Alauda Container Platform

LDAP Management

Platform administrators can add, update, and delete LDAP services on the platform.

TOC

LDAP Overview

LDAP (Lightweight Directory Access Protocol) is a mature, flexible, and well-supported standard mechanism for interacting with directory servers. It organizes data in a hierarchical tree structure to store enterprise user and organization information, primarily used for implementing single sign-on (SSO).

NOTE

LDAP Key Features:

  • Enables communication between clients and LDAP servers
  • Supports data storage, retrieval, and search operations
  • Provides client authentication capabilities
  • Facilitates integration with other systems

For more information, refer to the LDAP official documentation.

Supported LDAP Types

OpenLDAP

OpenLDAP is an open-source implementation of LDAP. If your organization uses open-source LDAP for user authentication, you can configure the platform to communicate with the LDAP service by adding LDAP and configuring relevant parameters.

NOTE

OpenLDAP Integration:

  • Enables platform authentication for LDAP users
  • Supports standard LDAP protocols
  • Provides flexible user management

For more information about OpenLDAP, refer to the OpenLDAP official documentation.

Active Directory

Active Directory is Microsoft's LDAP-based software for providing directory storage services in Windows systems. If your organization uses Microsoft Active Directory for user management, you can configure the platform to communicate with the Active Directory service.

NOTE

Active Directory Integration:

  • Enables platform authentication for AD users
  • Supports Windows domain integration
  • Provides enterprise-level user management

LDAP Terminology

OpenLDAP Common Terms

TermDescriptionExample
dc (Domain Component)Domain componentdc=example,dc=com
ou (Organizational Unit)Organizational unitou=People,dc=example,dc=com
cn (Common Name)Common namecn=admin,dc=example,dc=com
uid (User ID)User IDuid=example
objectClass (Object Class)Object classobjectClass=inetOrgPerson
mail (Mail)Mailmail=example@126.com
givenName (Given Name)Given namegivenName=xq
sn (Surname)Surnamesn=ren
objectClass: groupOfNamesUser groupobjectClass: groupOfNames
member (Member)Group member attributemember=cn=admin,dc=example,dc=com
memberOfUser group membership attributememberOf=cn=users,dc=example,dc=com

Active Directory Common Terms

TermDescriptionExample
dc (Domain Component)Domain componentdc=example,dc=com
ou (Organizational Unit)Organizational unitou=People,dc=example,dc=com
cn (Common Name)Common namecn=admin,dc=example,dc=com
sAMAccountName/userPrincipalNameUser identifieruserPrincipalName=example or sAMAccountName=example
objectClass: userAD user object classobjectClass=user
mail (Mail)Mailmail=example@126.com
displayNameDisplay namedisplayName=example
givenName (Given Name)Given namegivenName=xq
sn (Surname)Surnamesn=ren
objectClass: groupUser groupobjectClass: group
member (Member)Group member attributemember=CN=Admin,DC=example,DC=com
memberOfUser group membership attributememberOf=CN=Users,DC=example,DC=com

Add LDAP

TIP

After successful LDAP integration:

  • Users can log in to the platform using their enterprise accounts
  • Multiple additions of the same LDAP will overwrite previously synchronized users

Prerequisites

Before adding LDAP, prepare the following information:

  • LDAP server address
  • Administrator username
  • Administrator password
  • Other required configuration details

Steps

  1. In the left navigation bar, click Users > IDPs
  2. Click Add LDAP
  3. Configure the following parameters:

Basic Information

ParameterDescription
Server AddressLDAP server access address (e.g., 192.168.156.141:31758)
UsernameLDAP administrator DN (e.g., cn=admin,dc=example,dc=com)
PasswordLDAP administrator account password
Login Box Username PromptPrompt message for username input (e.g., "Please enter your username")

Search Settings

NOTE

Search Settings Purpose:

