Overview of LDAP Servers
StarlingX can be configured to use an LDAP compatible server, like a remote Windows Active Directory server or the Local LDAP server, to authenticate users of the Kubernetes API, using the oidc-auth-apps application.
The Local LDAP server is present in StarlingX deployments and runs on the controllers. The only exception is DC (Distributed Cloud) environments, where the Local LDAP server runs only on the SystemController's controllers and is not present on the subclouds' controllers.
The oidc-auth-apps application installs a proxy OIDC identity provider that can be configured to forward authentication requests to an LDAP identity provider, such as Windows Active Directory or the Local LDAP server. For more information, see https://github.com/dexidp/dex. The oidc-auth-apps application also provides an OIDC client that serves the username and password OIDC login page for user authentication and retrieval of tokens. An oidc-auth CLI script can also be used for OIDC user authentication and retrieval of tokens.
In addition to installing and configuring the oidc-auth-apps application, the admin must also configure the Kubernetes cluster's kube-apiserver to use the oidc-auth-apps OIDC identity provider for validation of tokens in Kubernetes API requests.
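To make the two halves of this setup concrete, the following is an added example (not a file from StarlingX or from the dex project) of a dex LDAP connector definition written in dex's native configuration format; the host, DNs, CA path and bind credentials are placeholders, and the StarlingX helm-override wiring that carries this connector into oidc-auth-apps is not shown.

```yaml
# Added example: dex LDAP connector that proxies OIDC logins to an LDAP server.
# All host names, DNs, paths and credentials below are placeholders.
connectors:
- type: ldap
  id: ldap
  name: "Local LDAP"
  config:
    host: ldap.example.internal:636          # placeholder host:port (LDAPS)
    # Keep TLS on and verified: insecureNoSSL: true would send the bind
    # password and every user's password in clear text on the wire.
    insecureNoSSL: false
    insecureSkipVerify: false
    rootCA: /etc/dex/ldap-ca.pem             # placeholder path to the LDAP CA
    # Service account dex binds as to search for users; use a read-only account
    # and supply the password from a secret rather than inline.
    bindDN: "cn=dex,ou=Service,dc=example,dc=internal"
    bindPW: "REPLACE_WITH_SECRET"
    userSearch:
      baseDN: "ou=People,dc=example,dc=internal"
      filter: "(objectClass=person)"
      username: uid       # attribute compared against the login name
      idAttr: uid         # becomes the stable subject of the token
      emailAttr: mail
      nameAttr: cn
    groupSearch:
      baseDN: "ou=Groups,dc=example,dc=internal"
      filter: "(objectClass=groupOfNames)"
      userMatchers:
      - userAttr: DN      # user's DN is matched against the group's...
        groupAttr: member # ...member attribute
      nameAttr: cn        # group names end up in the token's groups claim
```

On the kube-apiserver side, the matching settings are `--oidc-issuer-url` (the dex issuer), `--oidc-client-id`, `--oidc-ca-file`, and, to map the claims above onto Kubernetes identities, `--oidc-username-claim` and `--oidc-groups-claim`.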