete.
Go to the KubeSphere login page and enter the username and password of an LDAP user to log in.

Note

The username of an LDAP user is the value of the attribute specified by loginAttribute.

Feedback

Was this page Helpful?

Thanks for the feedback. If you have a specific question about how to use KubeSphere, ask it on Slack. Open an issue in the GitHub repo if you want to report a problem or suggest an improvement.

Previous : Set Up External Authentication Next : OIDC identity provider

What’s on this Page