Available as of v2.0.5
If your organization uses LDAP for user authentication, you can configure Rancher to communicate with an OpenLDAP server to authenticate users. This allows Rancher admins to control access to clusters and projects based on users and groups managed externally in the organisation’s central user repository, while allowing end-users to authenticate with their LDAP credentials when logging in to the Rancher UI.
Note: Before you proceed with the configuration, please familiarise yourself with the concepts of External Authentication Configuration and Principal Users.
Rancher must be configured with an LDAP bind account (also called a service account) to search and retrieve the LDAP entries for users and groups that should have access. Do not use an admin account or a personal account for this purpose; instead, create a dedicated account in OpenLDAP with read-only access to users and groups under the configured search base (see below).
Using TLS? If the certificate used by the OpenLDAP server is self-signed or not from a recognised certificate authority, make sure you have the CA certificate (concatenated with any intermediate certificates) at hand in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain.
In the section titled 1. Configure an OpenLDAP server, complete the fields with the information specific to your server. Please refer to the following table for detailed information on the required values for each parameter.
Note: If you are in doubt about the correct values to enter in the user/group Search Base configuration fields, consult your LDAP administrator or refer to the section Identify Search Base and Schema using ldapsearch in the Active Directory authentication documentation.
Table 1: OpenLDAP server parameters
User Search Base
If your OpenLDAP directory deviates from the standard OpenLDAP schema, you must complete the Customize Schema section to match it. Note that the attribute mappings configured in this section are used by Rancher to construct search filters and resolve group membership. It is therefore always recommended to verify that the configuration here matches the schema used in your OpenLDAP.
Note: If you are unfamiliar with the user/group schema used in the OpenLDAP server, consult your LDAP administrator or refer to the section Identify Search Base and Schema using ldapsearch in the Active Directory authentication documentation.
The table below details the parameters for the user schema configuration.
Table 2: User schema configuration parameters
uid
memberOf
isMemberOf
User Enabled Attribute
The table below details the parameters for the group schema configuration.
Table 3: Group schema configuration parameters
Group Member Mapping Attribute
Search Attribute
User Member Attribute
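As an added illustration (not Rancher's own code), the following Python models how the Customize Schema mappings from Tables 2 and 3 shape the user search filter and the group-membership lookup. The schema values and the in-memory directory are constructed assumptions; the escaping applied to the login name follows RFC 4515, which is what keeps a login name from altering the filter's structure.

```python
# Schema mapping mirroring the Customize Schema fields; values are assumed samples.
USER_SCHEMA = {
    "object_class": "inetOrgPerson",
    "login_attribute": "uid",             # matched against the login name
    "user_member_attribute": "memberOf",  # user -> group DNs (needs the memberof overlay)
}
GROUP_SCHEMA = {
    "object_class": "groupOfNames",
    "search_attribute": "cn",              # group name that is searched and displayed
    "member_mapping_attribute": "member",  # group -> user DNs
}

# Constructed in-memory directory standing in for the OpenLDAP server (DN -> attributes).
PEOPLE, GROUPS = "ou=people,dc=example,dc=org", "ou=groups,dc=example,dc=org"
DIRECTORY = {
    f"uid=jdoe,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "uid": ["jdoe"],
                           "memberOf": [f"cn=devs,{GROUPS}"]},
    f"uid=asmith,{PEOPLE}": {"objectClass": ["inetOrgPerson"], "uid": ["asmith"]},
    f"cn=devs,{GROUPS}": {"objectClass": ["groupOfNames"], "cn": ["devs"],
                          "member": [f"uid=jdoe,{PEOPLE}"]},
    # ops lists jdoe as a member although jdoe has no matching memberOf value.
    f"cn=ops,{GROUPS}": {"objectClass": ["groupOfNames"], "cn": ["ops"],
                         "member": [f"uid=asmith,{PEOPLE}", f"uid=jdoe,{PEOPLE}"]},
}
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def user_search_filter(login):
    """Filter the bind account would search with for this login name."""
    return (f"(&(objectClass={USER_SCHEMA['object_class']})"
            f"({USER_SCHEMA['login_attribute']}={escape_filter_value(login)}))")

def find_user_dn(login):
    """Exact match on the login attribute (stand-in for the real LDAP search)."""
    for dn, attrs in DIRECTORY.items():
        if (USER_SCHEMA["object_class"] in attrs["objectClass"]
                and login in attrs.get(USER_SCHEMA["login_attribute"], [])):
            return dn
    return None

def resolve_groups(user_dn):
    """Group names: use the user's member attribute if present, else scan group members."""
    group_dns = DIRECTORY[user_dn].get(USER_SCHEMA["user_member_attribute"])
    if not group_dns:  # no memberOf values: fall back to the group-side mapping
        group_dns = [dn for dn, a in DIRECTORY.items()
                     if GROUP_SCHEMA["object_class"] in a["objectClass"]
                     and user_dn in a.get(GROUP_SCHEMA["member_mapping_attribute"], [])]
    return sorted(DIRECTORY[g][GROUP_SCHEMA["search_attribute"]][0] for g in group_dns)
```

Because jdoe carries a memberOf value, the user member attribute wins and ops is never seen for that user, while asmith (no memberOf) is resolved through the group member attribute; this is the kind of mismatch between the two mappings that verifying the schema configuration is meant to catch.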
Once you have completed the configuration, proceed by testing the connection to the OpenLDAP server. Authentication with OpenLDAP will be enabled implicitly if the test is successful.
Note: The OpenLDAP user pertaining to the credentials entered in this step will be mapped to the local principal account and assigned admin privileges in Rancher. You should therefore make a conscious decision on which LDAP account you use to perform this step.
Note: You will still be able to log in using the locally configured admin account and password in case of a disruption of LDAP services.
If you are experiencing issues while testing the connection to the OpenLDAP server, first double-check the credentials entered for the service account as well as the search base configuration. You may also inspect the Rancher logs to help pinpoint the cause of the problem; debug logs may contain more detailed information about the error. Please refer to How can I enable debug logging in this documentation.