---
title: Configure the Pinniped Supervisor to use OpenLDAP as an LDAP Provider
description: Set up the Pinniped Supervisor to use OpenLDAP login.
cascade:
  layout: docs
menu:
  docs:
    name: Configure Supervisor With OpenLDAP
    weight: 100
    parent: howtos
---

The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single "upstream" identity provider to many "downstream" cluster clients.

[OpenLDAP](https://www.openldap.org) is a popular open source LDAP server for Linux/UNIX.

This guide shows you how to configure the Supervisor so that users can authenticate to their Kubernetes cluster using their identity from an OpenLDAP server.

## Prerequisites

This how-to guide assumes that you have already [installed the Pinniped Supervisor]({{< ref "install-supervisor" >}}) with working ingress, and that you have [configured a FederationDomain to issue tokens for your downstream clusters]({{< ref "configure-supervisor" >}}).

## An Example of Deploying OpenLDAP on Kubernetes

*Note: If you already have an OpenLDAP server installed and configured, please skip to the next section to configure the Supervisor.*

There are many ways to configure and deploy OpenLDAP. In this section we document a simple way to stand up an OpenLDAP server in a way that would only be appropriate for a demo or testing environment. **Following the steps below to deploy and configure OpenLDAP is not appropriate for production use.** If you are interested in using OpenLDAP in a production setting, there are many other configuration and deployment guides available elsewhere online which would be more appropriate.

We will use [Bitnami's OpenLDAP container image](https://www.openldap.org) deployed on Kubernetes as a Deployment in the same cluster as the Supervisor. We will enable TLS and create some test user accounts on the OpenLDAP server.

First we'll need to create TLS serving certs for our OpenLDAP server.
In this example, we'll use the `cfssl` CLI tool, but they could also be created with other tools (e.g. `openssl` or `step`).

```sh
cfssl print-defaults config > /tmp/cfssl-default.json
echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > /tmp/csr.json

cfssl genkey \
  -config /tmp/cfssl-default.json \
  -initca /tmp/csr.json \
  | cfssljson -bare ca

cfssl gencert \
  -ca ca.pem -ca-key ca-key.pem \
  -config /tmp/cfssl-default.json \
  -profile www \
  -cn "ldap.openldap.svc.cluster.local" \
  -hostname "ldap.openldap.svc.cluster.local" \
  /tmp/csr.json \
  | cfssljson -bare ldap
```

The above commands will create the following files in your current working directory: `ca-key.pem`, `ca.csr`, `ca.pem`, `ldap-key.pem`, `ldap.csr`, and `ldap.pem`.

Next, create a namespace for the OpenLDAP deployment.

```sh
kubectl create namespace openldap
```

Next, load some of those certificate files into a Kubernetes Secret in the new namespace, so they can be available to the Deployment in the following step.

```sh
kubectl create secret generic -n openldap certs \
  --from-file=ldap.pem --from-file=ldap-key.pem --from-file=ca.pem
```

Finally, create this Deployment for the OpenLDAP server. Also create a Service to expose the OpenLDAP server within the cluster on the service network so the Supervisor can connect to it.
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ldap
  namespace: openldap
  labels:
    app: ldap
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ldap
  template:
    metadata:
      labels:
        app: ldap
    spec:
      containers:
        - name: ldap
          image: docker.io/bitnami/openldap
          imagePullPolicy: Always
          ports:
            - name: ldap
              containerPort: 1389
            - name: ldaps
              containerPort: 1636
          resources:
            requests:
              cpu: "100m"
              memory: "64Mi"
          readinessProbe:
            tcpSocket:
              port: ldap
            initialDelaySeconds: 2
            timeoutSeconds: 90
            periodSeconds: 2
            failureThreshold: 9
          env:
            - name: BITNAMI_DEBUG
              value: "true"
            - name: LDAP_ADMIN_USERNAME
              value: "admin"
            - name: LDAP_ADMIN_PASSWORD
              # Rather than hard-coding passwords, please consider
              # using a Secret with a random password!
              # We are hard-coding the password to keep this example
              # as simple as possible.
              value: "admin123"
            - name: LDAP_ROOT
              value: "dc=pinniped,dc=dev"
            - name: LDAP_USER_DC
              value: "users"
            - name: LDAP_USERS
              value: "pinny,wally"
            - name: LDAP_PASSWORDS
              # Rather than hard-coding passwords, please consider
              # using a Secret with random passwords!
              # We are hard-coding the passwords to keep this example
              # as simple as possible.
              value: "pinny123,wally123"
            - name: LDAP_GROUP
              value: "users"
            - name: LDAP_ENABLE_TLS
              value: "yes"
            - name: LDAP_TLS_CERT_FILE
              value: "/var/certs/ldap.pem"
            - name: LDAP_TLS_KEY_FILE
              value: "/var/certs/ldap-key.pem"
            - name: LDAP_TLS_CA_FILE
              value: "/var/certs/ca.pem"
          volumeMounts:
            - name: certs
              mountPath: /var/certs
              readOnly: true
      volumes:
        - name: certs
          secret:
            secretName: certs
---
apiVersion: v1
kind: Service
metadata:
  name: ldap
  namespace: openldap
  labels:
    app: ldap
spec:
  type: ClusterIP
  selector:
    app: ldap
  ports:
    - protocol: TCP
      port: 636
      targetPort: 1636
      name: ldaps
```

If you've saved this into a file `openldap.yaml`, then install it into your cluster using:

```sh
kubectl apply -f openldap.yaml
```

## Configure the Supervisor cluster

Create an [LDAPIdentityProvider](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#ldapidentityprovider) in the same namespace as the Supervisor.

For example, this LDAPIdentityProvider configures the LDAP entry's `uid` as the Kubernetes username, and the `cn` (common name) of each group to which the user belongs as the Kubernetes group names. The specific values in this example are appropriate for the OpenLDAP server deployed by the previous section's steps, but the values could be customized for your pre-existing LDAP server if you skipped the previous section.

We'll use the CA created in the steps above to trust the TLS certificates of the OpenLDAP server.

```sh
cat <
```

}})! Then you'll be able to log into those clusters as any of the users from the OpenLDAP directory.
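Two things a practitioner will want beyond the demo manifest above: the passwords that the Deployment hard-codes (`admin123`, `pinny123,wally123`) should come from a Secret, and the `ca.pem` written by the `cfssl` step should be confirmed to actually validate the certificate served on the OpenLDAP Service's LDAPS port before the Supervisor is told to trust it. The following script is an added example, not part of the Pinniped docs or the Bitnami image; it assumes a Secret named `openldap-creds` in the `openldap` namespace (a name chosen here) and reuses the service hostname and port from the guide. Only `openssl`, `base64` and `kubectl` are required.

```shell
#!/bin/sh
# Added example (not from the Pinniped docs): keep the demo passwords out of the
# Deployment manifest, and confirm that the CA from the cfssl step validates the
# OpenLDAP server's LDAPS certificate before the Supervisor is configured to trust it.
# Assumed names: Secret "openldap-creds" in namespace "openldap". The hostname
# ldap.openldap.svc.cluster.local and port 636 come from the guide's Service.
set -eu

LDAP_NS="openldap"
CREDS_SECRET="openldap-creds"                   # assumed name, not from the guide
LDAPS_HOST="ldap.openldap.svc.cluster.local"    # CN/SAN on the serving cert
LDAPS_CONNECT="${LDAPS_CONNECT:-$LDAPS_HOST:636}" # override e.g. to 127.0.0.1:6636 when port-forwarding
CA_FILE="ca.pem"                                # written by "cfssljson -bare ca"

# Random alphanumeric password of the requested length (default 24 characters),
# drawn from /dev/urandom. Alphanumeric only, so it is safe inside the
# comma-separated LDAP_PASSWORDS value the Bitnami image expects.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-24}"
}

# Encode a file as a single-line base64 string, the form that Kubernetes Secret
# "data" fields and the LDAPIdentityProvider's spec.tls.certificateAuthorityData
# expect. GNU base64 wraps output at 76 columns, so newlines are stripped.
b64_oneline() {
  base64 <"$1" | tr -d '\n'
}

# Create the Secret the Deployment should read its passwords from, in place of
# the hard-coded LDAP_ADMIN_PASSWORD and LDAP_PASSWORDS values in the guide.
create_password_secret() {
  admin_pw=$(gen_password)
  pinny_pw=$(gen_password)
  wally_pw=$(gen_password)
  kubectl create secret generic "$CREDS_SECRET" -n "$LDAP_NS" \
    --from-literal=admin-password="$admin_pw" \
    --from-literal=user-passwords="${pinny_pw},${wally_pw}"
}

# Fail unless the certificate presented on the LDAPS port chains to ca.pem and
# carries the expected hostname. Run from a pod inside the cluster, or set
# LDAPS_CONNECT to a kubectl port-forward address; SNI and hostname checks still
# use the service name either way.
check_ldaps_chain() {
  openssl s_client -connect "$LDAPS_CONNECT" -servername "$LDAPS_HOST" \
    -CAfile "$CA_FILE" -verify_hostname "$LDAPS_HOST" -verify_return_error \
    </dev/null >/dev/null
}

case "${1:-}" in
  secret) create_password_secret ;;
  check)  check_ldaps_chain && echo "LDAPS chain OK for $LDAPS_CONNECT" ;;
  cadata) b64_oneline "$CA_FILE" ;;   # value for spec.tls.certificateAuthorityData
  *)      ;;                          # no argument: only define the functions
esac
```

With the Secret in place, the Deployment's `LDAP_ADMIN_PASSWORD` entry becomes `valueFrom: {secretKeyRef: {name: openldap-creds, key: admin-password}}` and `LDAP_PASSWORDS` likewise points at the `user-passwords` key, so no credential is stored in `openldap.yaml`. `sh script.sh check` exiting non-zero (for example with `verify error` output) means the Supervisor would also reject the server, so fix the certificate or the CA before creating the LDAPIdentityProvider; `sh script.sh cadata` prints the base64 value to paste into its `spec.tls.certificateAuthorityData`.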