Enabling TLS for LDAP Authentication

Prerequisites

• Helm version 3 is installed on your system.

• The Kubernetes command line tool kubectl is configured and has access to the target installation.

• You know the name and namespace of your Connectware installation. See Obtaining the name, namespace, and version of your Connectware installation.

• The values.yaml file is available.

• LDAP authentication configured.

Enabling TLS for LDAP Authentication

To use TLS for LDAP you only need to set a valid ldaps:// URL for the Helm value url in the global.authentication.ldap context. Remember to also adjust the TCP port number. By default LDAPS uses port 636.

Connectware will verify that the LDAP server presents a valid certificate before using it as authentication backend. Unless you have a certificate for your LDAP server that is signed by a valid root CA, you will need to provide the CA certificate that signed your LDAP server’s certificate. Alternatively you can disable certificate validation.

Providing the CA Certificate through Helm Values

You can simply provide the CA certificate in the Helm value caChain.cert in the global.authentication.ldap context. Provide the complete certificate chain necessary to validate the LDAP server’s certificate.

Example

global:
    authentication:
        ldap:
            enabled: true
            bindDn: CN=Users,DC=company,DC=tld
            url: ldaps://my-dc.complany.tld:636
            caChain:
                cert: |
                    -----BEGIN CERTIFICATE-----
                    MIIFpTCCA40CFGFL86145m7JIg2RaKkAVCOV1H71MA0GCSqGSIb3DQEBCwUAMIGN
                    [skipped for brevity - include whole certificate]
                    SKnBS1Y1Dn2e
                    -----END CERTIFICATE-----

As an alternative, you can provide the CA certificate through a manually create Kubernetes ConfigMap.

Providing the CA Certificate through a Kubernetes ConfigMap

To provide the CA certificate necessary to validate the certificate used by your LDAP server, you can manually create a Kubernetes ConfigMap that contains the certificate as a file named ca.crt. You will then provide the name of that ConfigMap in the Helm value caChain.existingConfigMap in the global.authentication.ldap context.

Example

Create the Kubernetes ConfigMap from a file named ca.crt in your current directory:

kubectl -n <namespace> create cm cw-ldap-ca-cert --from-file ca.cr

Specify the name of the ConfigMap:

global:
    authentication:
        ldap:
            enabled: true
            bindDn: CN=Users,DC=company,DC=tld
            url: ldaps://my-dc.complany.tld:636
            caChain:
                existingConfigMap: cw-ldap-ca-cert

Disabling Certificate Validation

While we do not recommend skipping certificate validation for production use, it is possible to tell Connectware to accept any certificate the LDAP server presents. To do so, simply set the Helm value caChain.trustAllCertificates in the global.authentication.ldap context to true.

Example

global:
    authentication:
        ldap:
            enabled: true
            bindDn: CN=Users,DC=company,DC=tld
            url: ldaps://my-dc.complany.tld:636
            caChain:
                trustAllCertificates: true

Related Links

• Single Sign-On with LDAP.

• Configuring Connectware to use LDAP authentication