Introduction

OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP), a standard application protocol to access and control the information shared during Internet connections.

OpenLDAP provides a secure and single authentication method for all the services you use and manage in your organization. Instead of managing the authentication by manually creating the users and passwords of each member in the team, LDAP will store the users, groups, and permissions information being transparent to the users of those services.

This guide shows how to create an OpenLDAP server on a Kubernetes cluster using the Bitnami OpenLDAP container. In addition, it explains how to enable LDAP as the authentication method on a Kubernetes deployment. It uses the MariaDB Galera cluster as an example, but you can follow these instructions to use the OpenLDAP server for authentication with any other application running in the cluster.

With this guide, you will get a development environment to test the OpenLDAP authentication up and running. For production environments, administrators will provide a custom configuration depending on the infrastructure where your organization is managing all its services and deployments.

Assumptions and prerequisites

This guide explains how to run an OpenLDAP server on your Kubernetes cluster using Bitnami containers. It also shows you how to deploy a MariaDB Galera cluster and integrate it with the OpenLDAP server for user authentication. This guide uses the VMware Tanzu Application Catalog(TM) Helm chart demo repository, but you can also use the MariaDB Galera Helm chart available in the Bitnami Community Catalog.

This tutorial assumes that:

• You have a Kubernetes cluster. Check out our Getting Started with Kubernetes guides for an easy way to get started with one.
• You have Helm 3 installed.
• You have the jq command line tool installed in your local machine.
• You are using the default namespace for your deployments.

Step 1: Create and install the OpenLDAP server on your cluster

To begin the process you need to create the required yaml files to run the OpenLDAP server on your cluster. This example uses some Kubernetes manifest files that will run the Bitnami OpenLDAP container image and sets custom values to create an OpenLDAP secret with a set of dummy user accounts and passwords. Follow these instructions:

• Make sure that you can connect to your Kubernetes cluster by executing the command below:

  kubectl cluster-info
  

• Create a file named deployment.yaml with the content below:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: openldap
  labels:
    app.kubernetes.io/name: openldap
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: openldap
  replicas: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: openldap
    spec:
      containers:
        - name: openldap
          image: docker.io/bitnami/openldap:latest
          imagePullPolicy: "Always"
          env:
            - name: LDAP_ADMIN_USERNAME
              value: "admin"
            - name: LDAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: adminpassword
                  name: openldap
            - name: LDAP_USERS
              valueFrom:
                secretKeyRef:
                  key: users
                  name: openldap
            - name: LDAP_PASSWORDS
              valueFrom:
                secretKeyRef:
                  key: passwords
                  name: openldap
          ports:
            - name: tcp-ldap
              containerPort: 1389

• Create a file named svc.yaml with the following parameters:

apiVersion: v1
kind: Service
metadata:
  name: openldap
  labels:
    app.kubernetes.io/name: openldap
spec:
  type: ClusterIP
  ports:
    - name: tcp-ldap
      port: 1389
      targetPort: tcp-ldap
  selector:
    app.kubernetes.io/name: openldap

• Create a secret containing the OpenLDAP users and passwords that your deployments will use by running the command below:

  kubectl create secret generic openldap --from-literal=adminpassword=adminpassword --from-literal=users=user01,user02 --from-literal=passwords=password01,password02
  

• Install OpenLDAP on your cluster by executing the following:

  kubectl create -f deployment.yaml
  kubectl create -f svc.yaml
  

The OpenLDAP server is now created on your cluster and ready to be used as the authentication method for your application deployments. You can run the kubectl get service command to make sure that OpenLDAP was correctly enabled.

Step 2: Deploy the MariaDB Galera cluster with LDAP authentication enabled

To test that the cluster uses OpenLDAP as the authentication method, run a deployment with the LDAP authentication enabled. To simplify the process, this guide uses the Bitnami MariaDB Galera Helm chart from the VMware Tanzu Application Catalog(TM) demo repository. You can also use the MariaDB Galera Helm chart community version. Follow the steps below:

• Add the VMware Tanzu Application Catalog(TM) Helm repository and search for the MariaDB Galera Helm chart as shown below:

  helm repo add demo https://charts.app-catalog.vmware.com/demo
  helm search repo -l demo/mariadb-galera
  

• Once you get the MariaDB Galera chart, edit the values.yaml file to enable LDAP authentication for your MariaDB Galera deployment as follows:

  • Edit the "Custom db configuration" section to add one of the LDAP users created in the previous step (e.g. user01). Thus, any interaction with the database will be processed using the LDAP user and its password.

