How-To: Configure LDAP External Authentication in Portainer using OpenLDAP

Captions
Hi, welcome to another video in our how-to series. This is Sam from Portainer. In this video we'll show you how to configure LDAP external authentication with Portainer using OpenLDAP. We'll also go through configuring group filtering and team auto-population.

I have Portainer installed on a standalone Docker host and I am managing several endpoints: the Docker host itself, a Swarm cluster and a Kubernetes cluster. I also have OpenLDAP installed and have phpLDAPadmin running as well, so that I can manage my OpenLDAP using a web GUI. I'm using the osixia docker-openldap and docker-phpldapadmin images to get OpenLDAP and phpLDAPadmin working. Here's a look at the phpLDAPadmin page where I can manage my directory. I've already created several users and corresponding groups in the OpenLDAP directory. These are the users and the corresponding groups that I have created inside OpenLDAP, so you can see users under portainer_users and several groups under portainer_groups. I also have the read-only account enabled, so that we can use that to have read-only access to the directory.

To configure LDAP external authentication we need to go to the Settings menu in Portainer, then click on Authentication. It's currently on the internal authentication mechanism; we simply switch to LDAP and configure our settings in there. For LDAP server, my server IP address; you can use the name if you have DNS working in there. For the Reader DN I'm going to use my read-only account that's already enabled; it needs to be a bind account. Then click Connect so we can connect to the LDAP server using that account. Next, if you choose to use LDAPS you'll need to change the port to 636 and tick the box for Use TLS. I'm using self-signed certs at the moment, so I'm going to skip the certificate check. Test connectivity: that's all good. For Base DN we can simply copy the OU that I've created here; that's what I want to use for the Base DN for the users, so I'll copy that DN from there. The username attribute in our case is the uid, and I simply have the object class filter as objectClass=inetOrgPerson. I'll show you where I get that from: if we go here, it's simply the object class there that we can use, so I'm just using that here. For the group search we can copy the same for our groups OU: go here, copy that. The group member attribute is member, and the group object class we'll copy from there as well, so it should be the groupOfNames object class: objectClass=groupOfNames. Save settings. That's all there is to it. Now any users under this portainer_users OU should be able to log in.

So if I log out from here, I'll try to log in as one of the developers. As you can see we can log in, but as we have not given any access to the user you will not see anything there; that is to be expected. I'll show you how to do the teams and users now.

I've logged in as the admin user. If I go to the Users menu you'll see here that the user I just logged in as is auto-added and the authentication type is set as LDAP. From here you can give that user access to the resources and endpoints as you like, but when you have a handful of users, or more than a handful of users, it gets really tedious to do individual user-level access. That's where the teams come into play. To use teams we go into Teams under the Users menu and we create teams here. Keep in mind that we will need to create these teams with the same names as the groups in your AD that you want to use inside Portainer, so for example in our case that's devs, testers, readonly and admins. Notice that these are the same groups I have created inside portainer_groups in the LDAP directory as well.

Now that we have all the teams added, I'll go to the Endpoints and give some teams access to them. To make that easier we can group the endpoints into groups, so for ease of use I've grouped Docker and Docker Swarm into the docker group and Kubernetes into the kube group. You can have many clusters in here, so I can give access at the group layer. If I click on docker I can select testers to have access to docker and create access, so testers will now have access to the docker group, which has the Docker and Docker Swarm endpoints in there. For kube I'll give devs access to that: create access. I will also give access to some of the resources inside our endpoints. For example, in the Docker standalone endpoint I have several containers running; the container here is public, so everybody should be able to see it, and caddy is restricted to administrators. So if I go into caddy I can change the ownership to the team that I want to give access to, for example testers, OK, and update ownership. It should now change to restricted, and the group that has access to that would be testers. Similarly, if I go to the Swarm cluster I'll have a look at my wordpress stack and see the ownership here; it's currently set to public. I'll change it to restricted and the testers team again. Finally, I go to the Kubernetes cluster, go to the resource pool, and I can give, say, the web services namespace access to the devs group: create access.

So if I log out now and log back in as the developer, I can now see the Kubernetes cluster because developers have access to it and he's a developer. If I go to the resource pools I now have access to web services; all the other resource pools I have not given access to the developers or the devs group, so the only thing he can see would be the one resource pool or namespace that I have given him access to. I'll log out from there and log in as John Smith. He is part of the testers group, and we've given access to the Docker and Docker Swarm endpoints, so here you'll see both of them. If I click on docker, as John Smith I can only see the public container and the container restricted to testers. Similarly for the Swarm, we should see the wordpress stack. Yep. So that is how we manage teams and groups.

If I log out and back in as admin, go to Users and Teams, devs team, you'll see that he is a developer; he's already auto-added to the team here, and similarly for the testers, John Smith. This is done automatically based on the group names that we have matching the team names. This is a very powerful feature; it's really useful when you have a large number of users, or a group of users, or users that change quite often. You can use the LDAP membership to give them access to your resources inside Portainer and the resources inside each of the endpoints. I hope this video has been helpful. If you have any questions or comments, feel free to comment and let us know, and thank you for watching. Catch you next time. Bye.
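The two directory lookups the video configures (user search with base DN, object-class filter and username attribute; then group search with group base DN, group filter and member attribute) and the team auto-population rule (group name must equal an existing Portainer team name) are modelled below as an added, offline example. It is not Portainer's code and not taken from the video: the directory is constructed inline under an assumed suffix dc=example,dc=com with the OUs portainer_users and portainer_groups, the users jsmith, dev1 and auditor, and the groups testers, devs and finance. It also shows the check a practitioner wants here: the login name is RFC 4515-escaped before being placed in the search filter, so a name like `jsmith)(uid=dev1` cannot change the filter's structure.

```python
"""Offline model of Portainer-style LDAP login: user search, group search,
then team auto-population by matching group cn to team names.
Added example with a constructed in-memory directory; no real server."""
import re
from typing import Callable, Dict, List, Optional

Entry = Dict[str, List[str]]

# Assumed suffix and OUs standing in for the OpenLDAP server in the video.
U = "ou=portainer_users,dc=example,dc=com"
G = "ou=portainer_groups,dc=example,dc=com"
DIRECTORY: Dict[str, Entry] = {  # constructed sample data
    f"uid=jsmith,{U}": {"objectClass": ["inetOrgPerson"], "uid": ["jsmith"], "cn": ["John Smith"]},
    f"uid=dev1,{U}": {"objectClass": ["inetOrgPerson"], "uid": ["dev1"], "cn": ["Dev One"]},
    f"uid=auditor,{U}": {"objectClass": ["inetOrgPerson"], "uid": ["auditor"], "cn": ["Auditor"]},
    f"cn=testers,{G}": {"objectClass": ["groupOfNames"], "cn": ["testers"], "member": [f"uid=jsmith,{U}"]},
    f"cn=devs,{G}": {"objectClass": ["groupOfNames"], "cn": ["devs"], "member": [f"uid=dev1,{U}"]},
    # No Portainer team is named "finance", so this membership grants nothing.
    f"cn=finance,{G}": {"objectClass": ["groupOfNames"], "cn": ["finance"], "member": [f"uid=auditor,{U}"]},
}

# The values typed into the Portainer LDAP form in the video.
SETTINGS = {
    "user_base_dn": U, "user_filter": "(objectClass=inetOrgPerson)", "username_attribute": "uid",
    "group_base_dn": G, "group_filter": "(objectClass=groupOfNames)", "group_member_attribute": "member",
}
PORTAINER_TEAMS = ["devs", "testers", "readonly", "admins"]  # teams created in the Portainer UI


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: user input can never alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def get_attr(entry: Entry, name: str) -> List[str]:
    """LDAP attribute names are case-insensitive."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def parse_filter(text: str) -> Callable[[Entry], bool]:
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...), (attr=value)."""
    pos = 0

    def parse() -> Callable[[Entry], bool]:
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("filter component must start with '('")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            subs = []
            while text[pos] == "(":
                subs.append(parse())
            if text[pos] != ")" or (op == "!" and len(subs) != 1):
                raise ValueError("malformed compound filter")
            pos += 1
            if op == "&":
                return lambda e: all(s(e) for s in subs)
            if op == "|":
                return lambda e: any(s(e) for s in subs)
            return lambda e: not subs[0](e)
        end = text.index(")", pos)
        attr, _, raw = text[pos:end].partition("=")
        pos = end + 1
        # Undo \xx escapes so an escaped '*' compares as a literal asterisk, not a wildcard.
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        return lambda e: any(v.lower() == value.lower() for v in get_attr(e, attr))

    pred = parse()
    if pos != len(text):
        raise ValueError("trailing characters in filter")
    return pred


def search(base_dn: str, filter_text: str) -> List[str]:
    """Subtree search under base_dn; returns the DNs of matching entries."""
    matches = parse_filter(filter_text)
    base = base_dn.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(entry)]


def find_user_dn(username: str) -> Optional[str]:
    """Step 1: configured user filter AND username attribute; exactly one hit or no login."""
    flt = "(&%s(%s=%s))" % (SETTINGS["user_filter"], SETTINGS["username_attribute"],
                            escape_filter_value(username))
    hits = search(SETTINGS["user_base_dn"], flt)
    return hits[0] if len(hits) == 1 else None


def groups_for(user_dn: str) -> List[str]:
    """Step 2: groups under the group base DN whose member attribute holds the user's DN."""
    flt = "(&%s(%s=%s))" % (SETTINGS["group_filter"], SETTINGS["group_member_attribute"],
                            escape_filter_value(user_dn))
    return sorted(get_attr(DIRECTORY[dn], "cn")[0] for dn in search(SETTINGS["group_base_dn"], flt))


def teams_for(username: str) -> List[str]:
    """Auto-population: only groups whose cn equals an existing team name count."""
    dn = find_user_dn(username)
    return [] if dn is None else [g for g in groups_for(dn) if g in PORTAINER_TEAMS]


if __name__ == "__main__":
    for user in ["jsmith", "dev1", "auditor", "*", "jsmith)(uid=dev1"]:
        print(f"{user!r:22} -> dn={find_user_dn(user)} teams={teams_for(user)}")
```

Running it shows jsmith landing in testers and dev1 in devs, while auditor resolves to a valid DN but gets no team because no Portainer team called finance exists; the two malformed login names resolve to nothing because their metacharacters are escaped rather than interpreted. The same escaping discipline applies to any tool that builds LDAP filters from user input, not only to this flow.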
Info
Channel: Portainer IO
Views: 718
Rating: 5 out of 5
Keywords: container management, open-source, low code, docker gui, kubernetes gui, portainer, portainer ce
Id: l2pOP9syo7g
Length: 12min 28sec (748 seconds)
Published: Wed Mar 24 2021