OpsChain LDAP

MintPress can utilise an LDAP database for user authorisation and authentication. After following this guide you should know how to:

  • adjust MintPress's LDAP group membership caching feature
  • configure MintPress to use an external LDAP/AD database

LDAP group membership caching

By default, MintPress will cache a user's LDAP group membership for 1 minute to reduce the volume of LDAP requests.

Disable caching

To disable group membership caching, update the system configuration settings with "ldap": { "cache_ttl": 0 } and restart the OpsChain API.

Increase cache life

To increase the cache life, update the system configuration settings with the number of seconds the cache should remain valid. The following example would increase the cache life to 5 minutes (300 seconds):

{
  "ldap": { "cache_ttl": 300 }
}

Configuring an external LDAP

This guide takes you through how to use an external LDAP server with MintPress.

After following this guide you should know how to:

  • configure MintPress to use an external LDAP server for authentication
  • disable the supplied OpsChain LDAP server

Disable the supplied OpsChain LDAP server

By default, MintPress will use the LDAP server in the opschain-ldap pod for user authentication. To disable the opschain-ldap service, edit your values.yaml file and alter the ldap.enabled setting to be false.

ldap:
  enabled: false

Note: If you modify this setting post-installation, you will need to redeploy MintPress with the command used for patching.

Alter the OpsChain LDAP configuration

See the configuring MintPress guide for details of the LDAP settings that can be adjusted to enable the use of an external LDAP server. Update the system configuration settings with the relevant LDAP options to override the default values.

Info: An example Active Directory configuration appears at the end of this document.

Restart OpsChain API

If you update the LDAP configuration through the MintPress UI or API, restart the OpsChain API server so that the new LDAP configuration takes effect:

kubectl rollout restart -n mintpress deployment.apps/opschain-api

To avoid issues on your next patch, ensure you also update the LDAP settings in your values.yaml file to match the new configuration.

Example Active Directory configuration

The following example settings allow MintPress to utilise an Active Directory for user authentication:

{
  "ldap": {
    "host": "ad-server",
    "port": 389,
    "domain": "myopschain.io",
    "base_dn": "DC=myopschain,DC=io",
    "user_base": "CN=Users,DC=myopschain,DC=io",
    "user_attribute": "sAMAccountName",
    "group_base": "DC=myopschain,DC=io",
    "group_attribute": "member",
    "admin": "CN=Administrator,CN=Users,DC=myopschain,DC=io",
    "password": "AdministratorPassword!",
    "hc_user": ""
  }
}

The equivalent of these settings in the env section of your values.yaml file would be:

env:
  OPSCHAIN_LDAP_HOST: ad-server
  OPSCHAIN_LDAP_PORT: 389
  OPSCHAIN_LDAP_DOMAIN: myopschain.io
  OPSCHAIN_LDAP_BASE_DN: DC=myopschain,DC=io
  OPSCHAIN_LDAP_USER_BASE: CN=Users,DC=myopschain,DC=io
  OPSCHAIN_LDAP_USER_ATTRIBUTE: sAMAccountName
  OPSCHAIN_LDAP_GROUP_BASE: DC=myopschain,DC=io
  OPSCHAIN_LDAP_GROUP_ATTRIBUTE: member
  OPSCHAIN_LDAP_ADMIN: CN=Administrator,CN=Users,DC=myopschain,DC=io
  OPSCHAIN_LDAP_PASSWORD: AdministratorPassword!
  OPSCHAIN_LDAP_HC_USER:
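As an added example (not code from the MintPress documentation or product), the script below takes the ldap block of the system configuration, runs a few checks a reviewer would want before restarting the API (port range and cleartext 389, a sane cache_ttl, the user, group and admin DNs sitting under base_dn, a non-empty bind password), and renders the equivalent OPSCHAIN_LDAP_* env entries. The key-to-variable naming rule is inferred from the two listings above and is assumed to hold for every key.

```python
"""Check a MintPress ``ldap`` system-configuration block and render the
equivalent OPSCHAIN_LDAP_* env entries for values.yaml (added example, not
MintPress code; assumes the key-to-variable naming rule seen in the listings)."""

# Keys whose values the page shows as DNs that should sit under base_dn.
DN_KEYS = ("user_base", "group_base", "admin")


def to_env(ldap_cfg):
    """Map each ldap key to its OPSCHAIN_LDAP_* variable; env values are strings."""
    return {"OPSCHAIN_LDAP_" + key.upper(): str(value) for key, value in ldap_cfg.items()}


def dn_components(dn):
    """Split a DN into lower-cased RDNs, e.g. 'cn=users', 'dc=myopschain', 'dc=io'."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def check_ldap_config(ldap_cfg):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    port = ldap_cfg.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append("port must be an integer between 1 and 65535")
    elif port == 389:
        # Plain LDAP on 389 carries the admin bind password in cleartext
        # unless StartTLS is negotiated; confirm that before relying on it.
        findings.append("port 389: admin bind is cleartext unless StartTLS is used")
    ttl = ldap_cfg.get("cache_ttl", 60)  # the page states a 1 minute default
    if not isinstance(ttl, int) or ttl < 0:
        findings.append("cache_ttl must be a non-negative number of seconds")
    base = dn_components(ldap_cfg.get("base_dn", ""))
    for key in DN_KEYS:
        parts = dn_components(ldap_cfg.get(key, ""))
        if base and parts[-len(base):] != base:
            findings.append(f"{key} is not under base_dn: {ldap_cfg.get(key)}")
    if not ldap_cfg.get("password"):
        findings.append("password is empty: the admin bind would be unauthenticated")
    return findings


# Constructed sample: the Active Directory settings shown above.
SAMPLE = {
    "host": "ad-server", "port": 389, "domain": "myopschain.io",
    "base_dn": "DC=myopschain,DC=io", "user_attribute": "sAMAccountName",
    "user_base": "CN=Users,DC=myopschain,DC=io", "group_attribute": "member",
    "group_base": "DC=myopschain,DC=io", "password": "AdministratorPassword!",
    "admin": "CN=Administrator,CN=Users,DC=myopschain,DC=io", "hc_user": "",
}

if __name__ == "__main__":
    print("\n".join(check_ldap_config(SAMPLE)))
    print("\n".join(f"{k}: {v}" for k, v in to_env(SAMPLE).items()))
```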