
Container Service for Kubernetes:Set up an external LDAP authentication source for ACK

Last Updated:Dec 26, 2025

Many enterprises that migrate to the cloud have their own account systems. They need a way to migrate these systems smoothly and avoid registering new accounts or managing multiple usernames and passwords. This topic describes how to connect a self-managed Lightweight Directory Access Protocol (LDAP) service to Alibaba Cloud to address these issues.

Background information

This topic involves the following products:

How it works

LDAP

The process of connecting a self-managed LDAP service to Alibaba Cloud is as follows:

  1. Add an LDAP connection configuration in IDaaS to sync LDAP accounts to IDaaS. Passwords are not synced. To log on using an LDAP username, you must reset the password in IDaaS. If you do not want to manage multiple passwords, you can use SSO.

  2. Add an application in IDaaS:

    • The application needs to connect to a RAM user that has the AliyunRAMFullAccess permission using an AccessKey. This allows the application to manage RAM permissions.

    • The application connects to another RAM role or RAM user. This connection is used to grant permissions to the LDAP accounts for logon.

    • Import the LDAP accounts that are already in IDaaS into the application. This allows these accounts to use the application. The permissions are inherited from the connected RAM role or RAM user.

  3. Configure the LDAP service for IDaaS SSO.

  4. LDAP users log on to the Alibaba Cloud platform using SSO. They obtain the permissions of the RAM role or RAM user that is connected in the IDaaS application.

  5. An Alibaba Cloud account grants Platform as a Service (PaaS) layer permissions to the container platform.

Step 1: Prepare the environment

The following steps show how to simulate an LDAP environment.

  1. Run the following command to install OpenLDAP.

    Set up OpenLDAP to simulate an LDAP data source and use the php-LDAP-admin management tool.

    1. Run the following command to clone the code repository:

      git clone https://github.com/lilongthinker/demo-base-code.git

      Expected output:

      Cloning to 'demo-base-code'...
      remote: Enumerating objects: 12, done.
      remote: Counting objects: 100% (12/12), done.
      remote: Compressing objects: 100% (10/10), done.
      remote: Total 12 (delta 0), reused 9 (delta 0), pack-reused 0
      Unpacking objects: 100% (12/12), done.
    2. Check the directory structure and create a YAML file.

      cd demo-base-code/01_ldap
      tree ./
      ./
      ├── ingress-phpadmin.yaml
      ├── ldap-deploy.yaml
      ├── ldap-secret.yaml
      ├── ldap-service.yaml
      ├── phpldapadmin-deploy.yaml
      └── phpldapadmin-svc.yaml
      
      0 directories, 6 files
      The content of ingress-phpadmin.yaml is as follows:
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        labels:
          ingress-controller: nginx
        name: ldap-ui
        namespace: public-service
      spec:
        ingressClassName: nginx
        rules:
          - host: phpldap.example.com # Replace with your actual domain name.
            http:
              paths:
                - backend:
                    service:
                      name: phpldapadmin
                      port:
                        number: 8080
                  path: /
                  pathType: ImplementationSpecific
    3. Run the following command to create a namespace.

      kubectl create ns public-service

      Expected output:

      namespace/public-service created
    4. Run the following command to deploy the application.

      kubectl apply -f ./

      Expected output:

      ingress.extensions/ldap-ui created
      deployment.extensions/ldap created
      secret/ldap-secret created
      service/ldap-service created
      deployment.extensions/phpldapadmin created
      service/phpldapadmin created
  2. Initialize the accounts.

    1. Log on to php-LDAP-admin.

      1. Run the following command to obtain the Ingress domain name and address.

        kubectl get ing
        NAME      HOSTS                 ADDRESS          PORTS   AGE 
        ldap-ui   phpldap.example.com   121.xx.xxx.xxx   80      45s
      2. Copy the Ingress domain name to your browser. Then, log on to the php-LDAP-admin console using the default DN and password.

        Note
        • Default DN: cn=admin,dc=example,dc=org.

        • Default password: admin.

        • If you do not have permission to access /var/lib/php/sessions, use the chmod command to modify the path permissions.

    2. Create organizations and accounts.

      1. In the navigation pane on the left of the php-LDAP-admin console, click Create new entry here. On the Create Object page, click Generic: Organizational Unit and then click Create Object.

      2. Enter an organization name and click Create Object. In this example, the organization name is dev.

      3. In the navigation pane on the left of the php-LDAP-admin console, click the ou=dev that you created in the previous step, click Create a child entry, click Courier Mail:Account, configure the user information, and then click Create Object.

        Important

        The default account name generated by php-LDAP-admin contains a space. Make sure to delete the space.

Step 2: Configure IDaaS

  1. Log on to the IDaaS console and click Create Instance.

  2. In the Create Instance panel, enter a Description, select the agreement, and then click Create.

  3. In the instance list, click the instance that you created to open the Quick Start page of IDaaS, and then click Bind OpenLDAP.

  4. In the Bind OpenLDAP wizard, on the Connect To LDAP page, configure the LDAP settings and click Next.

    For more information, see Bind OpenLDAP - Inbound.

    Category: Basic information
      Display name: Enter a custom name.

    Category: Server configuration
      Server Address: Enter the external IP address of the ldap-service service. To obtain the IP address, follow these steps:

      1. Log on to the ACK console. In the left navigation pane, click Clusters.

      2. On the Clusters page, click the name of the target cluster. In the navigation pane on the left, choose Network > Services.

      3. Find the ldap-service service and record its external IP address.

    Category: LDAP domain configuration
      Administrator account: The default administrator DN is cn=admin,dc=example,dc=org.
      Administrator password: The password is admin.

  5. On the Select Scenario page, configure the scenario settings, and then click Complete Creation. For more information about scenario settings, see Bind OpenLDAP - Inbound.

  6. On the Field Mapping page, configure the field mappings and click Save And Sync. For this example, you need to map only the Username and Email Address fields.

    Note
    • When you map fields, if the mapping rule is Select Field, select the required IDaaS fields. For example, in this topic, the account name corresponds to CN in OpenLDAP. You can also map other fields as needed.

    • You can set a field as an identifier. When a field is used as the unique identifier for mapping, if the field values in both systems are the same but the accounts are not yet bound, the accounts are bound and the data is updated. If the values are different, a new account is created and bound.

  7. After you complete the configuration, choose Accounts > Accounts And Organizations in the navigation pane on the left. You can see that the organization and user information from OpenLDAP has been synchronized successfully.

  8. In the navigation pane on the left, click Sign-in. On the General tab, configure sign-in settings. In this example, the sign-in method is set to ack-ldap for both computers and mobile platforms.
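The identifier-based binding rule from the Field Mapping note in step 6, written out as an added example (not code from this page or from Alibaba Cloud IDaaS). It assumes an LDAP entry is a dict of attributes (dn, cn, mail, ...) and an IDaaS account is a dict of the mapped fields plus an ldap_dn key once bound; the mapping deliberately excludes the password attribute, matching the "passwords are not synced" point in How it works.

```python
import copy

# IDaaS field -> OpenLDAP attribute. Only Username and Email are mapped, as in the
# topic; the password attribute is absent on purpose, so it can never be copied.
FIELD_MAP = {"username": "cn", "email": "mail"}
IDENTIFIER = "username"  # the field used as the unique identifier for binding

def sync_accounts(ldap_entries, idaas_accounts):
    """Reconcile LDAP entries into IDaaS accounts; returns (accounts, report).
    Rules from the page: an account already bound to the entry's DN is updated; an
    unbound account with the same identifier is bound and updated; otherwise a new
    account is created and bound. Skipping identifiers that contain a space (the
    php-LDAP-admin default) is an assumption of this example, not IDaaS behaviour.
    """
    accounts = copy.deepcopy(idaas_accounts)  # never mutate the caller's list
    report = {"bound": 0, "updated": 0, "created": 0, "skipped": 0}
    by_dn = {a["ldap_dn"]: a for a in accounts if a.get("ldap_dn")}
    unbound = {a[IDENTIFIER]: a for a in accounts if not a.get("ldap_dn")}
    for entry in ldap_entries:
        # Apply the field mapping: only mapped attributes ever reach IDaaS.
        mapped = {f: entry.get(attr, "").strip() for f, attr in FIELD_MAP.items()}
        ident = mapped[IDENTIFIER]
        if not ident or " " in ident:
            report["skipped"] += 1
            continue
        if entry["dn"] in by_dn:            # already bound: refresh mapped data only
            by_dn[entry["dn"]].update(mapped)
            report["updated"] += 1
        elif ident in unbound:              # same identifier, not yet bound: bind it
            acct = unbound.pop(ident)
            acct.update(mapped)
            acct["ldap_dn"] = entry["dn"]
            by_dn[entry["dn"]] = acct
            report["bound"] += 1
        else:                               # no match: create a new bound account
            acct = dict(mapped, ldap_dn=entry["dn"])
            accounts.append(acct)
            by_dn[entry["dn"]] = acct
            report["created"] += 1
    return accounts, report

# Constructed sample data (not real directory contents) for a stand-alone run.
SAMPLE_LDAP = [
    {"dn": "cn=alice,ou=dev,dc=example,dc=org", "cn": "alice",
     "mail": "alice@example.org", "userPassword": "{SSHA}constructed"},
    {"dn": "cn=bob,ou=dev,dc=example,dc=org", "cn": "bob", "mail": "bob@example.org"},
    {"dn": "cn=New User,ou=dev,dc=example,dc=org", "cn": "New User", "mail": "n@example.org"},
]
SAMPLE_IDAAS = [{"username": "alice", "email": "old@example.org"}]  # unbound account
```

Running sync_accounts(SAMPLE_LDAP, SAMPLE_IDAAS) binds alice, creates bob, skips the space-containing default name, and a second run over the result reports only updates.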

Step 3: Verify the result

In the navigation pane on the left, select IdPs > Delegated Authentication, find and copy the delegated authentication link, and then paste it into the address bar of your browser. If the IDaaS logon page appears and you can log on successfully, the IDaaS configuration is successful.

Related operations

For more information about how to configure SSO for an IDaaS account, see Create an Application and Login and SSO.