Skip to main content
Version: 1.15

LDAP Authentication

STEP 1

Choose DEX_HOSTNAME And Configure DNS

Loft uses the CNCF project dex for single sign-on.

The easiest case is this one:

  • $LOFT_HOSTNAME = loft.mycompany.tld (where Loft is running)
  • $DEX_HOSTNAME = dex.mycompany.tld (where dex should be running)
STEP 2

Create Dex Config For LDAP

Create the file dex-config.yaml with the following dex configuration:

ingress:
  enabled: true
  hosts:
  - dex.yourcompany.tld                                   # Use $DEX_HOSTNAME
config:
  issuer: https://dex.yourcompany.tld                     # "https://" + $DEX_HOSTNAME
  connectors:
  - type: ldap
    id: ldap
    name: LDAP
    config:
      host: myldap.company.tld:636                        # Your LDAP server hostname:port
      # insecureNoSSL: true                               # Not recommended but required if not using TLS (port 389)
      # insecureSkipVerify: true                          # Not recommended but required for self-signed certificates
      # rootCAData: ( base64 encoded PEM file )
      # startTLS: true                                    # Use ldap:// instead of ldaps:// protocol

      # The DN and password for an application service account. The connector uses
      # these credentials to search for users and groups. Not required if the LDAP
      # server provides access for anonymous auth.
      # Please note that if the bind password contains a `$`, it has to be saved in an
      # environment variable which should be given as the value to `bindPW`.
      bindDN: uid=serviceaccount,cn=users,dc=example,dc=com
      bindPW: password

      # User search maps a username and password entered by a user to a LDAP entry.
      userSearch:
        # BaseDN to start the search from. It will translate to the query
        # "(&(objectClass=person)(uid=<username>))".
        baseDN: cn=users,dc=example,dc=com
        # Optional filter to apply when searching the directory.
        filter: "(objectClass=person)"
        # username attribute used for comparing user entries. This will be translated
        # and combined with the other filter as "(<attr>=<username>)".
        username: uid
        # The following three fields are direct mappings of attributes on the user entry.
        # String representation of the user.
        idAttr: uid
        # Required. Attribute to map to Email.
        emailAttr: mail
        # Maps to display name of users. No default value.
        nameAttr: name

      # Group search queries for groups given a user entry.
      groupSearch:
        # BaseDN to start the search from. It will translate to the query
        # "(&(objectClass=group)(member=<user uid>))".
        baseDN: cn=groups,dc=freeipa,dc=example,dc=com
        # Optional filter to apply when searching the directory.
        filter: "(objectClass=group)"
        # Represents group name.
        nameAttr: name
        # Following list contains field pairs that are used to match a user to a group. It adds an additional
        # requirement to the filter that an attribute in the group must match the user's
        # attribute value.
        userMatchers:
        - userAttr: uid
          groupAttr: member
  staticClients:
  - name: Loft
    id: loft                                              # Define a $DEX_CLIENT_ID
    secret: XXXXXXXXXXXXXX                                # Define a $DEX_CLIENT_SECRET (can be any secret key)
    redirectURIs:
    - 'https://loft.mycompany.tld/auth/oidc/callback'     # Loft URL + /auth/oidc/callback
  oauth2:
    skipApprovalScreen: true
  web:
    http: 0.0.0.0:5556
  storage:
    type: kubernetes
    config:
      inCluster: true

For details about configuring dex for LDAP, take a look at the dex documentation for LDAP.

STEP 3

Deploy Dex via Helm

After creating the file dex-config.yaml, you can now install dex via helm:

helm install dex dex --repo https://wiremind.github.com/wiremind-helm-charts \
  --create-namespace --namespace dex \
  -f dex-config.yaml \
  --wait
STEP 4

Configure Loft To Use Dex For Authentication

To tell Loft to use dex for SSO, navigate to Admin > Config in Loft and adjust your config as shown below:

auth:
  oidc:
    issuerUrl: https://dex.mycompany.tld  # Use $DEX_HOSTNAME (see above)
    clientId: ""                          # Use $DEX_CLIENT_ID (see above)
    clientSecret: ""                      # Use $DEX_CLIENT_SECRET (see above)
    type: "github"                        # Optional: SSO Login Button Icon ("", github, gitlab, microsoft, google)
    usernameClaim: "email"                # Optional: Which part of the dex token to use as Loft username (default: email)
    usernamePrefix: ""                    # Optional: Add prefix to usernameClaim for Loft username
    groupsClaim: "groups"                 # Optional: Add Kubernetes groups for this user
    groupsPrefix: "loft-"                 # Optional: Prefix for Kubernetes groups
    caFile: ""                            # Optional: Path to a CA cert of dex within the Loft container (default: '')
STEP 5

Authenticate via Dex + LDAP

After saving the new Loft configuration, Loft will restart itself and you should be able to log in via LDAP and dex.

STEP 6

Disable Username + Password Authentication (optional)

To disable password-based authentication, navigate to Admin > Config add these two lines to your config:

auth:
  oidc: ...             # This is your SSO configuration (make sure this is working!)
  password:
    disabled: true      # Disable password-based authentication