# LDAP ## Overview StackState can use an LDAP server (including AD) to authenticate against and to get roles/groups from. It does require a running LDAP server that's accessible to StackState. The LDAP main directory and all subdirectories will be checked for user files. The bind credentials in the StackState configuration are used to authenticate StackState on the LDAP server. After authentication, StackState passes the top LDAP directory name for the user that wants to log in to StackState. ## Configure StackState for LDAP ### Kubernetes To configure StackState to authenticate using an LDAP authentication server on Kubernetes, LDAP details and user role mapping needs to be added to the file `authentication.yaml`. For example: {% tabs %} {% tab title="authentication.yaml" %} ```yaml stackstate: authentication: ldap: host: sts-ldap port: 10389 # For most LDAP servers 389 for plain, 636 for ssl connections #ssl: # sslType: ssl # trustStore: # trustCertificates bind: dn: "cn=admin,ou=employees,dc=acme,dc=com" password: "password" userQuery: parameters: - ou: employees - dc: acme - dc: com usernameKey: cn emailKey: mail groupQuery: parameters: - ou: groups - dc: acme - dc: com rolesKey: cn groupMemberKey: member # to return all nested groups, use: # groupMemberKey: "member:1.2.840.113556.1.4.1941:" # map the groups from LDAP to the # 4 standard subjects in StackState (guest, powerUser, admin and platformAdmin) roles: guest: ["ldap-guest-role-for-stackstate"] powerUser: ["ldap-power-user-role-for-stackstate"] admin: ["ldap-admin-role-for-stackstate"] platformAdmin: ["ldap-platform-admin-role-for-stackstate"] ``` {% endtab %} {% endtabs %} Follow the steps below to configure StackState to authenticate using LDAP: 1. In `authentication.yaml` - add LDAP details (see the example above): * **host** - The hostname of the LDAP server. * **port** - The port the LDAP server is listening on. * **sslType** - Optional. The type of LDAP secure connection `ssl` or `startTls`. Omit if plain LDAP connection is used. * **trustCertificates** - Optional, certificate file for SSL. Formats PEM, DER and PKCS7 are supported. * **trustStore** - Optional, Java trust store file for SSL. If both `trustCertificates` and `trustStore` are specified, `trustCertificatesPath` takes precedence. * **bind** - Optional, used to authenticate StackState to LDAP server if the LDAP server doesn't support anonymous LDAP searches. * **userQuery parameters and groupQuery parameters** - The set of parameters inside correspond to the base dn of your LDAP where users and groups can be found. The first one is used for authenticating users in StackState, while the second is used for retrieving the group of that user to determine if the user is an Administrator, Power User or a Guest. * **usernameKey** - The name of the attribute that stores the username, value is matched against the username provided on the login screen. * **emailKey** - The name of the attribute that's used as the email address in StackState. * **rolesKey** - The name of the attribute that stores the group name. * **groupMemberKey** - The name of the attribute that indicates whether a user is a member of a group. The constructed LDAP filter follows this pattern: `=,ou=groups,dc=acme,dc=com`. To return all nested groups, use `groupMemberKey: "member:1.2.840.113556.1.4.1941:"`. 2. In `authentication.yaml` - map user roles from LDAP to the correct StackState subjects (see the example above): * **roles** - for details, see the [default StackState roles](/5.1/configure/security/rbac/rbac_permissions.md#predefined-roles). More StackState roles can also be created, see the [RBAC documentation](/5.1/configure/security/rbac.md). 3. Store the file `authentication.yaml` together with the `values.yaml` from the StackState installation instructions. 4. Run a Helm upgrade to apply the changes. If you are using SSL with custom certificates, the binary certificate files that should be used when connecting to LDAP should be set from the command line, use the command under **SSL with custom certificates**: {% tabs %} {% tab title="Plain LDAP or Secure LDAP" %} ``` helm upgrade \ --install \ --namespace stackstate \ --values values.yaml \ --values authentication.yaml \ stackstate \ stackstate/stackstate ``` {% endtab %} {% tab title="SSL with custom certificates" %} **trustCertificates** ```bash helm upgrade \ --install \ --namespace stackstate \ --values values.yaml \ --values authentication.yaml \ --set-file stackstate.authentication.ldap.ssl.trustCertificates=./ldap-certificate.pem \ stackstate \ stackstate/stackstate ``` **trustStore** ```bash helm upgrade \ --install \ --namespace stackstate \ --values values.yaml \ --values authentication.yaml \ --set-file stackstate.authentication.ldap.ssl.trustStore=./ldap-cacerts \ stackstate \ stackstate/stackstate ``` {% endtab %} {% endtabs %} {% hint style="info" %} **Note:** * The first run of the helm upgrade command will result in pods restarting, which may cause a short interruption of availability. * Include `authentication.yaml` on every `helm upgrade` run. * The authentication configuration is stored as a Kubernetes secret. {% endhint %} ### Linux To configure StackState to authenticate using an LDAP authentication server on Linux, LDAP details and user role mapping needs to be added to the file `application_stackstate.conf`. For example: {% tabs %} {% tab title="application\_stackstate.conf" %} ```javascript authorization { // map the groups from the LDAP to the // 4 standard subjects in StackState (guest, powerUser, admin and platformAdmin) // Please note! you have to use the syntax // `Groups = ${stackstate.authorization.Groups} ["ldap-role"]` // to extend the list of standard roles (stackstate-admin, stackstate-platform-admin, stackstate-guest, stackstate-power-user) // with the ones from Ldap guestGroups = ${stackstate.authorization.guestGroups} ["ldap-guest-role-for-stackstate"] powerUserGroups = ${stackstate.authorization.powerUserGroups} ["ldap-powerUser-role-for-stackstate"] adminGroups = ${stackstate.authorization.adminGroups} ["ldap-admin-role-for-stackstate"] platformAdminGroups = ${stackstate.authorization.platformAdminGroups} ["ldap-platform-admin-role-for-stackstate"] } authentication { authServer { authServerType = [ "ldapAuthServer" ] ldapAuthServer { connection { host = localhost port = 8000 # ssl { # sslType = ssl # trustCertificatesPath = "/var/lib/ssl/sts-ldap.pem" # trustStorePath = "/var/lib/ssl/cacerts" # } bindCredentials { dn = "cn=admin,ou=employees,dc=acme,dc=com" password = "password" } } userQuery { parameters = [ { ou : employees } { dc : acme } { dc : com } ] usernameKey = cn emailKey = mail } groupQuery { parameters = [ { ou : groups } { dc : acme } { dc : com } ] rolesKey = cn groupMemberKey = member // to return all nested groups, use: // groupMemberKey: "member:1.2.840.113556.1.4.1941:" } } } } ``` {% endtab %} {% endtabs %} Follow the steps below to configure StackState to authenticate using LDAP: 1. In `application_stackstate.conf` - add LDAP details (see the example above): * **host** - The hostname of the LDAP server. * **port** - The port the LDAP server is listening on. * **sslType** - Optional. Omit if plain LDAP connection is used. The type of LDAP secure connection `ssl` | `startTls`. * **trustCertificatesPath** - optional, path to the trust store on the StackState server. Formats PEM, DER and PKCS7 are supported. * **trustStorePath** - optional, path to a Java trust store on the StackState server. If both `trustCertificatesPath` and `trustStorePath` are specified, `trustCertificatesPath` takes precedence. * **bindCredentials** - optional, used to authenticate StackState on the LDAP server if the LDAP server doesn't support anonymous LDAP searches. * **userQuery and groupQuery parameters** - The set of parameters inside correspond to the base dn of your LDAP where users and groups can be found. The first one is used for authenticating users in StackState, while the second is used for retrieving the group of that user to determine if the user is an Administrator, Power User or a Guest. * **usernameKey** - The name of the attribute that stores the username, value is matched against the username provided on the login screen. * **emailKey** - The name of the attribute that's used as the email address in StackState. * **rolesKey** - The name of the attribute that stores the group name. * **groupMemberKey** - The name of the attribute that indicates whether a user is a member of a group. The constructed LDAP filter follows this pattern: `=,ou=groups,dc=acme,dc=com`. To return all nested groups, use `groupMemberKey: "member:1.2.840.113556.1.4.1941:"`. 2. In `application_stackstate.conf` - map the LDAP groups to the correct StackState groups using **guestGroups**, **powerUserGroups**, **adminGroups** and **platformAdminGroups** (see the example above). For details, see the [default StackState roles](/5.1/configure/security/rbac/rbac_permissions.md#predefined-roles). More StackState roles can also be created, see the [RBAC documentation](/5.1/configure/security/rbac.md). 3. Restart StackState to apply the changes. ## See also * [Authentication options](/5.1/configure/security/authentication/authentication_options.md) * [Permissions for predefined StackState roles](/5.1/configure/security/rbac/rbac_permissions.md#predefined-roles) * [Create RBAC roles](/5.1/configure/security/rbac/rbac_roles.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://archivedocs.stackstate.com/5.1/configure/security/authentication/ldap.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.