Pinniped Documentation
Active Directory Configuration
This page describes the default values for the ActiveDirectoryIdentityProvider
user and group search settings. For the full set of ActiveDirectoryIdentityProvider
configuration options, see the API reference documentation.
spec.userSearch.base
Default Behavior: Queries the Active Directory host's RootDSE for its defaultNamingContext and uses that as the search base.
Implications: Searches your entire domain for users. Specify a subtree (for example, a particular OU) as the search base if you wish to exclude some users for security reasons or to make searches faster.
spec.userSearch.attributes.username
Default Behavior: The userPrincipalName
attribute will become the user’s Kubernetes username.
spec.userSearch.attributes.uid
Default Behavior: The objectGUID
attribute will be used to uniquely identify users.
spec.userSearch.filter
Default Behavior:
"(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={})(mail={})(userPrincipalName={}))(sAMAccountType=805306368))"
Requires the following of the Active Directory entry of the user logging in:
- is a person (objectClass=person).
- is not a computer (no objectClass=computer).
- is not marked showInAdvancedViewOnly, which would likely mean it is a system-created service account with elevated permissions.
- either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username (each {} placeholder is replaced with the username submitted at login).
- the sAMAccountType is 805306368, the value for a normal user account.
spec.groupSearch.base
Default Behavior: Queries the Active Directory host's RootDSE for its defaultNamingContext and uses that as the search base.
Implications: Searches your entire domain for groups. Specify a subtree (for example, a particular OU) as the search base if you wish to exclude some groups for security reasons or to make searches faster.
spec.groupSearch.attributes.groupName
Default Behavior: The group's sAMAccountName attribute is used, and the resulting Kubernetes group name takes the form sAMAccountName@domain
(where domain is constructed from the domain components, the DC values in the group's DN).
spec.groupSearch.filter
Default Behavior:
(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))
Requires the following of the Active Directory entries that will represent the user's groups:
- is a group.
- has a member that matches the DN of the user who successfully logged in, including indirectly through nested groups (the {} placeholder is replaced with the user's DN; the 1.2.840.113556.1.4.1941 matching rule, LDAP_MATCHING_RULE_IN_CHAIN, makes Active Directory walk the membership chain server-side).
Implications: Nested group search may be slow. If you are having performance issues during login, you can change the filter to the following, which only matches direct membership:
(&(objectClass=group)(member={}))
Note that with the direct-membership filter, users no longer receive groups they belong to only through nesting, so review any Kubernetes RBAC bindings that depend on nested group membership before making this change.
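The following is an added worked example, not Pinniped's own code, covering both the user search filter and the group search filter described above. It shows how the {} placeholders in the default filters are instantiated at login, why the substituted value must be LDAP-filter escaped (so a submitted username such as "*" cannot widen the search), and how the default sAMAccountName@domain group name is derived from a group DN. It assumes, which the page does not state, that Pinniped substitutes {} with the escaped username for the user search and with the escaped user DN for the group search; the helper names escape_filter_value, render_filter, dn_components and group_name, and all sample values, are constructed for illustration.

```python
# Added worked example; this is not Pinniped's own code. It instantiates the
# default ActiveDirectoryIdentityProvider search filters and derives the
# default group name. Assumption (not stated on the page): Pinniped replaces
# the "{}" placeholder with the LDAP-filter-escaped username (user search) or
# user DN (group search). The helper names below are hypothetical.

USER_FILTER = (
    "(&(objectClass=person)(!(objectClass=computer))"
    "(!(showInAdvancedViewOnly=TRUE))"
    "(|(sAMAccountName={})(mail={})(userPrincipalName={}))"
    "(sAMAccountType=805306368))"
)
NESTED_GROUP_FILTER = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={}))"
DIRECT_GROUP_FILTER = "(&(objectClass=group)(member={}))"


def escape_filter_value(value):
    """RFC 4515 escaping of a value placed inside an LDAP search filter.

    NUL, '(', ')', '*' and '\\' become backslash-hex escapes. Without this,
    a submitted username such as "*" would match every person in the base.
    """
    out = []
    for ch in value:
        if ch in "\x00()*\\":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template, value):
    """Substitute every "{}" in a filter template with the escaped value."""
    return template.replace("{}", escape_filter_value(value))


def dn_components(dn):
    """Split a DN into lowercased (attributeType, value) pairs.

    Handles backslash-escaped commas inside values (CN=Doe\\, Jane); it does
    not implement every RFC 4514 quoting form.
    """
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    pairs = []
    for part in parts:
        attr, _, val = part.partition("=")
        pairs.append((attr.strip().lower(), val.strip()))
    return pairs


def group_name(group_dn, sam_account_name):
    """Default groupName form: sAMAccountName@domain, where domain is built
    from the DC components of the group's DN."""
    domain = ".".join(val for attr, val in dn_components(group_dn) if attr == "dc")
    return "%s@%s" % (sam_account_name, domain)


if __name__ == "__main__":
    # Constructed sample inputs, not real directory data.
    print(render_filter(USER_FILTER, "jdoe"))
    # Hostile input is escaped and cannot break out of the filter:
    print(render_filter(USER_FILTER, "*)(objectClass=*"))
    user_dn = "CN=Jane Doe,OU=Users,DC=example,DC=com"
    print(render_filter(NESTED_GROUP_FILTER, user_dn))
    print(render_filter(DIRECT_GROUP_FILTER, user_dn))
    print(group_name("CN=k8s-admins,OU=Groups,DC=example,DC=com", "k8s-admins"))
```

A DN that itself contains a backslash escape (CN=Doe\, Jane) is escaped again when placed in the group filter, so the backslash becomes \5c; that is the correct RFC 4515 form for a filter value, and the server decodes it before comparing against the member attribute.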