LDAP query for Map user

Hi, can anyone help me find the Helm values file entry to enable LDAP authentication using a user query?

Actually, I need to use the LDAP userDNMapping: query instead of template. We are using Windows AD and I am only able to enable LDAP user authentication using the LDAP user query through the UI; the template settings are not working properly. But I didn’t find the same option in the Helm chart values to give the user mapping query. The chart always asks for a template and does not take the query input. So please help me if anyone knows about it.

The template format I was given is below, but it is not finding the user while searching (showing the error username or password incorrect):

sAMAccountName=%u,OU=Administrative Accounts,OU=ADGroup,DC=CMP,DC=example,DC=com

The user query format that worked is below:

OU=Administrative Accounts,OU=ADGroup,DC=CMP,DC=example,DC=com Filter (sAMAccountName=%u)

Hi @renjith_tr

Unfortunately, with the current release, users can only be mapped to DNs using a template. We’ll need to add query as well based on use cases like this for lookups based on attributes within the DN.
This isn’t a limitation of Helm, but of the LDAP settings which are allowed within the CouchbaseCluster spec.

On the upside, I suspect that what you really want to use here is ldap.groupsQuery because the usernames appear to be attributes of a constant DN (which is effectively a group).

Something like this might work…

ldap:
  groupsQuery: OU=Administrative Accounts,OU=ADGroup,DC=CMP,DC=example,DC=com??one?(sAMAccountName=%u)

Then create a CouchbaseGroup resource with ldapGroupRef set to OU=Administrative Accounts,OU=ADGroup,DC=CMP,DC=example,DC=com

As a result, anytime a user within your ldapGroupRef tries to authenticate, Couchbase will allow it as long as the user is within the referenced group.

Also with this approach you won’t have to create CouchbaseUser resources for each user that you are trying to authenticate.

See:
https://docs.couchbase.com/operator/2.0/reference-couchbasecluster.html#spec-security-ldap-authorizationenabled

and
https://docs.couchbase.com/server/6.5/manage/manage-security/configure-ldap.html#group-authorization-enablement
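
Added example, not part of the original posts and not Couchbase or operator code: it splits the `?`-separated query string from the reply above into its fields and resolves it against a constructed in-memory directory, next to the template from the question. Assumptions: the string is read in LDAP URL field order (RFC 4516: base, attributes, scope, filter), the sample entries are named `CN=...` as is usual in Active Directory, and all function names are hypothetical.

```python
import re

BASE = "OU=Administrative Accounts,OU=ADGroup,DC=CMP,DC=example,DC=com"
# Constructed sample entries. Assumption: as is usual in Active Directory, the
# DN starts with CN=<name> and sAMAccountName is only an attribute of the entry.
DIRECTORY = {
    "CN=Jane Doe," + BASE: {"sAMAccountName": "jdoe"},
    "CN=Ops Bot,OU=Service," + BASE: {"sAMAccountName": "opsbot"},
}

def parse_query(query):
    """Split 'base?attributes?scope?filter' (field order of an LDAP URL)."""
    base, attrs, scope, flt = (query.split("?", 3) + [""] * 3)[:4]
    return {"base": base, "attrs": attrs, "scope": scope, "filter": flt}

def map_with_template(template, user):
    """Template mapping: pure string substitution, no directory search."""
    dn = template.replace("%u", user)
    return dn if dn in DIRECTORY else None

def map_with_query(query, user):
    """Query mapping: search under the base and return the DN that matches."""
    if re.search(r"[\\*()\x00]", user):  # this example's own precaution
        raise ValueError("filter metacharacter in username")
    q = parse_query(query)
    if q["scope"] not in ("one", "sub"):
        raise ValueError("unsupported scope")
    m = re.fullmatch(r"\((\w+)=(.*)\)", q["filter"].replace("%u", user))
    if not m:
        raise ValueError("only a single (attr=value) filter is handled here")
    attr, value = m.groups()
    suffix = "," + q["base"]
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.endswith(suffix):
            continue
        depth = dn[: -len(suffix)].count(",") + 1  # RDNs below the base
        if q["scope"] == "one" and depth != 1:
            continue
        if entry.get(attr, "").lower() == value.lower():
            hits.append(dn)
    return hits[0] if len(hits) == 1 else None  # ambiguous or missing: no mapping

TEMPLATE = "sAMAccountName=%u," + BASE
QUERY = BASE + "??one?(sAMAccountName=%u)"
```

With these sample entries the template produces a DN string that matches no entry, while the one-level search returns the entry's actual DN.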

Hi Tommie, thanks for your support. I actually need the group query and user query separately, to give access to users and to give permission to the buckets using groups. But unfortunately in the current release we can’t use the user query, so I will try to set it up using the user template and group query as you mentioned.

Thanks for your valuable information. And please let me know once the user query option is available in the new versions.

Hi Gents! I have exactly the same case as this question:

  • Using Active Directory
  • Being able to configure LDAP with the UI
  • For the “Map Username” section, I am using “LDAP Search” in the UI, which includes “Base” & “Filter”
  • However, using the CouchbaseCluster CRD, there is couchbaseclusters.spec.security.ldap.userDNMapping … but I am not sure how to do the same as in the UI

I can see, as of today, that there are 2 YAML fields under (couchbaseclusters.spec.security.ldap.userDNMapping):

  • query
  • template

So it’s clear it’s “query”, but how do I put both “Base” & “Filter” seen in the UI under “userDNMapping.query”, which is already a string, not an object?

@tommie I would appreciate it if we could have some examples regarding userDNMapping.query in the CouchbaseCluster CRD.