Configuring LDAP
Configure LDAP to work with Dex authentication to enable end users to log in to the Console using LDAP server credentials. This example uses Okta for LDAP configuration.
Creating an Okta user for LDAP integration
Log in to Okta and create a new user with the read-only administrator role. Dex will use this user to communicate with the Okta LDAP interface.
Okta provides an LDAP interface for client integration. For more information, refer to the Okta LDAP Interface documentation.
Configuring Dex to connect to Okta via LDAP connector
Add an entry for the Okta LDAP configuration where you specify the username and password (BindDN and BindPW) for the created read-only administrator user. Add the entry either in your values.yaml file or HybridControlPlane custom resource, depending on the installation method you use.
portal:
authentication:
clientSecret: "edb-postgres-ai-secret"
idpConnectors:
- type: ldap
name: okta
id: oktaLdap
config:
host: <ldap_server>:<ldap_server_port>
insecureNoSSL: false
insecureSkipVerify: false
bindDN: uid=<okta_admin@example.com>, dc=<org_subdomain>, dc=<domain>, dc=com
bindPW: <okta_admin_password>
usernamePrompt: Email Address
userSearch:
baseDN: ou=users, dc=<org_subdomain>, dc=<domain>, dc=com
filter: "(objectclass=inetOrgPerson)"
username: mail
idAttr: DN
emailAttr: mail
nameAttr: cn
groupSearch:
baseDN: ou=groups, dc=<org_subdomain>, dc=<domain>, dc=com
filter: "(objectclass=groupOfUniqueNames)"
userMatchers:
- userAttr: memberOf
groupAttr: uniqueMember
nameAttr: cn
staticPasswords:
- [...]
Parameters
This section details the necessary identity provider settings within the portal.authentication configuration. It focuses exclusively on parameters that require customization based on your environment. Any other parameters not explicitly mentioned here can be configured as shown in the provided example.
| Parameter | Description |
|---|---|
clientSecret | Client secret for the Hybrid Manager authentication, use the default edb-postgres-ai-secret. |
idpConnectors | Enter an array of data per IdP connector you want to use for authentication. Refer to the official Dex LDAP documentation for more guidance. |
idpConnectors.config | Configuration for the connection to the LDAP server. Use the format <ldap_server>:<ldap_server_port>. |
idpConnectors.config.bindDN | Distinguished Name of the read-only admin user you created in Okta that Dex will use to communicate with the LDAP server. Also specify where Dex should look for this user in the LDAP server. |
idpConnectors.config.bindPW | Password for the read-only admin user you created in Okta that Dex will use to communicate with the LDAP server. |
idpConnectors.config.usernamePrompt: | The text displayed above the username/email input field on the login screen. |
idpConnectors.config.userSearch.baseDN: | Specify where Dex should look for users in your LDAP server. The administrator of your Okta LDAP instance will know the baseDN for users. |
idpConnectors.config.groupSearch.baseDN: | Specify where Dex should look for groups in your LDAP server. The administrator of your Okta LDAP instance will know the baseDN for users. |
idpConnectors.config.groupSearch.baseDN.userMatchers: | Define how Dex determines if a user is a member of a group. Match attributes between user entries and group entries. |
Applying Dex configuration
After changing the authentication settings, you'll need to reconcile the Dex configuration and restart the Dex services for your changes to take effect. See Applying Dex for instructions.
Assign new owner and disable native user
After assigning a new organization owner in the Hybrid Manager Console, disable the native user. For this, refer to Disabling a native user.
← Prev
Configuring your own identity provider
↑ Up
Configuring your own identity provider
Next →
Configuring SAML
Could this page be better? Report a problem or suggest an addition!