On my adventure to centralize authentication around my applications, I have Portainer up next. I use this application to help manage my docker containers and images across my docker swarm cluster and on my unRAID server. Portainer has some basic LDAP authentication capabilities built in for free, and a large amount of capability behind paid services and plugins. For this, I will be using the free capabilities.
First we have a warning, this doesn’t work with the Arm builds of Portainer. I tried getting Portainer to authenticate against my LDAP directory on my raspberry pi docker cluster to no success. I did research a tad on it as well, and it looks to be a limitation on Arm.
I don’t have proper certificates on my LDAP server at the moment, so for the time being, I will be disabling the certificate verification on Portainer. While this isn’t the more secure setup, I would rather my LDAP authentications be done on an encrypted connection, even if it is with a self signed certificate. For those of you with proper certificates, make sure to turn off the “Skip Verification” option.
Go to Settings → Authentication, Select LDAP
- LDAP Server: ucs.rapternet.us:7389
- Anonymous: Off
- Reader DN: uid=auth-portainer,cn=users,dc=rapternet,dc=us
- Passwd: Cool Password
- Use StartTLS: Yes
- Skip Verification: Yes
- Automatic user prov: Yes
- Base DN: cn=users,dc=rapternet,dc=us
- Username attribute: uid
- User Search Filter: \<blank\>
Portainer does provide some authorization control in the free tier using the teams within the application. A team can be setup matching the name to an LDAP group, allowing a user logging in with that group to be provided access to the team. The team can then be linked to a docker node, allowing anyone on that team to manage the node. While this does not provide granular controls, it does provide some basic functionality which is fine for a lab environment.
- Sidebar: Users → Teams, create a team that matches the LDAP group name
- Sidebar: Endpoints, find the node you want the group to manage, select “Manage Access”
- Select the team in the “Select users and/or teams” dropdown
- Click “Create Access”
I created a team matching the name of the administrators group and linked that to the docker node, which provided a bit of automated policy on login. The free tier of Portainer however has no way to provide better role control, so theres no way to automatically flag a user as an administrator. For my user, I had to set that flag manually on the domain administrator using the portainer managed default admin. Most of this capability is in the paid plugin.
I needed to configure the group search configuration in the settings. Before doing so however, I need to know what the group membership attribute is for my LDAP server. A quick ldap search on a group and I get the answer, uniqueMember.
Administrator@ucs:~$ ldapsearch -xLLL -D uid=auth-grafana,cn=users,dc=rapternet,dc=us -W cn=administrators Enter LDAP Password: dn: cn=Administrators,cn=Builtin,dc=rapternet,dc=us sambaGroupType: 2 cn: Administrators objectClass: top objectClass: univentionGroup objectClass: posixGroup objectClass: univentionObject objectClass: sambaGroupMapping univentionObjectType: groups/group sambaSID: S-1-5-32-544 gidNumber: 5052 univentionGroupType: -2147483643 description: Administrators have complete and unrestricted access to the compu ter/domain memberUid: Administrator uniqueMember: cn=domain admins,cn=groups,dc=rapternet,dc=us uniqueMember: cn=enterprise admins,cn=groups,dc=rapternet,dc=us uniqueMember: uid=administrator,cn=users,dc=rapternet,dc=us
Now its time to configure the group under Settings → Authentication. Since I wanted to call out the administrators group specifically, I used a filter on (cn=Administrators), everything else being relatively default for my domain.
- Group Base DN: cn=builtin,dc=rapternet,dc=us
- Group Membership Attrib: uniqueMember
- Group Filter: (cn=Administrators)
Authentication to LDAP on Portainer was an easy task to complete. The difficulty came when I wanted my LDAP administrators group to have administrator access on my Portainer instance by default. While I didn’t find a way to do this, I did find a way to have my administrators group have the docker node setup by default using the Portainer team. This was at least a step in the right direction. Using more LDAP groups, I could see having nodes setup with certain teams in Portainer, providing access based on the LDAP groups on the free tier of the system.