Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

Note: All commands are written for juju >= v.3.0

If you are using an earlier version, check the Juju 3.0 Release Notes.

LDAP is available on channels: 14/edge and 16/edge, from revision 600.

How to enable LDAP authentication

LDAP (Lightweight Directory Access Protocol) enables centralized authentication for PostgreSQL clusters, reducing the overhead of managing local credentials and access policies.

This guide goes over the steps to integrate LDAP as an authentication method with the PostgreSQL charm, all within the Juju ecosystem.

Deploy an LDAP server in a K8s environment

Disclaimer: In this guide, we use self-signed certificates provided by the self-signed-certificates operator.

This is not recommended for a production environment.

For production environments, check the collection of Charmhub operators that implement the tls-certificate interface, and choose the most suitable for your use-case.

Switch to the Kubernetes controller:

juju switch <k8s_controller>

Deploy the GLAuth charm:

juju add-model glauth
juju deploy self-signed-certificates
juju deploy postgresql-k8s --channel 14/stable --trust
juju deploy glauth-k8s --channel edge --trust

Integrate (formerly known as “relate”) the three applications:

juju integrate glauth-k8s self-signed-certificates
juju integrate glauth-k8s postgresql-k8s

Deploy the GLAuth-utils charm, in order to manage LDAP users:

juju deploy glauth-utils --channel edge --trust

Integrate (formerly known as “relate”) the two applications:

juju integrate glauth-k8s glauth-utils

Expose cross-controller URLs

Enable the required micro-k8s plugin:

IPADDR=$(ip -4 -j route get 2.2.2.2 | jq -r '.[] | .prefsrc')
sudo microk8s enable metallb $IPADDR-$IPADDR

Deploy the Traefik charm, in order to expose endpoints from the K8s cluster:

juju deploy traefik-k8s --trust

Integrate (formerly known as “relate”) the two applications:

juju integrate traefik-k8s glauth-k8s:ingress

Expose cross-model relations

To offer the GLAuth interfaces, run:

juju offer glauth-k8s:ldap ldap
juju offer glauth-k8s:send-ca-cert send-ca-cert

Enable LDAP

Switch to the VM controller:

juju switch <lxd_controller>:postgresql

To have LDAP offers consumed:

juju consume <k8s_controller>:admin/glauth.ldap
juju consume <k8s_controller>:admin/glauth.send-ca-cert

To have LDAP authentication enabled, integrate the PostgreSQL charm with the GLAuth charm:

juju integrate postgresql:ldap ldap
juju integrate postgresql:receive-ca-cert send-ca-cert

Map LDAP users to PostgreSQL

To have LDAP users available in PostgreSQL, provide a comma separated list of LDAP groups to already created PostgreSQL authorization groups. To create those groups before hand, refer to the Data Integrator charm page.

juju config postgresql ldap_map="<ldap_group>=<psql_group>"

Disable LDAP

You can disable LDAP removing the following relations:

juju remove-relation postgresql.receive-ca-cert send-ca-cert
juju remove-relation postgresql.ldap ldap
Previous Enable TLS Next Enable plugins/extensions

Last updated a day ago. Help improve this document in the forum.