Azure LDAP
Configure Bindplane to use Azure Entra LDAP as an authentication backend
Bindplane's LDAP authentication support can be configured to work with Azure Entra ID.
This guide will walk you through the process of configuring Bindplane to use Azure Entra's LDAP functionality as an authentication backend.
Prerequisites
You must have access to an existing Azure account, with permissions to manage users and Microsoft Entra Domain Services.
You must create or have access to an existing Domain Service. You can follow this Microsoft tutorial.
If running outside of Azure, you must enable "secure LDAP" and "Allow secure LDAP access over the internet". See the documentation for details.
You must have DNS configured so the Bindplane server can resolve the Azure Entra Domain Services hostname.
Bindplane Configuration
Bindplane can be configured using the Initialization Command when operating Bindplane on a Linux server. If using Kubernetes, see the Kubernetes configuration section.
Initialization Command
On your Bindplane server, execute the init command.
sudo BINDPLANE_CONFIG_HOME=/var/lib/bindplane \
/usr/local/bin/bindplane init server \
--config /etc/bindplane/config.yaml
Follow the prompts until you reach the authentication questions.
Select "Active Directory" when prompted for an authentication method.
Provide your Directory Services IP address.
If Bindplane is operating outside of the Azure environment, provide the "Secure LDAP external IP addresses".
Provide the LDAP port: 389 if operating within the Azure environment without TLS, or 636 if operating with TLS, from within or outside of the Azure environment.
If you want to use TLS, choose yes when prompted. TLS is required when operating outside of the Azure environment. It is recommended that you select "No" when prompted to skip TLS verification and provide a certificate authority in the next prompt.
If using TLS, you must choose yes when prompted for mutual TLS, and provide a certificate and private key.
When prompted to configure the "Base DN", provide your Domain Services base DN. For example, if your Domain Services name is bindplane-ldap.onmicrosoft.com, your Base DN will be dc=bindplane-ldap,dc=onmicrosoft,dc=com.
When prompted for the User Search Filter, input (userPrincipalName=%s). This will allow users to log in to Bindplane using their Entra ID email address, e.g. [email protected].
When prompted for the bind username and password, provide the user principal and password for your bind user. This user must have permission to bind to the domain services LDAP server.
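The two values entered above, the Base DN and the search filter, are worth understanding rather than copying. The following added example (not Bindplane's own code; the helper names are this example's) derives the Base DN from a Domain Services name the way the guide does by hand, and shows how the %s in (userPrincipalName=%s) should be filled: the login name is escaped per RFC 4515 before substitution, so characters such as * or ) typed into the login form cannot alter the shape of the filter sent to the directory.

```python
# Added example: Base DN derivation and safe search-filter substitution.
# Assumed helper names; not part of Bindplane.

def base_dn_from_domain(domain: str) -> str:
    """bindplane-ldap.onmicrosoft.com -> dc=bindplane-ldap,dc=onmicrosoft,dc=com"""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


# RFC 4515 escapes for characters that are metacharacters inside a filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, login_name: str) -> str:
    """Substitute the login name into a Bindplane-style template such as
    (userPrincipalName=%s). The value is escaped first, so the resulting
    filter always has exactly the structure the template defines."""
    if template.count("%s") != 1:
        raise ValueError("template must contain exactly one %s placeholder")
    return template.replace("%s", escape_filter_value(login_name))


if __name__ == "__main__":
    print(base_dn_from_domain("bindplane-ldap.onmicrosoft.com"))
    # Constructed login name, not a real account.
    print(build_search_filter("(userPrincipalName=%s)", "alice@example.invalid"))
```

A plain email address passes through unchanged; only filter metacharacters are rewritten to their hex escapes, which is why the escaped form still matches the intended userPrincipalName attribute value.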
Example Configuration
Once the configuration is initialized, the auth section will look like this:
auth:
  type: active-directory
  ldap:
    protocol: ldaps
    server: bindplane-ldap.onmicrosoft.com
    port: "636"
    baseDN: dc=bindplane-ldap,dc=onmicrosoft,dc=com
    bindUser: [email protected]
    bindPassword: mypassword
    searchFilter: (userPrincipalName=%s)
    tls:
      tlsCert: /etc/bindplane/azure_ldap/bindplane.crt
      tlsKey: /etc/bindplane/azure_ldap/bindplane.key
      tlsCa:
        - /etc/bindplane/azure_ldap/ca.crt
In this example, the Domain Services hostname is bindplane-ldap.onmicrosoft.com and the certificate is valid for the hostname bindplane-ldap.onmicrosoft.com. The TLS certificates and private key are located at /etc/bindplane/azure_ldap with the following permissions.
-rw-r--r-- 1 bindplane bindplane 737 Apr 23 12:42 bindplane.crt
-rw-r--r-- 1 bindplane bindplane 227 Apr 23 12:42 bindplane.key
-rw-r--r-- 1 bindplane bindplane 619 Apr 23 12:42 ca.crt
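Before restarting Bindplane it is worth checking the auth section and the key file against the guide's own recommendations (ldaps and port 636 from outside Azure, TLS verification not skipped, a CA and a client key pair present, a single %s in the search filter). The following added example is not Bindplane's code; it audits a dict shaped like the auth section above, plus the private key's mode as shown in an ls listing. The tls.insecure key name is taken from the Helm values further down, and treating anything looser than 0600 on the private key as a finding is this example's own assumption.

```python
# Added example: audit an Azure LDAP auth section and the private key's mode.
# Assumed helper names; not part of Bindplane.
import stat


def mode_from_ls(perm: str) -> int:
    """Convert an ls-style permission string such as '-rw-r--r--' to mode bits.
    Setuid/setgid/sticky markers are treated as a set execute bit only."""
    if len(perm) != 10:
        raise ValueError("expected a 10-character ls mode string")
    bits = 0
    for ch in perm[1:]:
        bits = (bits << 1) | (0 if ch == "-" else 1)
    return bits


def sample_auth(protocol="ldaps", port="636", insecure=False, with_ca=True,
                with_client_pair=True, search_filter="(userPrincipalName=%s)"):
    """Build an auth section like the guide's example. Constructed values only:
    the bind user is a placeholder, not a real account."""
    tls = {"insecure": insecure}
    if with_client_pair:
        tls["tlsCert"] = "/etc/bindplane/azure_ldap/bindplane.crt"
        tls["tlsKey"] = "/etc/bindplane/azure_ldap/bindplane.key"
    if with_ca:
        tls["tlsCa"] = ["/etc/bindplane/azure_ldap/ca.crt"]
    return {
        "type": "active-directory",
        "ldap": {
            "protocol": protocol,
            "server": "bindplane-ldap.onmicrosoft.com",
            "port": port,
            "baseDN": "dc=bindplane-ldap,dc=onmicrosoft,dc=com",
            "bindUser": "bind-user@example.invalid",  # placeholder
            "bindPassword": "mypassword",
            "searchFilter": search_filter,
            "tls": tls,
        },
    }


def audit_ldap_auth(auth: dict, key_mode: int, outside_azure: bool) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    ldap = auth.get("ldap") or {}
    protocol = ldap.get("protocol")
    port = str(ldap.get("port", ""))
    tls = ldap.get("tls") or {}

    if auth.get("type") != "active-directory":
        findings.append("auth.type should be active-directory for Azure LDAP")
    if outside_azure and protocol != "ldaps":
        findings.append("outside Azure the connection must use ldaps (secure LDAP)")
    if protocol == "ldaps" and port != "636":
        findings.append(f"ldaps usually listens on 636, not {port}")
    if protocol == "ldap" and port != "389":
        findings.append(f"plain ldap usually listens on 389, not {port}")
    if protocol == "ldaps":
        if tls.get("insecure"):
            findings.append("tls.insecure is true: the server certificate is not verified")
        if not tls.get("tlsCa"):
            findings.append("no tlsCa configured: the server certificate cannot be verified")
        if not (tls.get("tlsCert") and tls.get("tlsKey")):
            findings.append("mutual TLS requires tlsCert and tlsKey")
    if ldap.get("searchFilter", "").count("%s") != 1:
        findings.append("searchFilter must contain exactly one %s placeholder")
    # Private key readable by group or other: flagged (0600 assumed as the safe mode).
    if key_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"private key mode {key_mode:04o} is readable by group/other; 0600 recommended")
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_auth(sample_auth(), mode_from_ls("-rw-r--r--"), True):
        print("finding:", finding)
```

Run against the example section and the listing above, the audit returns a single finding about the key mode; with the key at 0600 it returns none.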
High Availability
If operating Bindplane in high availability, make sure the configuration changes to the auth section of the configuration file are copied to the other servers.
Kubernetes
The Bindplane Helm Chart v1.10.0 or newer supports Azure LDAP. See the Readme and the Initialization section on this page for details on each option.
Before you begin, make sure a secret containing the TLS certificates exists in the namespace that Bindplane is deployed to.
kubectl create secret generic ldap-tls \
--from-file ca.crt \
--from-file bindplane.crt \
--from-file bindplane.key
Update your values file with the following options. Make sure to update them to reflect your environment.
auth:
  type: active-directory
  ldap:
    protocol: ldaps
    server: bindplane-ldap.onmicrosoft.com
    port: "636"
    baseDN: dc=bindplane-ldap,dc=onmicrosoft,dc=com
    bindUser: [email protected]
    bindPassword: mypassword
    searchFilter: (userPrincipalName=%s)
    tls:
      insecure: false
      ca:
        secret: ldap-tls
        subPath: ca.crt
      clientKeyPair:
        secret: ldap-tls
        crtSubPath: bindplane.crt
        keySubPath: bindplane.key
Update your Helm deployment with the new options.
Troubleshooting
You can use the ldapsearch utility to interface with Azure LDAP. It is useful for validating your certificate, bind user, and base DN.
Example usage:
export LDAPTLS_CERT="bindplane.crt"
export LDAPTLS_KEY="bindplane.key"
export LDAPTLS_CACERT="ca.crt"
ldapsearch \
-x \
-H ldaps://ldap.bindplane-ldap.onmicrosoft.com \
-D [email protected] \
-w 'password' \
-b "dc=bindplane-ldap,dc=onmicrosoft,dc=com"
Make sure to update the LDAP connection string (-H), bind user (-D), bind password (-w) and base DN (-b).