  • Matches LDAP user entries based on specified conditions
  • Extracts key user and group attributes
  • Maps LDAP attributes to platform user attributes
ParameterDescription
Object TypeObjectClass for users:
- OpenLDAP: inetOrgPerson
- Active Directory: organizationalPerson
- Groups: posixGroup
Login FieldAttribute used as login username:
- OpenLDAP: mail (email address)
- Active Directory: userPrincipalName
Filter ConditionsLDAP filter conditions for user/group filtering
Example: (&(cn=John*)(givenName=*xq*))
Search Starting PointBase DN for user/group search (e.g., dc=example,dc=org)
Search ScopeSearch scope:
- sub: entire directory subtree
- one: one level below starting point
Login AttributeUnique user identifier:
- OpenLDAP: uid
- Active Directory: distinguishedName
Name AttributeObject name attribute (default: cn)
Email AttributeEmail attribute:
- OpenLDAP: mail
- Active Directory: userPrincipalName
Group Member AttributeGroup member identifier (default: uid)
Group AttributeUser group relationship attribute (default: memberuid)

  1. In the IDP Service Configuration Validation section:

    • Enter a valid LDAP account username and password
    • The username must match the Login Field setting
    • Click to verify the configuration

  2. (Optional) Configure LDAP Auto-Sync Policy:

    • Enable Auto-Sync Users switch
    • Set synchronization rules
    • Use online tool to verify CRON expressions

  3. Click Add

NOTE

After adding LDAP:

  • Users can log in before synchronization
  • User information syncs automatically on first login
  • Auto-sync occurs based on configured rules

LDAP Configuration Examples

LDAP Connector Configuration

The following example shows how to configure an LDAP connector:

apiVersion: dex.coreos.com/v1
kind: Connector
id: ldap        # Connector ID
name: ldap      # Connector display name
type: ldap      # Connector type is LDAP
metadata:
  name: ldap
  namespace: cpaas-system
spec:
  config:
    # LDAP server address and port
    host: ldap.example.com:636                         
    # DN and password for the service account used by the connector.
    # This DN is used to search for users and groups.
    bindDN: uid=serviceaccount,cn=users,dc=example,dc=com 
    # Service account password, required when creating a connector.
    bindPW: password                         

    # Login account prompt. For example, username
    usernamePrompt: SSO Username
    
    # User search configuration
    userSearch:
      # Start searching from the base DN
      baseDN: cn=users,dc=example,dc=com
      # LDAP query statement, used to search for users.
      # For example: "(&(objectClass=person)(uid=<username>))"
      filter: (&(objectClass=organizationalPerson))

      # The following fields are direct mappings of user entry attributes.
      # User ID attribute
      idAttr: uid
      # Required. Attribute to map to email                     
      emailAttr: mail
      # Required. Attribute to map to username
      nameAttr: cn
      # Login username attribute
      # Filter condition will be converted to "(<attr>=<username>)", such as (uid=example).
      username: uid

      # Extended attributes
      # phoneAttr: phone

    # Group search configuration  
    groupSearch:
      # Start searching from the base DN
      baseDN: cn=groups,dc=freeipa,dc=example,dc=com
      # Group filter condition
      # "(&(objectClass=group)(member=<user uid>))".
      filter: "(objectClass=group)"
      # User group matching field
      # Group attribute
      groupAttr: member
      # User group member attribute
      userAttr: uid
      # 组显示名称
      nameAttr: cn

User Filter Examples

# 1. Basic filter: Find all users
(&(objectClass=person))

# 2. Multiple conditions combination: Find users in a specific department
(&(objectClass=person)(departmentNumber=1000))

# 3. Find enabled users (Active Directory)
(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# 4. Find users with a specific email domain
(&(objectClass=person)(mail=*@example.com))

# 5. Find members of specific group
(&(objectClass=person)(memberOf=cn=developers,ou=groups,dc=example,dc=com))

# 6. Find recently logged in users (Active Directory)
(&(objectClass=user)(lastLogon>=20240101000000.0Z))

# 7. Exclude system accounts
(&(objectClass=person)(!(uid=admin))(!(uid=system)))

# 8. Find users with a specific attribute
(&(objectClass=person)(mobile=*))

# 9. Find users in multiple departments
(&(objectClass=person)(|(ou=IT)(ou=HR)(ou=Finance)))

# 10. Complex condition combination example
(&
  (objectClass=person)
  (|(department=IT)(department=Engineering))
  (!(title=Intern))
  (manager=cn=John Doe,ou=People,dc=example,dc=com)
)

