LDAP authentication for database cluster access
You can configure LDAP for database cluster authentication.
- Applies to: Hybrid Manager version 1.2 and later
Prerequisites
- Before you deploy a cluster with an LDAP configuration through the API, an LDAP server must be present in your environment and reachable from the cluster (the examples use an in-cluster service name).
- LDAP only validates user name and password pairs; it does not create roles. Before a user can authenticate via LDAP, a PostgreSQL role with the same name must already exist in the cluster.
Configure LDAP via the API
After setting up the LDAP server, deploy the cluster using the API to configure LDAP authentication.
Creating a new cluster to use LDAP
Before using the REST API, make sure you have a valid access key (sent in the x-access-key header) and that your account holds a role allowed to perform cluster CRUD operations.
For a new cluster, use curl to configure the LDAP server during cluster creation. Update ${KEY} (your access key), ${URL} (the portal hostname), the project ID, and the other parameters in the request before sending it. Two things to change outside a lab: the example passes --insecure, which turns off TLS certificate verification for the connection to the portal (drop it, or pass --cacert with the portal's CA), and the placeholder password must be replaced with a strong one.
```
curl -H "x-access-key: ${KEY}" -H "Content-Type: application/json" --insecure -s \
  "https://${URL}/api/v1/projects/prj_pJ9Ug36492SQhdEQ/clusters" \
  -d '{
    "projectId": "prj_pJ9Ug36492SQhdEQ",
    "psr": {
      "clusterName": "ldap-cluster",
      "password": "111111111111",
      "locationId": "managed-devspatcher",
      "clusterData": {
        "instances": 1,
        "resourceRequest": {
          "requests": { "memory": "2Gi", "cpu": "1" }
        },
        "storageConfiguration": {
          "primaryStorage": { "size": "4" }
        },
        "image": { "url": "<pg_image_url>", "digest": "<pg_image_sha>" },
        "ldapConfig": {
          "enabled": true,
          "config": {
            "hostname": "ldap-service.default.svc.cluster.local",
            "scheme": "ldap",
            "bindAuth": { "prefix": "uid=", "suffix": ",dc=example,dc=org" }
          }
        }
      }
    }
  }'
```
Modify an existing cluster to use LDAP
For an existing cluster, send a PATCH request with an ldapConfig block to configure it for LDAP authentication (the same --insecure caveat applies here):
```
curl -X PATCH -H "x-access-key: ${KEY}" -H "Content-Type: application/json" --insecure -s \
  "https://portal.eks-05220612-main.edbaiplatform.enterprisedb.network/api/v1/projects/prj_sXNNRhwj1YddHslR/clusters/p-lfdghq5gxe" \
  -d '{
    "projectId": "prj_sXNNRhwj1YddHslR",
    "clusterId": "p-lfdghq5gxe",
    "psr": {
      "ldapConfig": {
        "enabled": true,
        "config": {
          "hostname": "ldap-service.default.svc.cluster.local",
          "scheme": "ldap",
          "bindAuth": { "prefix": "uid=", "suffix": ",dc=example,dc=org" }
        }
      }
    }
  }'
```
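The script below is an added example, not code from the Hybrid Manager documentation or product. It wraps the PATCH request above in two shell functions: one builds the JSON body from arguments, refusing values that would break the JSON and restricting scheme to ldap or ldaps, and one sends it with TLS verification left on instead of --insecure. The API path, header and body layout are the ones shown on this page; the KEY environment variable, the CA bundle path and the stand-alone usage line are assumptions.

```shell
#!/bin/sh
# Added example; this is not code from the Hybrid Manager documentation.
# It builds the ldapConfig PATCH body from arguments, rejects values that
# would corrupt the JSON, and sends the request with TLS verification on.
# Assumptions (not stated on the page): the access key is supplied in the
# KEY environment variable and the portal's CA bundle is a PEM file on disk.
set -eu

# Refuse values containing a double quote or a backslash: they are pasted
# into the JSON body without escaping, so a stray quote would corrupt it.
reject_json_unsafe() {
  case "$1" in
    *\"*|*\\*) echo "refusing to embed unescaped value: $1" >&2; return 1 ;;
  esac
}

# Build the JSON body for enabling simple-bind LDAP on an existing cluster.
# Arguments: project_id cluster_id ldap_host scheme prefix suffix
build_ldap_patch_body() {
  for v in "$@"; do reject_json_unsafe "$v" || return 1; done
  case "$4" in
    ldap|ldaps) ;;
    *) echo "scheme must be ldap or ldaps, got: $4" >&2; return 1 ;;
  esac
  printf '{"projectId":"%s","clusterId":"%s","psr":{"ldapConfig":{"enabled":true,"config":{"hostname":"%s","scheme":"%s","bindAuth":{"prefix":"%s","suffix":"%s"}}}}}\n' \
    "$1" "$2" "$3" "$4" "$5" "$6"
}

# Send the PATCH. --cacert names the CA used to verify the portal certificate
# (instead of --insecure) and --fail turns HTTP errors into a non-zero exit.
# Arguments: portal_host project_id cluster_id body [ca_bundle]
patch_cluster_ldap() {
  ca_bundle=${5:-/etc/ssl/certs/ca-certificates.crt}   # assumed location
  : "${KEY:?set KEY to your Hybrid Manager access key}"
  curl --fail --silent --show-error --cacert "$ca_bundle" \
    -X PATCH \
    -H "x-access-key: ${KEY}" \
    -H "Content-Type: application/json" \
    --data-binary "$4" \
    "https://$1/api/v1/projects/$2/clusters/$3"
}

# Stand-alone use (assumed invocation):
#   KEY=... sh enable-ldap.sh <portal_host> <project_id> <cluster_id> <ldap_host>
if [ "$#" -ge 4 ]; then
  body=$(build_ldap_patch_body "$2" "$3" "$4" ldaps 'uid=' ',dc=example,dc=org')
  patch_cluster_ldap "$1" "$2" "$3" "$body"
fi
```

Reading the key from the environment keeps it out of shell history and process listings; the stand-alone path defaults to the ldaps scheme so the PostgreSQL-to-LDAP hop is encrypted from the start.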
Verification
Verify that the cluster's pg_hba.conf file now contains an LDAP entry. For the bind-mode configuration in the examples above it looks like this; ldapserver carries the hostname you configured, and ldapprefix and ldapsuffix carry the bindAuth prefix and suffix:
```
#
# LDAP CONFIGURATION (optional)
#
host all all 0.0.0.0/0 ldap ldapserver="ldap-service.default.svc.cluster.local" ldapscheme="ldap" ldapprefix="uid=" ldapsuffix=",dc=example,dc=org"
```
This entry matches every database, every role and every IPv4 address, and the host type accepts connections with or without TLS. A directory user without a matching PostgreSQL role is still rejected, because PostgreSQL only uses LDAP to check the password of a role that already exists.
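As an added check that is not part of the original documentation, the script below reads a pg_hba.conf and reports every ldap entry whose password path is unencrypted on either hop: client to PostgreSQL (a host entry instead of hostssl or hostgssenc) and PostgreSQL to the directory (ldapscheme other than ldaps without ldaptls=1). It goes beyond the single entry above in that it also classifies each entry as simple-bind or search+bind by the presence of ldapbasedn. The sample pg_hba.conf is constructed for the example; the bind password in it is a placeholder.

```shell
#!/bin/sh
# Added example; not part of the Hybrid Manager documentation. Reads a
# pg_hba.conf and reports, for every TCP entry using the ldap method,
# whether either hop of the password's journey is unencrypted.
set -euf   # -f: no pathname expansion when a line is word-split below

# Audit pg_hba.conf from stdin. Prints one line per host* entry with method
# ldap:
#   WARN <type> <address> <mode>: <issues>   or   OK <type> <address> <mode>
# Issues:
#   client-to-postgres-plaintext  type is host (not hostssl/hostgssenc), so
#                                 the client may send the password in the clear
#   postgres-to-ldap-plaintext    ldapscheme is not ldaps and ldaptls is not 1
#   open-to-all-ipv4              address is 0.0.0.0/0
audit_ldap_hba() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|\#*) continue ;; esac
    set -- $line                  # split: type db user address method opts...
    [ "$#" -ge 5 ] || continue    # local entries have no address field; skip
    [ "$5" = ldap ] || continue
    type=$1 addr=$4 issues=""
    case "$type" in
      hostssl|hostgssenc) ;;
      *) issues="$issues client-to-postgres-plaintext" ;;
    esac
    case "$line" in
      *ldapscheme=ldaps*|*ldapscheme=\"ldaps\"*|*ldaptls=1*) ;;
      *) issues="$issues postgres-to-ldap-plaintext" ;;
    esac
    [ "$addr" != 0.0.0.0/0 ] || issues="$issues open-to-all-ipv4"
    case "$line" in *ldapbasedn=*) mode=search+bind ;; *) mode=simple-bind ;; esac
    if [ -n "$issues" ]; then
      echo "WARN $type $addr $mode:$issues"
    else
      echo "OK $type $addr $mode"
    fi
  done
}

# Number of WARN lines for a pg_hba.conf passed as a string.
weak_ldap_entry_count() {
  printf '%s\n' "$1" | audit_ldap_hba | grep -c '^WARN' || true
}

# Constructed sample pg_hba.conf (not captured from a real cluster): the entry
# from the Verification section, a hardened simple-bind entry, and a
# search+bind entry with a placeholder bind password.
SAMPLE_HBA='#
# LDAP CONFIGURATION (optional)
#
host    all all 0.0.0.0/0  ldap ldapserver="ldap-service.default.svc.cluster.local" ldapscheme="ldap" ldapprefix="uid=" ldapsuffix=",dc=example,dc=org"
hostssl all all 10.0.0.0/8 ldap ldapserver="ldap-service.default.svc.cluster.local" ldapscheme="ldaps" ldapprefix="uid=" ldapsuffix=",dc=example,dc=org"
hostssl all all 10.0.0.0/8 ldap ldapserver="openldap.default.svc.cluster.local" ldapscheme="ldaps" ldapbasedn="ou=org,dc=example,dc=com" ldapbinddn="cn=admin,dc=example,dc=com" ldapbindpasswd="changeme" ldapsearchattribute="uid"
host    all all 10.0.0.0/8 scram-sha-256
local   all all trust'

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_HBA" | audit_ldap_hba
```

On the sample, the entry generated for the examples above is reported with all three issues, while the two hostssl entries using ldaps pass. Run it against a real file with `audit_ldap_hba < /path/to/pg_hba.conf` after the cluster has applied the configuration.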
Bind-and-search mode configuration
In search+bind mode, PostgreSQL first binds to the directory with a fixed account (bindDN and its password), searches under baseDN for an entry whose searchAttribute equals the PostgreSQL user name, and then binds again as the entry it found with the password the user supplied. Use it when user DNs do not all follow one prefix/suffix pattern.
The following parameters are required when using search+bind mode:
- server
- bindSearchAuth.baseDN
- bindSearchAuth.bindDN
- bindSearchAuth.bindPassword: a reference to a secret containing the password of the bind DN (the secret name and the key under which the password is stored)
The following parameters are optional when using search+bind mode:
- bindSearchAuth.searchFilter
- bindSearchAuth.searchAttribute: if searchAttribute is not specified, the default value is uid
- scheme: an LDAP scheme
- port
This example shows configuring search+bind mode:
```yaml
postgresql:
  ldap:
    server: 'openldap.default.svc.cluster.local'
    bindSearchAuth:
      baseDN: 'ou=org,dc=example,dc=com'
      bindDN: 'cn=admin,dc=example,dc=com'
      bindPassword:
        name: 'ldapBindPassword'
        key: 'data'
      searchAttribute: 'uid'
```
Bind mode configuration
In bind (simple bind) mode, PostgreSQL builds the distinguished name as prefix + user name + suffix and binds as that DN with the password the user supplied. No directory account is needed, but every user's DN must follow the same pattern.
The following parameters are required when using bind mode:
- server
- bindAuth.prefix
- bindAuth.suffix
The following parameters are optional when using bind mode:
- scheme: an LDAP scheme
- port
This example shows configuring bind mode; with it, the user alice binds as uid=alice,dc=example,dc=org:
```yaml
postgresql:
  ldap:
    server: "openldap.default.svc.cluster.local"
    bindAuth:
      prefix: "uid="
      suffix: ",dc=example,dc=org"
```
LDAP over TLS
Use TLS to encrypt traffic between the PostgreSQL server and the LDAP server; otherwise each user's password crosses the network in cleartext every time PostgreSQL binds to the directory. Configure your LDAP server with a TLS certificate that PostgreSQL can verify, and set scheme to ldaps so that PostgreSQL connects over LDAPS rather than plain LDAP.
Encrypting the PostgreSQL-to-LDAP hop does not protect the client-to-PostgreSQL hop. With the ldap method the client sends its password to the PostgreSQL server, and that connection remains unencrypted unless SSL is configured for the cluster and required with hostssl entries in pg_hba.conf instead of host.