Fixes after review
MagdaDziadosz committed Jun 11, 2024
1 parent d99665f commit cff808d
Showing 4 changed files with 99 additions and 115 deletions.
62 changes: 28 additions & 34 deletions content/docs/reference/authentication/LDAP.md
@@ -1,37 +1,35 @@
# LDAP

LDAP (Lightweight Directory Access Protocol) can be configured in
the `authentication` section of the Mirantis Kubernetes Engine (MKE) 4 config.
LDAP is disabled by default, to enable it set `enabled` to `true`.

You can configure LDAP (Lightweight Directory Access Protocol) for MKE 4
through the `authentication` section of the MKE configuration file.
To enable the service, set `enabled` to `true`.
The remaining fields in the `authentication.ldap` section are used to configure
the interactions with your LDAP server. For more details, refer to
[LDAP configuration](https://dexidp.io/docs/connectors/ldap/#configuration)
in the official Dex documentation.
the interactions with your LDAP server.
For more information, refer to the official DEX documentation
[LDAP configuration](https://dexidp.io/docs/connectors/ldap/#configuration).

The following table details the fields that you can configure in the
`authentication.ldap` section of the MKE 4 config:
The MKE configuration file `authentication.ldap` fields are detailed below:

| Field | Description |
|------------------------------------|----------------------------------------------------------------------------|
| `host` | Host and optional port of the LDAP server, in the `host:port` format. |
| `rootCA` | Path to a trusted root certificate file. |
| `bindDN` | Distinguished Name (DN) for an application service account. |
| `bindPW` | Password for an application service account. |
| `usernamePrompt` | Attribute to display in the password prompt. |
| `userSearch` | Settings to map user-entered username and password to an LDAP entry. |
| `userSearch.baseDN` | BaseDN from which to start the search. |
| `userSearch.filter` | Optional filter to apply for a user search of the directory. |
| `userSearch.username` | Username attribute to use for user entry comparison. |
| `userSearch.idAttr` | String representation of the user. |
| `userSearch.emailAttr` | Attribute to map to email. |
| `userSearch.nameAttr` | Attribute to map to display name of a user. |
| `userSearch.preferredUsernameAttr` | Attribute to map to preferred usernames. |
| `groupSearch` | Group search queries for groups given a user entry. |
| `groupSearch.baseDN` | BaseDN from which to start the search. |
| `groupSearch.filter` | Optional filter to apply for a group search of the directory. |
| `groupSearch.userMatchers` | Field pairs list to use to match a user to a group. |
| `groupSearch.nameAttr` | Group name. |
| Field | Description |
|------------------------------------|-----------------------------------------------------------------------|
| `host` | Host and optional port of the LDAP server, in the `host:port` format. |
| `rootCA` | Path to a trusted root certificate file. |
| `bindDN` | Distinguished Name (DN) for an application service account. |
| `bindPW` | Password for an application service account. |
| `usernamePrompt` | Attribute to display in the password prompt. |
| `userSearch` | Settings to map user-entered username and password to an LDAP entry. |
| `userSearch.baseDN` | BaseDN from which to start the search. |
| `userSearch.filter` | Optional filter to apply for a user search of the directory. |
| `userSearch.username` | Username attribute to use for user entry comparison. |
| `userSearch.idAttr` | String representation of the user. |
| `userSearch.emailAttr` | Attribute to map to email. |
| `userSearch.nameAttr` | Attribute to map to display name of a user. |
| `userSearch.preferredUsernameAttr` | Attribute to map to preferred usernames. |
| `groupSearch` | Group search queries for groups given a user entry. |
| `groupSearch.baseDN` | BaseDN from which to start the search. |
| `groupSearch.filter` | Optional filter to apply for a group search of the directory. |
| `groupSearch.userMatchers` | Field pairs list to use to match a user to a group. |
| `groupSearch.nameAttr` | Group name. |

LDAP example configuration:

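Review bot: the rewritten intro ("You can configure LDAP (Lightweight Directory Access Protocol) for MKE 4 ...") drops the statement that the connector is off by default, which the removed line "LDAP is disabled by default, to enable it set `enabled` to `true`." carried; the default state of an authentication connector is worth keeping, e.g. "LDAP is disabled by default. To enable it, set `enabled` to `true`." Also "The MKE configuration file `authentication.ldap` fields are detailed below:" reads awkwardly; "The fields of the `authentication.ldap` section are described below:" is clearer, and "DEX" should be "Dex", matching the removed line and the linked dexidp.io documentation. Since the table documents `bindPW` as the service-account password, a one-line reminder that the configuration file therefore contains a credential and should be protected accordingly would help readers.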
@@ -59,16 +57,12 @@ authentication:
---
***Note***
Ports `5556` (dex) and `5555` (example-app) need to be available externally
to test the authentication flow.
To test authentication flow, ports `5556` (dex) and `5555` (example-app) must be externally available.

---

In the browser, perform the following steps to test the authentication flow:

1. Navigate to `http://{MKE hostname}:5555/login`.
2. Click **Login** to display the login page.
3. Select **Log in with LDAP**.
4. Enter the username and password for the LDAP server.
5. Click **Login**. If authentication is successful, you will be redirected to the client applications home page.
6. Successful authentication will redirect you back to the client applications home page.
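Review bot: "client applications home page" in step 5 needs a possessive: "client application's home page". Merging the redirect outcome into step 5 and dropping the redundant step 6 is the right call. In the Note, it would help to say that exposing ports 5556 (dex) and 5555 (example-app) externally is needed only while testing with the example app, so readers do not leave the example-app port reachable once the test is done.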
40 changes: 14 additions & 26 deletions content/docs/reference/authentication/OIDC.md
@@ -1,21 +1,18 @@
# OIDC

OpenID Connect (OIDC) can be configured in the `authentication` section of
the Mirantis Kubernetes Engine (MKE) 4 config.
OIDC is disabled by default, to enable it set `enabled` to `true`.

You can configure OIDC (OpenID Connect) for MKE 4 through the `authentication` section of the MKE configuration file. To enable the service, set 'enabled' to 'true'
The remaining fields in the `authentication.oidc` section are used to configure
the OIDC provider. Refer to [Configure Okta](#configure-okta) for
instructions on how to obtain the field values.
the OIDC provider.
For information on how to obtain the field values, refer to
**Create a new application in Okta** section of this document.

The following table details the fields that you can configure in the
`authentication.oidc` section of the MKE 4 config:
The MKE configuration file `authentication.oidc` fields are detailed below:

| Field | Description |
|----------------|----------------------------------------------------------------------------|
| `issuer` | OIDC provider root URL. |
| `clientID` | ID from the IdP application configuration. |
| `clientSecret` | Secret from the IdP application configuration. |
| Field | Description |
|----------------|-------------------------------------------------------------------|
| `issuer` | OIDC provider root URL. |
| `clientID` | ID from the IdP application configuration. |
| `clientSecret` | Secret from the IdP application configuration. |
| `redirect URI` | URI to which the provider will return successful authentications. |

OIDC example configuration:
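Review bot: in the new intro line, 'enabled' and 'true' are in straight quotes instead of the backticks used everywhere else (and on the LDAP page), and the sentence has no full stop; it also drops "OIDC is disabled by default" from the removed text, which is worth keeping for the same reason as on the LDAP page. The pointer "refer to **Create a new application in Okta** section of this document" replaces the markdown link `[Configure Okta](#configure-okta)` with bold text, so readers lose the clickable anchor; keep it as a link to the section heading and add "the" before the section name. In the table, the new row `redirect URI` contains a space, unlike `clientID` and `clientSecret`; please confirm this is the literal configuration key (a key containing a space is unlikely) and use the exact key name.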
@@ -33,8 +30,6 @@ authentication:
**To create a new application in Okta:**
Create a new application in Okta and use the following settings:
1. Select **OIDC - OpenID Connect** for **Sign-in method**.
2. Select **Web Application** for **Application Type**.
3. For **App integration name**, choose a name that you can easily remember.
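Review bot: replacing "Create a new application in Okta and use the following settings:" with the bold line "**To create a new application in Okta:**" leaves no markdown heading for the `#configure-okta` anchor the intro previously linked to; if the intro is going to cross-reference this procedure, make it a real heading (e.g. `## Create a new application in Okta`) so a link target exists.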
@@ -44,26 +39,19 @@ Create a new application in Okta and use the following settings:
5. Click **Save** to generates the `clientSecret` and `clientID` in the `General` table of
the application.
6. Add the generated `clientSecret` and `clientID` values to your MKE configuration file.

Okta will generate the `clientSecret` and `clientID` on the `General` table of
the application. Add the generated values to your MKE 4 config.

Once the configuration is set, run the `mkectl apply` command with your config
file and wait for the cluster to be ready.
7. Run the `mkectl apply` command with your MKE configuration file.

**To test the Authentication flow:**

---
***Note***

"To test authentication flow, ports `5556` (dex) and `5555` (example-app) must be externally available.
To test authentication flow, ports `5556` (dex) and `5555` (example-app) must be externally available.

---

In the browser, perform the following steps to test the authentication flow:
1. Navigate to `http://{MKE hostname}:5555/login`
2. Click **Login** to display the login page.
3. Select **Log in with OIDC**.
4. Enter your credentials and click **Sign In**. If authentication is successful, you will be redirected to the client applications home page.
5. Successful authentication will redirect you back to the client applications home page.
4. Enter your credentials and click **Sign In**. If authentication is successful,
you will be redirected to the client applications home page.
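Review bot: step 5 has a typo: "Click **Save** to generates" should be "to generate". Step 7 drops "wait for the cluster to be ready" from the removed paragraph; keeping that sentence stops readers from testing before the change has been applied. One of the two Note lines begins with a stray double quote ("To test authentication flow ..."); make sure the version kept is the one without it. Step 1 lacks the trailing period the other steps have, and "client applications home page" in step 4 should be "client application's home page".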
0 comments on commit cff808d
