bouncer

Heavy Metal Cloud · 3.1K views · 101 likes

Analysis Summary

10% Minimal Influence
mild · moderate · severe

“Be aware that the hardware links in the description are affiliate links, meaning the creator earns a commission if you purchase through them, which may influence their choice of recommended equipment.”

Transparency Transparent
Human Detected
95%

Signals

The transcript exhibits clear signs of a human creator, including first-person perspective, references to their own specific infrastructure, and natural conversational transitions that lack the rigid structure of AI-generated scripts.

  • Natural Speech Patterns: Use of filler phrases and natural transitions like 'It would be kind of nice if', 'So what is LDAP', and 'Okay, here we go'.
  • Personal Context and Anecdotes: The narrator references their specific 'Heavy Metal Cloud' organization and mentions their previous videos regarding TLS certificates.
  • Technical Demonstration Flow: The script follows a logical, problem-solving narrative ('I've started to run into an issue') rather than a generic encyclopedic definition.
  • Channel Authenticity: Specific GitHub repository links and Amazon affiliate links for hardware suggest a genuine individual creator/hobbyist.

Worth Noting

Positive elements

  • This video provides a highly practical, hands-on demonstration of integrating LDIF configurations directly into Helm values for Kubernetes deployments.

Influence Dimensions

About this analysis

Knowing about these techniques makes them visible, not powerless. The ones that work best on you are the ones that match beliefs you already hold.

This analysis is a tool for your own thinking — what you do with it is up to you.

Analyzed March 13, 2026 at 16:07 UTC · Model google/gemini-3-flash-preview-20251217

Transcript

Okay, I've started to run into an issue. You see, in my cloud, I have all these applications and services, and each one has its own user account and login. For example, my OPNsense server uses a root user. And it would be kind of nice if I could consolidate all my user accounts into one place. That's where an LDAP server comes into play. The technology I'll be using is called OpenLDAP, and I'll be installing it in my Kubernetes cluster that I use for shared services. So what is LDAP and how does it work? LDAP stands for Lightweight Directory Access Protocol. Let's start by looking at the directory part of the acronym. The directory is structured as a hierarchy of objects. At the top we have our root object, which is called an organization. In my case, I'll be using my Heavy Metal Cloud organization name. One step down is an organizational unit. I'll have two of these. The first one is for user accounts; that'll be called people. The second one will be used for group membership and it'll be called groups. Under the people object, I'll create all my users. For the groups, I'll keep it simple and start with just two: one for admin operations and one for read-only users. To navigate this structure, each object has a distinguished name, or DN, which is the full address path used to identify the object. Next, I'll hop on my shared services cluster and start to build out the OpenLDAP server. At this point, I'll assume you already have a few dependencies in place. Number one, a working Kubernetes cluster. Number two, a TLS certificate and private key. And three, a working knowledge of Helm, which I'll use to install the LDAP service. As always, I'll have all the instructions and commands in my GitHub page linked in the description below. I'll start by creating a new namespace in Kubernetes. And just like my last video, I'll create a secret for my TLS certificate and key. By the way, check out my videos on TLS if you want to learn more about the certificate creation process.
With the certificates in place, let's take a look at the Helm values file. Now, this is a really big file, so I'll just walk through some of the important sections. At the top, we have some global settings, including an admin user and the ports that LDAP will be using. Typically, LDAP uses port 389 and 636, where 636 is used for secure connections. A little further down, you can see the Docker image used by the LDAP server. I could skip a lot of these sections and just go with the defaults. Okay, here we go. The custom LDIF file section is where things start to get interesting. LDIF files are used to configure LDAP using simple configurations and they look something like this. One nice thing about the OpenLDAP Helm chart is that it integrates LDIF configurations directly in the values file. Let's take a look at each section to get started. This top section configures the root object of our directory, which is located here. Next, we have the organizational unit object for people. Scrolling down a bit, we define the users that will go under the people object. And here's an LDAP diagram to help visualize what's going on. Okay, let's keep going. Here's another organizational unit for the groups. Going back to our diagram again, these are the objects we're creating. All right, there's one last section. This is for access control lists, or ACLs. This is where you define the permissions for the LDAP tree. The permissions are applied in a top-down fashion, so the order is important. At the top, we're granting access to the process running OpenLDAP. The next ACL gives some write permissions to the IT group. And finally, we have some remaining permissions for things like read-only access. Now that the LDIF configurations are in place, let's keep scrolling down. This section will use a storage class to persist the LDAP data. Toward the bottom of the values file, there's a section to install an app called phpLDAPadmin. This is a nice web-based tool to manage our LDAP tree.
Now that the values file is configured, it's time to install OpenLDAP using Helm. I'll use this command, which points to my values file. Finally, I need to expose LDAP outside my Kubernetes cluster. Since LDAP uses ports other than 443, I'll use a load balancer. To set up the load balancer, I'll use this command. Okay, we're almost done. The last thing I want to do is set up a DNS record for that LDAP admin tool. Hopping on OPNsense, I'll create a DNS entry. The host will be phpapadmin and the domain is heavy metalcloud. The IP will be the address of my ingress controller, which is 192.168.3.20. Now it's time to test this out. I'll point my browser to that DNS entry I just created. Next, I'll log in as root. And from here, you can navigate the LDAP tree. Here are the groups. And just below are the users that we created. All right. Now I can manage my user accounts and groups in a single place. In my next video, I'll start to build out my application cluster starting with Proxmox. Thanks for stopping by and I'll see you in the next video.
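
The transcript's point that ACLs are applied top-down, as an added example that is not from the video or its GitHub repository: a simplified Python model of OpenLDAP's first-match rule evaluation, showing that the same two rules in the wrong order let any authenticated user read another user's `userPassword`. The DNs, the `admins` group and the rules themselves are constructed for illustration.

```python
# Added example: a simplified model of OpenLDAP's first-match access control.
# Rules, DNs and the admins group are constructed; real slapd matching
# (regexes, scopes, filters, control keywords) is richer than this model.
ADMINS = "cn=admins,ou=groups,dc=example,dc=org"
ALICE = "uid=alice,ou=people,dc=example,dc=org"
BOB = "uid=bob,ou=people,dc=example,dc=org"

SPECIFIC_FIRST = [
    "to attrs=userPassword by self write by anonymous auth by * none",
    f'to * by group.exact="{ADMINS}" write by users read by * none',
]
BROAD_FIRST = list(reversed(SPECIFIC_FIRST))  # same rules, wrong order

def parse_acl(line):
    """Split 'to <what> by <who> <level> ...' into (what, [(who, level)])."""
    head, *clauses = line.split(" by ")
    return head[len("to "):].strip(), [tuple(c.rsplit(" ", 1)) for c in clauses]

def what_matches(what, attr):
    return what == "*" or (what.startswith("attrs=") and attr in what[6:].split(","))

def who_matches(who, bind_dn, groups, target_dn):
    if who.startswith("group.exact="):
        return who.split("=", 1)[1].strip('"') in groups
    return {"*": True, "anonymous": bind_dn is None, "users": bind_dn is not None,
            "self": bind_dn is not None and bind_dn == target_dn}.get(who, False)

def access(acls, attr, target_dn, bind_dn=None, groups=()):
    """Return the level granted by the first matching <what>, then <who>."""
    for what, clauses in map(parse_acl, acls):
        if what_matches(what, attr):
            for who, level in clauses:
                if who_matches(who, bind_dn, groups, target_dn):
                    return level
            return "none"  # a matched rule ends with an implicit 'by * none'
    return "none"  # no rule matched: implicit deny

if __name__ == "__main__":
    for name, acls in (("specific first", SPECIFIC_FIRST), ("broad first", BROAD_FIRST)):
        print(name, "-> bob on alice's userPassword:", access(acls, "userPassword", ALICE, BOB))
```

With the specific `userPassword` rule first, bob gets `none`; with the broad `to *` rule first, the password rule is never reached and bob gets `read`.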

Video description

In this video, I’ll show you how to consolidate all your application and service logins into a single source of truth using OpenLDAP. We’ll deploy the LDAP server directly into a Kubernetes shared services cluster using Helm, securing it with TLS, and managing it all through a user-friendly web interface. We cover the basics of LDAP hierarchy (Organizations, People, and Groups), how to configure LDIF files within Helm values, and setting up persistent storage so your user data stays safe.

🔔 Subscribe for more hands‑on cloud tutorials!

To follow along, check out my GitHub page! All the commands and instructions from this video are in a README file:
https://github.com/heavy-metal-cloud/youtube/tree/main/videos/build-your-own-cloud-series/08-openldap

00:00:00 - Intro
00:00:42 - Understanding LDAP Hierarchy
00:02:14 - Setting up the Helm Values file
00:02:56 - Configuring LDIF
00:04:32 - Installing OpenLDAP using Helm
00:05:20 - Verify that everything works

Links referenced in this video:
https://openldap.org/
https://github.com/jp-gouin/helm-openldap

Amazon Affiliate Links - The Cloud Hardware:
https://amzn.to/49GQo81
https://amzn.to/48c5nUT
https://amzn.to/48bkX38
https://amzn.to/43Qeh9o
https://amzn.to/43J6TfV
https://amzn.to/4p7dsBx

© 2026 GrayBeam Technology Privacy v0.1.0 · ac93850 · 2026-04-03 22:43 UTC