# Enabling TLS for LDAP Authentication

## Prerequisites

* Helm version 3 is installed on your system.
* The Kubernetes command line tool kubectl is configured and has access to the target installation.
* You know the name and namespace of your Connectware installation. See [Obtaining the name, namespace, and version of your Connectware installation](https://docs.cybus.io/2-0-2/documentation/connectware-helm-chart#obtaining-the-name-namespace-and-version-of-your-connectware-installation).
* The `values.yaml` file is available.
* [LDAP authentication configured](https://docs.cybus.io/2-0-2/documentation/connectware-on-kubernetes/ldap-authentication/configuring-ldap-authentication).

## Enabling TLS for LDAP Authentication

To use TLS for LDAP, set an `ldaps://` URL as the Helm value `url` in the `global.authentication.ldap` context. Remember to also adjust the TCP port number: LDAPS uses port 636 by default, whereas plain LDAP uses port 389. Use the hostname the server's certificate was issued for rather than an IP address, because, as for any TLS client, a certificate is only valid for the names it lists.

Connectware verifies that the LDAP server presents a valid certificate before using it as an authentication backend. Unless the server's certificate was issued by a CA that is already trusted, such as a publicly trusted root CA, you need to provide the CA certificate chain that issued your LDAP server's certificate. Alternatively, you can disable certificate validation, which is not recommended for production use.

### Providing the CA Certificate through Helm Values

You can provide the CA certificate in the Helm value `caChain.cert` in the `global.authentication.ldap` context. Provide the complete certificate chain needed to validate the LDAP server's certificate: the root CA certificate plus any intermediate CA certificates, as concatenated PEM blocks. The LDAP server's own certificate does not belong in this value.

**Example**

{% code lineNumbers="true" %}

```yaml
global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=Users,DC=company,DC=tld
      url: ldaps://my-dc.company.tld:636
      caChain:
        cert: |
          -----BEGIN CERTIFICATE-----
          MIIFpTCCA40CFGFL86145m7JIg2RaKkAVCOV1H71MA0GCSqGSIb3DQEBCwUAMIGN
          [skipped for brevity - include whole certificate]
          SKnBS1Y1Dn2e
          -----END CERTIFICATE-----
```

{% endcode %}

As an alternative, you can provide the CA certificate through a manually created Kubernetes ConfigMap.

### Providing the CA Certificate through a Kubernetes ConfigMap

To provide the CA certificate chain needed to validate your LDAP server's certificate, you can manually create a Kubernetes ConfigMap that contains the chain under a key named `ca.crt`. You then provide the name of that ConfigMap in the Helm value `caChain.existingConfigMap` in the `global.authentication.ldap` context.

**Example**

Create the Kubernetes ConfigMap from a file named `ca.crt` in your current directory (the file name becomes the key in the ConfigMap, so it must be `ca.crt`):

{% code lineNumbers="true" %}

```bash
kubectl -n <namespace> create cm cw-ldap-ca-cert --from-file=ca.crt
```

{% endcode %}

Specify the name of the ConfigMap:

{% code lineNumbers="true" %}

```yaml
global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=Users,DC=company,DC=tld
      url: ldaps://my-dc.company.tld:636
      caChain:
        existingConfigMap: cw-ldap-ca-cert
```

{% endcode %}

### Disabling Certificate Validation

While we do not recommend skipping certificate validation for production use, it is possible to tell Connectware to accept any certificate the LDAP server presents. To do so, set the Helm value `caChain.trustAllCertificates` in the `global.authentication.ldap` context to `true`. Note that this keeps the connection encrypted but removes server authentication: anyone who can redirect or intercept traffic to the LDAP server can impersonate it and capture the bind credentials and every user password Connectware sends. Use it only for temporary troubleshooting and provide the CA chain as described above instead.

**Example**

{% code lineNumbers="true" %}

```yaml
global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=Users,DC=company,DC=tld
      url: ldaps://my-dc.company.tld:636
      caChain:
        trustAllCertificates: true
```

{% endcode %}

**Related Links**

* [Single Sign-On with LDAP](https://docs.cybus.io/2-0-2/documentation/user-management/single-sign-on-sso/single-sign-on-with-ldap)
* [Configuring Connectware to use LDAP authentication](https://docs.cybus.io/2-0-2/documentation/connectware-on-kubernetes/ldap-authentication/configuring-ldap-authentication)