  ## Custom db configuration
  ##
  db:
    ## MariaDB username and password
    ## Password is ignored if existingSecret is specified.
    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mariadb-galera#creating-a-database-user-on-first-run
    ##
    user: "user01"
    password: ""
    ## Database to create
    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mariadb-galera#creating-a-database-on-first-run
    ##
    name: my_database
    ## Option to force users to specify a password. That is required for 'helm upgrade' to work properly.
    ## If it is not force, a random password will be generated.
    ##
    forcePassword: false
  

  • Set the following parameters in the LDAP configuration section:

    • Enable the LDAP configuration by changing this value from false to true.
    • Specify a URL to connect to a LDAP server that will manage all the authentication process.
    • Provide some credentials so MariaDB Galera can see the server for this authentication process.

    The LDAP section of the values.yaml file should look similar to this.

  ## LDAP configuration
  ##
  ldap:
    ## Enable LDAP support
    ##
    enabled: true
    uri: ldap://openldap.default.svc.cluster.local:1389
    base: dc=example,dc=org
    binddn: cn=admin,dc=example,dc=org
    bindpw: adminpassword
  

• Install the chart with the parameters provided.

  helm install -f values.yaml my-release demo/mariadb-galera
  

The deployment of the chart takes several minutes. Once the chart is installed, you will see a set of useful commands for getting the root database password, connecting to the database, connecting to the database from outside the cluster, or upgrading the chart.

You can check the status of the deployment by running the following command.

kubectl get sts -l app.kubernetes.io/instance=my-release -w

Check all the services that are running on your cluster by using the command below:

kubectl get service

Step 3: Test the integration between OpenLDAP and the MariaDB Galera Cluster

To test the integration between OpenLDAP and MariaDB Galera, you can connect to the database using a MySQL client and authenticate the connection with a user account from the OpenLDAP directory.

• Obtain the OpenLDAP users and passwords that will be used to connect to the database. To do so, execute the command below:

  echo "$(kubectl get secret openldap -n default -o json | jq -r .data.users | base64 --decode)"
  echo "$(kubectl get secret openldap -n default -o json | jq -r .data.passwords | base64 --decode)"
  

  You should see an output message similar to this:

• Use a MySQL client to connect to the MariaDB Galera service by running the following commands:

  kubectl run mariadb-galera-client --rm --tty -i --restart='Never' --namespace default --image gcr.io/sys-2b0109it/demo/bitnami/mariadb-galera:10.4.13-centos-7-r20 --command -- bash
  

  • To run a MySQL client, execute the following command which specifies the user and the password to use for connecting to the database. The example below specifies the user01 and password01 which were among the list of user accounts set when deploying the OpenLDAP server:

  mysql -h my-release-mariadb-galera -u user01 -ppassword01 my_database
  

• To check that MariaDG Galera used the OpenLDAP server for authentication, review the OpenLDAP server logs. Run the following command, remembering to replace OPENLDAP-POD-NAME with the name of the OpenLDAP pod (you can obtain the pod name using kubectl get pods).

  kubectl logs OPENLDAP-POD-NAME
  

  You will see an output message similar to this:

As you can see in the image above, the server has processed the authentication against the database with 0 errors with the user01 user and its associated password from the OpenLDAP directory.

You can now follow a similar approach to integrate other applications with the OpenLDAP directory and have all authentication operations managed by the OpenLDAP server in a secure and compliant way.

Useful links

• OpenLDAP official site
• Kubernetes Authentication
• VMware Tanzu Application Catalog(TM)
• Bitnami Helm charts catalog
• Bitnami OpenLDAP container image
• Backup and Restore MariaDB Galera Deployments on Kubernetes