Skip to main content
Version: 3.0

LDAP

  1. Choose DEX_HOSTNAME And Configure DNS

    Loft uses the CNCF project dex for single sign-on.

    The easiest case is this one:

    • $LOFT_HOSTNAME = loft.mycompany.tld (where Loft is running)
    • $DEX_HOSTNAME = dex.mycompany.tld (where dex should be running)
  2. Create Dex Config For LDAP

    Create the file dex-config.yaml with the following dex configuration:

    ingress:
    enabled: true
    hosts:
    - host: dex.yourcompany.tld # Use $DEX_HOSTNAME
    paths:
    - path: /
    config:
    issuer: https://dex.yourcompany.tld # "https://" + $DEX_HOSTNAME
    connectors:
    - type: ldap
    id: ldap
    name: LDAP
    config:
    host: myldap.company.tld:636 # Your LDAP server hostname:port
    # insecureNoSSL: true # Not recommended but required if not using TLS (port 389)
    # insecureSkipVerify: true # Not recommended but required for self-signed certificates
    # rootCAData: ( base64 encoded PEM file )
    # startTLS: true # Use ldap:// instead of ldaps:// protocol

    # The DN and password for an application service account. The connector uses
    # these credentials to search for users and groups. Not required if the LDAP
    # server provides access for anonymous auth.
    # Please note that if the bind password contains a `$`, it has to be saved in an
    # environment variable which should be given as the value to `bindPW`.
    bindDN: uid=serviceaccount,cn=users,dc=example,dc=com
    bindPW: password

    # User search maps a username and password entered by a user to a LDAP entry.
    userSearch:
    # BaseDN to start the search from. It will translate to the query
    # "(&(objectClass=person)(uid=<username>))".
    baseDN: cn=users,dc=example,dc=com
    # Optional filter to apply when searching the directory.
    filter: "(objectClass=person)"
    # username attribute used for comparing user entries. This will be translated
    # and combined with the other filter as "(<attr>=<username>)".
    username: uid
    # The following three fields are direct mappings of attributes on the user entry.
    # String representation of the user.
    idAttr: uid
    # Required. Attribute to map to Email.
    emailAttr: mail
    # Maps to display name of users. No default value.
    nameAttr: name

    # Group search queries for groups given a user entry.
    groupSearch:
    # BaseDN to start the search from. It will translate to the query
    # "(&(objectClass=group)(member=<user uid>))".
    baseDN: cn=groups,dc=freeipa,dc=example,dc=com
    # Optional filter to apply when searching the directory.
    filter: "(objectClass=group)"
    # Represents group name.
    nameAttr: name
    # Following list contains field pairs that are used to match a user to a group. It adds an additional
    # requirement to the filter that an attribute in the group must match the user's
    # attribute value.
    userMatchers:
    - userAttr: uid
    groupAttr: member
    staticClients:
    - name: Loft
    id: loft # Define a $DEX_CLIENT_ID
    secret: XXXXXXXXXXXXXX # Define a $DEX_CLIENT_SECRET (can be any secret key)
    redirectURIs:
    - 'https://loft.mycompany.tld/auth/oidc/callback' # Loft URL + /auth/oidc/callback
    oauth2:
    skipApprovalScreen: true
    web:
    http: 0.0.0.0:5556
    storage:
    type: kubernetes
    config:
    inCluster: true

    For details about configuring dex for LDAP, take a look at the dex documentation for LDAP.

  3. Deploy Dex via Helm

    After creating the file dex-config.yaml, you can now install dex via helm:

    helm install dex dex --repo https://charts.dexidp.io \
    --create-namespace --namespace dex \
    -f dex-config.yaml \
    --wait
  4. Configure Loft To Use Dex For Authentication

    To tell Loft to use dex for SSO, navigate to Admin > Config in Loft and adjust your config as shown below:

    auth:
    oidc:
    issuerUrl: https://dex.mycompany.tld # Use $DEX_HOSTNAME (see above)
    clientId: "" # Use $DEX_CLIENT_ID (see above)
    clientSecret: "" # Use $DEX_CLIENT_SECRET (see above)
    type: "github" # Optional: SSO Login Button Icon ("", github, gitlab, microsoft, google)
    usernameClaim: "email" # Optional: Which part of the dex token to use as Loft username (default: email)
    usernamePrefix: "" # Optional: Add prefix to usernameClaim for Loft username
    groupsClaim: "groups" # Optional: Add Kubernetes groups for this user
    groupsPrefix: "loft-" # Optional: Prefix for Kubernetes groups
    caFile: "" # Optional: Path to a CA cert of dex within the Loft container (default: '')
  5. Authenticate via Dex + LDAP

    After saving the new Loft configuration, Loft will restart itself and you should be able to log in via LDAP and dex.

  6. Disable Username + Password Authentication (optional)

    To disable password-based authentication, navigate to Admin > Config add these two lines to your config:

    auth:
    oidc: ... # This is your SSO configuration (make sure this is working!)
    password:
    disabled: true # Disable password-based authentication