AuthenticationClass

AuthenticationClass is a Custom Resource Definition (CRD) that describes a generic authentication method such as LDAP or Kerberos. Several Stackable operators reference this CRD to configure how their product authenticates users, so one AuthenticationClass can be shared by multiple products.

At the moment the following authentication providers are supported:

LDAP

A minimal AuthenticationClass using LDAP authentication looks like this:

---
apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: ldap-simple
spec:
  provider:
    ldap:
      hostname: my.ldap.server (1)
      port: 389 (2)
      searchBase: ou=users,dc=example,dc=org (3)
1 The hostname of the LDAP server, without a protocol prefix or port
2 The port of the LDAP server. Defaults to 636 if TLS is configured, otherwise to 389. This example configures no TLS, so the bind credentials and the passwords of authenticating users are sent to the server unencrypted; the tls attribute shown in the full example below enables an encrypted connection
3 An optional searchBase under which users are searched

OpenLDAP

Here is an example tuned for an OpenLDAP server that reads the bind user credentials from a Kubernetes Secret via a SecretClass:

---
apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: openldap-simple
spec:
  provider:
    ldap:
      hostname: my.openldap.server
      port: 1389
      searchBase: ou=users,dc=example,dc=org
      bindCredentials:
        secretClass: openldap-simple-bind (1)
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: openldap-simple-bind (2)
spec:
  backend:
    k8sSearch:
      searchNamespace:
        pod: {} (3)
---
apiVersion: v1
kind: Secret
metadata:
  name: openldap-simple-bind (4)
  labels:
    secrets.stackable.tech/class: openldap-simple-bind (5)
stringData:
  user: cn=admin,dc=example,dc=org
  password: admin
1 The name of the SecretClass providing the bind credentials (username and password). Must match the name of the SecretClass created in ②
2 The name of the SecretClass we are creating, which is referred to by ①. See the SecretClass documentation of the secret-operator
3 Determines the namespace in which the referenced Secret is looked up. Here it searches for a Secret in the same namespace as the Pod of the product. See the SecretClass documentation
4 The Secret containing the actual bind credentials under the keys user and password. Because of the search namespace chosen in ③, the Secret must be in the same namespace as the product. The cn=admin account with password admin is a placeholder for this example; in production, bind with a dedicated account that has only the read access the product needs
5 The label marking this Secret as belonging to the SecretClass from ②. Its value must match the name of that SecretClass
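The callouts above describe three names that must agree (the secretClass reference in the AuthenticationClass, the SecretClass name, and the secrets.stackable.tech/class label on the Secret) plus a namespace constraint. The following added example, which is not part of the Stackable operators, checks those relationships on a bundle of manifests before they are applied. The page's OpenLDAP manifests are embedded as Python dicts (constructed input, with an assumed namespace of default) so the checks run offline; in practice the bundle would be loaded from YAML.

```python
"""Consistency checks for an AuthenticationClass / SecretClass / Secret bundle.

Added example, not part of any Stackable operator. MANIFESTS mirrors the
page's OpenLDAP example; the Secret namespace "default" is an assumption made
here so that the namespace check has something to compare against.
"""
import copy

CLASS_LABEL = "secrets.stackable.tech/class"

MANIFESTS = [
    {
        "apiVersion": "authentication.stackable.tech/v1alpha1",
        "kind": "AuthenticationClass",
        "metadata": {"name": "openldap-simple"},
        "spec": {"provider": {"ldap": {
            "hostname": "my.openldap.server",
            "port": 1389,
            "searchBase": "ou=users,dc=example,dc=org",
            "bindCredentials": {"secretClass": "openldap-simple-bind"},
        }}},
    },
    {
        "apiVersion": "secrets.stackable.tech/v1alpha1",
        "kind": "SecretClass",
        "metadata": {"name": "openldap-simple-bind"},
        "spec": {"backend": {"k8sSearch": {"searchNamespace": {"pod": {}}}}},
    },
    {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": "openldap-simple-bind",
            "namespace": "default",  # assumed for this example
            "labels": {CLASS_LABEL: "openldap-simple-bind"},
        },
        "stringData": {"user": "cn=admin,dc=example,dc=org", "password": "admin"},
    },
]


def by_kind(manifests, kind):
    return [m for m in manifests if m.get("kind") == kind]


def check_bundle(manifests, product_namespace="default"):
    """Return a list of findings; an empty list means the bundle is consistent."""
    findings = []
    secret_classes = {m["metadata"]["name"]: m for m in by_kind(manifests, "SecretClass")}
    secrets = by_kind(manifests, "Secret")

    for ac in by_kind(manifests, "AuthenticationClass"):
        name = ac["metadata"]["name"]
        ldap = ac.get("spec", {}).get("provider", {}).get("ldap")
        if ldap is None:
            findings.append(f"{name}: no ldap provider configured")
            continue

        bind = ldap.get("bindCredentials")
        if bind is not None:
            # Callouts 1 and 2: the reference must name an existing SecretClass.
            sc_name = bind.get("secretClass")
            sc = secret_classes.get(sc_name)
            if sc is None:
                findings.append(f"{name}: SecretClass '{sc_name}' not found")
            else:
                # Callouts 4 and 5: a Secret carrying the class label must exist,
                # and with searchNamespace.pod it must live in the product's namespace.
                search_ns = sc["spec"]["backend"].get("k8sSearch", {}).get("searchNamespace", {})
                labelled = [s for s in secrets
                            if s["metadata"].get("labels", {}).get(CLASS_LABEL) == sc_name]
                if "pod" in search_ns:
                    labelled = [s for s in labelled
                                if s["metadata"].get("namespace") == product_namespace]
                if not labelled:
                    findings.append(f"{name}: no Secret labelled {CLASS_LABEL}={sc_name} "
                                    f"in namespace {product_namespace}")
                for s in labelled:
                    keys = set(s.get("data", {})) | set(s.get("stringData", {}))
                    missing = {"user", "password"} - keys
                    if missing:
                        findings.append(f"{name}: Secret {s['metadata']['name']} lacks keys {sorted(missing)}")

        # Callout 2 of the simple example: without tls the bind goes over the wire in clear text.
        if ldap.get("tls") is None:
            findings.append(f"{name}: no tls configured; credentials are sent unencrypted "
                            f"to {ldap['hostname']}:{ldap.get('port', 389)}")
    return findings


def with_secret_label(manifests, value):
    """Copy of the bundle with the class label on every Secret replaced (for testing mismatches)."""
    out = copy.deepcopy(manifests)
    for s in by_kind(out, "Secret"):
        s["metadata"].setdefault("labels", {})[CLASS_LABEL] = value
    return out


if __name__ == "__main__":
    for finding in check_bundle(MANIFESTS):
        print("WARN", finding)
```

Run against the page's bundle, the only finding is the missing tls section; a typo in the Secret label or a Secret in another namespace produces a second finding before anything is applied to the cluster.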

The following diagram shows the relationships between the created resources:

[Diagram: AuthenticationClass refers to SecretClass by name; the Secret is selected by the secrets.stackable.tech/class label]

All possible attributes

The following example shows all possible attributes:

---
apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: ldap-full
spec:
  provider:
    ldap:
      hostname: my.ldap.server (1)
      port: 389 (2)
      searchBase: ou=users,dc=example,dc=org (3)
      searchFilter: (memberOf=cn=myTeam,ou=teams,dc=example,dc=org) (4)
      ldapFieldNames: (5)
        uid: uid
        group: memberof
        givenName: givenName
        surname: sn
        email: mail
      bindCredentials:
        secretClass: ldap-full-bind (6)
        scope: (7)
          pod: true
          node: false
          services:
            - ldap-full
      tls: (8)
        verification:
          server:
            caCert:
              secretClass: ldap-full-ca-cert
1 The hostname of the LDAP server, without a protocol prefix or port
2 The port of the LDAP server. Defaults to 636 if TLS is configured, otherwise to 389
3 The searchBase under which users are searched
4 An additional LDAP filter restricting which users may authenticate. In this example only members of the group cn=myTeam,ou=teams,dc=example,dc=org are allowed
5 The attribute names the product uses to read user properties from LDAP entries: the login name (uid), group membership, given name, surname and email
6 The name of the SecretClass providing the bind credentials (username and password)
7 The scope of the SecretClass; see the scope documentation of the secret-operator
8 TLS settings for the connection to the LDAP server. Here the server certificate is verified against a CA certificate provided by the SecretClass ldap-full-ca-cert, which protects the bind credentials and user passwords from interception and from a spoofed LDAP server