daa431e385
This commit does 2 changes in the OIDC app docs: 1) The docs were updated to be explicit about the OIDC app being compatible with LDAP servers and not only with the Windows Active Directory; 2) The page "Centralized OIDC Authentication Setup for Distributed Cloud" was renamed to "Centralized vs Distributed OIDC Authentication Setup" and was moved in the index of pages to be right below the first page "Overview of LDAP Servers". The idea is to use this page as an entry point for someone learning about the OIDC app, because every user must decide between a centralized and a distributed setup and because this page has links to all other pages except "Deprovision LDAP Server Authentication".

Story: 2010738
Task: 49455
Change-Id: I61c5b7f322ac8159b649c70eeaa0195d97ab12c7
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
32 lines
1.4 KiB
ReStructuredText
.. tvb1581377605743
.. _overview-of-ldap-servers:

========================
Overview of LDAP Servers
========================

|prod-long| can be configured to use an |LDAP|-compatible server, such as a
remote Windows Active Directory server or the Local |LDAP| server, to
authenticate users of the Kubernetes API, using the **oidc-auth-apps**
application.

The Local |LDAP| server is present in |prod| deployments. This server runs on
the controllers. The only exception is the |DC| environments, where this |LDAP|
server runs only on the SystemController's controllers; it is not present in
the subcloud's controllers.

The **oidc-auth-apps** application installs a proxy |OIDC| identity provider
that can be configured to proxy authentication requests to an |LDAP| identity
provider, such as Windows Active Directory or Local |LDAP|. For more
information, see `https://github.com/dexidp/dex
<https://github.com/dexidp/dex>`__. The **oidc-auth-apps** application also
provides an |OIDC| client for accessing the username and password |OIDC| login
page for user authentication and retrieval of tokens. An **oidc-auth** CLI
script can also be used for |OIDC| user authentication and retrieval of tokens.

In addition to installing and configuring the **oidc-auth-apps**
application, the admin must also configure the Kubernetes cluster's
**kube-apiserver** to use the **oidc-auth-apps** |OIDC| identity provider for
validation of tokens in Kubernetes API requests.