
Container Service for Kubernetes: Set up an LDAP authentication source for ACK

Last Updated:Mar 26, 2026

Many enterprises manage their own LDAP directories for identity management and want to extend those systems into Alibaba Cloud without re-provisioning accounts. This topic walks you through connecting an OpenLDAP directory to ACK by routing authentication through Identity as a Service (IDaaS), which maps external LDAP users to Alibaba Cloud Resource Access Management (RAM) users.

How it works


Authentication flows through four services:

  • OpenLDAP stores the user directory.

  • IDaaS bridges the external directory to RAM.

  • RAM controls Alibaba Cloud permissions.

  • ACK enforces role-based access control (RBAC) at the cluster level.

The end-to-end setup covers five stages:

  1. Sync LDAP accounts to IDaaS. Add an LDAP authentication source in the IDaaS console. Account data (but not passwords) is pulled from LDAP into IDaaS. To let LDAP users log in with their LDAP credentials, set a password for each account in IDaaS — or configure single sign-on (SSO) to skip per-account password management.

  2. Create an IDaaS application and link permissions. The application must be associated with a RAM user that holds the AliyunRAMFullAccess permission so it can manage RAM on your behalf — provide the AccessKey ID and AccessKey secret of that RAM user in the application configuration. It also needs to be linked to a separate RAM user or RAM role that grants LDAP accounts the ACK permissions they need. Import the synced LDAP accounts into the application and authorize them.

  3. Configure SSO for the IDaaS application. Set up an LDAP authentication source for IDaaS SSO so users can authenticate with their existing LDAP credentials.

  4. Users log in via SSO. When an LDAP user logs in to the Alibaba Cloud Management Console through SSO, they inherit permissions from the RAM user or RAM role linked to the IDaaS application.

  5. Complete RBAC authorization in ACK. Use an Alibaba Cloud account to assign Kubernetes RBAC roles to the LDAP-mapped users in the ACK console.

Prerequisites

Before you begin, ensure that you have:

  • An ACK cluster with an Nginx Ingress controller deployed

  • kubectl configured to connect to the cluster

  • An Alibaba Cloud account with permissions to create RAM users and IDaaS instances

  • A RAM user with the AliyunRAMFullAccess policy attached (needed for the IDaaS application configuration)

  • A RAM user or RAM role that you want LDAP users to inherit ACK permissions from

Step 1: Deploy OpenLDAP to your cluster

This step provisions an OpenLDAP data store and phpLDAPadmin (a web UI for managing LDAP entries) inside the public-service namespace.

Install OpenLDAP and phpLDAPadmin

  1. Clone the demo repository, which contains the Kubernetes manifests for OpenLDAP and phpLDAPadmin:

    git clone https://github.com/lilongthinker/demo-base-code.git

    Expected output:

    Cloning to 'demo-base-code'...
    remote: Enumerating objects: 12, done.
    remote: Counting objects: 100% (12/12), done.
    remote: Compressing objects: 100% (10/10), done.
    remote: Total 12 (delta 0), reused 9 (delta 0), pack-reused 0
    Unpacking objects: 100% (12/12), done.
  2. Switch to the LDAP directory and review the included manifests:

    cd demo-base-code/01_ldap
    tree ./
    ./
    ├── ingress-phpadmin.yaml
    ├── ldap-deploy.yaml
    ├── ldap-secret.yaml
    ├── ldap-service.yaml
    ├── phpldapadmin-deploy.yaml
    └── phpldapadmin-svc.yaml
    
    0 directories, 6 files
    ingress-phpadmin.yaml:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      labels:
        ingress-controller: nginx
      name: ldap-ui
      namespace: public-service
    spec:
      ingressClassName: nginx
      rules:
        - host: phpldap.example.com # Replace with the domain name you want to use.
          http:
            paths:
              - backend:
                  service:
                    name: phpldapadmin
                    port:
                      number: 8080
                path: /
                pathType: ImplementationSpecific

    Before deploying, open ingress-phpadmin.yaml and replace phpldap.example.com with the domain name you want to use for the phpLDAPadmin UI.

  3. Create the namespace:

    kubectl create ns public-service

    Expected output:

    namespace/public-service created
  4. Deploy all manifests:

    kubectl apply -f ./

    Expected output:

    ingress.extensions/ldap-ui created
    deployment.extensions/ldap created
    secret/ldap-secret created
    service/ldap-service created
    deployment.extensions/phpldapadmin created
    service/phpldapadmin created

Initialize LDAP accounts

  1. Get the external IP address assigned to the Ingress:

    kubectl get ing
    NAME      HOSTS                 ADDRESS          PORTS   AGE
    ldap-ui   phpldap.example.com   121.xx.xxx.xxx   80      45s
  2. Open the phpLDAPadmin console in your browser using the Ingress domain name. Log in with the default credentials:

    Field                      Default value
    Distinguished name (DN)    cn=admin,dc=example,dc=org
    Password                   admin

    If the browser reports that you are unauthorized to access /var/lib/php/sessions, run the chmod command on that session directory to fix its permissions.
  3. Create an organizational unit: In the left-side navigation pane, click Create new entry here. On the Create Object page, click Generic: Organisational Unit, then click Create Object. Enter a name for the organizational unit (for example, dev) and click Create Object.


  4. Create user accounts under the organizational unit: In the left-side navigation pane, click Create a child entry. Click Courier Mail:Account, fill in the user information, and click Create Object.

    Important

    The default account name may include trailing space characters. Delete them before saving.

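    The same organizational unit and account creation expressed as an LDIF file that you load with ldapadd, for teams that prefer scripted provisioning over the phpLDAPadmin clicks above. This is an added example, not code from the page or the demo repository: it assumes the demo directory's suffix is dc=example,dc=org (implied by the default admin DN), creates inetOrgPerson entries rather than the Courier Mail: Account template, and strips the trailing spaces the Important note warns about.

```python
import base64
import re

BASE_DN = "dc=example,dc=org"   # suffix implied by the page's admin DN cn=admin,dc=example,dc=org
OU = "dev"                      # the organizational unit created in Step 1

_RDN_SPECIAL = re.compile(r'([\\,+"<>;=#])')   # characters RFC 4514 section 2.4 requires escaping

def escape_rdn_value(value: str) -> str:
    """Escape a string for use as the value part of an RDN such as cn=<value>."""
    escaped = _RDN_SPECIAL.sub(r"\\\1", value)
    if escaped.startswith(" "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped

def ldif_line(attr: str, value: str) -> str:
    """One LDIF attribute line; base64-encodes values RFC 2849 forbids in plain form
    (leading space, colon or '<', trailing space, NUL, CR, LF, or any non-ASCII character)."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or any(ord(c) > 127 or c in "\0\r\n" for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"

def ou_entry() -> str:
    """The ou=dev container, the same object 'Generic: Organisational Unit' creates in phpLDAPadmin."""
    return "\n".join([ldif_line("dn", f"ou={OU},{BASE_DN}"), "objectClass: organizationalUnit",
                      ldif_line("ou", OU)]) + "\n"

def account_entry(name: str, surname: str, mail: str, password: str) -> str:
    """An inetOrgPerson under ou=dev (assumed schema, not phpLDAPadmin's Courier Mail template).
    Surrounding whitespace is stripped from the name, covering the trailing-space defect in the note."""
    cn = name.strip()
    if not cn:
        raise ValueError("account name is empty after removing whitespace")
    dn = f"cn={escape_rdn_value(cn)},ou={OU},{BASE_DN}"
    lines = [ldif_line("dn", dn), "objectClass: inetOrgPerson", ldif_line("cn", cn),
             ldif_line("sn", surname), ldif_line("mail", mail),
             ldif_line("userPassword", password)]   # pass a slappasswd hash rather than a clear password
    return "\n".join(lines) + "\n"

def build_ldif(accounts) -> str:
    """Complete LDIF: the OU first, then one entry per (name, surname, mail, password) tuple."""
    return "\n".join([ou_entry()] + [account_entry(*acct) for acct in accounts])

if __name__ == "__main__":   # constructed sample; the trailing spaces in the name are deliberate
    print(build_ldif([("alice  ", "Liu", "alice@example.org", "{SSHA}REPLACE-WITH-slappasswd-OUTPUT")]))
```

    Load the output with ldapadd -x -H ldap://<ldap-service external IP> -D cn=admin,dc=example,dc=org -W -f accounts.ldif; the cn and mail attributes are the fields IDaaS maps to Username and Email address in Step 2.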

Step 2: Configure IDaaS

Create an IDaaS instance and bind OpenLDAP

  1. Log in to the IDaaS console and click Create Instance.

  2. In the Create Instance dialog box, enter a description, accept the service agreement, and click Create.

  3. In the instance list, click the instance you created to open the Quick Start page, then click Bind OpenLDAP.

  4. On the Connect to LDAP step, fill in the LDAP connection details and click Next. For the full list of parameters, see Bind IDaaS to OpenLDAP - inbound.

    Basic information
      Display name: Enter a name for this LDAP source.
    Server configuration
      Server address: External IP address of the ldap-service Service. To find it, log in to the ACK console, click Clusters, click the cluster name, choose Network > Services in the left-side navigation pane, and record the external IP address of ldap-service.
    LDAP domain configuration
      Administrator account: cn=admin,dc=example,dc=org
      Administrator password: admin
  5. On the Select scenario step, configure the scenario settings and click Next. For guidance, see Bind IDaaS to OpenLDAP - inbound.

  6. On the Field mapping step, map the following fields and click Save and Push:

    IDaaS field      Notes
    Username         Map to the CN field in OpenLDAP. If the mapping rule is Select field, choose the IDaaS field that matches your directory schema.
    Email address    Map to the corresponding field in OpenLDAP.

    When you designate a field as a unique mapping identifier, IDaaS automatically binds matching accounts between IDaaS and OpenLDAP and keeps them in sync. If no match is found, IDaaS creates a new account and binds it.

Verify account synchronization and configure sign-in

  1. After saving, navigate to Accounts > Accounts and Orgs in the left-side navigation pane. Confirm that the organization and account data from OpenLDAP appears in IDaaS.

  2. In the left-side navigation pane, click Sign-in. On the General tab, set the sign-in method to ack-ldap for both computers and mobile platforms.

Step 3: Verify the IDaaS configuration

In the left-side navigation pane, navigate to IdPs > Delegated Authentication. Find the delegated authentication link and open it in your browser. If the IDaaS logon page appears and you can log in successfully, the configuration is working.

Troubleshooting

If the logon page does not appear or authentication fails, check the following:

Symptom: Cannot reach the IDaaS delegated authentication URL
Likely cause: Network or firewall issue
Action: Confirm that the IDaaS instance is active and that the URL is correct

Symptom: "Invalid credentials" on the IDaaS logon page
Likely cause: Wrong DN or password
Action: Re-check the Administrator account and Administrator password values in the LDAP source configuration

Symptom: Accounts not visible in Accounts and Orgs
Likely cause: Field mapping misconfigured or base DN incorrect
Action: Review the Field mapping step

Symptom: Users cannot log in with LDAP credentials
Likely cause: Password not set in IDaaS (SSO not configured)
Action: Set a password for each IDaaS account, or complete the SSO configuration
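Before the Bind OpenLDAP step, and whenever the first two rows above come up, the question is whether the Server address is reachable at all and whether cn=admin,dc=example,dc=org with the configured password is accepted. The following probe is an added example, not code from the page or the demo repository: it performs the LDAPv3 simple-bind exchange itself (RFC 4511) so it needs no client library, assumes the demo ldap-service listens on the plain LDAP port 389, and reports "network" for a TCP failure or the LDAP result name (for example invalidCredentials, code 49) otherwise.

```python
import socket
RESULT_NAMES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials"}  # RFC 4511 appendix A

def ber(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV (short length form below 128 bytes, long form above)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage carrying a simple BindRequest (RFC 4511 section 4.2); msg_id in 1..127."""
    bind = ber(0x60, ber(0x02, b"\x03")             # version 3
                + ber(0x04, dn.encode())             # name (LDAPDN)
                + ber(0x80, password.encode()))      # authentication: simple [0]
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind)

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                     # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_bind_response(data: bytes):
    """Return (resultCode, diagnosticMessage) from a BindResponse LDAPMessage."""
    _, msg, _ = read_tlv(data, 0)                    # outer SEQUENCE
    _, _, pos = read_tlv(msg, 0)                     # messageID
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61:                                  # [APPLICATION 1] BindResponse
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = read_tlv(resp, 0)                 # resultCode ENUMERATED
    _, _, pos = read_tlv(resp, pos)                  # matchedDN
    _, diag, _ = read_tlv(resp, pos)                 # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def check_bind(host: str, dn: str, password: str, port: int = 389, timeout: float = 5.0):
    """("network", detail) on TCP failure or empty reply, else (result name, diagnostic)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(bind_request(1, dn, password))  # the password crosses the wire in clear text
            data = sock.recv(4096)                       # a BindResponse is a few dozen bytes
    except OSError as exc:
        return "network", str(exc)
    if not data:
        return "network", "connection closed without a BindResponse"
    code, diag = parse_bind_response(data)
    return RESULT_NAMES.get(code, f"resultCode {code}"), diag
```

Call check_bind with the external IP address of ldap-service recorded in Step 2 and the admin DN and password from the table; a "network" result points at the first row above, "invalidCredentials" at the second, and because simple bind is unencrypted, run it only over a path you trust (the same caveat applies to the IDaaS source configuration unless LDAPS is set up).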

What's next

To allow LDAP users to log in to the Alibaba Cloud Management Console through SSO and to assign them ACK permissions via RBAC, complete the following:

  • Create an Application — create an IDaaS application, link it to the required RAM user and RAM role, and import the synced LDAP accounts

  • Login and SSO — configure SSO so users authenticate with their LDAP credentials