Version: Operator 2.1.0

LDAP External Authentication

This example creates a cluster where Aerospike is configured to use LDAP for external authentication. For details see Aerospike Access Control.

Prerequisites

A preinstalled LDAP server cluster that is reachable from the Kubernetes pods. It can be internal or external to the Kubernetes cluster.

Aerospike cluster using LDAP

To create an Aerospike Cluster that uses LDAP, see the sample aerospikeConfig section from an Aerospike CR below:

.
.
.

aerospikeConfig:
  logging:
    - name: /var/log/aerospike/aerospike.log
      any: info
  service:
    feature-key-file: /etc/aerospike/secret/features.conf
  security:
    ldap:
      # The patterns are based on the demo OpenLDAP deployment.
      # You need to adapt them to your setup.
      query-base-dn: 'dc=example,dc=org'
      server: ldap://openldap.default.svc.cluster.local:1389
      disable-tls: true
      query-user-dn: "cn=admin,dc=example,dc=org"
      query-user-password-file: /etc/aerospike/secret/ldap-passwd.txt
      user-dn-pattern: 'cn=${un},ou=users,dc=example,dc=org'
      role-query-search-ou: true
      role-query-patterns:
        - '(&(objectClass=groupOfNames)(member=cn=${un},ou=users,dc=example,dc=org))'
      polling-period: 10
  network:
    service:
      tls-name: aerospike-a-0.test-runner
      tls-authenticate-client: false
      tls-port: 4333
    heartbeat:
      tls-name: aerospike-a-0.test-runner
      tls-port: 3012
    fabric:
      tls-name: aerospike-a-0.test-runner
      tls-port: 3011
    tls:
      - name: aerospike-a-0.test-runner
        cert-file: /etc/aerospike/secret/svc_cluster_chain.pem
        key-file: /etc/aerospike/secret/svc_key.pem
        ca-file: /etc/aerospike/secret/cacert.pem
  namespaces:
    - name: test
      memory-size: 3000000000
      replication-factor: 2
      storage-engine:
        type: memory

Adapt the LDAP section to use configuration appropriate to your LDAP server. For more details see the available LDAP configuration parameters.
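
As an added example (not part of the Aerospike documentation), the script below checks a CR for the demo-grade settings that appear in the sample above: `disable-tls: true`, a `cn=admin` query user, and `tls-authenticate-client: false`. The function names and finding messages are hypothetical, and the sample input is constructed from the stanza above.

```shell
#!/bin/sh
# Added example, not from the Aerospike docs: flag the demo-grade LDAP
# settings in an Aerospike CR before it is applied with kubectl.

# Constructed sample: the security-relevant keys from the CR shown above.
sample_cr() {
cat <<'EOF'
    security:
      ldap:
        # disable-tls: false   (commented-out keys must be ignored)
        server: ldap://openldap.default.svc.cluster.local:1389
        disable-tls: true
        query-user-dn: "cn=admin,dc=example,dc=org"
    network:
      service:
        tls-authenticate-client: false
EOF
}

# lint_ldap_cr FILE: print one finding per line (no output means no findings).
lint_ldap_cr() {
    # Drop comment lines so commented-out keys are not reported.
    body=$(grep -v '^[[:space:]]*#' "$1" || true)
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }

    if has '^[[:space:]]*disable-tls:[[:space:]]*true[[:space:]]*$'; then
        echo "disable-tls: true: LDAP traffic, including bind passwords, is unencrypted"
    fi
    # Heuristic (assumption): an admin DN as query user is broader than a search needs.
    if has "^[[:space:]]*query-user-dn:[[:space:]]*[\"']?cn=admin,"; then
        echo "query-user-dn: binds as cn=admin; prefer a read-only search account"
    fi
    if has '^[[:space:]]*tls-authenticate-client:[[:space:]]*false[[:space:]]*$'; then
        echo "tls-authenticate-client: false: clients need not present a certificate"
    fi
    return 0
}

# Usage: sh lint.sh aerospike-cluster.yaml
if [ -n "${1:-}" ]; then
    lint_ldap_cr "$1"
fi
```
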

For the full CR file, see the example LDAP authentication CR.

This and other example CRs are stored in the main Aerospike Kubernetes Operator repository.

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml