$ ldapsearch -x \ -b dc=example,dc=com \ -D "cn=<SA-CN>,dc=example,dc=com" \ -w <SA-PASS> "(cn=<some-user-cn>)"
Twistlock can integrate with OpenLDAP, an open source implementation of the Lightweight Directory Access Protocol.
Integrating Twistlock with OpenLDAP lets users access Twistlock using their LDAP credentials, and lets admins define granular access control rules to Docker Engine, Docker Swarm, and Kubernetes using existing LDAP identities.
With OpenLDAP integration, you can:
Re-use the identities and groups already set up in your OpenLDAP directory.
Extend your organization’s access control logic to the management of Docker containers.
For example, you could specify that only members of the group Dev Ops Admins can start and stop containers in the production environment. For more information, see the articles for setting up role-based access control for Docker Engine. and Kubernetes.
This procedure shows you how to integrate OpenLDAP with Twistlock.
You have installed OpenLDAP 2.4.44 or later. Twistlock has been tested with version 2.4.44. Integration with older versions should work as well, but is not officially supported.
In your LDAP directory, create a service account that has admin privileges and that can run ldapsearch queries.
This admin account will be used by Twistlock to authenticate users in your LDAP directory. It should be able to control the entire domain, and should therefore be created under the root OU.
Verify that the service account can query your LDAP directory.
Run ldapsearch, passing it the credentials for your service account, and query your directory for a user:
$ ldapsearch -x \ -b dc=example,dc=com \ -D "cn=<SA-CN>,dc=example,dc=com" \ -w <SA-PASS> "(cn=<some-user-cn>)"
Where:
<SA-CN>
|
Common name for the Twistlock service account. |
<SA-PASS>
|
Password for the Twistlock service account. |
<some-user-cn>
|
Common name for a user in your LDAP directory. |
Open Console, and go to Manage > Authentication > LDAP.
Set Integrate LDAP users and groups with Twistlock to Enabled.
For Authentication type, select OpenLDAP.
For Path to LDAP service, enter the LDAP server and port number in the following format:
For secure connections over TLS: ldaps://<server-dns>:<port-number>
.
For insecure connections: ldap://<server-dns>:<port-number>
For Search base, enter the base DN for your users and groups.
(OPTIONAL) For User identifier, specify an attribute to be used to match users.
For example, enter uid to match users based on their user IDs.
For Service account UPN, enter the DN for your Twistlock service account.
For Service account password, enter the password for the Twistlock service account.
For CA certificate, provide the CA certificate used to sign the LDAPS certificate on the server.
Twistlock uses the CA certificate to validate the LDAPS certificate and prevent man-in-the-middle attacks. If you are using an insecure connection or do not wish to validate the LDAPS certificate, leave this field blank.
Click Save.
Console verifies all your parameters with the server. If a connection cannot be established, an error message is shown and no parameters are saved.
To verify the integration with OpenLDAP:
Open Console.
If you are logged into Console, log out.
Log in to Console using the credentials of an existing OpenLDAP user.
If the log in is successful, you are directed to a view appropriate for the user’s role. Users with the User role are directed to a single page, Configure > Clients, from where they can download the certs required to access a Twistlock-protected container environment.
For troubleshooting guide to OpenLDAP related issues, refer to https://docs.twistlock.com/docs/latest/troubleshooting/Active_Directory/openldap.html