LDAP Security Provider

You can use your existing LDAP server for authentication/authorization on the Management Center.

See Management Center Documentation for more detailed information.

Setting Up the LDAP Security Provider

To set up LDAP, you need to configure the securityProvider.ldap section in the Management Center CR. The following are the required fields to configure the LDAP Security provider.

Field Description

url

URL of your LDAP server, including schema (ldap://) and port.

credentialsSecretName

The name of the secret that contains username and password keys of a user that has admin privileges on the LDAP server. The username must be the must be the distinguished name (DN) of the user. It is used to connect to the server when authenticating users.

userDN

DN to be used for searching users.

groupDN

DN to be used for searching groups.

adminGroups

Members of these groups and its nested groups have admin privileges on the Management Center.

userGroups

Members of these groups and its nested groups have read and write privileges on the Management Center.

readonlyUserGroups

Members of these groups and its nested groups have only read privilege on the Management Center.

metricsOnlyGroups

Members of these groups and its nested groups have the privilege to see only the metrics on the Management Center.

userSearchFilter

LDAP search filter expression to search for the users.

groupSearchFilter

LDAP search filter expression to search for the groups.

Example Management Center LDAP Configuration

The following is an example configuration for the LDAP Security Provider:

apiVersion: hazelcast.com/v1alpha1
kind: ManagementCenter
metadata:
  name: managementcenter
spec:
  repository: "hazelcast/management-center"
  licenseKeySecretName: hazelcast-license-key
  securityProvider:
    ldap:
      credentialsSecretName: ldap-credentials
      groupDN: ou=groups,dc=example,dc=org
      groupSearchFilter: member={0}
      nestedGroupSearch: false
      url: ldap://ldap-server-url:1389
      userDN: ou=groups,dc=example,dc=org
      userGroups:
      - users
      metricsOnlyGroups:
      - metrics
      adminGroups:
      - admins
      readonlyUserGroups:
      - readers
      userSearchFilter: cn={0}

The following example shows how to create a Secret for the LDAP credentials.

$ kubectl create secret generic ldap-credentials --from-literal=username="cn=admin,dc=example,dc=org" --from-literal=password="adminpassword"
$ kubectl get secret ldap-credentials -o=yaml
apiVersion: v1
data:
  password: YWRtaW5wYXNzd29yZA==
  username: Y249YWRtaW4sZGM9ZXhhbXBsZSxkYz1vcmc=
kind: Secret
metadata:
  creationTimestamp: "2023-10-11T10:51:37Z"
  name: ldap-credentials
  namespace: default
  resourceVersion: "59391"
  uid: 299e5d42-4c72-4877-9a99-c6ffa3c68d07
type: Opaque