The Active Directory feature is available in Director version 1.6 and later.
STEP 1
Clone the Director OnPrem charts repo by executing the following:
git clone https://github.com/mayadata-io/director-charts.git
STEP 2
Go to the following directory:
cd director-charts/1.6.0/
STEP 3
Find your Active Directory server
To configure AD, ensure your Active Directory server is reachable from the Kubernetes cluster where Director OnPrem will be deployed.
STEP 4
By default Director OnPrem assumes the following:
- User entities are of objectClass user
- Group entities are of objectClass group
- A user's visible name in the application is stored in the givenName attribute
- A group's visible name in the application is stored in the cn attribute
- Users are searched by the sAMAccountName attribute
- Groups are searched by the sAMAccountName attribute
- Users log in via the username attribute/field, which can be one of:
  - sAMAccountName (the default login domain is assumed for this user)
  - userPrincipalName, i.e. <sAMAccountName>@<domain>
  - <DOMAIN>\<sAMAccountName>
- The Active Directory server is running with TLS over port 636
The following fields have to be edited in values.yaml:
- Active Directory server domain (without the ldap://): the IP or the service name that is reachable from your Kubernetes cluster
- Active Directory server port, i.e. the port number on which the server is listening for requests
- Credentials of an Active Directory service account (DN and password) that only has read access to the Active Directory users (used to search for users, groups, etc.)
- User search base DN
The config keys in bold are compulsory and need to be written out correctly in the values.yaml file.
| Config-key | Default value | Meaning | Example values |
| --- | --- | --- | --- |
| server.adHost | "" | The URI of the AD server | ad.dirNS.svc.cluster.local or ad.xyz.io |
| server.adDomain | "" | The base domain name of Active Directory | dc=mayadata,dc=io |
| server.adPort | 636 | The port on which AD is listening (valid port, integer only) | 636 or 389 |
| server.adTLS | true | Boolean flag that tells whether AD DS communicates securely, i.e. using ldaps:// | true or false are the only supported values; set this to false if your AD DS communicates insecurely, i.e. without SSL |
| server.adSvcAccUser | "" | The read-only login username of a service account (ideally this user should only have read-only permissions to the Active Directory DS) | readadmin@mayadata.io |
| server.adSvcAccPwd | "" | The read-only login password of the AD service account (ideally this user should only have read-only permissions to the Active Directory DS) | %SomeComplexSecretPassword% |
| server.adNameField | givenName | The AD attribute whose value is shown as the user's name in DoP | givenName, cn |
| server.adGroupObjectClass | | objectClass of a group of users | |
| server.adUserObjectClass | | objectClass of a user entity | |
| server.apiAuthInternalProviderConfigured | localAuthConfig\,adconfig | The authentication modes configured to enable AD & admin login for Director | |
| server.apiAuthInternalProviderEnabled | true | Activates the internal authentication providers required for AD & admin login to work | |
An example config file (values.yaml) is shown below:
# enable the AD provider
apiAuthInternalProviderEnabled: true
apiAuthInternalProviderConfigured: localAuthConfig\,adconfig
# The host URL of the AD server
adHost: x.x.x.x
# The base domain of the AD server
adDomain: dc=abc,dc=xyz
# The port number on which the AD server is listening
adPort: 389
adTLS: false
# an AD user with read access to the AD server, e.g. someuser@domain.d1
adSvcAccUser: klmn@abc.xy
adSvcAccPwd: password
adNameField: givenName
# default objectClass for users
adUserObjectClass: person
adGroupObjectClass: group
# connection timeout in milliseconds
adConnectionTimeout: 5000
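The login forms and lookup assumptions listed in STEP 4, together with the adHost/adPort/adTLS fields from the values.yaml above, can be checked locally before deploying. The following is an added example, not code from the director-charts project: it reduces the three accepted login forms to a sAMAccountName, builds the user search filter with RFC 4515 escaping (Director's own filter construction is not shown on the page; the escaping here is my illustration), and derives the server URL while flagging an unencrypted bind. The `default_domain` parameter is an assumed stand-in for the "default login domain" the page mentions.

```python
"""Pre-flight helpers for the Director OnPrem AD login assumptions (added example)."""

# RFC 4515 escaping for values embedded in an LDAP search filter, so that
# metacharacters typed into the login field cannot change the filter's logic.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def to_sam_account_name(login: str, default_domain: str):
    """Reduce the three login forms from STEP 4 to (sAMAccountName, domain).

    default_domain is an assumed stand-in for the page's "default login domain".
    """
    if "\\" in login:                    # <DOMAIN>\<sAMAccountName>
        domain, sam = login.split("\\", 1)
    elif "@" in login:                   # userPrincipalName: <sAMAccountName>@<domain>
        sam, domain = login.rsplit("@", 1)
    else:                                # bare sAMAccountName, default domain applies
        sam, domain = login, default_domain
    if not sam or not domain:
        raise ValueError(f"malformed login: {login!r}")
    return sam, domain.lower()


def user_search_filter(login: str, default_domain: str, user_object_class: str = "user") -> str:
    """Filter matching the page's lookup: objectClass user, searched by sAMAccountName."""
    sam, _ = to_sam_account_name(login, default_domain)
    return (f"(&(objectClass={escape_filter_value(user_object_class)})"
            f"(sAMAccountName={escape_filter_value(sam)}))")


def ad_url(ad_host: str, ad_port: int, ad_tls: bool) -> str:
    """Build the server URL from adHost/adPort/adTLS; adPort must be a valid integer port."""
    if isinstance(ad_port, bool) or not isinstance(ad_port, int) or not 1 <= ad_port <= 65535:
        raise ValueError(f"adPort must be an integer port, got {ad_port!r}")
    if not ad_tls:
        # The sample values.yaml uses 389/false: the service-account bind password
        # would then cross the network unencrypted, so make that visible.
        print(f"WARNING: adTLS=false, service-account bind to {ad_host} is unencrypted")
    return f"{'ldaps' if ad_tls else 'ldap'}://{ad_host}:{ad_port}"


if __name__ == "__main__":
    for login in ("jdoe", "jdoe@mayadata.io", "MAYADATA\\jdoe"):
        print(login, "->", user_search_filter(login, "mayadata.io"))
    print(ad_url("ad.xyz.io", 636, True))
    print(ad_url("x.x.x.x", 389, False))
```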
STEP 5
Next, set up Director OnPrem.
Once the above steps have been completed, AD is configured and the Director OnPrem authentication page will show two login options, as shown in the image below.