Scroll to top

Influxdb Enterprise LDAP


LimePoint can help you deploy complex platform solutions to meet regulatory and compliance requirements. For example, we helped a client secure an on-premise InfluxDB Enterprise cluster with AzureAD-integrated RBAC by implementing fine-grained authorisation over LDAP (Lightweight Directory Access Protocol).

In this post, we will look at configuring LDAP in InfluxDB at a high level with some deep dives into the complicated aspects.

InfluxDB LDAP

Metanode & Raft db

Metanode stores metadata, including authentication data, in a Raft database on disk. Enabling LDAP involves setting the configuration on the meta config files as well as separately on the Raft db.

The following are the high level steps:

  1. Enable ldap auth in the meta node config files on all nodes ({influxdb-config}/influxdb-meta.conf)
  2. Create LDAP config file (generate sample file using influxd-ctl)
  3. Verify the LDAP config file (again using influx-ctl)
  4. Apply the LDAP config file on any one meta node (using influx-ctl. This sets the value in the Raft db)

It seems straightforward. However, some gotchas can make this deployment quite complex.

Sample LDAP configuration for a quick start

# Sample TOML for ldap config.
# First, save this file and edit it for your LDAP server.
# Then test the config with: influxd-ctl ldap verify -ldap-config /path/to/ldap.toml
# Finally, upload the config to the cluster with: influxd-ctl ldap set-config /path/to/ldap.toml
#
# Note: the meta nodes must be configured with meta.ldap-allowed = true
# and the data nodes must be configured with http.auth-enabled = true

enabled = true

[[servers]]
  host = "ldap.example.com"
  port = 389

  # Credentials to use when searching for a user or group.
  bind-dn = "cn=read-only-admin,dc=example,dc=com"
  bind-password = "read-only-admin's password"

  # Base DNs to use when applying the search-filter to discover an LDAP user.
  search-base-dns = [
    "dc=example,dc=com",
  ]

  # LDAP filter to discover a user's DN.
  # %s will be replaced with the provided username.
  search-filter = "(uid=%s)"
  # On Active Directory you might use "(sAMAccountName=%s)".

  # Base DNs to use when searching for groups.
  group-search-base-dns = ["ou=groups,dc=example,dc=com"]

  # LDAP filter to identify groups that a user belongs to.
  # %s will be replaced with the user's DN.
  group-membership-search-filter = "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))"
  # On Active Directory you might use "(&(objectClass=group)(member=%s))".

  # Attribute to use to determine the "group" in the group-mappings section.
  group-attribute = "ou"
  # On Active Directory you might use "cn".

  # LDAP filter to search for groups during cache warming.
  # %s will be replaced with the "group" value in the group-mappings section.
  group-search-filter = "(&(objectClass=groupOfUniqueNames)(ou=%s))"

  # Attribute on group objects indicating membership.
  # Used during cache warming, should be same as part of the group-membership-search-filter.
  group-member-attribute = "uniqueMember"

  # Groups whose members have admin privileges on the influxdb servers.
  admin-groups = ["influx-admins"]

  # Mapping LDAP groups to Influx roles.
  # All Influx roles need to be manually created to take effect.
  [[servers.group-mappings]]
    group = "app-developers"
    role = "app-metrics-rw"

  [[servers.group-mappings]]
    group = "web-support"
    role = "web-traffic-ro"

1. Use JWT secret when working with LDAP

You could get away with basic auth when verifying and setting the config.

influxd-ctl -auth-type basic -user admin -pwd admin ldap verify -ldap-config ldap-config.toml
influxd-ctl -auth-type basic -user admin -pwd admin ldap set-config ldap-config.toml

But once its in the Raft db, you’ll need to use jwt for the influxd-ctl commands. The auth-type of “basic” doesn’t work when ldap is configured.

influxd-ctl -auth-type jwt -secret "mysupersecretstring" show

2. Disabling the ldap config is a multi-step process

From the meta node, edit ldap config file and set

enabled = false

Verify syntax and then load the config into the raft database

influxd-ctl ldap verify -ldap-config ldap.toml
influxd-ctl ldap set-config ldap.toml

Then disable LDAP in each meta-node’s config file (/etc/influxdb/influxdb-meta.conf)

meta.ldap-allowed = false

And then restart Influx on each node

service influxdb-meta restart

3. Group membership search filter

InfluxDB authentication code MUST use the dn, and not the cn field when looking for group membership. This means the search filter to the LDAP server should look like “(memberUid=uid=adminuser1,ou=people,dc=ldapmock,dc=local)” where uid=… is the dn.

filter="(&(objectClass=posixGroup)(memberUid=uid=adminuser1,ou=people,dc=ldapmock,dc=local))"

Below are screenshots from the LDAP server. The first one below shows the expected structure “dn” for the search attribute, which is “memberUid” in this example.

ldap-server-group-member

Below is an incorrect structure with just the “cn” (developer1) in the search attribute.

incorrect-ldap-server-group-member

4.Warming up the LDAP cache

The ldap warm-cache command is your friend when you suddenly start seeing 403 errors and unauthorized errors inconsistently on a datanode.

influxd-ctl -auth-type jwt -secret mysuperscretstring ldap warm-cache

Conclusion

Navigating the complexities of securing InfluxDB Enterprise doesn’t have to be a solitary journey. Whether you’re just starting out or looking to optimise an existing setup, LimePoint offers the expertise and support to ensure your deployment meets the highest standards of security and compliance.

Have questions or need personalised assistance? Contact LimePoint today for a consultation and discover how we can help streamline your platform solutions.

Related posts

Post a Comment

Your email address will not be published. Required fields are marked *