Group Search Configuration Examples

# 1. Basic filter: Find all groups
(objectClass=groupOfNames)

# 2. Find groups with a specific prefix
(&(objectClass=groupOfNames)(cn=dev-*))

# 3. Find non-empty groups
(&(objectClass=groupOfNames)(member=*))

# 4. Find groups with a specific member
(&(objectClass=groupOfNames)(member=uid=john,ou=People,dc=example,dc=com))

# 5. Find nested groups (Active Directory)
(&(objectClass=group)(|(groupType=-2147483646)(groupType=-2147483644)))

# 6. Find groups with a specific description
(&(objectClass=groupOfNames)(description=*admin*))

# 7. Exclude system groups
(&(objectClass=groupOfNames)(!(cn=system*)))

# 8. Find groups with specific members
(&(objectClass=groupOfNames)(|(cn=admins)(cn=developers)(cn=operators)))

# 9. Find groups in a specific OU
(&(objectClass=groupOfNames)(ou=IT))

# 10. Complex condition combination example
(&
  (objectClass=groupOfNames)
  (|(cn=prod-*)(cn=dev-*))
  (!(cn=deprecated-*))
  (owner=cn=admin,dc=example,dc=com)
)

Examples of AND(&) and OR(|) Operators in LDAP Filters

# AND operator (&) - All conditions must be met
# Syntax: (&(condition1)(condition2)(condition3)...)

# Multiple attribute AND example
(&
  (objectClass=person)
  (mail=*@example.com)
  (title=Engineer)
  (manager=*)
)

# OR operator (|) - At least one condition must be met
# Syntax: (|(condition1)(condition2)(condition3)...)

# Multiple attribute OR example
(|
  (department=IT)
  (department=HR)
  (department=Finance)
)

# Combining AND and OR
(&
  (objectClass=person)
  (|
    (department=IT)
    (department=R&D)
  )
  (employeeType=FullTime)
)

# Complex condition combination
(&
  (objectClass=person)
  (|
    (&
      (department=IT)
      (title=*Engineer*)
    )
    (&
      (department=R&D)
      (title=*Developer*)
    )
  )
  (!(status=Inactive))
  (|(manager=*)(isManager=TRUE))
)

Synchronize LDAP Users

After successfully synchronizing LDAP users to the platform, you can view the synchronized users in the user list.

You can configure an automatic synchronization policy when adding LDAP (which can be updated later) or manually trigger synchronization after adding LDAP successfully. Here's how to manually trigger a synchronization operation.

Notes:

  • Newly added users in the LDAP integrated with the platform can log in to the platform before performing the user synchronization operation. Once they successfully log in to the platform, their information will be automatically synchronized to the platform.

  • Users deleted from LDAP will have an Invalid status after synchronization.

  • The default validity period for newly synchronized users is Permanent.

  • Synchronized users with the same name as existing users (local users, IDP users) are automatically associated. Their permissions and validity period will be consistent with existing users. They can log in to the platform using the login method corresponding to their respective sources.

Procedure of Operation

  1. In the left navigation bar, click Users > IDPs.

  2. Click the LDAP name that you want to manually synchronize.

  3. Click Actions > Sync user in the upper-right corner.

  4. Click Sync.

    Notes: If you manually close the synchronization prompt dialog, a confirmation dialog will appear to confirm the closure. After closing the synchronization prompt dialog, the system will continue to synchronize users. If you remain on the user list page, you will receive synchronization result feedback. If you leave the user list page, you will not receive synchronization results.

Relevant Operations

You can click the on the right in the list page or click Actions in the upper-right corner on the details page to update or delete LDAP as needed.

OperationDescription
Update LDAPUpdate the configuration information of the added LDAP or the LDAP Auto-Sync Policy.

Note: After updating LDAP, users currently synchronized to the platform through this LDAP will also be updated. Users removed from LDAP will become invalid in the platform user list. You can clean up junk data by executing the operation to clean up invalid users.
Delete LDAPAfter deleting LDAP, all users synchronized to the platform through this LDAP will have an Invalid status (the binding relationship between users and roles remains unchanged), and they cannot log in to the platform. After re-integrating, synchronization needs to be re-executed to activate users.

Tips: After deleting IDP, if you need to delete users and user groups synchronized to the platform through LDAP, check the checkbox Clean IDP Users and User Groups below the prompt box.