Set up an LDAP provider for GKE Identity Service

This document explains how to set up your preferred Lightweight Directory Access Protocol (LDAP) provider for use with GKE Identity Service. To find out more about GKE Identity Service, see the overview.

This document is for platform administrators, or whoever manages identity setup in your organization. If you are a cluster administrator or application operator, you or your platform administrator must complete the steps in this document before you start Configure clusters for GKE Identity Service with LDAP.

GKE Identity Service with LDAP is currently supported only on GKE on VMware and GKE on Bare Metal.

Before you begin

Throughout this setup, you might need to refer to the documentation for your LDAP server. The following administrator guides explain configuration for some popular LDAP providers, including where to find the information you need to log in to the LDAP server:

Get LDAP login details

GKE Identity Service needs credentials for a service account that it uses to bind to the LDAP server and look up user details. Two kinds of service account credentials are supported: basic auth (a bind DN and password) and client certificate (a private key and certificate presented during the TLS handshake). To find out which kind your LDAP server supports, see its documentation. Generally, Google LDAP supports only a client certificate for the service account, while OpenLDAP, Microsoft Active Directory and Azure AD natively support only basic auth. Whichever kind you use, grant the account read access only to the user and group entries that GKE Identity Service must look up: the credentials are stored as a secret on the cluster, and a read-only account limits the damage if that secret is ever exposed.

The following instructions show you how to create a client and get LDAP server login details for some popular providers. For other LDAP providers, see the server's administrator documentation.

Azure AD/Active Directory

  1. Follow the UI instructions to create a new user account dedicated to GKE Identity Service. Do not reuse an administrator or personal account; the account only needs to read user and group entries.
  2. Save the full user distinguished name (DN) and password for later.

Google LDAP

  1. Ensure that you are logged in to your Google Workspace or Cloud Identity account in accounts.google.com.
  2. Log in to the Google Admin console with the account.
  3. Select Apps > LDAP from the left menu.
  4. Click Add client.
  5. Add your chosen client name and description and click Continue.
  6. In the Access permissions section, ensure that the client has the appropriate permissions to read your directory and access user information.
  7. Download the client certificate and complete client creation. Downloading the certificate also downloads the corresponding key. The key is the client's only credential: keep the file readable only by you (for example, chmod 600) and do not check it into version control.
  8. Run the following commands in the relevant directory to base64-encode the certificate and key as single-line strings, substituting the file names of your downloaded certificate and key:

    # tr strips the line breaks that some base64 implementations insert every 76 characters
    base64 < CERTIFICATE_FILENAME.crt | tr -d '\n'
    base64 < KEY_FILENAME.key | tr -d '\n'
    
  9. Save the encoded certificate and key strings for later. Base64 is an encoding, not encryption: the encoded key is exactly as sensitive as the key file itself.
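The following script is an added example and is not code from the Google documentation or from the GKE Identity Service project. It carries out steps 7 and 8 for the downloaded Google LDAP client certificate and key with the checks a practitioner would want before pasting the values anywhere: the key file must not be world-readable, the certificate must actually belong to the key (compared through OpenSSL), and each encoded string must decode back to the original file byte for byte. The file names, the function names and the two output labels are assumptions for the example; the real configuration keys are given in the cluster configuration document that follows this one.

```sh
#!/bin/sh
# Added example (not from the Google documentation): prepare a Google LDAP
# client certificate and key for use as a GKE Identity Service secret.
# Usage: prepare_ldap_client CERTIFICATE_FILENAME.crt KEY_FILENAME.key
set -eu

# Encode FILE as one unbroken base64 line. GNU `base64` wraps its output at
# 76 columns, and a wrapped value pasted into a YAML or JSON config is not
# what the consumer expects, so strip every newline (portable, unlike -w0).
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Decode STRING ($2) and compare it byte for byte with FILE ($1).
b64_roundtrip_ok() {
    printf '%s' "$2" | base64 -d | cmp -s - "$1"
}

# Succeed only if FILE is not readable by group or others (mode 0600 or
# stricter). The permission field of `ls -ld` is the same on GNU and BSD.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed only if the public key embedded in CERT ($1) equals the public
# half of KEY ($2). Works for RSA and EC keys; requires openssl.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run every check, then print the two single-line values. The labels
# CERT_B64 and KEY_B64 are placeholders, not configuration field names.
# Redirect the output to a file created with umask 077 rather than leaving
# the private key in terminal scrollback.
prepare_ldap_client() {
    cert=$1
    key=$2
    key_perms_ok "$key" || {
        echo "refusing: $key is readable by others; run: chmod 600 $key" >&2
        return 1
    }
    cert_matches_key "$cert" "$key" || {
        echo "refusing: $cert and $key do not belong together" >&2
        return 1
    }
    cert_b64=$(b64_oneline "$cert")
    key_b64=$(b64_oneline "$key")
    b64_roundtrip_ok "$cert" "$cert_b64" || return 1
    b64_roundtrip_ok "$key" "$key_b64" || return 1
    printf 'CERT_B64=%s\n' "$cert_b64"
    printf 'KEY_B64=%s\n' "$key_b64"
}
```

The roundtrip check matters on systems where `base64` is not GNU coreutils (macOS ships a BSD variant): the decoder used later must accept what this machine produced, so verify on the machine where the value is generated.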

OpenLDAP

  1. Use the ldapadd command to add a dedicated entry for the service account to the directory, and grant that entry read access to the user and group entries that GKE Identity Service must look up through the directory's access control rules (olcAccess). Keep the account read-only and, in particular, do not let it read userPassword values.
  2. Save the full distinguished name (DN) of the entry and its password for later.
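The following script is an added example of the OpenLDAP steps above; it is not code from the Google or OpenLDAP documentation. It generates the LDIF for a read-only bind account, generates the two olcAccess rules that give that account read access to the directory while explicitly denying it userPassword, and shows the ldapadd, ldapmodify and verification commands. The base DN, the ou=services container, the account name, the admin DN, the server URI and the database DN olcDatabase={1}mdb are assumptions; adjust them to your directory. The commands that contact a server are wrapped in functions so the file can be sourced without applying anything.

```sh
#!/bin/sh
# Added example (not from the Google or OpenLDAP documentation): create a
# read-only bind account for GKE Identity Service in OpenLDAP.
set -eu

# Assumptions for the example; change them to match your directory.
BASE_DN='dc=example,dc=com'
SVC_DN="cn=gke-identity-service,ou=services,${BASE_DN}"
ADMIN_DN="cn=admin,${BASE_DN}"
DB_DN='olcDatabase={1}mdb,cn=config'
LDAP_URI='ldaps://ldap.example.com'

# Print the LDIF for the service account entry. PW_HASH ($1) is the output
# of `slappasswd` ({SSHA}...), so the plaintext password never enters the
# LDIF or the directory.
service_account_ldif() {
    cat <<EOF
dn: ${SVC_DN}
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: gke-identity-service
description: Bind account used by GKE Identity Service to look up users and groups
userPassword: $1
EOF
}

# Print the LDIF that prepends two rules to the database ACL. Rules are
# matched first to last, so the userPassword rule must come first; every
# clause ends in "none break" so that requests from anyone other than the
# service account fall through to the rules that already exist.
access_ldif() {
    cat <<EOF
dn: ${DB_DN}
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by dn.exact="${SVC_DN}" none by * none break
olcAccess: {1}to * by dn.exact="${SVC_DN}" read by * none break
EOF
}

# Create the entry and install the ACL. slappasswd prompts for the password
# on the terminal, which keeps it out of argv and shell history. The ACL is
# applied over ldapi:/// as the local root user (SASL EXTERNAL).
apply_service_account() {
    pw_hash=$(slappasswd)
    service_account_ldif "$pw_hash" | ldapadd -x -H "$LDAP_URI" -D "$ADMIN_DN" -W
    access_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
}

# Verify as the service account: it can bind, and a search for a user
# entry returns the entry but no userPassword attribute. With an ldap://
# URI add -ZZ to both commands to require StartTLS.
verify_service_account() {
    ldapwhoami -x -H "$LDAP_URI" -D "$SVC_DN" -W
    ldapsearch -x -H "$LDAP_URI" -D "$SVC_DN" -W -b "$BASE_DN" '(uid=alice)' dn userPassword
}
```

Check the result with `ldapsearch` as the new account before handing the DN and password to the cluster administrator: if the search returns userPassword values, the ACL order is wrong or an earlier rule grants broader access.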

What's next?

Pass the LDAP server login details from the previous section to the cluster administrator who is setting up GKE Identity Service, treating them as secrets (use your organization's secret store, not email or chat), or proceed yourself to Configure clusters for GKE Identity Service with LDAP.