Suggest an Edit

LDAP

Please note that LDAP is flexible enough to offer lots of other options and configuration possibilities. Spinnaker uses the Spring Security libraries, which solve a number of challenges.

Configure with Halyard

With the LDAP manager credentials and search patterns in hand, use Halyard to configure Fiat:

hal config security authz ldap edit \
    --url ldaps://ldap.mydomain.net:636/dc=mydomain,dc=net \
    --manager-dn uid=admin,ou=system \
    --manager-password \
    --user-dn-pattern uid={0},ou=users \
    --group-search-base ou=groups \
    --group-search-filter "(uniqueMember={0})" \
    --group-role-attributes cn
      
 hal config security authz edit --type ldap
 hal config security authz enable

The above is a sample. See below for more information.

How Fiat determines group membership

The LDAP provider works by querying the LDAP server utilizing a user as set by the manager-dn and managerPassword and making a query. If a manager is NOT set, Spinnaker falls back to validating group membership using the login user’s credentials.

Fiat will use the “bound” account to do the following:

Make a query using a base of group-search-base. THIS IS A REQUIRED FIELD. If not set, no roles get queried.
That query uses group-search-filter to find the results.
This uses a parameter of the user’s full DN as a filter. This means the ONLY groups shown are those which the user is a member.
For the groups retrieved, get the role names. This uses the group-role-attributes attribute (defaults to cn).

How to determine the “Full DN”

Extract the Root DN from the url (ldaps://my.server/a/b/c → a/b/c)

If com.netflix.spinnaker.fiat.roles.ldap.LdapUserRolesProvider log level is at debug, you should see Root DN: <the actual root DN extracted>
If user-search-filter is provided then:
- Search LDAP:
  - For user-search-base
  - Using user-search-filter aka (uid={0})
- Return root DN computed + found user DN
ELSE when user-search-filter is not provided:
- Make user DN using user-dn-pattern
- Return root DN computed + user DN

You must provide either a search filter or a DN pattern. In the case below, the user joe would have a full DN of uid=joe,ou=users,dc=mydomain,dc=net.

The search would be rooted at ou=groups,dc=mydomain,dc=net, looking for directory entries that include the attribute uniqueMember=uid=joe,ou=users,dc=mydomain,dc=net, which is the structure for the groupOfUniqueNames group standard.

The group-role-attribute is how the group/role name is extracted. For example, all entries that pass the filter will then have the cn (common name) attribute returned.

IF you want to use a username instead of a user DN for group membership, you can specify {1} instead of {0} for the group-search-filter parameter.

Source code

To see the internals (can be useful for debugging):

Fiat: LdapUserRolesProvider
Spring Auth Provider: LdapAuthenticationProviderConfigurer
Gate: LdapSsoConfig

Next steps…

Read through Authorization Overview
Read through LDAP Authorization