LDAP authentication v1

Suggest edits

EDB Postgres Distributed for Kubernetes supports LDAP authentication. LDAP configuration on EDB Postgres Distributed for Kubernetes relies on the implementation from EDB Postgres for Kubernetes (PG4K). See the PG4K documentation for the full context.

Important

Before you proceed, familiarize yourself with the LDAP authentication feature in the Postgres documentation.

With LDAP support, only the user authentication is sent to LDAP, so the user must already exist in the postgres database.

This example shows an LDAP configuration using simple bind mode in PGDGroup. The Postgres server uses prefix + username + suffix and password to bind the LDAP server to achieve the authentication.

spec:
  [...]
  cnp:
    postgresql:
      ldap: 
        server: 'ldap-service.ldap.svc.cluster.local'
        bindAsAuth:
          prefix: "uid="
          suffix: ",dc=example,dc=org"

This example shows configuring LDAP using search+bind mode in PGDGroup. In this mode, the Postgres instance is first bound to the LDAP using bindDN with its password stored in the secret bindPassword. Then Postgres tries to perform a search under baseDN to find a username that matches the item specified by searchAttribute. If a match is found, Postgres finally verifies the entry and the password against the LDAP server.

spec:
  [...]
  cnp:
    postgresql:
    ldap: 
        server: 'ldap-service.ldap.svc.cluster.local'
        bindSearchAuth: 
        baseDN: "dc=example,dc=org"
        bindDN: "cn=admin,dc=example,dc=org"
        searchAttribute: "uid"
        bindPassword:
            name: ldap-bind-password
            key: password
← Prev

Transparent Data Encryption (TDE)

↑ Up

EDB Postgres Distributed for Kubernetes

Next →

Examples of configuration