Remote directories
EDA supports the use of external directories that the system can use to authenticate users who were not created locally on the system.
EDA only supports unsynchronized mode for Keycloak federation providers. This mode imports users and groups into EDA's Keycloak database, but does not write local changes back to the Lightweight Directory Access Protocol (LDAP) server.
Federated users are imported the first time a user logs in or when the user list is read via the EDA API/UI. Additionally, a periodic sync of created and updated users may be configured.
The EDA API does not expose the full set of Keycloak synchronization options for the federation provider. If a full synchronization is required, it can be triggered via the Keycloak Administration Console.
The EDA API server blocks all edits to federated users except adding the user to, or removing the user from, local groups. Local changes to federated groups are not supported; federated group membership must be configured on the LDAP server.
Configuring remote directories
Remote directory configuration supports:
- the configuration of up to five directories
- LDAP and Active Directory directories
- user synchronization from the directory
- group synchronization from the directory and user group membership mapping
- limiting imported users and groups using LDAP filters
When a remote directory is configured, system administrators can continue to create local users in EDA.
Configuring TLS truststore for remote directories
Create a Kubernetes Secret named ldap-ca-secret of type Opaque in the EDA base namespace, with the base64-encoded PEM certificate of the certificate authority that signed the LDAP server's certificate in the ca field. Keycloak uses this certificate authority to verify the TLS certificate presented by the LDAP server.
For example:
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: ldap-ca-secret
  namespace: eda-system # Enter the base namespace of your EDA installation
data:
  ca: <base64(certificate authority)> # Base64 encoded PEM certificate
EDA monitors this secret and, if it changes, updates the certificate authority information used by Keycloak. Modifying the authority information results in a restart of the Keycloak server, so schedule certificate rotation with that restart in mind.
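The following shell script is an added example, not part of the EDA documentation or the EDA project, that produces the ldap-ca-secret manifest described above from a PEM CA file and checks it before it is applied. It assumes the CA file path and the EDA base namespace are passed as arguments, and the sample PEM it writes is a constructed placeholder whose body is not a real certificate. It verifies the input is PEM-framed (a DER file or a paste that lost its BEGIN/END lines would otherwise be encoded and shipped silently), encodes it onto a single line as a Secret data value requires, and decodes the ca field back to confirm it matches the source file.

```shell
#!/bin/sh
# Added example (not from the EDA documentation): build and check the
# ldap-ca-secret manifest from a PEM CA file. Assumptions: the CA file path
# and the base namespace are passed as arguments; the sample PEM at the
# bottom is a constructed placeholder with no real certificate in it.
set -eu

# Base64-encode a file onto a single line without the GNU-only -w0 flag,
# because a Secret's data value must not contain line breaks.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Reject anything that is not PEM-framed; the page requires a PEM certificate.
check_pem_ca() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
  grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Print the Secret manifest for a CA file and the EDA base namespace
# (the namespace defaults to eda-system, as in the page's example).
ldap_ca_secret_manifest() {
  pem="$1"
  ns="${2:-eda-system}"
  if ! check_pem_ca "$pem"; then
    echo "error: $pem is not a PEM certificate file" >&2
    return 1
  fi
  ca_b64=$(b64_oneline "$pem")
  cat <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: ldap-ca-secret
  namespace: $ns
data:
  ca: $ca_b64
EOF
}

# Decode the ca field of a manifest and confirm it matches the source PEM,
# which catches a wrapped or truncated base64 value before kubectl apply.
verify_manifest_roundtrip() {
  manifest="$1"
  pem="$2"
  encoded=$(printf '%s\n' "$manifest" | sed -n 's/^  ca: //p')
  decoded=$(printf '%s' "$encoded" | base64 -d)
  [ "$decoded" = "$(cat "$pem")" ]
}

# Demo on a constructed placeholder PEM (the body is not a real certificate).
SAMPLE_PEM=$(mktemp)
trap 'rm -f "$SAMPLE_PEM"' EXIT
cat > "$SAMPLE_PEM" <<'EOF'
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0EgQ0VSVElGSUNBVEUgQk9EWSAoTk9UIFJFQUwp
-----END CERTIFICATE-----
EOF
MANIFEST=$(ldap_ca_secret_manifest "$SAMPLE_PEM" eda-system)
printf '%s\n' "$MANIFEST"
verify_manifest_roundtrip "$MANIFEST" "$SAMPLE_PEM" && echo "ca field round-trips cleanly"
```

To use it against a cluster, pipe the manifest into kubectl apply -f - with the real CA file and your installation's base namespace. Because EDA restarts Keycloak whenever the authority information in this secret changes, run the round-trip check first so that a malformed value does not cost a restart, and apply CA rotations at a time when a short Keycloak restart is acceptable.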