LDAP based user authentication for Kubernetes - authentication

There are some methods natively supported, such as basic auth, X509 certificates and webhook tokens.
Is there some workaround/project to use LDAP for user authentication with Kubernetes? I need users to be grouped in LDAP, and then use role binding to bind the group to a specific namespace with a role.

Yes, you can integrate with LDAP, for example:
Using dex
With Torchbox's kube-ldap-authn (hint: read this post)
Via Keycloak
Also, there's a nice intro-level blog post to get you started.
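To make the group-to-namespace binding from the question concrete, here is an added example (not code from dex, kube-ldap-authn or any linked post) following the dex route: dex's LDAP connector resolves the user's LDAP groups into the `groups` claim of the OIDC id_token, kube-apiserver is told which claims to trust, and a RoleBinding grants that group a role in exactly one namespace. The hostnames, DNs, client id, namespace and group name are assumptions for illustration; the kube-apiserver never talks to LDAP itself.

```yaml
# --- dex config file fragment (assumed hostnames/DNs).
#     The LDAP connector resolves the caller's groups so they land in the
#     id_token "groups" claim that kube-apiserver will read.
issuer: https://dex.example.com
connectors:
- type: ldap
  id: ldap
  name: Corporate LDAP
  config:
    host: ldap.example.com:636
    insecureNoSSL: false          # credentials travel in the bind request; keep TLS on
    rootCA: /etc/dex/ldap-ca.pem
    bindDN: cn=dex,ou=service-accounts,dc=example,dc=com
    bindPW: REPLACE_WITH_SECRET   # assumption: inject from a secret store, not a file in git
    userSearch:
      baseDN: ou=people,dc=example,dc=com
      filter: "(objectClass=person)"
      username: uid
      idAttr: uid
      emailAttr: mail
      nameAttr: cn
    groupSearch:
      baseDN: ou=groups,dc=example,dc=com
      filter: "(objectClass=groupOfNames)"
      # A user is in a group when the group's "member" attribute holds the user's DN.
      userMatchers:
      - userAttr: DN
        groupAttr: member
      nameAttr: cn                # the value that becomes the group name in the claim
staticClients:
- id: kubernetes
  name: Kubernetes
  secret: REPLACE_WITH_SECRET     # assumption: shared with your kubectl login helper
  redirectURIs:
  - http://localhost:8000/callback
---
# --- kube-apiserver flags (set on the API server process, not a manifest field):
#   --oidc-issuer-url=https://dex.example.com
#   --oidc-client-id=kubernetes
#   --oidc-ca-file=/etc/kubernetes/pki/dex-ca.pem
#   --oidc-username-claim=email
#   --oidc-groups-claim=groups
#   --oidc-groups-prefix=ldap:
#
# --- RoleBinding applied with kubectl: LDAP group "developers" arrives as
#     "ldap:developers" because of --oidc-groups-prefix, and gets the built-in
#     "edit" ClusterRole, but only inside the "team-a" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ldap-developers-edit
  namespace: team-a
subjects:
- kind: Group
  name: ldap:developers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```

Two things to check before trusting this in production. The `subjects.name` string must match the claim value byte for byte, prefix included; the prefix is worth keeping because it stops an LDAP group that happens to be called `system:masters` from being treated as the built-in cluster-admin group. And because the id_token is a bearer token, removing a user from the LDAP group only takes effect when the token expires and is refreshed, so keep the token lifetime short. You can confirm the binding without an LDAP login by impersonating the expected identity: `kubectl auth can-i create deployments -n team-a --as=alice@example.com --as-group=ldap:developers` (the impersonating identity needs `impersonate` rights).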

Related

Use keycloak as auth service or IDP?

So, I'm doing research to find out if it's a good alternative to implement Keycloak in the environment I'm working at.
I'm using LDAP to manage users at my workplace. I was wondering if there is a way to use Keycloak as an auth service in all upcoming systems and some of the existing ones. We are currently managing it with an IDP that we need to improve or replace; also there are some systems that use their own login (this will eventually change).
The main problem I've come across is that Keycloak synchronizes against LDAP and I don't want user data to be stored in Keycloak, maybe only login data. User data is planned to be kept only in LDAP's database in case any user data needs to be updated.
So is there a way to use Keycloak only as an auth service, fetching user credentials from LDAP on every auth request?
PS: maybe I am mistaken about the meaning of what an auth service is and what an IDP is.
Actually it is not necessary that LDAP users are synced to Keycloak.
Keycloak supports both options:
importing and optionally syncing users from LDAP to Keycloak,
or
always getting the user info from LDAP directly.
But Keycloak will always generate some basic federated user in its database (e.g. for keeping up a session when using OpenID Connect, but you should not really care about that).
As far as I know (but I've not used that myself) you could also use Keycloak to maintain the LDAP user data and write changes back to LDAP (see "Edit Mode" in the Keycloak documentation).
Check the Keycloak documentation regarding LDAP to get more information: https://www.keycloak.org/docs/6.0/server_admin/#_ldap
Besides the user-data topic, Keycloak provides a lot of different protocols (like SAML and OpenID Connect) to provide authentication for your services. So you could use different/multiple authentication protocols depending on your applications with just one "LDAP backend".

is it possible to enable client certificate authentication in EKS?

Searching through the Internet, I have seen that EKS only enables IAM authentication for IAM users.
Is it possible to configure client certificate authentication manually? I mean, create Kubernetes users and roles internally and not use IAM authentication.
Kubernetes supports several authentication modules, for example:
X509 client certificates
Service account tokens
OpenID Connect tokens
Webhook token authentication
Authenticating proxy, etc.
You can find more details regarding them in the official documentation.
However, Amazon EKS uses only one specific authentication method, an implementation of a webhook token authentication to authenticate Kube API requests. This webhook service is implemented by an open source tool called AWS IAM Authenticator, which has both client and server sides.
In short, the client sends a token (which includes the AWS IAM identity—user or role—making the API call) which is verified on the server-side by the webhook service.
So the answer to your question is: if you choose to use EKS, you only have one authentication option, which is IAM.
I hope it helps.
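The question asks for "Kubernetes users and roles internally". With the IAM webhook that is still possible, just one step removed: the `aws-auth` ConfigMap that aws-iam-authenticator reads maps an IAM ARN to a Kubernetes username and groups, and from there ordinary RBAC applies. The following is an added example, not code from the EKS documentation or from aws-iam-authenticator; the account id, role names, cluster name and group names are assumptions.

```yaml
# --- aws-auth ConfigMap in kube-system, read by the server side of
#     aws-iam-authenticator. Only identities listed here (plus the cluster
#     creator, who is system:masters implicitly) get past authentication.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Worker nodes: keep the entry EKS created, or kubelets stop joining.
    - rolearn: arn:aws:iam::111122223333:role/eks-node-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # Humans assume this role (e.g. via SSO). {{SessionName}} keeps the
    # individual session name in the Kubernetes username, so audit logs
    # show who acted, not just which role.
    - rolearn: arn:aws:iam::111122223333:role/team-a-developers
      username: team-a:{{SessionName}}
      groups:
        - team-a-developers
  mapUsers: |
    # Long-lived IAM users are discouraged; prefer roles. Shown for completeness.
    - userarn: arn:aws:iam::111122223333:user/alice
      username: alice
      groups:
        - team-a-developers
---
# --- RoleBinding: the mapped group gets the built-in "edit" ClusterRole in
#     one namespace only. This is where the "internal" Kubernetes roles live.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-developers-edit
  namespace: team-a
subjects:
- kind: Group
  name: team-a-developers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
---
# --- kubeconfig user entry: kubectl fetches a short-lived presigned STS
#     token through the client side of the same tool (the aws CLI wraps it).
apiVersion: v1
kind: Config
users:
- name: team-a-dev
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws
      args:
        - eks
        - get-token
        - --cluster-name
        - prod                                        # assumed cluster name
        - --role-arn
        - arn:aws:iam::111122223333:role/team-a-developers
```

Two caveats a practitioner will hit. First, a malformed `aws-auth` (bad indentation inside the block scalars is the classic mistake) locks everyone except the cluster creator out with `Unauthorized`, so edit it with `kubectl edit -n kube-system configmap/aws-auth` from a session that is the creator's identity and verify with `kubectl auth can-i --list --as=team-a:someone --as-group=team-a-developers -n team-a` before logging out. Second, the answer above reflects EKS at the time it was written; EKS later added association of an external OIDC identity provider as a second token source, and more recently an access-entries API that replaces the ConfigMap, but client certificate authentication remains unavailable because the API server's CA is not under your control.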

How to authenticate one website using LDAP when the user was authenticated on another website using LDAP

A user is authenticated on a website using LDAP. How do I automatically authenticate the same user on another website using LDAP? The two websites are on the same domain but are separate websites; they both authenticate against the same LDAP store. Is an authentication token somehow passed from one to the next? Or the credentials or something? Sort of new to LDAP auth...
You cannot use LDAP to achieve Single Sign On. LDAP is an 'authentication protocol' and a 'data model'.
You either need a proprietary mechanism or some standards-based technology like OIDC or SAML.

WSO2 Identity Server: How to authenticate User?

I am using an in-memory DB for storing user details in WSO2 Identity Server. I created a couple of users via the UI and now I want to authenticate those users using some external application.
Is there any available WSO2 service which takes user credentials and authenticates based on the details provided? I saw a few articles where they mainly talk about User Stores. But there, I think, they directly connect to the DB to compare the credentials.
There are multiple ways to authenticate a user from Identity Server. The easiest way is to call the admin service (SOAP service) for authentication (RemoteUserStoreManagerService/authenticate). Or you can create an OAuth application inside the IS and use the resource owner grant type to pass the credentials and authenticate.
You can find admin service related information here [1] and password grant related information here [2].
"Is there any available WSO2 service which takes user credentials and authenticates based on the details provided?"
I believe we've misused the Token API service (/token with the password OAuth profile) to request an OAuth code, and the WSO2IS effectively validates the user's credentials.
I suggest your application stick to some authentication and authorization standards supported by the WSO2IS, such as OAuth 2.0 or SAML.

WSO2 Identity Server SSO integrated with spring-security

Now I'm trying to transform two website systems to SSO authentication using WSO2 Identity Server. These two systems have their own authentication; one of them uses spring-security to control the URL authorities. I've just cut out the spring-security interceptor and successfully implemented SSO authentication. Now I wonder if I can implement SSO integrated with spring-security. What confuses me is that the two different systems have different User entities and their own authorization strategies; should I change their structure to be the same now?
You can create the roles of both applications in Identity Server and assign them to a user. For example, if a user has the role ADMIN in application1 and USER in application2, you can assign both roles to the same user in the ID server.
I think the Spring Security authentication used in your applications won't be affected because you will use only Principal values to authenticate the user.