OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP), a standard application protocol for querying and modifying the entries of a directory service over an IP network.
OpenLDAP gives the services you run and manage in your organization a single, central source of identity. Instead of creating and maintaining user accounts and passwords separately in each service, LDAP stores users, groups and group membership in one directory, and the services authenticate against it transparently to their users.
This guide shows how to create an OpenLDAP server on a Kubernetes cluster using the Bitnami OpenLDAP container. In addition, it explains how to enable LDAP as the authentication method on a Kubernetes deployment. It uses the MariaDB Galera cluster as an example, but you can follow these instructions to use the OpenLDAP server for authentication with any other application running in the cluster.
With this guide, you will get a development environment for testing OpenLDAP authentication up and running. For production environments, administrators need a hardened configuration (at minimum TLS for the LDAP connections, a dedicated read-only bind account and properly managed secrets) that depends on the infrastructure where your organization runs its services and deployments.
Assumptions and prerequisites
This guide explains how to run an OpenLDAP server on your Kubernetes cluster using Bitnami containers. It also shows you how to deploy a MariaDB Galera cluster and integrate it with the OpenLDAP server for user authentication. This guide uses the VMware Tanzu Application Catalog (TAC) Helm chart demo repository, but you can also use the MariaDB Galera Helm chart available in the Bitnami Community Catalog.
This tutorial assumes that:
- You have a Kubernetes cluster. Check out our Getting Started with Kubernetes guides for an easy way to get started with one.
- You have Helm 3 installed.
- You have the jq command line tool installed on your local machine.
- You are using the default namespace for your deployments.
Step 1: Create and install the OpenLDAP server on your cluster
To begin, create the YAML files needed to run the OpenLDAP server on your cluster. This example uses Kubernetes manifests that run the Bitnami OpenLDAP container image and read the administrator password and a set of dummy user accounts and passwords from a Kubernetes Secret. Follow these instructions:
Make sure that you can connect to your Kubernetes cluster with kubectl.
Create a file named deployment.yaml with the content below:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openldap
  labels:
    app.kubernetes.io/name: openldap
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: openldap
  replicas: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: openldap
    spec:
      containers:
        - name: openldap
          image: docker.io/bitnami/openldap:latest
          imagePullPolicy: "Always"
          env:
            - name: LDAP_ADMIN_USERNAME
              value: "admin"
            - name: LDAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: adminpassword
                  name: openldap
            - name: LDAP_USERS
              valueFrom:
                secretKeyRef:
                  key: users
                  name: openldap
            - name: LDAP_PASSWORDS
              valueFrom:
                secretKeyRef:
                  key: passwords
                  name: openldap
          ports:
            - name: tcp-ldap
              containerPort: 1389
```

The manifest takes the administrator password and the lists of users and passwords from a Secret named openldap (created in a later step), so none of them is stored in the manifest itself. Note that it pulls docker.io/bitnami/openldap:latest with imagePullPolicy "Always", so every pod restart may pull a different image; pin a specific tag or digest for anything beyond a throwaway test.
Create a file named svc.yaml with the following parameters:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: openldap
  labels:
    app.kubernetes.io/name: openldap
spec:
  type: ClusterIP
  ports:
    - name: tcp-ldap
      port: 1389
      targetPort: tcp-ldap
  selector:
    app.kubernetes.io/name: openldap
```
Create a secret containing the OpenLDAP users and passwords that your deployments will use by running the command below:
```shell
kubectl create secret generic openldap --from-literal=adminpassword=adminpassword --from-literal=users=user01,user02 --from-literal=passwords=password01,password02
```

The command above uses adminpassword as the administrator password; choose whichever value suits your needs. If you change it, remember to specify the new value in the ldap.bindpw parameter of the values.yaml file when deploying the MariaDB Galera chart. Passing passwords with --from-literal leaves them in your shell history; for anything other than a throwaway test, read them from files with --from-file instead.
Install OpenLDAP on your cluster by executing the following:
```shell
kubectl create -f deployment.yaml
kubectl create -f svc.yaml
```
The OpenLDAP server is now running on your cluster and ready to be used as the authentication backend for your application deployments. Run kubectl get service to confirm that the openldap Service exists, and kubectl get pods to confirm that the pod has reached the Running state.
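Before wiring an application to the directory, it is worth confirming that the server accepts the test credentials directly, with nothing but an LDAP simple bind, which is the operation every LDAP-backed login ultimately performs. The following Python script is an added example written for this guide; it is not part of the original page or of the Bitnami project. It encodes an LDAPv3 BindRequest by hand (RFC 4511, BER), sends it to the openldap Service and decodes the BindResponse, using only the standard library. It assumes the Bitnami image's default layout, in which the users created from LDAP_USERS live under ou=users beneath the root dc=example,dc=org, so user01 is cn=user01,ou=users,dc=example,dc=org; adjust the DN and host if your directory differs. The two response messages at the end are constructed for offline checks, not real captures.

```python
# LDAPv3 simple bind client (RFC 4511) using only the Python standard library.
# Added example for this guide, not code from the page or the Bitnami project.
# Assumption: the Bitnami image creates LDAP_USERS under ou=users below the root
# dc=example,dc=org, so user01 is cn=user01,ou=users,dc=example,dc=org.
import socket

TAG_SEQUENCE = 0x30       # LDAPMessage and BindRequest bodies
TAG_INTEGER = 0x02        # messageID, version
TAG_OCTET_STRING = 0x04   # LDAPDN / LDAPString
TAG_ENUMERATED = 0x0A     # resultCode
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice simple [0], primitive
RESULT_CODES = {0: "success", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 53: "unwillingToPerform"}

def _ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _ber_length(len(value)) + value

def _ber_integer(n):
    # minimal two's-complement encoding, enough for messageID and version
    return _tlv(TAG_INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def build_bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = (_ber_integer(3) + _tlv(TAG_OCTET_STRING, dn.encode())
            + _tlv(TAG_SIMPLE_AUTH, password.encode()))
    return _tlv(TAG_SEQUENCE, _ber_integer(message_id) + _tlv(TAG_BIND_REQUEST, bind))

def _read_tlv(buf, pos, want=None):
    """Return (tag, value, next position) for the element at pos; check the tag if want is given."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next N octets hold the length
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if want is not None and tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg):
    """Return (message_id, result_code, diagnostic_message) from a BindResponse."""
    _, body, _ = _read_tlv(msg, 0, TAG_SEQUENCE)
    _, mid, pos = _read_tlv(body, 0, TAG_INTEGER)
    _, op, _ = _read_tlv(body, pos, TAG_BIND_RESPONSE)
    _, code, pos = _read_tlv(op, 0, TAG_ENUMERATED)
    _, _matched_dn, pos = _read_tlv(op, pos, TAG_OCTET_STRING)
    _, diag, _ = _read_tlv(op, pos, TAG_OCTET_STRING)
    return (int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))

def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        data += chunk
    return data

def _recv_message(sock):
    """Read exactly one BER element: 2-byte header, optional long-form length, body."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)

def ldap_simple_bind(host, port, dn, password, timeout=5.0):
    """Perform one simple bind; returns (result_code, result_name, diagnostic_message)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, dn, password))
        _, code, diag = parse_bind_response(_recv_message(sock))
    return code, RESULT_CODES.get(code, f"code {code}"), diag

# Constructed BindResponse messages (messageID 1) used for offline checks, not real captures.
SAMPLE_BIND_OK = bytes.fromhex("300c02010161070a010004000400")   # resultCode 0
SAMPLE_BIND_BAD = bytes.fromhex("300c02010161070a013104000400")  # resultCode 49

if __name__ == "__main__":
    # From a pod in the cluster, or locally after: kubectl port-forward svc/openldap 1389:1389
    print(ldap_simple_bind("openldap.default.svc.cluster.local", 1389,
                           "cn=user01,ou=users,dc=example,dc=org", "password01"))
```

A result code of 0 means the directory accepted the password; 49 (invalidCredentials) is what slapd returns both for a wrong password and for a DN that does not exist, so it does not by itself tell you which. Notice also that the encoded BindRequest contains the password verbatim: a simple bind over ldap:// sends it in clear text, which is exactly what MariaDB Galera's bind password and every user password will do with the Step 2 configuration. That is acceptable on a test cluster; in production, expose the directory over TLS.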
Step 2: Deploy the MariaDB Galera cluster with LDAP authentication enabled
To test that the cluster uses OpenLDAP as the authentication method, run a deployment with the LDAP authentication enabled. To simplify the process, this guide uses the Bitnami MariaDB Galera Helm chart from the TAC demo repository. You can also use the MariaDB Galera Helm chart community version. Follow the steps below:
Add the TAC Helm repository and search for the MariaDB Galera Helm chart as shown below:
```shell
helm repo add demo https://charts.trials.tac.bitnami.com/demo
helm search repo -l demo/mariadb-galera
```
Once you have located the chart, download its values.yaml file and edit it to enable LDAP authentication for your MariaDB Galera deployment as follows:
- Edit the "Custom db configuration" section to set the database user to one of the LDAP users created in the previous step (e.g. user01) and leave its password empty. The chart creates that database user with authentication delegated to the directory, so any connection as user01 is validated with the password stored in OpenLDAP rather than one stored in MariaDB.
```yaml
## Custom db configuration
##
db:
  ## MariaDB username and password
  ## Password is ignored if existingSecret is specified.
  ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-user-on-first-run
  ##
  user: "user01"
  password: ""
  ## Database to create
  ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-on-first-run
  ##
  name: my_database
  ## Option to force users to specify a password. That is required for 'helm upgrade' to work properly.
  ## If it is not forced, a random password will be generated.
  ##
  forcePassword: false
```
Set the following parameters in the LDAP configuration section:
- Enable the LDAP configuration by changing this value from false to true.
- Specify the URI of the LDAP server that will handle the authentication requests.
- Provide the bind DN and password that MariaDB Galera uses to connect to the directory and look up user entries.
The LDAP section of the values.yaml file should look similar to this. Two points matter for anything beyond a test: ldap:// carries the bind password and every user password in clear text across the cluster network, so a production setup should expose the directory over ldaps:// (or StartTLS); and binding as cn=admin gives MariaDB Galera full write access to the directory, whereas a dedicated read-only account is all it needs for lookups.

```yaml
## LDAP configuration
##
ldap:
  ## Enable LDAP support
  ##
  enabled: true
  uri: ldap://openldap.default.svc.cluster.local:1389
  base: dc=example,dc=org
  binddn: cn=admin,dc=example,dc=org
  bindpw: adminpassword
```
Install the chart with the parameters provided.
helm install -f values.yaml my-release demo/mariadb-galera
The deployment of the chart takes several minutes. Once the chart is installed, you will see a set of useful commands for getting the root database password, connecting to the database, connecting to the database from outside the cluster, or upgrading the chart.
You can check the status of the deployment by running the following command.
kubectl get sts -l app.kubernetes.io/instance=my-release -w
Check all the services that are running on your cluster by using the command below:
kubectl get service
Step 3: Test the integration between OpenLDAP and the MariaDB Galera Cluster
To test the integration between OpenLDAP and MariaDB Galera, you can connect to the database using a MySQL client and authenticate the connection with a user account from the OpenLDAP directory.
Obtain the OpenLDAP users and passwords that will be used to connect to the database. To do so, execute the command below:
```shell
echo "$(kubectl get secret openldap -n default -o json | jq -r .data.users | base64 --decode)"
echo "$(kubectl get secret openldap -n default -o json | jq -r .data.passwords | base64 --decode)"
```

Because the secret was created in Step 1 with those literal values, the output is:
user01,user02
password01,password02
Use a MySQL client to connect to the MariaDB Galera service by running the following commands:
kubectl run mariadb-galera-client --rm --tty -i --restart='Never' --namespace default --image gcr.io/sys-2b0109it/demo/bitnami/mariadb-galera:10.4.13-centos-7-r20 --command -- bash
- To run a MySQL client, execute the following command, which specifies the user and the password to use for connecting to the database. The example below uses user01 and password01, one of the account/password pairs set when deploying the OpenLDAP server. Giving the password inline as -ppassword01 is convenient for a test but leaves it in the shell history of the client pod; pass -p on its own to be prompted for it instead.
mysql -h my-release-mariadb-galera -u user01 -ppassword01 my_database
To check that MariaDB Galera used the OpenLDAP server for authentication, review the OpenLDAP server logs. Run the following command, remembering to replace OPENLDAP-POD-NAME with the name of the OpenLDAP pod (you can obtain the pod name using kubectl get pods).
kubectl logs OPENLDAP-POD-NAME
In the output, look for the BIND operation on the user01 entry and the RESULT line that follows it for the same conn= and op= identifiers. An err=0 result means the server accepted the password that MariaDB Galera forwarded, so the authentication was performed against the OpenLDAP directory as intended; a wrong password shows up instead as err=49 (invalidCredentials).
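To review the logs systematically rather than by eye, the script below pairs each BIND operation with its RESULT line using the conn= and op= identifiers that slapd prints at the stats log level, and counts successful and failed binds per DN. It is an added example for this guide, not code from the original page or from OpenLDAP. The log lines it embeds are constructed to match slapd's stats format (the hexadecimal timestamp prefix, client IP and connection numbers are illustrative) and represent the admin bind and user search performed on MariaDB Galera's behalf, one successful and one failed bind for user01, and a bind for a nonexistent user.

```python
# Audit slapd stats-level logs (loglevel 256) by pairing each BIND with its RESULT.
# Added example for this guide, not code from the page or from OpenLDAP.
import re
from collections import defaultdict

# Constructed sample in slapd's stats format; the hex timestamp prefix is illustrative.
SAMPLE_LOG = """\
5f2b0a01 conn=1000 fd=12 ACCEPT from IP=10.244.1.7:41230 (IP=0.0.0.0:1389)
5f2b0a01 conn=1000 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128
5f2b0a01 conn=1000 op=0 BIND dn="cn=admin,dc=example,dc=org" mech=SIMPLE ssf=0
5f2b0a01 conn=1000 op=0 RESULT tag=97 err=0 text=
5f2b0a01 conn=1000 op=1 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=user01))"
5f2b0a01 conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
5f2b0a02 conn=1001 op=0 BIND dn="cn=user01,ou=users,dc=example,dc=org" method=128
5f2b0a02 conn=1001 op=0 BIND dn="cn=user01,ou=users,dc=example,dc=org" mech=SIMPLE ssf=0
5f2b0a02 conn=1001 op=0 RESULT tag=97 err=0 text=
5f2b0a03 conn=1002 op=0 BIND dn="cn=user01,ou=users,dc=example,dc=org" method=128
5f2b0a03 conn=1002 op=0 RESULT tag=97 err=49 text=
5f2b0a04 conn=1003 op=0 BIND dn="cn=nobody,ou=users,dc=example,dc=org" method=128
5f2b0a04 conn=1003 op=0 RESULT tag=97 err=49 text=
"""

# The line with method=128 carries the DN; the later mech=SIMPLE line for the same op is skipped.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
# tag=97 is the BindResponse tag, so this RESULT line closes a bind operation.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

def audit_binds(log_text):
    """Return [(dn, err), ...] for every bind that received a RESULT, in log order."""
    pending = {}   # (conn, op) -> DN of a bind still awaiting its RESULT
    completed = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None:
                completed.append((dn, int(m.group(3))))
    return completed

def summarize(binds):
    """Per-DN counts of successful (err=0) and failed binds."""
    counts = defaultdict(lambda: {"ok": 0, "failed": 0})
    for dn, err in binds:
        counts[dn]["ok" if err == 0 else "failed"] += 1
    return dict(counts)

def dns_with_failures(binds, threshold=1):
    """DNs with at least `threshold` failed binds; a crude password-guessing indicator."""
    return sorted(dn for dn, c in summarize(binds).items() if c["failed"] >= threshold)

if __name__ == "__main__":
    import sys
    # Pipe real output in:  kubectl logs OPENLDAP-POD-NAME | python3 audit_binds.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for dn, c in summarize(audit_binds(text)).items():
        print(f"{dn}: ok={c['ok']} failed={c['failed']}")
```

The pairing by (conn, op) matters because slapd interleaves lines from concurrent connections, so the RESULT line directly below a BIND line is not necessarily its result. Run against the sample, the summary shows one successful bind for cn=admin, one successful and one failed bind for user01, and one failure for the nonexistent user; the same counts over a real log make a burst of err=49 results for a single DN easy to spot.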
You can now follow a similar approach to integrate other applications with the OpenLDAP directory, so that all of them authenticate users against the single directory managed by the OpenLDAP server.