{"id":13144,"date":"2022-06-12T08:16:50","date_gmt":"2022-06-12T05:16:50","guid":{"rendered":"https:\/\/kifarunix.com\/?p=13144"},"modified":"2024-03-09T15:11:25","modified_gmt":"2024-03-09T12:11:25","slug":"integrate-portainer-with-openldap-for-authentication","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/integrate-portainer-with-openldap-for-authentication\/","title":{"rendered":"Integrate Portainer with OpenLDAP for Authentication"},"content":{"rendered":"\n
Follow through this guide to learn how to integrate Portainer with OpenLDAP for authentication. By default, Portainer ships with its own internal authentication mechanism. If you already run OpenLDAP in your environment, you can integrate Portainer with it to simplify the management of user accounts and of access to the various container environments.<\/p>\n\n\n\n
When using LDAP authentication, Portainer delegates user authentication to an LDAP server and falls back to internal authentication if LDAP authentication fails.<\/em><\/p>\n\n\n\n
With Portainer Community Edition, some features are not available.<\/p>\n\n\n\n
To begin with, ensure you have Portainer and OpenLDAP already installed and set up.<\/p>\n\n\n\n
You can use some of our tutorials below;<\/p>\n\n\n\n
Install and Setup Portainer in Linux<\/a><\/p>\n\n\n\n
Install and Configure OpenLDAP for Authentication<\/a><\/p>\n\n\n\n
To make account and access management easy, you can create specific groups on OpenLDAP.<\/p>\n\n\n\n
Each user that needs to access and manage various container environments via the Portainer web interface can belong to a specific OpenLDAP group.<\/p>\n\n\n\n
As per the guide below, we have created two groups, How to Create OpenLDAP Member Groups<\/a><\/p>\n\n\n\n
Confirming the groups and members;<\/p>\n\n\n\n
Devops Group<\/p>\n\n\n\n
Sample output;<\/p>\n\n\n\n
The individual users have the memberOf attribute defined;<\/p>\n\n\n\n
Admins Group;<\/p>\n\n\n\n
Sample output;<\/p>\n\n\n\n
The individual users have the memberOf attribute defined;<\/p>\n\n\n\n
To make access to the various Portainer environments easy, you need to create teams on Portainer with exactly the same names as the OpenLDAP groups.<\/p>\n\n\n\n
In our OpenLDAP, we have two groups, admins and devops.<\/p>\n\n\n\n
Thus, log in to Portainer, navigate to Users > Teams<\/strong> and create teams whose names match<\/strong> the OpenLDAP group names.<\/p>\n\n\n\n
Head over to the Portainer web interface and navigate to Settings > Authentications > Click LDAP (LDAP Authentication)<\/strong>.<\/p>\n\n\n\n
Server type, Custom<\/strong>, is selected by default on the Community Edition.<\/p>\n\n\n\n
Next, configure the OpenLDAP server connection details;<\/p>\n\n\n\n
Configure the OpenLDAP SSL\/TLS connection<\/p>\n\n\n\n
Now, log out and test login using OpenLDAP accounts. We will log in as LDAP user alex, who has the host=portainer attribute entry.<\/p>\n\n\n\n
And there you go! No permissions granted yet!<\/p>\n\n\n\n
Log out and re-login as admin to continue with the access management setup.<\/p>\n\n\n\n
You can now grant access to the various Portainer environments to OpenLDAP user groups\/users, depending on your setup.<\/p>\n\n\n\n
For example, let’s make Alex an Administrator for Portainer at large;<\/p>\n\n\n\n
Under Users, you will see user alex, or any other user who has logged in, with authentication<\/strong> method LDAP<\/strong>.<\/p>\n\n\n\n
To grant Alex Portainer system-wide admin access, click on the username alex and toggle the Administrator button on.<\/p>\n\n\n\n
Save the changes by clicking the Save<\/strong> button. Alex is now a Portainer system-wide administrator.<\/p>\n\n\n\n
To avoid having to grant each individual user access to specific environments, you can utilize the groups created before. Remember we have two groups, admins<\/strong> and devops<\/strong>, created both on LDAP and on Portainer.<\/p>\n\n\n\n
Thus, you can grant access to various endpoints to users based on their group names.<\/p>\n\n\n\n
