Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow injecting searchBase and searchFilter via a SecretClass in ldap AuthenticationClass #448

Open
soenkeliebau opened this issue Jun 18, 2024 · 0 comments
Open

Allow injecting searchBase and searchFilter via a SecretClass in ldap AuthenticationClass #448

soenkeliebau opened this issue Jun 18, 2024 · 0 comments
Labels
customer-request

Comments

@soenkeliebau
Copy link
Member

A customer reached out about enabling dynamic searchBase and searchFilter configuration of AuthenticationClasses for LDAP.

They are currently deploying NiFi clusters per team, that use a central ldap provider for authentication. Every team has an individual bind user that is only allowed to access ldap structures which are relevant for that team - which means that every team needs an individual 'searchBase' setting.

For the bindUser setting, we allow to configure that per namespace via a secretclass, so this is not an issue.

For the searchBase, this is hardcoded in the AuthenticationClass as a String, which at the moment means that the user has to have a dedicated authenticationclass per group that targets the same ldap.

One possible solution could be to allow specifying the searchBase and searchFilter via a SecretClass as well, this would allow the admininstrator in charge of maintaining the SecretClass to optionally delegate the searchBase (and searchFilter) to the users of this AuthenticationClass. Since these SecretClasses can be scoped to look in the namespace of a pod starting up, this would allow configuring a different searchBase per namespace, instead of just one global one.

An idea for how this could look in the CRDs is shown below, but this would most probably be breaking..

---
apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: ldap-simple
spec:
  provider:
    ldap:
      hostname: my.ldap.server
      port: 389
      searchBase:
        secretClass: openldap-searchbase
      bindCredentials:
        secretClass: openldap-bind-credentials
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: openldap-searchbase
spec:
  backend:
    k8sSearch:
      searchNamespace:
        pod: {}
---
apiVersion: v1
kind: Secret
metadata:
  name: my-admin-credentials
  namespace: userns1
  labels:
    secrets.stackable.tech/class: openldap-searchbase
stringData:
  searchBase: blablabla

The need for this in this specific case arises out of the organizational practice of not having a global ldap bind user but rather "team specific" bind users that cannot access user objects from different teams.
An organizational solution for this issue would be to change this - but that is not always possible, so the question would be if making this configurable is something we want to add.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
customer-request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lfrancke @soenkeliebau