Container Service for Kubernetes:Set up an LDAP authentication source for ACK

Last Updated:Oct 09, 2023

An increasing number of enterprise users of Container Service for Kubernetes (ACK) need to use their own account systems in the cloud. However, migrating these account systems to the cloud is not always straightforward. The challenge is to migrate the accounts smoothly without registering a large number of new accounts or managing separate username and password pairs. This topic describes how to set up a Lightweight Directory Access Protocol (LDAP) authentication source that maps external users to Alibaba Cloud Resource Access Management (RAM) users.

Background information

The following services are used in this topic:

  • ACK

  • RAM

  • Identity as a Service (IDaaS): This service is used to interface external account systems with RAM.

  • LDAP: This service is used to store account information for single sign-on (SSO). OpenLDAP is the open source implementation of LDAP.

How it works

LDAP

The LDAP authentication source is connected to RAM through the following steps:

  1. Add an LDAP authentication source in the IDaaS console and synchronize LDAP accounts to IDaaS. The passwords are not synchronized. If you want LDAP users to log on to ACK with their LDAP accounts, you must set a password for each LDAP account in IDaaS. To avoid the trouble of setting a password for each account, you can also configure SSO.

  2. Add an application in the IDaaS console.

    • The application must be linked to a RAM user that has the AliyunRAMFullAccess permission so that the application has full permissions to manage RAM. Therefore, you must specify the AccessKey ID and AccessKey secret of the RAM user in the application configuration.

    • The application must also be linked to another RAM user or RAM role that is used to authorize the LDAP accounts to manage ACK.

    • You must import the LDAP accounts that have been synchronized to IDaaS to the application, and authorize these accounts to use the application. This enables the LDAP accounts to derive the required permissions from the RAM role or RAM user that is linked to the application.

  3. Set up an LDAP authentication source for IDaaS SSO.

  4. When LDAP users log on to the Alibaba Cloud Management Console through SSO, they derive the required permissions from the RAM role or RAM user that is linked to the application in IDaaS.

  5. Complete role-based access control (RBAC) authorization in the ACK console with an Alibaba Cloud account.

Step 1: Prepare the environment

Perform the following steps to build a staging environment for LDAP:

  1. Run the following command to install OpenLDAP.

    You can use OpenLDAP to provision an LDAP data store and configure php-LDAP-admin to manage LDAP.

    1. Run the following command to clone the code repository:

      git clone https://github.com/lilongthinker/demo-base-code.git

      Expected output:

      Cloning to 'demo-base-code'...
      remote: Enumerating objects: 12, done.
      remote: Counting objects: 100% (12/12), done.
      remote: Compressing objects: 100% (10/10), done.
      remote: Total 12 (delta 0), reused 9 (delta 0), pack-reused 0
      Unpacking objects: 100% (12/12), done.
    2. Run the following command to check the directory tree and the Ingress YAML file (ingress-phpadmin.yaml), whose content is shown between the separator lines:

      cd demo-base-code/01_ldap
      01_ldap git:(master) tree ./
      ./
      ├── ingress-phpadmin.yaml
      ├── ldap-deploy.yaml
      ├── ldap-secret.yaml
      ├── ldap-service.yaml
      ├── phpldapadmin-deploy.yaml
      └── phpldapadmin-svc.yaml
      
      0 directories, 6 files
      ################################################ 
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        labels:
          ingress-controller: nginx
        name: ldap-ui
        namespace: public-service
      spec:
        ingressClassName: nginx
        rules:
          - host: phpldap.example.com # Replace with the domain name that you want to use.
            http:
              paths:
                - backend:
                    service:
                      name: phpldapadmin
                      port:
                        number: 8080
                  path: /
                  pathType: ImplementationSpecific
      ################################################
    3. Run the following command to create a namespace:

      01_ldap git:(master) kubectl create ns public-service

      Expected output:

      namespace/public-service created
    4. Run the following command to deploy the application:

      01_ldap git:(master) kubectl apply -f ./

      Expected output:

      ingress.extensions/ldap-ui created
      deployment.extensions/ldap created
      secret/ldap-secret created
      service/ldap-service created
      deployment.extensions/phpldapadmin created
      service/phpldapadmin created
  2. Initialize LDAP accounts.

    1. Log on to php-LDAP-admin.

      1. Run the following command to query the domain name and IP address of the Ingress:

        01_ldap_with_ui git:(master) ✗ kubectl get ing
        NAME      HOSTS                 ADDRESS          PORTS   AGE 
        ldap-ui   phpldap.example.com   121.xx.xxx.xxx   80      45s
      2. Enter the Ingress domain name into the address bar of your browser to open the console of php-LDAP-admin. Then, use the default distinguished name (DN) and password to log on to the console.

        Note
        • The default DN is cn=admin,dc=example,dc=org.

        • The default password is admin.

        • If the system prompts that you are unauthorized to access /var/lib/php/sessions, run the chmod command to modify the permissions.

    2. Create organizations and accounts.

      1. In the left-side navigation pane of the php-LDAP-admin console, click Create new entry here. On the Create Object page, click Generic: Organisational Unit and then click Create Object.

      2. Enter a name for the organization and click Create Object. In this example, the organization name is dev.

      3. In the left-side navigation pane of the php-LDAP-admin console, click Create a child entry. Then, click Courier Mail: Account, specify the user information, and click Create Object.

        Important

        The default name of the account may contain extra space characters. We recommend that you delete the space characters.

Step 2: Configure IDaaS

  1. Log on to the IDaaS console and click Create Instance.

  2. In the Create Instance dialog box, specify Description, select the service agreement, and then click Create.

  3. In the instance list, select the instance that you created to go to the Quick Start page of IDaaS and click Bind OpenLDAP.

  4. On the Connect to LDAP wizard page of the Bind OpenLDAP wizard, specify the LDAP information and click Next.

    For more information, see Bind IDaaS to OpenLDAP.

    Section: Basic Information

      • Nickname: Enter a name.

    Section: Server Configuration

      • Server Address: Enter the external IP address of the ldap-service service. To obtain the external IP address, perform the following steps:

        1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

        2. On the Clusters page, click the name of the cluster that you want to manage and choose Network > Services in the left-side navigation pane.

        3. Find the ldap-service service and record the external IP address.

    Section: LDAP Domain Configuration

      • Administrator Account: The default administrator DN is cn=admin,dc=example,dc=org.

      • Administrator Password: The password is admin.

  5. On the Select Scenario wizard page, specify the scenario information and click Next. For more information about scenario settings, see Bind IDaaS to OpenLDAP.

  6. On the Field Mapping wizard page, configure field mappings and click Save and Push. In this example, you need to map only the Username and Email Address fields.

    Note
    • When you configure a field mapping, if the mapping rule is Select Field, you need to select an IDaaS field based on your business requirement. In this example, the Username field is mapped to the CN field in OpenLDAP.

    • You can also specify an IDaaS field as a mapping identifier. After you specify an IDaaS field as a unique mapping identifier, if the IDaaS field matches the external field, the system automatically binds the corresponding IDaaS account to the external account and synchronizes data. If the IDaaS field does not match the external field, the system creates an IDaaS account and binds it to the external account.

  7. After you complete the configuration, choose Accounts > Accounts and Orgs in the left-side navigation pane. You can find that the organization and account information is synchronized from OpenLDAP to IDaaS.

  8. In the left-side navigation pane, click Sign-in. On the General tab, configure sign-in settings. In this example, the sign-in method is set to ack-ldap for both computers and mobile platforms.
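As an added example that is not part of the original page or the Alibaba Cloud documentation: a preflight check that reads an LDIF export of the OpenLDAP directory built in Step 1, applies the same Username ← CN and Email Address ← mail mapping as the Field Mapping wizard step, and reports the entries that would synchronize badly, in particular account names that still carry the extra space characters mentioned in Step 1. The sample LDIF, the dev organizational unit and the account names are constructed; the base_ou default is an assumption.

```python
import base64

# IDaaS field -> LDAP attribute, as mapped in the Field Mapping wizard step.
FIELD_MAPPING = {"Username": "cn", "Email Address": "mail"}

# Constructed sample of the Step 1 directory as `ldapsearch -LLL` prints it: bob's cn
# ends with a stray space (LDIF base64-encodes it, the DN escapes it); carol has no mail.
SAMPLE_LDIF = r"""dn: cn=alice,ou=dev,dc=example,dc=org
cn: alice
mail: alice@example.org

dn: cn=bob\ ,ou=dev,dc=example,dc=org
cn:: Ym9iIA==
mail: bob@example.org

dn: cn=carol,ou=dev,dc=example,dc=org
cn: carol
"""

def parse_ldif(text):
    """Return entries as {attr: [values]} with attr names lower-cased (no folded lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")          # "attr: value"
            if name.endswith(":"):                         # "attr:: base64" (edge spaces)
                name, value = name[:-1], base64.b64decode(value).decode("utf-8")
            entry.setdefault(name.lower(), []).append(value)
        entries.append(entry)
    return entries

def build_idaas_records(ldif_text, base_ou="ou=dev,dc=example,dc=org"):
    """Map each account under base_ou to IDaaS fields; report extra spaces and empty email."""
    records, issues = [], []
    for e in parse_ldif(ldif_text):
        dn = e.get("dn", [""])[0]
        if "cn" not in e or not dn.lower().endswith("," + base_ou.lower()):
            continue                                       # the OU itself, or outside it
        rec = {f: e.get(a, [None])[0] for f, a in FIELD_MAPPING.items()}
        name = rec["Username"]
        if name != " ".join(name.split()):                 # leading/trailing/double spaces
            issues.append((dn, "Username has extra space characters"))
        if not rec["Email Address"]:
            issues.append((dn, "Email Address is empty"))
        records.append(rec)
    return records, issues
```

Run it against `ldapsearch -LLL -o ldif-wrap=no -b ou=dev,dc=example,dc=org` output instead of SAMPLE_LDIF to check a real directory before clicking Save and Push.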

Step 3: Verify the IDaaS configuration

In the left-side navigation pane, choose IdPs > Delegated Authentication, find the delegated authentication link, and enter it into the address bar of the web browser. If the logon page of IDaaS appears and you are logged on, the IDaaS configuration is successful.

What to do next

For more information about how to configure SSO for an IDaaS account, see Create an Application and Login and SSO.