Control Access to HTTP Resources with NGINX and LDAP on Kubernetes

Introduction

NGINX is a popular open-source Web server that offers high performance and scalability. It powers 25% of the biggest websites, including websites such as Dropbox and Netflix, and supports HTTP/2, SSL/TLS, load balancing and fault tolerance. The easiest way to deploy NGINX on Kubernetes is with Bitnami's NGINX Helm chart, which provides a secure and up-to-date version of NGINX that is also packaged in accordance with current best practices.

One of the interesting features of this chart is the inclusion of an LDAP authentication daemon, which can be used to authenticate HTTP requests using an LDAP directory. This allows NGINX users to secure and protect Web applications (or other HTTP resources) by enforcing prevailing organizational roles/groups/privileges and reusing existing LDAP infrastructure.

This article walks you through the process of protecting Web resources with NGINX on Kubernetes using Bitnami's NGINX Helm chart and Bitnami's OpenLDAP container image.

Assumptions and prerequisites

This article assumes that you have a Kubernetes cluster running with Helm v3.x and kubectl installed. Learn more about getting started with Kubernetes and Helm using different cloud providers.

Step 1: Deploy OpenLDAP on Kubernetes

Tip

If you already have an LDAP directory, you can use that instead and skip to Step 2.

The first step is to set up an LDAP server and seed it with a few user accounts. An easy way to do this is to use Bitnami's OpenLDAP container image, which provides an updated, secure OpenLDAP server and also creates a set of default users.

  • Deploy the Bitnami OpenLDAP container image in a pod on your cluster:

    kubectl run ldap --image=bitnami/openldap --port=1389
    

    By default, the OpenLDAP server is initialized with an administrator account named admin and a default password set to adminpassword. These default values can be adjusted via the LDAP_ADMIN_USERNAME and LDAP_ADMIN_PASSWORD environment variables of the container.

  • Create a Kubernetes service for the OpenLDAP deployment:

    kubectl expose deployment ldap --port=1389 --target-port=1389
    

    The previous command creates a Kubernetes service named ldap on port 1389 (the default port used by the OpenLDAP server in the container image) of the cluster.

  • Confirm that the pod and service are both running:

    kubectl get svc | grep ldap
    kubectl get pods | grep ldap
    

Step 2: Deploy NGINX on Kubernetes

The next step is to deploy NGINX on Kubernetes. Bitnami's NGINX Helm chart includes LDAP authentication support, but this feature is disabled by default. To enable this feature, you must provide additional configuration values so that the LDAP authentication daemon is able to connect to your LDAP service.

  • Begin by creating a values.yaml file with the following configuration:

    ldapDaemon:
      enabled: true
      nginxServerBlock: |-
        server {
            listen 0.0.0.0:{{ .Values.containerPort }};

            # You can provide a special subPath or the root
            location = / {
                auth_request /auth-proxy;
            }

            location = /auth-proxy {
                internal;

                proxy_pass http://127.0.0.1:{{ .Values.ldapDaemon.port }};

                # URL and port for connecting to the LDAP server
                proxy_set_header X-Ldap-URL "ldap://ldap:1389";

                # Base DN
                proxy_set_header X-Ldap-BaseDN "dc=example,dc=org";

                # Bind DN
                proxy_set_header X-Ldap-BindDN "cn=admin,dc=example,dc=org";

                # Bind password
                proxy_set_header X-Ldap-BindPass "adminpassword";
            }
        }

    In this configuration:

    • The ldapDaemon.enabled parameter enables the LDAP authentication daemon.
    • The ldapDaemon.nginxServerBlock parameter defines an additional NGINX server block for LDAP authentication. Requests for the protected location are checked with auth_request against the internal /auth-proxy location, which forwards them to the daemon. Within that location, the proxy_set_header directives configure the parameters for the LDAP directory search: the LDAP server URL and port, the base DN, the bind DN and the bind password. In this case, these directives are set to match the Kubernetes service created in Step 1.

    Tip

    If you are using a different LDAP service, adjust these values to match the service URL, port, bind credentials and base DN of your LDAP service.

  • Add the Bitnami repository to Helm:

    helm repo add bitnami https://charts.bitnami.com/bitnami
    
  • Deploy NGINX using the Bitnami Helm chart and the values.yaml file created above. In this case, the NGINX service is made available at a public IP address using a load balancer.

    helm install nginx bitnami/nginx -f values.yaml --set service.type=LoadBalancer


Step 3: Test the integration

You can now proceed to test the integration, as follows:

  • Obtain the public IP address for the NGINX service:

    kubectl get svc | grep nginx
    
  • Browse to the public IP address. You should be presented with an authentication prompt, as shown below:

    Authentication request

    Enter the credentials for a valid user account in your LDAP directory. For example, if you are using the Bitnami OpenLDAP container image, use one of the pre-seeded example accounts by entering the username user1 and the password bitnami1.

  • If the credentials are correct, authentication succeeds and you should see the NGINX welcome page, as shown below:

    Authentication response

At this point, your NGINX server is integrated with your LDAP directory. You can now proceed to refine the integration by (for example) controlling access to specific HTTP endpoints based on the user's enterprise roles and groups, or by extending the LDAP authentication daemon to support specific use cases.
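To make the round trip configured in Step 2 and exercised in Step 3 concrete, the following is an added Python sketch (not the chart's daemon or any Bitnami code) of what the /auth-proxy subrequest does: read the browser's Basic credentials, look the user up under the configured base DN with the username escaped into the search filter, and answer 200 or 401 so NGINX can allow or reject the original request. The directory is a constructed in-memory stand-in for the OpenLDAP server, and the ou=users DN layout and realm string are assumptions.

```python
import base64
import re

# Constructed stand-in for the OpenLDAP directory seeded in Step 1; it is not an
# LDAP client, just a dict of DN -> attributes (plaintext passwords for the demo only).
DIRECTORY = {
    "cn=user1,ou=users,dc=example,dc=org": {"cn": "user1", "userPassword": "bitnami1"},
    "cn=user2,ou=users,dc=example,dc=org": {"cn": "user2", "userPassword": "bitnami2"},
}

# Value carried by the X-Ldap-BaseDN header in the nginxServerBlock configured in Step 2.
LDAP_CONFIG = {"X-Ldap-BaseDN": "dc=example,dc=org"}

def escape_filter_value(value):
    """RFC 4515 escaping so a submitted username is matched literally in the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def emulated_search(base_dn, ldap_filter, directory):
    """Stand-in for the server evaluating an equality filter '(cn=<value>)'.
    Escaped octets are decoded back, so '*' and parentheses never act as syntax."""
    value = ldap_filter[len("(cn="):-1]
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    for dn, attrs in directory.items():
        if dn.endswith(base_dn) and attrs["cn"] == literal:
            return dn
    return None

def auth_request(headers, config=LDAP_CONFIG, directory=DIRECTORY):
    """Answer the /auth-proxy subrequest with (status, response headers).
    NGINX lets the original request through on 200 and rejects it on 401."""
    challenge = {"WWW-Authenticate": 'Basic realm="Restricted"'}
    authz = headers.get("Authorization", "")
    if not authz.startswith("Basic "):
        return 401, challenge                       # no credentials yet: ask for them
    try:
        user, _, password = base64.b64decode(authz[6:]).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, challenge                       # malformed header
    ldap_filter = "(cn=%s)" % escape_filter_value(user)
    dn = emulated_search(config["X-Ldap-BaseDN"], ldap_filter, directory)
    # An empty password must never pass: a real LDAP bind with no password is anonymous.
    if dn is None or not password or directory[dn]["userPassword"] != password:
        return 401, challenge
    return 200, {}

def basic(user, password):
    """Build the Authorization header a browser sends after the prompt in Step 3."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}
```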

Useful links

To learn more about the topics discussed in this guide, use the links below: