
LDAP Support in CoreOS dex: An Open Source Journey

This exploratory community work provided useful research to the Dex team and helped illuminate the problem space. We'll be announcing new features in LDAP integration in the Tectonic enterprise Kubernetes distribution during November, 2016. In the meantime, this post should be considered informational, and the LDAP features discussed considered site-specific and not generally available.

Today features a guest blog post from Frode Nordahl, contributor to and user of dex, a standards-based identity provider and authentication open source solution maintained by CoreOS. Released in September 2015, dex is a central index of users that other pieces of software can authenticate against. Today introduces dex v0.3.0, which adds LDAP support and OpenID Connect dynamic client registration.

PowerTech Information Systems AS is a leading telecom operator in Norway and has been delivering commercial Internet services for the past 23 years. We set out to build a modern identity infrastructure to facilitate both the development of our next generation REST-/SOA-based software platform and to offer single-sign-on (SSO) for our services to employees and customers.

Every project starts with the need for authentication and authorization – be it for internally developed software, integration of internally hosted open source or proprietary software, or externally hosted software. And many on-premises and cloud-hosted software packages have support for and encourage the use of Identity Federation. This enables trust for a user token across multiple systems and organizations.

Federated Identity concepts allow us to create a single secure source of logon information with uniform policies and end-user experience across a wide range of software and platforms. It also avoids the risk of being locked to using all software from any one single vendor. At the same time, identity federation practices also avoid the complexity and hassle of keeping multiple, often proprietary, per system user-information databases synchronized.

The points above make identity an integral part of our infrastructure, so we carefully considered our options when seeking a modern identity solution.

Seeking a Standards-based Solution

We are proponents of building a standards-based infrastructure and key requirements for our choice of identity standards include that the solutions:

  • Are based on an open, secure and free/non-patent-encumbered standard
  • Have healthy uptake in the community with a diversity of stakeholders
  • Use technology with high probability of a long lifetime expectancy
  • Enable federated identity across a number of identity providers
  • Avoid expensive database round-trips by using cryptographically verifiable identity tokens

With these requirements in mind, OpenID Connect appeared to answer all of them. In fact, we see it as having the potential to replace more complicated federation protocols such as SAML in the near future.

Focusing on standards-based solutions, key requirements for our choice of software also included that it be:

  • Open source with an open shared development process
  • Well-maintained and written using modern techniques in modern languages
  • Focused on doing one thing, and doing it great
  • Easily integrated to be a building block amongst our other core services

We evaluated a lot of different solutions ranging from pure reference implementations – where we would have needed to develop most of the actual functionality ourselves – to solutions that attempt to be everything to all people and may end up being too complex or dictate too much of how our infrastructure should behave.

We selected CoreOS dex because it is a secure and robust central index that fulfilled most of our needs.

Identity Building Blocks: Bringing LDAP Support to dex

The identity infrastructure we are building has LDAP as one of its building blocks. While LDAP has been around a long time and some might say it has passed its prime, it is still very good at being a directory of the people and things you want to identify, authenticate and authorize. There are multiple LDAP software packages with excellent performance, flexibility and high availability through replication.

CoreOS dex did not have support for LDAP, but it did have a pluggable framework for connectors that allows it to use a variety of sources for authenticating users. It was also clear to us from the announcement of dex that LDAP support was one of the items on the wish list. So, we decided to write an LDAP connector for dex and share it with the community.

We have multiple reasons for doing this:

  • We required LDAP support for our modernized infrastructure.
  • We realized dex's potential to solve some key problems, and liked that it is freely available to us.
  • dex needed LDAP support, and because it is written in the open, we became contributors to the project to add the support. Why not provide something back?
  • Upstreaming code means more eyes on the code. This in turn leads to better tested, more secure and less error-prone code.

The LDAP connector allows you to use dex to host authentication of your users backed by an LDAP directory. You can use search filters to allow authentication with arbitrary LDAP attributes, for example an e-mail address, so you are not confined to having your users remember and log on with their account name. The search filters also allow you to configure simple authorization schemes to control access to your services: with searchBeforeAuth enabled, the connector first binds with the search account, resolves the login name to a single entry through the filter, and only then binds as that entry with the user's password.

Here is an example LDAP configuration (static/fixtures/connectors.json):

{
    "type": "ldap",
    "id": "ldap",
    "serverHost": "ldap.server.hostname",
    "serverPort": 389,
    "baseDN": "ou=People,dc=example,dc=com",
    "emailAttribute": "mail",
    "useTLS": true,
    "searchBeforeAuth": true,
    "searchFilter": "(mail=%u)",
    "searchBindDN": "cn=ldapauth,dc=example,dc=com",
    "searchBindPw": "secrete"
}

The full range of options is available in the connector documentation. Note that the search bind account's password sits in this fixture in clear text, and the account only needs read access to the attributes used in the filter, so keep it a dedicated least-privilege account.
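The search-before-auth flow that the configuration above enables, as an added example in Go that is not code from the dex connector or from the author: it binds with the search account, substitutes the login name into the search filter, requires exactly one match, and only then binds as the resolved DN with the user's password. The `Directory` interface, the in-memory `fakeDirectory`, the sample entries and the `escapeFilter` helper are constructed for this example. Two checks worth making in any deployment are whether the connector in use escapes the substituted value per RFC 4515, and whether the LDAP server accepts a bind with a DN and an empty password (an unauthenticated bind, RFC 4513 section 5.1.2), which the fake below emulates.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Directory is the slice of LDAP this flow needs: an LDAP client in production, the constructed fake below here.
type Directory interface {
	Bind(dn, password string) error
	Search(baseDN, filter string) ([]string, error) // DNs of matching entries
}
// Config mirrors the search-before-auth fields of the connector configuration.
type Config struct{ BaseDN, SearchFilter, SearchBindDN, SearchBindPw string }
// escapeFilter applies RFC 4515 escaping, so a login such as "*" or "x)(uid=admin" is matched literally.
func escapeFilter(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if c := s[i]; strings.IndexByte("\\*()\x00", c) >= 0 {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// Authenticate is the two-phase flow: bind as the service account, resolve the
// login to exactly one DN, then bind as that DN with the user's password.
func Authenticate(d Directory, cfg Config, login, password string) (string, error) {
	if password == "" { // RFC 4513 5.1.2: an empty password is an unauthenticated bind, which many servers accept
		return "", errors.New("empty password refused")
	}
	if err := d.Bind(cfg.SearchBindDN, cfg.SearchBindPw); err != nil {
		return "", fmt.Errorf("service bind: %w", err)
	}
	dns, err := d.Search(cfg.BaseDN, strings.ReplaceAll(cfg.SearchFilter, "%u", escapeFilter(login)))
	if err != nil {
		return "", err
	}
	if len(dns) != 1 { // 0 is an unknown user, >1 an ambiguous or injected filter
		return "", fmt.Errorf("login %q matched %d entries, want 1", login, len(dns))
	}
	if err := d.Bind(dns[0], password); err != nil {
		return "", errors.New("invalid credentials")
	}
	return dns[0], nil
}

// fakeDirectory is a constructed in-memory stand-in for an LDAP server: DN -> entry.
type fakeDirectory map[string]struct{ mail, password string }
// Bind emulates RFC 4513: a DN with an empty password binds anonymously and succeeds.
func (f fakeDirectory) Bind(dn, password string) error {
	if e, ok := f[dn]; password != "" && (!ok || e.password != password) {
		return errors.New("invalidCredentials (49)")
	}
	return nil
}
var mailFilter = regexp.MustCompile(`^\(mail=(.*)\)$`)
var hexEscape = regexp.MustCompile(`\\[0-9a-fA-F]{2}`)
// Search accepts "(mail=value)" filters; as on a real server, an unescaped '*' is a wildcard and \xx a literal byte.
func (f fakeDirectory) Search(baseDN, filter string) ([]string, error) {
	m := mailFilter.FindStringSubmatch(filter)
	if m == nil {
		return nil, fmt.Errorf("unsupported filter %q", filter)
	}
	parts := strings.Split(m[1], "*") // unescaped wildcards separate the literal runs
	for i, p := range parts {
		parts[i] = regexp.QuoteMeta(hexEscape.ReplaceAllStringFunc(p, func(h string) string {
			v, _ := strconv.ParseUint(h[1:], 16, 8)
			return string(rune(v))
		}))
	}
	re := regexp.MustCompile("^" + strings.Join(parts, ".*") + "$")
	var out []string
	for dn, e := range f {
		if strings.HasSuffix(dn, ","+baseDN) && re.MatchString(e.mail) {
			out = append(out, dn)
		}
	}
	return out, nil
}

var dir = fakeDirectory{ // constructed sample entries matching the fixture's DNs
	"uid=alice,ou=People,dc=example,dc=com": {"alice@example.com", "alice-pw"},
	"uid=bob,ou=People,dc=example,dc=com":   {"bob@example.com", "bob-pw"},
	"cn=ldapauth,dc=example,dc=com":         {"", "secrete"},
}
var exampleConfig = Config{"ou=People,dc=example,dc=com", "(mail=%u)", "cn=ldapauth,dc=example,dc=com", "secrete"}

func main() {
	for _, c := range [][2]string{{"alice@example.com", "alice-pw"}, {"alice@example.com", ""}, {"*", "alice-pw"}} {
		dn, err := Authenticate(dir, exampleConfig, c[0], c[1])
		fmt.Printf("login=%q password=%q -> dn=%q err=%v\n", c[0], c[1], dn, err)
	}
}
```

Run it with `go run`: the three calls in `main` show a successful logon, an empty password refused before it reaches the directory, and a login name of `*` resolving to no entry because it was escaped to `\2a`. Without that escaping, `(mail=*)` matches every user, and a filter that also encodes authorization, for example `(&(mail=%u)(memberOf=...))`, could be reshaped by a crafted login name.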

Join the Community

Working with the CoreOS team and the community on the LDAP connector was a great experience and proved the viability of working in open source. Feedback on pull requests with suggestions, pointers in the right direction when you're stuck, and constructive comments on actual code help everyone involved drive the project forward. We will continue to work with the CoreOS team and community and hope to add more features to the LDAP connector and other areas as dex continues to evolve.

What we would like to see next is:

  • Automatic registration on first logon (#310)
  • Authorization and Group support with interface to connectors (#175)
  • Verification through additional sources other than email (such as SMS)
  • Further evolution to improve the User Manager interface
  • N-factor authentication using multiple connectors or OTPs through verified outlets (#352)

Get involved and try out the LDAP connector today. Contribute to dex and join the community here.


About my employer, PowerTech Information Systems AS

PowerTech Information Systems AS is the oldest surviving independent telecom operator in Norway. Although we are a regional operator with our main focus in the Oslo/Akershus area, we currently rank as the third largest B2B fiber provider in Norway.

About the author, Frode Nordahl

I have worked in tech for the past two decades. I eagerly embrace the technologies disrupting our industry, not to say the world, as we know it, and welcome the ever-increasing pace of change. Where there is change, there is opportunity. Software defines everything and we are privileged to be in the middle of a golden age for building software to take advantage of that.