LDAP Users/Groups in Portainer

So, you have Portainer running, and now you want to integrate it with your corporate LDAP directory in order to centralise user and group management? Well, read on, because this article is for you.

First up, Portainer will allow you to auto-create users that successfully authenticate via LDAP; however, any auto-created users will not be able to access any endpoint unless they are manually granted access to an endpoint, or map to a corresponding Portainer Team which has access to an endpoint (a Portainer Team maps to an LDAP group when enabled).


Let's get started. For the purpose of this article, we have used OpenLDAP as the LDAP repository, and have fronted it with phpLDAPadmin for simplicity. Your LDAP config (and corresponding LDAP attributes) may differ. We used the container image sealeo/openldap as it's self-contained and easy to use.

Below is the login screen (available on port 80 of the container):

[Screenshot: phpLDAPadmin login screen]

OK, step 1. Create the OUs to hold "users" and "groups".

Click "create new entry here", then select "Generic: Organisational Unit", then enter "groups" and save it; repeat for "users". You should then see your OUs in the left-hand navigation pane.


Now let's create your users. Click on the users OU, then click on "create child entry" and select "Default". Select "inetOrgPerson" as the type and click "proceed". Set the RDN to be "CN" and then enter a username in the three fields "cn", "sn", and "username". Also set a password where prompted. Click "Create Object" and then "commit". Repeat for all remaining users.


Now let's create the LDAP groups that will correspond to Portainer Teams, and then add the users into those groups.

Click on the "groups" OU, and then click "Create a child entry". Select "Default" and then "groupOfNames" as the type. Set the RDN as "CN" and then enter a group name in the "CN" field, and in the "member" field, browse to select all the applicable users. Once finished, click "create object". Repeat for all groups.


Now let's switch to Portainer.

Log in as an admin, and then click "settings", and then "authentication".

Click on LDAP to enable LDAP authentication, and then enter your LDAP access details.

For our demo, our LDAP server is 192.168.1.42:389. Note that this is LDAP without TLS, so bind credentials cross the network unencrypted; if you use TLS, you need the TLS certs. Add a reader DN account, which is an account in LDAP that can query LDAP. Click "connectivity check" and make sure you get a green tick.


Now you are ready to start adding the LDAP search criteria.

To enable any authenticated LDAP user to log in to Portainer, scroll down and enable "automatic user provisioning". If you do not enable this, users must be pre-created in Portainer, with LDAP used only for password authentication.

To add the User Search configuration, add the base DN of your domain, the username attribute used in your LDAP, and any applicable filters.

Note: for native LDAP, enter "uid" as the username attribute. For Active Directory, enter either "userPrincipalName" if your usernames will be in the format "user@mydomain.com", or "sAMAccountName" if your usernames will be in the format "username". These entries are case sensitive. DO NOT USE "uid" with Active Directory, as it will not work.

To add the Group Search configuration, add the base DN of your domain, and then the group membership attribute used in your LDAP, and any applicable filters.

In order to use user/group auto-association, you must first pre-create teams in Portainer with team names that match the LDAP group names (case sensitive).

Note: for native LDAP, enter "member" as the group membership attribute.


For the OPTIONAL filters, with native LDAP you can use (objectClass=inetOrgPerson) to only search for users with the "inetOrgPerson" schema type, and (objectClass=groupOfNames) to only search for groups with the "groupOfNames" schema type.

Click "save settings" to continue, then navigate to "users" and then "teams".

Create the team names that correspond to LDAP groups you want to enable access to Portainer for (in our case Development and Production).


Now click on Endpoints, and click "manage access" on the endpoint you want to grant access.


Click on the teams you want to allow access; they will move from the left side (unauthorised) to the right side (authorised).


You can now log out as admin, and log in as one of your LDAP users; you can see they have access and can directly start working with the assigned endpoint of their team.
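A pre-flight check for the group-to-team mapping described above, as an added example that is not from the original article or from Portainer's code: it parses an LDIF export of the directory and reports, for each user, which Portainer teams an exact, case-sensitive match on the group name would place them in. The base DN dc=example,dc=org, the user names, the lowercase `production` group and the function names are constructed for illustration.

```python
# Constructed sample LDIF; dc=example,dc=org and the user names are placeholders.
SAMPLE_LDIF = """\
dn: cn=alice,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
cn: alice
sn: alice
uid: alice

dn: cn=bob,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
cn: bob
sn: bob
uid: bob

dn: cn=Development,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: Development
member: cn=alice,ou=users,dc=example,dc=org

dn: cn=production,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: production
member: cn=bob,ou=users,dc=example,dc=org
"""
TEAMS = {"Development", "Production"}  # team names created in Portainer

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def team_audit(ldif, teams, user_attr="uid", member_attr="member"):
    """Map each username to its matching teams; DNs are compared as exact strings
    (a simplification) and team names case-sensitively. [] means no team access."""
    entries = parse_ldif(ldif)
    groups = [e for e in entries if "groupOfNames" in e["objectClass"]]
    result = {}
    for e in entries:
        if "inetOrgPerson" in e["objectClass"]:
            result[e[user_attr][0]] = sorted(
                g["cn"][0] for g in groups
                if e["dn"][0] in g[member_attr] and g["cn"][0] in teams)
    return result

print(team_audit(SAMPLE_LDIF, TEAMS))
```

A user mapped to an empty list would be auto-provisioned on first login but could not reach any endpoint until granted access manually.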


Clearly this is a pretty simple example, and most corporates will have a far more complex LDAP infrastructure, but the principle is the same. You might have different LDAP criteria based on your schema (posixuser / posixgroup).

