This topic describes how to connect VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) to an external LDAP server.



Overview

User Account and Authentication (UAA), the identity management service for Tanzu Kubernetes Grid Integrated Edition, can authenticate users either through its internal user account store or external authentication mechanisms such as an LDAP server or a SAML identity provider.

To enable an internal user account store for UAA, you select Internal UAA in the Tanzu Kubernetes Grid Integrated Edition tile > UAA.

If you want to connect Tanzu Kubernetes Grid Integrated Edition to an external LDAP server, you must integrate the UAA server with your LDAP server by following the instructions in Integrate UAA with an LDAP Server below. This enables UAA to delegate authentication to your LDAP user store.



Integrate UAA with an LDAP Server

To integrate UAA with one or more LDAP servers:

  1. In Tanzu Kubernetes Grid Integrated Edition > UAA, under Configure your UAA user account store with either internal or external authentication mechanisms, select LDAP Server.

  2. Under Server URL, enter the URLs that point to your LDAP server. For example, ldaps://example.com. If you have multiple LDAP servers, separate their URLs with spaces. Each URL must include one of the following protocols:

    • ldap://: Enter this protocol if your LDAP server uses an unencrypted connection.
    • ldaps://: Enter this protocol if your LDAP server uses SSL for an encrypted connection. To support an encrypted connection, the LDAP server must hold a trusted certificate or you must import a trusted certificate to the JVM truststore.
  3. Under LDAP Credentials, enter the LDAP Distinguished Name (DN) and password for binding to the LDAP server. For example, cn=administrator,ou=Users,dc=example,dc=com. If the bind user belongs to a different search base, you must use the full DN.

    Note: VMware recommends that you provide LDAP credentials that grant read-only permissions on the LDAP search base and the LDAP group search base.

  4. Under User Search Base, enter the location in the LDAP directory tree where LDAP user search begins. For example, a domain named cloud.example.com might use ou=Users,dc=example,dc=com as its LDAP user search base.

  5. Under User Search Filter, enter a string to use as the LDAP user search criteria. Search criteria let LDAP perform more targeted and efficient searches. For example, the standard LDAP search filter cn=Smith returns all objects whose common name equals Smith.

    In the LDAP search filter string that you use to configure Tanzu Kubernetes Grid Integrated Edition, use {0} instead of the user name. For example, use cn={0} to return all LDAP objects with the same common name as the user name. In addition to cn, other common attributes are mail, uid, and for Active Directory, sAMAccountName.

    Note: For information about testing and troubleshooting your LDAP search filters, see Configuring LDAP integration with VMware Tanzu Application Service (TAS) for VMs.

  6. Under Group Search Base, enter the location in the LDAP directory tree where the LDAP group search begins. For example, a domain named cloud.example.com might use ou=Groups,dc=example,dc=com as its LDAP group search base. You must configure Group Search Base if you want to map an external LDAP group to a role in Tanzu Kubernetes Grid Integrated Edition or a Kubernetes group.

    Note: To map the groups under this search base to roles in Tanzu Kubernetes Grid Integrated Edition, follow the instructions in Grant Tanzu Kubernetes Grid Integrated Edition Access to an External LDAP Group.

  7. Under Group Search Filter, enter a string that defines LDAP group search criteria. The default value is member={0}.

  8. Under Server SSL Cert, paste in the root certificate from your CA certificate or your self-signed certificate.

  9. Under First Name Attribute, enter the attribute name in your LDAP directory that contains user first names. For example, cn.

  10. Under Last Name Attribute, enter the attribute name in your LDAP directory that contains user last names. For example, sn.

  11. Under Email Attribute, enter the attribute name in your LDAP directory that contains user email addresses. For example, mail.

  12. Under Email Domain(s), enter a comma-separated list of the email domains for external users who can receive invitations to Apps Manager.

  13. Under LDAP Referrals, choose how UAA handles LDAP server referrals to other user stores. UAA can follow the external referrals, ignore them without returning errors, or generate an error for each external referral and abort the authentication.

  14. Under External Groups Whitelist, enter a comma-separated list of group patterns to include in the user’s id_token. For more information about accepted patterns, see the description of config.externalGroupsWhitelist in the OAuth/OIDC Identity Provider Documentation.

    Note: For users who are members of many groups, wide pattern queries can make the id_token, when sent as a Bearer token in the Authentication header, larger than web servers support.

  15. Click Save.
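The following added example (not from the VMware documentation or from UAA's source) shows the {0} substitution used by the User Search Filter (step 5) and Group Search Filter (step 7), with the substituted value escaped per RFC 4515 so that a user name such as * cannot widen the search, plus a parser for the space-separated Server URL field (step 2) that flags unencrypted ldap:// entries. It assumes {0} is a plain placeholder replacement; the function names are hypothetical.

```python
from typing import Dict, List

# RFC 4515 escapes for characters that carry meaning inside an LDAP filter.
# Without these, a user name like "*" or "x)(objectClass=*" substituted into
# cn={0} would change the filter instead of matching a literal name.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value that will be embedded in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, value: str) -> str:
    """Replace the {0} placeholder with the escaped value.

    Works for both the user filter (cn={0}, uid={0}, sAMAccountName={0})
    and the group filter (member={0}), where the value is the user's DN.
    """
    if "{0}" not in template:
        raise ValueError("filter template must contain the {0} placeholder")
    return template.replace("{0}", escape_filter_value(value))


def parse_server_urls(field: str) -> List[Dict[str, object]]:
    """Split the space-separated Server URL field and classify each entry.

    ldaps:// entries are encrypted; ldap:// entries send the bind DN and
    password in clear text and are reported so an operator can review them.
    """
    entries: List[Dict[str, object]] = []
    for url in field.split():
        if url.startswith("ldaps://"):
            entries.append({"url": url, "encrypted": True})
        elif url.startswith("ldap://"):
            entries.append({"url": url, "encrypted": False})
        else:
            raise ValueError(f"unsupported LDAP URL scheme: {url}")
    return entries


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(render_filter("cn={0}", "Smith"))
    print(render_filter("cn={0}", "*"))
    print(render_filter("member={0}", "cn=Smith,ou=Users,dc=example,dc=com"))
    print(parse_server_urls("ldaps://ldap1.example.com ldap://ldap2.example.com"))
```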



Complete Your Tile Configuration



Next Steps

For information about creating Tanzu Kubernetes Grid Integrated Edition roles and managing Kubernetes cluster access, see:
