{"id":28278515,"url":"https://github.com/sulochan/k8s-ldap","last_synced_at":"2026-04-15T07:36:40.784Z","repository":{"id":55121247,"uuid":"281355240","full_name":"sulochan/k8s-ldap","owner":"sulochan","description":"LDAP authn-authz webhook for Kubernetes.","archived":false,"fork":false,"pushed_at":"2021-01-08T13:41:55.000Z","size":1175,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-08-26T00:36:19.803Z","etag":null,"topics":["authentication","authentication-server","authorization","k8s","kubernetes","ldap","ldap-authentication"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sulochan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-07-21T09:33:57.000Z","updated_at":"2021-01-08T13:41:58.000Z","dependencies_parsed_at":"2022-08-14T12:40:22.362Z","dependency_job_id":null,"html_url":"https://github.com/sulochan/k8s-ldap","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/sulochan/k8s-ldap","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sulochan%2Fk8s-ldap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sulochan%2Fk8s-ldap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sulochan%2Fk8s-ldap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sulochan%2Fk8s-ldap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sulochan","download_url":"https://codeload.github.com/sulochan/k8s-ld
ap/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sulochan%2Fk8s-ldap/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31831847,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-15T07:17:56.427Z","status":"ssl_error","status_checked_at":"2026-04-15T07:17:30.007Z","response_time":63,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authentication-server","authorization","k8s","kubernetes","ldap","ldap-authentication"],"created_at":"2025-05-21T08:15:39.424Z","updated_at":"2026-04-15T07:36:40.766Z","avatar_url":"https://github.com/sulochan.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"## k8s-ldap\n\nLDAP Webhook authentication and authorisation plugin.\nk8s LDAP authn-authz middleware that can talk to your LDAP server and has configurable authentication and authorisation rules based on LDAP groups or user-specific overrides.\n\nTo run k8s-ldap:\n\n    1. openssl req -x509 -newkey rsa:2048 -nodes -subj \"/CN=localhost\" -keyout key.pem -out cert.pem\n    2. go build .\n    3. ./k8s-ldap \u003cyour ldap server address\u003e key.pem cert.pem\n\nYour config file should be available in the same directory.\n\n##### Config.json :\nConfiguration options:\n1. 
**\"BindDomain\" : \"example.com\" (Optional)**\nBind Domain is only used if your username does not contain the domain. For example, if your username is jack.johnson but you need jack.johnson@example.com to be able to bind to LDAP. Remove this from the config if you simply want to bind with your username.\n2. **\"BaseDN\": \"dc=example,dc=com\" (Required)**\nThis is the BaseDN for the LDAP domain; it is required.\n3. **\"Filter\": \"(\u0026(objectCategory=person)(objectClass=user)(samAccountName=%s))\" (Required)**\nYou can use a different filter to search for the user to authenticate. This field is required.\n4. **\"MemberSearchAttribute\": \"memberOf\" (Required)**\nAttribute by which group membership is found in LDAP; most of the time it is simply \"memberOf\" or \"ismemberOf\". This field is required.\n\n5. **\"GroupRoles\" (Required)**\nGroup roles define what permissions this group has on the k8s API. For example, \"GroupRoles\": {\"group1\": [\"admin\"], \"group2\": [\"read\"]} will give members of group1 admin privileges (Read/Write/Delete) on all resources and verbs on your k8s cluster, whereas members of group2 will only have read (List/Watch) privileges.\n\n6. **\"UserRoles\" (Optional)**\nUser roles can override group roles. If you have a user within a group that needs more privileges than the rest of the group, you can define it here. 
You can also restrict access to a specific user(s) with the same logic.\n\n##### Configuring k8s cluster for LDAP Webhook :\nUse your cluster deployment tool to achieve the following, or add the following fields to your k8s API server:\n\nAuthentication is driven by two flags, namely:\n\n     --authentication-token-webhook-config-file\n     --authentication-token-webhook-cache-ttl\n\nAdd the following to your k8s-api manifest, pointing webhook-config-file to a YAML file with the following content:\n\n    # Filename: webhook-authn-config.yaml\n    \n    # clusters refers to the remote service.\n    clusters:\n    - name: webhook-token-auth-cluster\n      cluster:\n        server: https://localhost:9191/authenticate\n        insecure-skip-tls-verify: true\n    \n    # users refers to the API server's webhook configuration.\n    users:\n    - name: webhook-token-auth-user\n    \n    current-context: webhook-token-auth\n    contexts:\n    - context:\n        cluster: webhook-token-auth-cluster\n        user: webhook-token-auth-user\n      name: webhook-token-auth\n\nSo your api-server configuration should consist of the following:\n\n    --authentication-token-webhook-config-file=webhook-authn-config.yaml\n    --authentication-token-webhook-cache-ttl=5m0s\n\nAuthorisation, similarly, is controlled by the following flags:\n\n    --authorization-webhook-config-file\n    --authorization-mode=Node,RBAC,Webhook\n\nAdd the following lines to your api-server manifest, with authorization-webhook-config-file pointing to a YAML file with the following content:\n\n    # Filename: webhook-authz-config.yaml\n    \n    # clusters refers to the remote service.\n    clusters:\n    - name: webhook-token-authz-cluster\n      cluster:\n        server: https://localhost:9191/authorize\n        insecure-skip-tls-verify: true\n    \n    # users refers to the API server's webhook configuration.\n    users:\n    - name: webhook-token-authz-user\n    \n    current-context: webhook-token-authz\n    
contexts:\n    - context:\n        cluster: webhook-token-authz-cluster\n        user: webhook-token-authz-user\n      name: webhook-token-authz\n\nSo, your api-server configuration should consist of lines that look similar to:\n\n    --authorization-webhook-config-file=webhook-authz-config.yaml\n    --authorization-mode=Node,RBAC,Webhook\n\nAt this point, you can look at both the api-server logs and the k8s-ldap logs to see authentication and authorisation requests getting processed through the webhook middleware.\n# k8s-ldap\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsulochan%2Fk8s-ldap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsulochan%2Fk8s-ldap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsulochan%2Fk8s-ldap/lists"}