Configure LDAP providers to authenticate to clusters

This document is for platform administrators, or whoever manages identity setup in your organization. It explains how to configure your chosen Lightweight Directory Access Protocol (LDAP) identity provider for authentication to Kubernetes clusters that aren't on Google Cloud.

You can use LDAP to authenticate to Google Distributed Cloud and Google Distributed Cloud only.

Before you begin

Throughout this setup, you might need to refer to the documentation for your LDAP server. The following administrator guides explain configuration for some popular LDAP providers, including where to find the information you need to log in to the LDAP server:

Get LDAP login details

During the authentication flow for users, the cluster uses a service account secret to authenticate to the LDAP server and retrieve user details. There are two types of service accounts permitted in LDAP authentication, basic auth (using a username and password to authenticate to the server) or client certificate (using a client private key and client certificate). To find out which type is supported in your specific LDAP server, see its documentation. Generally, Google LDAP only supports a client certificate as the service account. OpenLDAP, Microsoft Active Directory and Microsoft Entra ID support only basic auth natively.

The following instructions show you how to create a client and get LDAP server login details for some popular providers. For other LDAP providers, see the server's administrator documentation.

Microsoft Entra ID/Active Directory

  1. Follow the UI instructions to create a new user account.
  2. Save the full user distinguished name (DN) and password for later.

Google LDAP

  1. Ensure that you are logged in to your Google Workspace or Cloud Identity account in accounts.google.com.
  2. Log in to the Google Admin console with the account.
  3. Select Apps - LDAP from the left menu.
  4. Click Add client.
  5. Add your chosen client name and description and click Continue.
  6. In the Access permissions section, ensure that the client has the appropriate permissions to read your directory and access user information.
  7. Download the client certificate and complete client creation. Downloading the certificate also downloads the corresponding key.

  8. Run the following commands in the relevant directory to base64 encode the certificate and key, substituting the file names of your downloaded certificate and key:

    cat CERTIFICATE_FILENAME.crt | base64 cat KEY_FILENAME.key | base64

  9. Save the encrypted certificate and key strings for later.

OpenLDAP

  1. Use the ldapadd command to add a new service account entry into the directory. Make sure that the account has permission to read the directory and access user information.
  2. Save the full user distinguished name (DN) and password for later.

What's next