Enabling TLS for LDAP Authentication

Prerequisites

Enabling TLS for LDAP Authentication

To use TLS for LDAP you only need to set a valid ldaps:// URL for the Helm value url in the global.authentication.ldap context. Remember to also adjust the TCP port number. By default LDAPS uses port 636.

Connectware will verify that the LDAP server presents a valid certificate before using it as authentication backend. Unless you have a certificate for your LDAP server that is signed by a valid root CA, you will need to provide the CA certificate that signed your LDAP server’s certificate. Alternatively you can disable certificate validation.

Providing the CA Certificate through Helm Values

You can simply provide the CA certificate in the Helm value caChain.cert in the global.authentication.ldap context. Provide the complete certificate chain necessary to validate the LDAP server’s certificate.

Example

global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=Users,DC=company,DC=tld
      url: ldaps://my-dc.complany.tld:636
      caChain:
        cert: |
           -----BEGIN CERTIFICATE-----
           MIIFpTCCA40CFGFL86145m7JIg2RaKkAVCOV1H71MA0GCSqGSIb3DQEBCwUAMIGN
           [skipped for brevity - include whole certificate]
           SKnBS1Y1Dn2e
           -----END CERTIFICATE-----
Code-Sprache: YAML (yaml)

As an alternative, you can provide the CA certificate through a manually create Kubernetes ConfigMap.

Providing the CA Certificate through a Kubernetes ConfigMap

To provide the CA certificate necessary to validate the certificate used by your LDAP server, you can manually create a Kubernetes ConfigMap that contains the certificate as a file named ca.crt. You will then provide the name of that ConfigMap in the Helm value caChain.existingConfigMap in the global.authentication.ldap context.

Example

Create the Kubernetes ConfigMap from a file named ca.crt in your current directory:

kubectl -n <namespace> create cm cw-ldap-ca-cert --from-file ca.cr
Code-Sprache: YAML (yaml)

Specify the name of the ConfigMap:

global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=Users,DC=company,DC=tld
      url: ldaps://my-dc.complany.tld:636
      caChain:
        existingConfigMap: cw-ldap-ca-cert
Code-Sprache: YAML (yaml)

Disabling Certificate Validation

While we do not recommend skipping certificate validation for production use, it is possible to tell Connectware to accept any certificate the LDAP server presents. To do so, simply set the Helm value caChain.trustAllCertificates in the global.authentication.ldap context to true.

Example

global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=Users,DC=company,DC=tld
      url: ldaps://my-dc.complany.tld:636
      caChain:
        trustAllCertificates: true
Code-Sprache: YAML (yaml)
Was this article helpful?
YesNo
Need more help?

Can’t find the answer you’re looking for?
Don’t worry, we’re here to help.

Share this article
  • Previous

    Configuring Connectware to Use LDAP Authentication

  • Manual Kubernetes Secret for LDAP Authentication Bind User

Ihr Browser unterstützt diese Webseite nicht.

Liebe Besucher:innen, Sie versuchen unsere Website über den Internet Explorer zu besuchen. Der Support für diesen Browser wurde durch den Hersteller eingestellt, weshalb er moderne Webseiten nicht mehr richtig darstellen kann.
Um die Inhalte dieser Website korrekt anzeigen zu können, benötigen Sie einen modernen Browser.

Unter folgenden Links finden Sie Browser, für die unsere Webseite optimiert wurde:

Google Chrome Browser herunterladen Mozilla Firefox Browser herunterladen

Sie können diese Website trotzdem anzeigen lassen, müssen aber mit erheblichen Einschränkungen rechnen.

Diese Website trotzdem anzeigen.