Use LDAP external authentication for Aerospike on Kubernetes


This example creates a cluster where Aerospike is configured to use the Lightweight Directory Access Protocol (LDAP) for external authentication. For details about LDAP in Aerospike, see Aerospike Access Control.

Prerequisites

Preinstalled LDAP server cluster that is reachable from the Kubernetes pods. This could be internal or external to the Kubernetes cluster.

Aerospike cluster using LDAP

To create an Aerospike Cluster that uses LDAP, see the following aerospikeConfig section from a sample CR file. The security.ldap section here uses demo values from a sample configuration. Adapt this section to use the appropriate configuration for your LDAP server. The sample sets disable-tls: true for the demo OpenLDAP deployment only. For production LDAP, configure TLS and set disable-tls: false. For more details see the available LDAP configuration parameters.

```yaml
aerospikeConfig:
  service:
    feature-key-file: /etc/aerospike/secret/features.conf
  security:
    ldap:
      query-base-dn: 'dc=example,dc=org'
      server: ldap://openldap.default.svc.cluster.local:1389
      disable-tls: true
      query-user-dn: "cn=admin,dc=example,dc=org"
      query-user-password-file: /etc/aerospike/secret/ldap-passwd.txt
      user-dn-pattern: 'cn=${un},ou=users,dc=example,dc=org'
      role-query-search-ou: true
      role-query-patterns:
        - '(&(objectClass=groupOfNames)(member=cn=${un},ou=users,dc=example,dc=org))'
      polling-period: 10
  network:
    service:
      tls-name: aerospike-a-0.test-runner
      tls-authenticate-client: false
      tls-port: 4333
    heartbeat:
      tls-name: aerospike-a-0.test-runner
      tls-port: 3012
    fabric:
      tls-name: aerospike-a-0.test-runner
      tls-port: 3011
    tls:
      - name: aerospike-a-0.test-runner
        cert-file: /etc/aerospike/secret/svc_cluster_chain.pem
        key-file: /etc/aerospike/secret/svc_key.pem
        ca-file: /etc/aerospike/secret/cacert.pem
  namespaces:
    - name: test
      replication-factor: 2
      storage-engine:
        type: memory
        data-size: 1073741824
```

For the full CR file, see the example LDAP authentication CR.

This and other example CRs are available in the main Aerospike Kubernetes Operator repository.
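Before applying a CR like the one above to a production cluster, it is worth checking the security.ldap section for the demo-only settings the page warns about. The following is an added example, not part of the Aerospike Kubernetes Operator: it holds a constructed copy of the demo values as a Python dict (rather than parsing the CR file) and lints them, flagging disable-tls: true, a missing query-user-password-file, a user-dn-pattern or role query pattern that does not use ${un}, and unbalanced filter parentheses.

```python
"""Lint the security.ldap section of an Aerospike CR for production readiness.

Added example for this page; it is not Operator code and uses no Aerospike library.
"""
import copy

# Constructed copy of the demo security.ldap values shown on this page.
DEMO_LDAP = {
    "query-base-dn": "dc=example,dc=org",
    "server": "ldap://openldap.default.svc.cluster.local:1389",
    "disable-tls": True,
    "query-user-dn": "cn=admin,dc=example,dc=org",
    "query-user-password-file": "/etc/aerospike/secret/ldap-passwd.txt",
    "user-dn-pattern": "cn=${un},ou=users,dc=example,dc=org",
    "role-query-search-ou": True,
    "role-query-patterns": [
        "(&(objectClass=groupOfNames)(member=cn=${un},ou=users,dc=example,dc=org))",
    ],
    "polling-period": 10,
}


def lint_ldap(ldap: dict) -> list[str]:
    """Return production-readiness findings; an empty list means none were found."""
    findings = []
    if ldap.get("disable-tls") is True:
        findings.append("disable-tls is true: set it to false and use TLS to the LDAP server")
    if not ldap.get("query-user-password-file"):
        findings.append("query-user-password-file missing: the bind password should come from a mounted secret")
    if "${un}" not in ldap.get("user-dn-pattern", ""):
        findings.append("user-dn-pattern does not contain ${un}: every login would map to the same DN")
    patterns = ldap.get("role-query-patterns", [])
    if not patterns:
        findings.append("role-query-patterns empty: LDAP users would receive no Aerospike roles")
    for pattern in patterns:
        if pattern.count("(") != pattern.count(")"):
            findings.append(f"unbalanced parentheses in role query pattern: {pattern}")
        if "${un}" not in pattern:
            findings.append(f"role query pattern is not scoped to ${{un}}: {pattern}")
    if not isinstance(ldap.get("polling-period"), int) or ldap["polling-period"] <= 0:
        findings.append("polling-period must be a positive integer")
    return findings


def hardened(ldap: dict) -> dict:
    """Return a copy with the demo-only TLS setting turned off, as the page advises for production."""
    prod = copy.deepcopy(ldap)
    prod["disable-tls"] = False
    return prod


if __name__ == "__main__":
    print("demo:", lint_ldap(DEMO_LDAP))
    print("hardened:", lint_ldap(hardened(DEMO_LDAP)))
```

Running it against the demo values reports only the disable-tls finding; the hardened copy reports none.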

Save and exit the CR file, then use kubectl to apply the change.

```shell
kubectl apply -f aerospike-cluster.yaml
```

Verify that the cluster reaches Completed phase and that LDAP authentication works for a user from your LDAP directory:

```shell
kubectl -n aerospike wait --for=jsonpath='{.status.phase}'=Completed aerospikecluster/aerocluster --timeout=300s
asadm -h AEROSPIKE_HOST:PORT -U LDAP_USER --auth external
```