# Enabling TLS for LDAP Authentication

## Prerequisites

* Helm version 3 is installed on your system.
* The Kubernetes command line tool kubectl is configured and has access to the target installation.
* You know the name and namespace of your Connectware installation. See [Obtaining the name, namespace, and version of your Connectware installation](/2-0-3/documentation/connectware-on-kubernetes/connectware-helm-chart.md#obtaining-the-name-namespace-and-version-of-your-connectware-installation).
* The `values.yaml` file is available.
* [LDAP authentication configured](/2-0-3/documentation/connectware-on-kubernetes/ldap-authentication/configuring-ldap-authentication.md).

## Enabling TLS for LDAP Authentication

To use TLS for LDAP, set the Helm value `url` in the `global.authentication.ldap` context to a valid `ldaps://` URL. Remember to also adjust the TCP port number: plain LDAP uses port 389 by default, LDAPS uses port 636. As with any TLS client, the host name in the URL must be a name that the LDAP server's certificate was issued for; a mismatch fails validation in the same way an untrusted CA does.

Connectware verifies that the LDAP server presents a valid certificate before using it as an authentication backend. Unless your LDAP server's certificate was issued by a CA that is already trusted (for example a public CA), you must provide the CA certificate, or certificate chain, that signed it. Alternatively, you can disable certificate validation, which is not recommended for production.

### Providing the CA Certificate through Helm Values

You can provide the CA certificate in the Helm value `caChain.cert` in the `global.authentication.ldap` context. Provide the complete certificate chain necessary to validate the LDAP server’s certificate.

**Example**

{% code lineNumbers="true" %}

```yaml
global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=Users,DC=company,DC=tld
      url: ldaps://my-dc.company.tld:636
      caChain:
        cert: |
          -----BEGIN CERTIFICATE-----
          MIIFpTCCA40CFGFL86145m7JIg2RaKkAVCOV1H71MA0GCSqGSIb3DQEBCwUAMIGN
          [skipped for brevity - include whole certificate]
          SKnBS1Y1Dn2e
          -----END CERTIFICATE-----
```

{% endcode %}

As an alternative, you can provide the CA certificate through a manually created Kubernetes ConfigMap.

### Providing the CA Certificate through a Kubernetes ConfigMap

To provide the CA certificate necessary to validate the certificate used by your LDAP server, you can manually create a Kubernetes ConfigMap that contains the certificate as a file named `ca.crt`. You then provide the name of that ConfigMap in the Helm value `caChain.existingConfigMap` in the `global.authentication.ldap` context. Put only the certificate chain into the ConfigMap, never a private key: ConfigMaps are not Secrets and are readable by anyone who can read ConfigMaps in the namespace.

**Example**

Create the Kubernetes ConfigMap from a file named `ca.crt` in your current directory. The file name becomes the key in the ConfigMap, so it must be exactly `ca.crt`:

{% code lineNumbers="true" %}

```bash
kubectl -n <namespace> create cm cw-ldap-ca-cert --from-file=ca.crt
```

{% endcode %}

Specify the name of the ConfigMap:

{% code lineNumbers="true" %}

```yaml
global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=Users,DC=company,DC=tld
      url: ldaps://my-dc.company.tld:636
      caChain:
        existingConfigMap: cw-ldap-ca-cert
```

{% endcode %}
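The checks a practitioner would run before committing to either of the two CA delivery methods above, as an added example that is not part of Connectware or its Helm chart: it uses `openssl` to verify that the bundle destined for `caChain.cert` or for the `ca.crt` key of the ConfigMap actually validates the server certificate for the host named in the `ldaps://` URL, it refuses a bundle that accidentally contains a private key, and it prints the manifest equivalent to the `kubectl create cm` command. The host names, certificate subjects and function names are assumptions made for the demonstration; the certificates are generated locally, so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example (not Connectware's own tooling). Checks a CA bundle before it
# goes into caChain.cert or into the ConfigMap named in caChain.existingConfigMap:
#   1. the bundle validates the LDAP server's certificate, and that certificate
#      carries the host name used in the ldaps:// URL;
#   2. the file holds certificates only (a ConfigMap is not a Secret, so a
#      private key pasted in by mistake is readable by anyone who can read
#      ConfigMaps in the namespace).
# Host and subject names below are constructed for the demonstration.
set -e

# Print the PEM chain an LDAPS endpoint presents. Needs network access, so the
# offline demo below does not call it; the first certificate printed is the leaf.
fetch_ldaps_chain() {
  local host=$1 port=${2:-636}
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# verify_against_ca <ca-bundle> <leaf-cert> <host>: succeeds only if the leaf
# chains to the bundle AND matches the host name, which is what a TLS client
# checks against the host in the ldaps:// URL.
verify_against_ca() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# cert_only_pem <file>: succeeds only if the file contains at least one
# certificate and no private key material.
cert_only_pem() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && ! grep -q -- 'PRIVATE KEY' "$1"
}

# configmap_manifest <namespace> <name> <ca-file>: emit the manifest that
# "kubectl -n <namespace> create cm <name> --from-file=ca.crt" would create.
# The data key must be exactly ca.crt, the file name Connectware expects.
configmap_manifest() {
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: $2
  namespace: $1
data:
  ca.crt: |
$(sed 's/^/    /' "$3")
EOF
}

# Constructed offline fixtures: a demo root CA, a server certificate it issued
# for the made-up host my-dc.company.tld, an unrelated CA, and a "leaky" bundle
# that contains the CA private key.
make_demo_certs() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=my-dc.company.tld" \
    -keyout "$d/ldap.key" -out "$d/ldap.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:my-dc.company.tld\n' > "$d/san.ext"
  openssl x509 -req -days 30 -in "$d/ldap.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/san.ext" -out "$d/ldap.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
    -keyout "$d/other.key" -out "$d/other.crt" >/dev/null 2>&1
  cat "$d/ca.crt" "$d/ca.key" > "$d/leaky.pem"
}

# check <label> <ok|fail> <command...>: run the command, compare its outcome
# with the expected one, print PASS or FAIL and return 1 on a mismatch.
check() {
  local label=$1 want=$2 got=ok
  shift 2
  "$@" || got=fail
  if [ "$got" = "$want" ]; then echo "PASS $label"; else echo "FAIL $label"; return 1; fi
}

# Run every check against the fixtures; returns 0 only if all expectations hold.
demo() {
  local dir rc=0
  dir=$(mktemp -d)
  make_demo_certs "$dir"
  check "right CA validates the server certificate"   ok   verify_against_ca "$dir/ca.crt"    "$dir/ldap.crt" my-dc.company.tld || rc=1
  check "unrelated CA is rejected"                    fail verify_against_ca "$dir/other.crt" "$dir/ldap.crt" my-dc.company.tld || rc=1
  check "host name mismatch is rejected"              fail verify_against_ca "$dir/ca.crt"    "$dir/ldap.crt" other.company.tld || rc=1
  check "ca.crt holds certificates only"              ok   cert_only_pem "$dir/ca.crt" || rc=1
  check "bundle containing a private key is rejected" fail cert_only_pem "$dir/leaky.pem" || rc=1
  configmap_manifest connectware cw-ldap-ca-cert "$dir/ca.crt"
  rm -rf "$dir"
  return $rc
}

demo
```

Run it with `bash check-ldap-ca.sh`; to check a real deployment, call `verify_against_ca` with your own CA file, the server's leaf certificate (the first certificate printed by `fetch_ldaps_chain my-dc.company.tld 636`) and the host from your `ldaps://` URL, then `cert_only_pem` on the file before it goes into the ConfigMap. The host name check fails the same way an untrusted CA does, which is why the URL host has to be a name present in the server certificate's subject alternative names.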

### Disabling Certificate Validation

While we do not recommend skipping certificate validation for production use, it is possible to tell Connectware to accept any certificate the LDAP server presents. To do so, set the Helm value `caChain.trustAllCertificates` in the `global.authentication.ldap` context to `true`. Be aware of what this gives up: the connection is still encrypted, but anyone who can interpose between Connectware and the LDAP server can present their own certificate, terminate the TLS session, and read the bind DN and the passwords that Connectware sends to the directory. Use this setting for testing only, and prefer providing the CA certificate.

**Example**

{% code lineNumbers="true" %}

```yaml
global:
  authentication:
    ldap:
      enabled: true
      bindDn: CN=Users,DC=company,DC=tld
      url: ldaps://my-dc.company.tld:636
      caChain:
        trustAllCertificates: true
```

{% endcode %}

**Related Links**

* [Single Sign-On with LDAP](/2-0-3/documentation/user-management/single-sign-on-sso/single-sign-on-with-ldap.md).
* [Configuring Connectware to use LDAP authentication](/2-0-3/documentation/connectware-on-kubernetes/ldap-authentication/configuring-ldap-authentication.md)
