Please note that LDAP is flexible enough to offer lots of other options and configuration possibilities. Spinnaker uses the Spring Security libraries, which solve a number of challenges.
With the LDAP manager credentials and search patterns in hand, use Halyard to configure Fiat:
```shell
hal config security authz ldap edit \
  --url ldaps://ldap.mydomain.net:636/dc=mydomain,dc=net \
  --manager-dn uid=admin,ou=system \
  --manager-password \
  --user-dn-pattern uid={0},ou=users \
  --group-search-base ou=groups \
  --group-search-filter "(uniqueMember={0})" \
  --group-role-attributes cn
hal config security authz edit --type ldap
hal config security authz enable
```
The above is a sample. See below for more information.
The LDAP provider works by binding to the LDAP server as the account set by manager-dn and managerPassword, then issuing a query that uses the logged-in user's username to filter results.

Fiat will use the "bound" account to do the following:

- Search the group-search-base. THIS IS A REQUIRED FIELD. If not set, no roles get queried.
- Apply the group-search-filter to find the results.
- Return the group-role-attributes attribute of each match (defaults to cn).
- Take the root DN from the url (ldaps://my.server/a/b/c → a/b/c). If the com.netflix.spinnaker.fiat.roles.ldap.LdapUserRolesProvider log level is at debug, you should see: Root DN: <the actual root DN extracted>
- If user-search-filter is provided, then use:
  - user-search-base
  - user-search-filter, aka (uid={0})
- If user-search-filter is not provided, use:
  - user-dn-pattern
You must provide either a search filter or a DN pattern. In the sample above, the user joe would have a full DN of uid=joe,ou=users,dc=mydomain,dc=net.

The search would be rooted at ou=groups,dc=mydomain,dc=net, looking for directory entries that include the attribute uniqueMember=uid=joe,ou=users,dc=mydomain,dc=net, which is the structure for the groupOfUniqueNames group standard.
The group-role-attributes setting is how the group/role name is extracted. For example, all entries that pass the filter will then have their cn (common name) attribute returned as the role name.

If you want to use a username instead of a user DN for group membership, you can specify {1} instead of {0} in the group-search-filter parameter.
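The resolution steps above, modelled in an added Python example (not Fiat's own code): the root DN comes from the url, the user DN from user-dn-pattern, {0} or {1} is substituted into group-search-filter, and the group-role-attributes attribute (default cn) is read from each matching group under group-search-base. The directory is constructed sample data, and the single-clause equality filter matcher and the memberUid attribute used for username-based membership are assumptions of this example.

```python
from urllib.parse import urlparse

# Constructed sample directory: DN -> attributes (attribute values are lists).
DIRECTORY = {
    "uid=joe,ou=users,dc=mydomain,dc=net": {"uid": ["joe"]},
    "cn=deployers,ou=groups,dc=mydomain,dc=net": {
        "cn": ["deployers"],
        "uniqueMember": ["uid=joe,ou=users,dc=mydomain,dc=net"]},
    "cn=ops,ou=groups,dc=mydomain,dc=net": {
        "cn": ["ops"], "memberUid": ["joe"]},  # username-based membership
    "cn=admins,ou=other,dc=mydomain,dc=net": {  # outside group-search-base
        "cn": ["admins"],
        "uniqueMember": ["uid=joe,ou=users,dc=mydomain,dc=net"]},
}

def root_dn(url):
    """ldaps://my.server/a/b/c -> a/b/c (the path component of the url)."""
    return urlparse(url).path.lstrip("/")

def user_dn(username, user_dn_pattern, base):
    """Expand user-dn-pattern (e.g. uid={0},ou=users) under the root DN."""
    return f"{user_dn_pattern.format(username)},{base}"

def match_equality(attrs, filt):
    """Evaluate one equality filter clause such as (uniqueMember=<dn>)."""
    attr, _, value = filt.strip("()").partition("=")
    return value in attrs.get(attr, [])

def roles_for(username, cfg, directory=DIRECTORY):
    """Return the role names Fiat would derive for username from cfg."""
    base = root_dn(cfg["url"])
    dn = user_dn(username, cfg["user-dn-pattern"], base)
    search_base = f"{cfg['group-search-base']},{base}"
    # {0} is the user's full DN, {1} the bare username.
    filt = cfg["group-search-filter"].replace("{0}", dn).replace("{1}", username)
    role_attr = cfg.get("group-role-attributes", "cn")
    roles = []
    for entry_dn, attrs in directory.items():
        # Only entries under group-search-base are considered.
        if entry_dn.endswith("," + search_base) and match_equality(attrs, filt):
            roles.extend(attrs.get(role_attr, []))
    return sorted(roles)
```

With the sample configuration, joe resolves to the deployers role via uniqueMember={0}; switching the filter to (memberUid={1}) resolves him to ops instead, and the admins group outside ou=groups is never returned.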
To see the internals (can be useful for debugging):