Connectware 1.10.2
© Copyright 2025, Cybus GmbH

Configuring LDAP Authentication


Last updated 23 days ago


Prerequisites

  • Helm version 3 is installed on your system.

  • The Kubernetes command line tool kubectl is configured and has access to the target installation.

  • You know the name and namespace of your Connectware installation. See Obtaining the name, namespace, and version of your Connectware installation.

  • The values.yaml file is available.

Configuring LDAP Authentication

When configuring LDAP authentication, you need to match Connectware’s settings to the capabilities of your LDAP server. There are two fundamental decisions to make:

  1. Choosing between “group” and “attribute” mode.

  2. Whether to use a bind user.

Connectware LDAP Modes

Connectware offers two modes for LDAP authentication:

  • Group mode

  • Attribute mode

For more information, see .

Using a Bind User

A bind user is common in LDAP setups that use a more complicated directory structure. It is a limited user that you create in your LDAP directory, usually a read-only user with permission to search through the LDAP directory tree.

It is used when users don’t share a single LDAP base DN (e.g. are not in the same group). If your users are spread across the directory tree, you will likely want to use a bind user.

Enabling LDAP Authentication

To enable the LDAP feature in Connectware, you need to set the Helm value global.authentication.ldap.enabled to true.

Additionally, you always need to provide these Helm values within the global.authentication.ldap context:

| Value | Example | Description |
| --- | --- | --- |
| bindDn | CN=Users,DC=example,DC=org | bindDn contains either the LDAP base DN of users logging in, or the DN of a dedicated bind user that is able to search for the user trying to log in within the search base. |
| url | ldap://dc.mycompany.tld:389 | URL of the LDAP server in the format schema://hostname:port |

Example

global:
    authentication:
        ldap:
            enabled: true
            bindDn: CN=Users,DC=company,DC=tld
            url: ldap://my-dc.company.tld:389

If you are using a bind user to search through the directory tree, you must specify the full DN of the bind user as bindDn, and also need to provide these values:

| Value | Example | Description |
| --- | --- | --- |
| bindPassword | ANc97WCO"!xcC=( | bindPassword contains the password for the bind user as defined in your LDAP server. |
| searchBase | CN=Users,DC=company,DC=tld | searchBase contains the base DN that all users share. It is the root from which the search for valid users is performed. |

Example

global:
    authentication:
        ldap:
            enabled: true
            bindDn: CN=connectwarebinduser,CN=Users,DC=company,DC=tld
            bindPassword: SuperS3cret!
            url: ldap://my-dc.company.tld:389
            searchBase: CN=Users,DC=company,DC=tld

Providing a bindPassword, either in the Helm values or through existingBindSecret, changes the meaning of bindDn: instead of being the single base DN that contains all users that are allowed to log into Connectware, it contains the DN of a single user, the bind user. In this scenario, searchBase contains the base DN that all users share and acts as the root from which the search for valid users is performed.

Configuring Group Mode

To configure Connectware to use LDAP in group mode, you need to specify the LDAP attribute of your users that lists the LDAP groups they are members of. This is done through the Helm value memberAttribute within the global.authentication.ldap context. Additionally, mode must be set to group.

The default value of memberOf is often the correct choice, but you may have to adapt this to your LDAP server.

Example

global:
    authentication:
        ldap:
            enabled: true
            bindDn: CN=Users,DC=company,DC=tld
            url: ldap://my-dc.company.tld:389
            mode: group
            memberAttribute: memberOf

Configuring Attribute Mode

To configure Connectware to use LDAP in attribute mode, you need to specify the LDAP attribute of your users that holds the Connectware role associated with the user. This is done through the Helm value rolesAttribute within the global.authentication.ldap context. Additionally, mode must be set to attribute.

The default value of employeeType is often the correct choice, but you may have to adapt this to your LDAP server.

Example

global:
    authentication:
        ldap:
            enabled: true
            bindDn: CN=Users,DC=company,DC=tld
            url: ldap://my-dc.company.tld:389
            mode: attribute
            rolesAttribute: employeeType
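
The value rules from the sections above (bindDn and url always required, searchBase required once a bind user is used, the two modes) written as a pre-deployment check over a parsed values.yaml. This is an added example, not part of the Connectware documentation or Helm chart; lint_ldap_values, its finding texts and the placement of existingBindSecret in the ldap context are assumptions.

```python
from urllib.parse import urlsplit

# Added example, not part of Connectware: lint_ldap_values and its finding texts
# are hypothetical. Assumes existingBindSecret sits in the same ldap context.
def lint_ldap_values(values):
    """Return (severity, message) findings for a parsed values.yaml dict."""
    ldap = values.get("global", {}).get("authentication", {}).get("ldap", {})
    if ldap.get("enabled") is not True:
        return []  # LDAP authentication is off, nothing to check
    findings = []
    for key in ("bindDn", "url"):  # always required once LDAP is enabled
        if not ldap.get(key):
            findings.append(("error", f"{key} is required"))
    url = ldap.get("url")
    if url:
        try:
            parts = urlsplit(url)
            complete = bool(parts.scheme and parts.hostname and parts.port)
        except ValueError:  # malformed host or non-numeric/out-of-range port
            complete = False
        if not complete:
            findings.append(("error", "url must be schema://hostname:port"))
        elif parts.scheme == "ldap":
            findings.append(("warning", "ldap:// is unencrypted, enable TLS"))
    # A bind password (inline or from a secret) turns bindDn into the bind
    # user's DN, so searchBase has to supply the base DN shared by all users.
    bind_user = ldap.get("bindPassword") or ldap.get("existingBindSecret")
    if bind_user and not ldap.get("searchBase"):
        findings.append(("error", "searchBase is required with a bind user"))
    if ldap.get("bindPassword"):
        findings.append(("warning", "bindPassword is plain text in the values "
                         "file, consider existingBindSecret"))
    mode = ldap.get("mode")
    if mode is not None and mode not in ("group", "attribute"):
        findings.append(("error", f"mode must be group or attribute: {mode!r}"))
    return findings

# Constructed sample: this page's bind-user example with searchBase left out.
SAMPLE = {"global": {"authentication": {"ldap": {
    "enabled": True,
    "bindDn": "CN=connectwarebinduser,CN=Users,DC=company,DC=tld",
    "bindPassword": "SuperS3cret!",
    "url": "ldap://my-dc.company.tld:389",
    "mode": "group",
}}}}

if __name__ == "__main__":
    for severity, message in lint_ldap_values(SAMPLE):
        print(f"{severity}: {message}")
```

Run against the sample, the check reports the missing searchBase as an error and flags both the unencrypted URL and the inline bind password as warnings.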

Further LDAP Topics

Enabling TLS for LDAP

Connectware supports connecting to LDAP servers that offer Transport Layer Security. The ldap:// URLs used in the examples on this page do not encrypt traffic, so the bind password and user passwords cross the network in cleartext unless TLS is enabled. You can find out how to configure this in the article Enabling TLS for LDAP Authentication.

Providing Bind User through an Existing Kubernetes Secret

If you don’t want to provide the bind user and its password through your Helm values, for example because you follow a GitOps approach for your Connectware deployment, you can provide the bind user through a manually created Kubernetes secret that is specified in existingBindSecret. You can find detailed instructions in the article Manual Kubernetes Secret for LDAP Authentication Bind User.

Customizing the Search Filter

By default, the username trying to log in acts as the search filter, but there may be advanced situations where this is not enough, for example when it matches multiple users. Visit the article Customizing the Search Filter for LDAP Authentication to learn how to customize the search filter.

Customizing the User RDN

The user RDN describes which LDAP attribute contains the username. By default this is cn, but if this is not correct for your LDAP setup, you can customize it using the userRdn Helm value. Find out more in the article Customizing the User RDN for LDAP Authentication.

Related Links

In group mode, the LDAP groups are mapped to Connectware roles using the Connectware UI. For more information, see .
