LDAP Security Provider
This topic explains how to use your existing LDAP server for authentication/authorization in Management Center.
Hazelcast supports authentication and authorization against Lightweight Directory Access Protocol (LDAP) servers. You can use Hazelcast Operator to configure Management Center to use an LDAP server. For more information about using LDAP in the Management Center, see the Management Center Documentation.
Setting Up the LDAP security provider
You can configure either LDAP or LDAP over TLS (or LDAPS). To set up:
-
LDAP — configure the
securityProvider.ldapsection in the Management Center CR -
LDAP over TLS (or LDAPS)
-
Create a secret (the
secretName) that contains the certificate and key. The operator will set up TrustStore and KeyStore automatically. If you do not create the secretName, a validation error will occur -
Configure the
securityProvider.ldap.tlssection in the Management Center CR
-
Use the following fields to configure the LDAP security provider:
| Field | Description |
|---|---|
|
URL of your LDAP server, including schema (ldap://) and port. |
|
Configuration for TLS:
|
|
The name of the secret that contains |
|
DN to be used for searching users. |
|
DN to be used for searching groups. |
|
Members of these groups and its nested groups have admin privileges on the Management Center. |
|
Members of these groups and its nested groups have read and write privileges on the Management Center. |
|
Members of these groups and its nested groups have only read privilege on the Management Center. |
|
Members of these groups and its nested groups have the privilege to see only the metrics on the Management Center. |
|
LDAP search filter expression to search for the users. |
|
LDAP search filter expression to search for the groups. |
Example Management Center LDAP configuration
The following example shows how to create a Secret for the LDAP credentials:
$ kubectl create secret generic ldap-credentials --from-literal=username="cn=admin,dc=example,dc=org" --from-literal=password="adminpassword"
$ kubectl get secret ldap-credentials -o=yaml
apiVersion: v1
data:
password: YWRtaW5wYXNzd29yZA==
username: Y249YWRtaW4sZGM9ZXhhbXBsZSxkYz1vcmc=
kind: Secret
metadata:
creationTimestamp: "2023-10-11T10:51:37Z"
name: ldap-credentials
namespace: default
resourceVersion: "59391"
uid: 299e5d42-4c72-4877-9a99-c6ffa3c68d07
type: OpaqueThe following example shows how to create the secret for LDAP/TLS:
$ kubectl create secret tls mc-ldap-secret --cert=ca.crt --key=ca.keykgpThe following is an example configuration for the LDAP security provider:
apiVersion: hazelcast.com/v1alpha1
kind: ManagementCenter
metadata:
name: managementcenter
spec:
repository: "hazelcast/management-center"
licenseKeySecretName: hazelcast-license-key
securityProvider:
ldap:
credentialsSecretName: ldap-credentials
groupDN: ou=groups,dc=example,dc=org
groupSearchFilter: member={0}
nestedGroupSearch: false
url: ldap://ldap-server-url:1389
userDN: ou=groups,dc=example,dc=org
userGroups:
- users
metricsOnlyGroups:
- metrics
adminGroups:
- admins
readonlyUserGroups:
- readers
userSearchFilter: cn={0}The following is an example configuration for the LDAP over TLS (or LDAPS) security provider:
apiVersion: hazelcast.com/v1alpha1
kind: ManagementCenter
metadata:
name: managementcenter
spec:
repository: 'hazelcast/management-center'
licenseKeySecretName: hazelcast-license-key
securityProvider:
ldap:
tls:
secretName: mc-ldap-secret
startTLS: true
credentialsSecretName: ldap-credentials
groupDN: ou=users,dc=example,dc=org
groupSearchFilter: member={0}
nestedGroupSearch: false
url: ldap://34.118.236.200:1389
userDN: ou=users,dc=example,dc=org
userGroups:
- readers
metricsOnlyGroups:
- readers
adminGroups:
- readers
readonlyUserGroups:
- readers
userSearchFilter: cn={0}