LDAP authentication for database cluster access
You can configure LDAP for database cluster authentication.
- Applies to: Hybrid Manager version 1.2 and later
Prerequisites
- Before deploying a cluster with LDAP configurations using the API, an LDAP server must be present in your environment.
- Before authentication via LDAP, the user must exist in PostgreSQL.
Configure LDAP via the API
After setting up the LDAP server, deploy the cluster using the API. This will configure LDAP authentication.
Use the following steps to create or modify a cluster to use LDAP.
Creating a new cluster to use LDAP
Before using the REST API, make sure you have valid key and the appropriate role is assigned to perform cluster CRUD operations.
For a new cluster, use curl to configure the LDAP server during cluster creation. Update the ${URL}, KEY, URL, project_id, and other parameters in the request:
curl -H "x-access-key: ${KEY}" -H "Content-Type: application/json" --insecure -s "https://.${URL} edbaiplatform.enterprisedb.network/api/v1/projects/prj_pJ9Ug36492SQhdEQ/clusters" -d '{"projectId": "prj_pJ9Ug36492SQhdEQ", "psr": { "clusterName": "ldap-cluster", "password": "111111111111", "locationId": "managed-devspatcher", "clusterData": { "instances": 1, "resourceRequest": { "requests": { "memory": "2Gi", "cpu": "1" } }, "storageConfiguration": { "primaryStorage": { "size": "4" } }, "image": { "url": "<pg_image_url>", "digest": "<pg_image_sha>" }, "ldapConfig": { "enabled": true, "config": { "hostname": "ldap-service.default.svc.cluster.local", "scheme": "ldap", "bindAuth": { "prefix": "uid=", "suffix": ",dc=example,dc=org" } } } } }}'
Modify an existing cluster to use LDAP
For an existing cluster, use PATCH to configure it for LDAP authentication:
curl -X PATCH -H "x-access-key: ${KEY}" -H "Content-Type: application/json" --insecure -s "https://portal.eks-05220612-main.edbaiplatform.enterprisedb.network/api/v1/projects/prj_sXNNRhwj1YddHslR/clusters/p-lfdghq5gxe" -d '{"projectId": "prj_sXNNRhwj1YddHslR","clusterId": "p-lfdghq5gxe", "psr": { "ldapConfig": { "enabled": true, "config": { "hostname": "ldap-service.default.svc.cluster.local", "scheme": "ldap", "bindAuth": { "prefix": "uid=", "suffix": ",dc=example,dc=org" } } } } }'
Verification
Verify the pg_hba.conf file has been updated with an LDAP entry for authentication:
# # LDAP CONFIGURATION (optional) # host all all 0.0.0.0/0 ldap ldapserver="ldap-server.default.svc.cluster.local" ldapscheme="ldap" ldapprefix="uid=" ldapsuffix=",dc=example,dc=org"
Bind and Search mode configuration
The following parameters are required when using search+bind mode:
serverprefixsuffix
The following parameters are optional when using search+bind mode:
searchFiltersearchAttribute: IfsearchAttributeis not specified, the default value is set touid.scheme: an LDAP schemeport
Example:
postgresql: ldap: server: 'openldap.default.svc.cluster.local' bindSearchAuth: baseDN: 'ou=org,dc=example,dc=com' bindDN: 'cn=admin,dc=example,dc=com' bindPassword: name: 'ldapBindPassword' key: 'data' searchAttribute: 'uid'
Bind mode configuration
The following parameters are required when using bind mode:
serverbaseDNbinDNbindPassword: a secret containing the ldap password
The following parameters are optional when using bind mode:
scheme: an LDAP schemeport
Example:
postgresql: ldap: server: "openldap.default.svc.cluster.local" bindAuth: prefix: "uid=" suffix: ",dc=example,dc=org"
LDAP over TLS
TLS can be used to encrypt traffic between the PostgreSQL server and the LDAP server. You can configure your LDAP server to use TLS certificates.
The connection between the PostgreSQL server and the PostgreSQL client will remain unencrypted unless SSL is configured.
References
https://www.postgresql.org/docs/current/auth-ldap.html
https://cloudnative-pg.io/documentation/preview/postgresql_conf/#ldap-configuration
Could this page be better? Report a problem or suggest an addition!