Configuring LDAP
Configure LDAP to work with Dex authentication to enable end users to log in to the Hybrid Manager (HM) console using LDAP server credentials. This example uses Okta for LDAP configuration.
Creating an Okta user for LDAP integration
Log in to Okta and create a new user with the read-only administrator role. Dex will use this user to communicate with the Okta LDAP interface.
Okta provides an LDAP interface for client integration. For more information, see the Okta LDAP Interface documentation.
Configuring Dex to connect to Okta via LDAP connector
Add an entry for the Okta LDAP configuration that specifies the username and password (bindDN and bindPW) of the read-only administrator user you created. Add the entry either to your values.yaml file or to the HybridControlPlane custom resource, depending on the installation method you use.
```yaml
portal:
  authentication:
    clientSecret: "edb-postgres-ai-secret"
    idpConnectors:
      - type: ldap
        name: okta
        id: oktaLdap
        config:
          host: <ldap_server>:<ldap_server_port>
          insecureNoSSL: false
          insecureSkipVerify: false
          bindDN: uid=<okta_admin@example.com>, dc=<org_subdomain>, dc=<domain>, dc=com
          bindPW: <okta_admin_password>
          usernamePrompt: Email Address
          userSearch:
            baseDN: ou=users, dc=<org_subdomain>, dc=<domain>, dc=com
            filter: "(objectclass=inetOrgPerson)"
            username: mail
            idAttr: DN
            emailAttr: mail
            nameAttr: cn
          groupSearch:
            baseDN: ou=groups, dc=<org_subdomain>, dc=<domain>, dc=com
            filter: "(objectclass=groupOfUniqueNames)"
            userMatchers:
              - userAttr: memberOf
                groupAttr: uniqueMember
            nameAttr: cn
    staticPasswords:
      - [...]
```
Parameters
The table lists the identity provider settings in the portal.authentication configuration that require customization for your environment. Any parameter not listed here can be left as shown in the example above.
Parameter | Description |
---|---|
clientSecret | Client secret for HM authentication. Use the default edb-postgres-ai-secret. |
idpConnectors | An array with one entry per IdP connector you want to use for authentication. See the Dex LDAP documentation for more guidance. |
idpConnectors.config | Configuration for the connection to the LDAP server. Set host in the format <ldap_server>:<ldap_server_port>. Keep insecureNoSSL and insecureSkipVerify at false, as in the example, so that credentials are only sent over verified TLS. |
idpConnectors.config.bindDN | Distinguished Name of the read-only admin user you created in Okta that Dex uses to communicate with the LDAP server. The DN also tells Dex where to find this user in the LDAP directory. |
idpConnectors.config.bindPW | Password for the read-only admin user you created in Okta that Dex uses to communicate with the LDAP server. |
idpConnectors.config.usernamePrompt | Text displayed above the username/email input field on the login screen. |
idpConnectors.config.userSearch.baseDN | Where Dex looks for users in your LDAP server. The administrator of your Okta LDAP instance will know the baseDN for users. |
idpConnectors.config.groupSearch.baseDN | Where Dex looks for groups in your LDAP server. The administrator of your Okta LDAP instance will know the baseDN for groups. |
idpConnectors.config.groupSearch.userMatchers | How Dex determines whether a user is a member of a group: an attribute of the user entry (userAttr) is matched against an attribute of the group entry (groupAttr). |
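Before reconciling the configuration, it is worth catching the mistakes that most often break the first login: placeholders left in the entry, a host without its port, TLS switched off or certificate verification skipped, or an incomplete group matcher. The lint below is an added example, not part of the HM documentation or of Dex; it checks one idpConnectors[*].config mapping (in practice, load values.yaml with PyYAML and pass portal.authentication.idpConnectors[0].config), and SAMPLE_CONFIG is a constructed input.

```python
import re

PLACEHOLDER = re.compile(r"<[^<>]+>")
REQUIRED = ("host", "bindDN", "bindPW", "userSearch", "groupSearch")


def _walk(value, path=""):
    """Yield (path, scalar) for every leaf of a nested mapping/list."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, value


def lint_ldap_connector(config):
    """Return problem strings for one idpConnectors[*].config mapping; [] means it passes."""
    problems = [f"missing required key: {k}" for k in REQUIRED if k not in config]
    for path, value in _walk(config):
        if isinstance(value, str) and PLACEHOLDER.search(value):
            problems.append(f"unresolved placeholder in {path}: {value}")
    # Plain LDAP or unverified TLS exposes the bind password and the users' passwords.
    if config.get("insecureNoSSL") is True:
        problems.append("insecureNoSSL is true: credentials would travel in clear text")
    if config.get("insecureSkipVerify") is True:
        problems.append("insecureSkipVerify is true: server certificate is not verified")
    host = str(config.get("host", ""))
    if host and not re.fullmatch(r"[^:\s]+:\d{1,5}", host):
        problems.append(f"host must be <ldap_server>:<ldap_server_port>, got {host!r}")
    for i, m in enumerate(config.get("groupSearch", {}).get("userMatchers", [])):
        if not (m.get("userAttr") and m.get("groupAttr")):
            problems.append(f"groupSearch.userMatchers[{i}] needs both userAttr and groupAttr")
    return problems


# Constructed sample: the doc example with host and password filled in, but the
# bindDN placeholders left in place and certificate verification switched off.
SAMPLE_CONFIG = {
    "host": "ldap.example.okta.com:636",
    "insecureNoSSL": False,
    "insecureSkipVerify": True,
    "bindDN": "uid=<okta_admin@example.com>, dc=<org_subdomain>, dc=<domain>, dc=com",
    "bindPW": "example-password",
    "userSearch": {"baseDN": "ou=users, dc=example, dc=okta, dc=com", "username": "mail"},
    "groupSearch": {"baseDN": "ou=groups, dc=example, dc=okta, dc=com",
                    "userMatchers": [{"userAttr": "memberOf", "groupAttr": "uniqueMember"}]},
}
```

Running `lint_ldap_connector(SAMPLE_CONFIG)` reports the unresolved bindDN placeholders and the disabled certificate check; an empty list means the entry is ready to apply.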
Applying Dex configuration
After changing the authentication settings, you need to reconcile the Dex configuration and restart the Dex services for your changes to take effect. See Applying Dex for instructions.
Assign new owner and disable native user
After assigning a new organization owner in the HM console, disable the native user. See Disabling a native user.