LDAP Identity Provider

LDAP Authentication

Set LDAPIdentityProvider in the identityProviders section to validate username and password against an LDAPv3 server using simple bind authentication.

During authentication, the LDAP directory is searched for an entry that matches the provided username. If a single unique match is found, a simple bind is attempted using the DN of the entry plus the provided password.

Example Configuration Using LDAPIdentityProvider:

apiVersion: installer.kubesphere.io/v1alpha1
kind: ClusterConfiguration
metadata:
  name: ks-installer
spec:
  authentication:
    jwtSecret: "********************************"  # redacted; quoted because a bare * starts a YAML alias
    authenticateRateLimiterMaxTries: 10
    authenticateRateLimiterDuration: 10m
    oauthOptions:
      accessTokenInactivityTimeout: 30m
      accessTokenMaxAge: 1h
      identityProviders:
      - name: ldap
        type: LDAPIdentityProvider
        mappingMethod: auto
        provider:
          host: 192.168.0.2:389
          managerDN: uid=root,cn=users,dc=nas
          managerPassword: "******"  # redacted; quoted because a bare * starts a YAML alias
          userSearchBase: cn=users,dc=nas
          loginAttribute: uid
          mailAttribute: mail

For the above example:

| Parameter | Description |
| --- | --- |
| insecureSkipVerify | Used to turn off TLS certificate checks. |
| startTLS | If specified, connections will use the ldaps:// protocol. |
| rootCA | Path to a trusted root certificate file. Default: use the host's root CA. |
| rootCAData | A raw certificate file can also be provided inline, as a Base64-encoded PEM file. |
| host | The name and port of the LDAP server. |
| managerDN | DN to use to bind during the search phase. |
| managerPassword | Password to use to bind during the search phase. |
| userSearchBase | The search base is the distinguished name (DN) of a level of the directory tree below which all users can be found. |
| userSearchFilter | LDAP filter used to identify objects of type user, e.g. (objectClass=person). |
| loginAttribute | User naming attribute that identifies user objects; it will be mapped to the KubeSphere account name. |
| mailAttribute | The mail attribute will be mapped to the KubeSphere account. |
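
The search-then-bind flow described under LDAP Authentication, with the checks a reviewer would look for in any implementation of it: RFC 4515 escaping of the submitted username before it enters the filter, the single-match requirement, and rejection of empty passwords. This is an added example, not KubeSphere's own code; `Directory`, `EscapeFilter`, `Authenticate` and the sample user `alice` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Directory is a hypothetical stand-in for an LDAP client (not a KubeSphere type).
type Directory struct {
	Search func(base, filter string) []string // returns matching DNs
	Bind   func(dn, password string) bool     // true when the simple bind succeeds
}

var ErrAuth = errors.New("invalid username or password")

// EscapeFilter hex-escapes the RFC 4515 special characters in an assertion value.
func EscapeFilter(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// Authenticate searches for the user, requires exactly one match, then binds as that DN.
func Authenticate(d Directory, base, userFilter, loginAttr, user, pass string) (string, error) {
	if user == "" || pass == "" { // an empty password is an unauthenticated bind (RFC 4513)
		return "", ErrAuth
	}
	dns := d.Search(base, fmt.Sprintf("(&%s(%s=%s))", userFilter, loginAttr, EscapeFilter(user)))
	if len(dns) != 1 || !d.Bind(dns[0], pass) { // none, ambiguous, or wrong password
		return "", ErrAuth
	}
	return dns[0], nil
}

func main() {
	d := Directory{ // constructed sample directory; base and attribute follow the example config
		Search: func(_, _ string) []string { return []string{"uid=alice,cn=users,dc=nas"} },
		Bind:   func(_, pw string) bool { return pw == "s3cret" },
	}
	fmt.Println(Authenticate(d, "cn=users,dc=nas", "(objectClass=person)", "uid", "alice", "s3cret"))
}
```

Every failure path returns the same `ErrAuth`, so a caller cannot tell an unknown user from a wrong password.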