torchbox / kube-ldap-authn

Licence: other
Kubernetes LDAP authentication service

Kubernetes LDAP authentication

This is a Kubernetes LDAP authentication service. It allows the Kubernetes API server to authenticate users against an LDAP directory. Only authentication is supported, not authorization. It will work fine with RBAC, WebHook authorization, or any other authorization method that deals with users and groups.

Directory requirements

The token is expected to be stored in an LDAP attribute such as kubernetesToken. Authenticating against userPassword is not supported. (Because kubectl stores the password unencrypted in its configuration file, this would be quite insecure.)

A sample schema might look like this:

attributeType ( 1.3.6.1.4.1.18171.2.1.8
        NAME 'kubernetesToken'
        DESC 'Kubernetes authentication token'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

objectClass ( 1.3.6.1.4.1.18171.2.3
        NAME 'kubernetesAuthenticationObject'
        DESC 'Object that may authenticate to a Kubernetes cluster'
        AUXILIARY
        MUST kubernetesToken )

We have allocated the OIDs above for these schema types, so you can use them in your own schema if you like (although there is no requirement to do so).

Setup

Copy config.py.example to config.py and edit it for your site.

Create a secret containing the configuration:

$ kubectl -n kube-system create secret generic ldap-authn-config \
        --from-file=config.py=config.py

Or if your LDAP server requires a CA certificate:

$ kubectl -n kube-system create secret generic ldap-authn-config \
        --from-file=config.py=config.py --from-file=ca-cert.pem=my-ca-cert.pem

Deploy the DaemonSet:

$ kubectl apply -f daemonset.yaml

Create a kubeconfig on the master with the connection details:

clusters:
  - name: ldap-authn
    cluster:
      server: http://localhost:8087/authn
users:
  - name: apiserver
current-context: webhook
contexts:
- context:
    cluster: ldap-authn
    user: apiserver
  name: webhook

Configure kube-apiserver to use webhook authentication by passing --authentication-token-webhook-config-file=/path/to/my/webhook-auth-kubeconfig.
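
With this configuration, kube-apiserver POSTs a TokenReview object to the /authn endpoint for each bearer token and expects a TokenReview back. The following is an added example, not kube-ldap-authn's own code, showing that exchange together with the LDAP filter built from the schema above. The function names, the "uid" and "groups" entry keys, and the in-memory sample_search (standing in for a real LDAP search) are assumptions.

```python
import json

API_VERSION = "authentication.k8s.io/v1"

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a token cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def token_filter(token):
    """Filter for the entry holding this token (schema names from this page)."""
    return ("(&(objectClass=kubernetesAuthenticationObject)"
            "(kubernetesToken=%s))" % escape_filter_value(token))

def review(body, search):
    """Answer one TokenReview; search(filter) returns the matching entries."""
    try:
        request = json.loads(body)
        token = request["spec"]["token"]
    except (ValueError, KeyError, TypeError):
        request, token = {}, None
    status = {"authenticated": False}
    if isinstance(token, str) and token:
        entries = search(token_filter(token))
        if len(entries) == 1:  # no match and ambiguous match are both rejected
            status = {"authenticated": True,
                      "user": {"username": entries[0]["uid"],
                               "groups": entries[0]["groups"]}}
    return {"apiVersion": request.get("apiVersion", API_VERSION),
            "kind": "TokenReview", "status": status}

# Constructed sample directory standing in for LDAP, keyed by the exact
# filter string a real search would receive. "uid" and "groups" are assumed.
SAMPLE_DIRECTORY = {token_filter("constructed-token-alice"):
                    [{"uid": "alice", "groups": ["developers"]}]}

def sample_search(ldap_filter):
    return SAMPLE_DIRECTORY.get(ldap_filter, [])

def demo():
    """Return the responses for a valid token and for a wildcard token."""
    def request(token):
        return json.dumps({"apiVersion": API_VERSION, "kind": "TokenReview",
                           "spec": {"token": token}})
    return (review(request("constructed-token-alice"), sample_search),
            review(request("*"), sample_search))

if __name__ == "__main__":
    for response in demo():
        print(json.dumps(response))
```

Because the sample schema defines substring matching for kubernetesToken, the token must be escaped before it is placed in a filter; the second request shows a bare "*" being treated as a literal value and rejected.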

Client setup

Configure kubectl to use your LDAP token:

$ kubectl config set-cluster mycluster --server=https://myapiserver.com/ [...]
$ kubectl config set-credentials mycluster-ldap --token="my-ldap-token"
$ kubectl config set-context mycluster --cluster=mycluster --user=mycluster-ldap