Integrate Portainer with OpenLDAP for Authentication


Follow through this guide to learn how to integrate Portainer with OpenLDAP for authentication. By default, Portainer ships with its own internal authentication mechanism, but if you already run OpenLDAP in your environment you can integrate Portainer with it so that user accounts, and their access to the various container environments, are managed centrally in the directory.

When LDAP authentication is enabled, Portainer delegates user authentication to the LDAP server and falls back to its internal authentication if LDAP authentication fails. Keep in mind what that fallback implies: the built-in internal administrator account stays valid alongside the LDAP accounts, so protect it with a strong password. It is also your way back in if the LDAP settings are ever misconfigured.

With the Portainer Community Edition, some LDAP-related features are not available: only the Custom server type is offered, and team members can only be given the Standard user role, as noted where these come up below.

Integrate Portainer with OpenLDAP for Authentication

To begin with, ensure you have Portainer and OpenLDAP already installed and set up.

You can use some of our tutorials below;

Install Portainer on Linux

Install and Setup Portainer in Linux

Install OpenLDAP Server on Linux

Install and Configure OpenLDAP for Authentication

Create OpenLDAP Portainer Access Groups

To make the account and access management easy, you can create specific groups on OpenLDAP.

Each user that needs to access and manage various container environments via the Portainer web interface can belong to a specific OpenLDAP group.

As per the guide below, we have created two groups, devops and admins, on OpenLDAP;

How to Create OpenLDAP Member Groups

Confirming the groups and members;

Devops Group

ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -QQQ \
-b "dc=ldapmaster,dc=kifarunix-demo,dc=com" cn=devops

Sample output;

dn: cn=devops,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
cn: devops
member: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

The members' user entries carry the matching memberOf attribute. On OpenLDAP this attribute is populated by the memberof overlay, which must be enabled before the user filter used later in this guide can rely on it;

memberOf: cn=devops,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

Admins Group;

ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -QQQ \
-b "dc=ldapmaster,dc=kifarunix-demo,dc=com" cn=admins

Sample output;

dn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
cn: admins
member: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

Likewise, the members of admins carry the matching memberOf attribute;

memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

All users and their group memberships can be listed in one query. Note that memberOf has to be named explicitly in the attribute list, as here, because it is an operational attribute that ldapsearch does not return by default;

ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" uid=* memberOf -QQQ -LLL
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=devops,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=devops,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

Create Portainer Teams for the OpenLDAP Groups

To map LDAP group membership onto Portainer access, create Portainer teams whose names exactly match the OpenLDAP group names (the cn values). Portainer compares the groups returned by the group search configured later against the team names and adds each LDAP user to the matching teams when they log in; a group with no same-named team is simply ignored.

In our OpenLDAP, we have two groups, admins and devops.

Thus, log in to Portainer and navigate to Users > Teams and create teams whose names match the OpenLDAP group names.


Connect Portainer to OpenLDAP Server

Head over to the Portainer web interface and navigate to Settings > Authentication and select LDAP (LDAP Authentication).


Server type, Custom, is selected by default on the community edition version.

Next, configure OpenLDAP server connection details;

  • LDAP server address: an IP address or a domain name that resolves from inside the Portainer container (Portainer performs the lookup, not your browser).
  • Disable the Anonymous mode option if your LDAP server requires a bind before records can be read, which a sensibly configured directory does.
  • Reader DN/Bind DN and Password: the DN Portainer binds with to search the directory for user and group entries. Portainer stores this password, so use a dedicated account whose ACLs only allow reading the attributes needed here (uid, host, member, memberOf) rather than the directory's rootdn such as cn=admin.
  • Click Test Connectivity to confirm that Portainer can bind to the OpenLDAP server with the provided credentials. The same bind can be checked outside Portainer with ldapwhoami using the Reader DN and password.
portainer ldap configuration
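The Test Connectivity result only tells you whether the bind succeeded. To see what the StartTLS option in the TLS settings below actually does on the wire, and what Skip certificate verification gives up, here is an added example (not Portainer's code and not from the original page) that performs the LDAP StartTLS exchange with nothing but the Python standard library: it encodes the StartTLS extended request, decodes the server's result code, and then completes the TLS handshake either with the server certificate checked against a CA file or, as Portainer does when verification is skipped, accepting any certificate. The host name ldapmaster.kifarunix-demo.com and the CA path /etc/ssl/certs/ca.pem in the usage line are placeholders for your own environment.

```python
"""LDAP StartTLS by hand, to show what Portainer's TLS options mean on the wire.
Added example, not Portainer's code. Message encoding follows RFC 4511
(StartTLS is the extended operation 1.3.6.1.4.1.1466.20037); host, port and
CA file in the usage line are placeholders for your own environment."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def _ber(tag, payload):
    """BER TLV with a short-form length (enough for these tiny messages)."""
    if len(payload) > 127:
        raise ValueError("short-form length only")
    return bytes([tag, len(payload)]) + payload

def starttls_request(message_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext = _ber(0x77, _ber(0x80, STARTTLS_OID))        # 0x77 = APPLICATION 23, constructed
    return _ber(0x30, _ber(0x02, bytes([message_id])) + ext)

def _tlv(buf, pos):
    """Read one BER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data):
    """Return (messageID, resultCode) from an ExtendedResponse (APPLICATION 24 = 0x78).
    A successful StartTLS reply is the 14 bytes 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _tlv(msg, 0)
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x78:
        raise ValueError(f"unexpected protocolOp tag {tag:#x}")
    tag, rc, _ = _tlv(op, 0)                           # first field: ENUMERATED resultCode
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(mid, "big"), rc[0]

def tls_context(cafile=None, verify=True):
    """verify=False reproduces 'Skip certificate verification': any certificate is accepted,
    so an attacker on the path can impersonate the LDAP server and read the bind password."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def check_starttls(host, port=389, cafile=None, verify=True, timeout=5):
    """Plain TCP -> StartTLS extended op -> TLS handshake; returns (tls_version, peer subject).
    With verify=True a certificate that does not chain to cafile raises ssl.SSLCertVerificationError."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(starttls_request(1))
        mid, rc = parse_extended_response(raw.recv(4096))  # success reply is 14 bytes
        if mid != 1 or rc != 0:
            raise RuntimeError(f"StartTLS refused, resultCode={rc}")
        with tls_context(cafile, verify).wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert().get("subject")

if __name__ == "__main__":
    # Placeholders: replace with your OpenLDAP host and the CA that signed its certificate.
    print(check_starttls("ldapmaster.kifarunix-demo.com", cafile="/etc/ssl/certs/ca.pem"))
```

Run it with verify=True and the CA that signed the OpenLDAP certificate. If that fails with a certificate verification error while verify=False succeeds, the server presents a certificate Portainer cannot validate either, which is exactly the situation that Skip certificate verification hides rather than fixes; the right repair is to upload that CA to Portainer or to issue the server a certificate from a CA you control.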

Configure OpenLDAP SSL/TLS connection

  • If your OpenLDAP server is configured with SSL/TLS, enable the TLS/SSL connection:
    • Enable the use of StartTLS. StartTLS upgrades the plain connection on port 389 (the port used in this setup) to TLS; if you use LDAPS instead, leave StartTLS off and change the port in the server address above to 636.
    • We chose to Skip certificate verification in this setup. Be aware that this turns off authentication of the LDAP server: Portainer will accept any certificate, so anyone who can intercept the connection can impersonate the directory and capture the Reader DN password and user credentials. In production, leave verification on and upload the CA certificate that signed the OpenLDAP server certificate instead.
    • Test connectivity again.
  • Define the User search configuration:
    • Base DN (where to start when searching for users), e.g. dc=ldapmaster,dc=kifarunix-demo,dc=com
    • Username attribute: we use uid in our LDAP setup.
    • User entry filter: we only allow users whose LDAP entry has host=portainer OR who belong to the devops OR admins group. The memberOf clauses only work if the memberof overlay maintains that attribute on the server.
    • (|(memberOf=cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com)(memberOf=cn=devops,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com)(host=portainer))
    • We have a user called Alex (uid alex) whose host attribute is set to portainer. The rest of the users belong to one of the two groups, as shown above.
    • Confirming on the LDAP server;
ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" uid=alex host -QQQ -LLL
dn: uid=alex,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
host: portainer
  • Define the Group search configuration:
    • Group Base DN: dc=ldapmaster,dc=kifarunix-demo,dc=com
    • Group Membership Attribute: member (the attribute in the group entry that holds the member DNs, as in the groupOfNames entries above)
    • Group filter: (objectClass=groupOfNames). Note that this matches every groupOfNames entry under the base DN, not only devops and admins. Since Portainer only maps groups to teams that exist with the same name, this is harmless here, but to restrict the search to the two groups use (&(objectClass=groupOfNames)(|(cn=admins)(cn=devops))) instead.
portainer ldap security users groups
  • Save the changes by hitting Save settings at the bottom;
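Before saving, it is worth checking the user filter and group filter above against the directory without involving Portainer. Here is an added example (not from the original page and not Portainer's code) that does this offline: it parses a small constructed LDIF dump (a subset of the directory shown earlier, plus an extra user mallory and group qa that must not get access), evaluates RFC 4515 filters, and reports which users the user filter admits and which groups each group filter returns; it also shows why the broad (objectClass=groupOfNames) filter still does no harm as long as Portainer teams exist only for admins and devops. The way the login name is combined with the user filter and the user's DN with the group filter (the two f-strings in find_user and teams_for) is an assumption about Portainer's behaviour, not something the page states.

```python
"""Offline check of the user and group filters in the Portainer LDAP settings.
Added example, not code from the page or from Portainer. The LDIF below is
constructed; how Portainer combines the filters with the login name and
the user DN is an assumption."""
import re

BASE = "dc=ldapmaster,dc=kifarunix-demo,dc=com"
PORTAINER_TEAMS = {"admins", "devops"}        # teams created in the Portainer UI
SAMPLE_LDIF = f"""
dn: uid=johndoe,ou=people,{BASE}
uid: johndoe
memberOf: cn=devops,ou=groups,{BASE}

dn: uid=alex,ou=people,{BASE}
uid: alex
host: portainer

dn: uid=mallory,ou=people,{BASE}
uid: mallory
memberOf: cn=qa,ou=groups,{BASE}

dn: cn=devops,ou=groups,{BASE}
objectClass: groupOfNames
cn: devops
member: uid=johndoe,ou=people,{BASE}

dn: cn=admins,ou=groups,{BASE}
objectClass: groupOfNames
cn: admins
member: uid=koromicha,ou=people,{BASE}

dn: cn=qa,ou=groups,{BASE}
objectClass: groupOfNames
cn: qa
member: uid=mallory,ou=people,{BASE}
"""
USER_FILTER = (f"(|(memberOf=cn=admins,ou=groups,{BASE})"
               f"(memberOf=cn=devops,ou=groups,{BASE})(host=portainer))")
GROUP_FILTER_PAGE = "(objectClass=groupOfNames)"      # as configured above
GROUP_FILTER_TIGHT = "(&(objectClass=groupOfNames)(|(cn=admins)(cn=devops)))"

def parse_ldif(text):
    """Blank-line separated LDIF entries -> list of {attr.lower(): [values]}."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(attrs)
    return entries

def parse_filter(text):
    """Parse (&...), (|...), (attr=value) and (attr=*) into a nested tuple tree."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|":
            op, kids = text[pos], []
            pos += 1
            while text[pos] == "(":
                kids.append(node())
            pos += 1                                  # closing ')'
            return (op, kids)
        end = text.index(")", pos)                    # DN values contain no ')'
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), value)
    return node()

def matches(tree, entry):
    """Evaluate a parsed filter against one entry; values compare case-insensitively."""
    op = tree[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in tree[1])
    values = [v.lower() for v in entry.get(tree[1], [])]
    return bool(values) if tree[2] == "*" else tree[2].lower() in values

def search(entries, filt):
    tree = parse_filter(filt)
    return [e for e in entries if matches(tree, e)]

def find_user(entries, login, user_filter, username_attr="uid"):
    """Assumed Portainer behaviour: the login name is ANDed with the user filter
    and exactly one entry must match, otherwise the login is rejected."""
    hits = search(entries, f"(&({username_attr}={login}){user_filter})")
    return hits[0]["dn"][0] if len(hits) == 1 else None

def group_names(entries, group_filter):
    return [g["cn"][0] for g in search(entries, group_filter)]

def teams_for(entries, user_dn, group_filter, member_attr="member"):
    """Assumed Portainer behaviour: group filter ANDed with the user's DN in the
    membership attribute; a group becomes a team only if a same-named team exists."""
    groups = group_names(entries, f"(&{group_filter}({member_attr}={user_dn}))")
    return sorted(set(groups) & PORTAINER_TEAMS)

ENTRIES = parse_ldif(SAMPLE_LDIF)
```

Calling find_user(ENTRIES, "mallory", USER_FILTER) returns None because mallory is neither in admins or devops nor carries host=portainer, while alex and johndoe resolve to their DNs; teams_for(ENTRIES, dn, GROUP_FILTER_PAGE) gives ["devops"] for johndoe and [] for alex, who logs in via the host attribute and so belongs to no team. group_names shows the difference between the two group filters: the page's filter returns devops, admins and qa, the tighter one only devops and admins. Replacing SAMPLE_LDIF with real ldapsearch -LLL output lets you run the same checks against your own directory.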

Test Login to Portainer using OpenLDAP Account

Now, logout and test login using OpenLDAP accounts. We will login as LDAP user alex, with host=portainer attribute entry.


And there you go! Alex can log in, but has no access to any environment yet, since no permissions have been granted.

portainer ldap user login

Log out and re-login as admin to continue with access management setup.

Grant Portainer Environment/Endpoints Access to LDAP Users

You can now grant access to various Portainer environments to various OpenLDAP user groups/users depending on your setup.

For example, let's make Alex an Administrator for Portainer at large;

Under Users, you will see user alex or any other user who has logged in and authentication method is LDAP.

Portainer ldap users

To grant Alex Portainer system wide admin access, click on the username alex and toggle the Administrator button on to make alex admin.

grant user admin rights

Save the changes by clicking Save button. Alex is now Portainer system wide administrator.

To avoid having to grant each individual user access to specific environments, you can utilize the groups created before. Remember we had two groups, admins and devops created both on LDAP and Portainer.

Thus, you can grant access to various endpoints to users based on their group names.

As you can see, at the moment, we only have the local Portainer docker environment connected;

portainer environments local

Now that we have two groups of users, lets grant users in admins/devops groups access to local environment.

Thus, navigate to Environments, open the local environment and click Manage access. Under Create access, select the user(s) and/or team(s) (here, the admins and devops teams) and leave the role as Standard user; selecting any other role is only possible in the Business Edition.

portainer create team access

and click Create access.

You can also give access to specific components of the Portainer environment.

For example, click Home > Open specific environment e.g local > Stacks/Volumes/Networks/Containers > you can give access accordingly.

So, for example, to restrict access to the Portainer container itself, navigate to Containers under the local environment > click the Portainer container name > Access Control > Change ownership > Restricted > Authorized teams > select the appropriate teams.

portainer environment access restriction

Update ownership.

See screenshot below for restriction of the Volumes on the local environment to users in admins groups only;

restrict access to volumes portainer

If you log in as a user in the devops group, you will not be able to access the restricted volume;

See johndoe from the devops group, who cannot access the volume;

restricted volume access to ldap users

And that is how easy it is to control access to Portainer environment and specific resources using LDAP based authentication.

That concludes our guide on how to integrate Portainer with OpenLDAP for authentication.

Other Tutorials

Integrate sysPass with OpenLDAP for Authentication

Integrate Gitlab with OpenLDAP for Authentication