As you can see, at the moment we only have the local Portainer Docker environment connected;<\/p>\n\n\n\n
Now that we have two groups of users, let’s grant users in the admins\/devops groups access to the local environment.<\/p>\n\n\n\n
Thus, under Environment<\/strong> > Groups<\/strong> > local environment<\/strong> > click Manage access<\/strong>. Under Create Access<\/strong> > Select user(s) and\/or team(s)<\/strong> > Select teams. Selecting roles other than standard user is not possible on the Community Edition<\/em>.<\/p>\n\n\n\n
Then click Create access.<\/p>\n\n\n\n
You can also give access to specific components of the Portainer environment.<\/p>\n\n\n\n
For example, click Home > Open a specific environment, e.g. local > Stacks\/Volumes\/Networks\/Containers > and give access accordingly.<\/p>\n\n\n\n
So, for example, to restrict access to the Portainer container, navigate to Containers under the local environment > click the Portainer container name > Access Control > Change ownership > Restricted > Authorized teams > Select the appropriate teams.<\/p>\n\n\n\n
Update ownership.<\/p>\n\n\n\n
See the screenshot below for restriction of the Volumes on the local environment to users in the admins group only;<\/p>\n\n\n\n
If you log in as a user in the devops group, you won’t be able to access the restricted volume;<\/p>\n\n\n\n
See that johndoe from the devops group cannot access volumes;<\/p>\n\n\n\nIntegrate Portainer with OpenLDAP for Authentication<\/h2>\n\n\n\n
Install Portainer on Linux<\/h3>\n\n\n\n
Install OpenLDAP Server on Linux<\/h3>\n\n\n\n
Create OpenLDAP Portainer Access Groups<\/h3>\n\n\n\n
devops<\/code><\/strong> and
admins<\/code><\/strong> on OpenLDAP;<\/p>\n\n\n\n
ldapsearch -H ldapi:\/\/\/ -Y EXTERNAL -LLL -QQQ \\\n-b \"dc=ldapmaster,dc=kifarunix-demo,dc=com\" cn=devops<\/code><\/pre>\n\n\n\n
\ndn: cn=devops,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: groupOfNames\ncn: devops\nmember: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nmember: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\n<\/code><\/pre>\n\n\n\n
memberOf: cn=devops,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code><\/pre>\n\n\n\n
ldapsearch -H ldapi:\/\/\/ -Y EXTERNAL -LLL -QQQ \\\n-b \"dc=ldapmaster,dc=kifarunix-demo,dc=com\" cn=admins<\/code><\/pre>\n\n\n\n
\ndn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: groupOfNames\ncn: admins\nmember: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nmember: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\n<\/code><\/pre>\n\n\n\n
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code><\/pre>\n\n\n\n
ldapsearch -Y EXTERNAL -H ldapi:\/\/\/ -b \"dc=ldapmaster,dc=kifarunix-demo,dc=com\" uid=* memberOf -QQQ -LLL<\/code><\/pre>\n\n\n\n
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nmemberOf: cn=devops,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\n\ndn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nmemberOf: cn=devops,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\n\ndn: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nmemberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\n\ndn: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nmemberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\n<\/code><\/pre>\n\n\n\n
Create OpenLDAP Teams Groups on Portainer<\/h3>\n\n\n\n
Connect Portainer to OpenLDAP Server<\/h3>\n\n\n\n
dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code><\/strong><\/li>
uid<\/code><\/strong> in our LDAP setup.<\/li>
(|(memberOf=cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com)(memberOf=cn=devops,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com)(host=portainer))<\/strong><\/code><\/li><\/ul>\n
ldapsearch -Y EXTERNAL -H ldapi:\/\/\/ -b \"dc=ldapmaster,dc=kifarunix-demo,dc=com\" uid=alex host -QQQ -LLL<\/code><\/pre>\n\n\n\n
dn: uid=alex,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nhost: portainer<\/strong><\/code><\/pre>\n\n\n\n
Test Login to Portainer using OpenLDAP Account<\/h3>\n\n\n\n
Grant Portainer Environment\/Endpoints Access to LDAP Users<\/h3>\n\n\n\n