Configure the LDAP authentication service
Set up the LDAP integration for UCP user authentication.
Description
By default, the Universal Control Plane (UCP) is configured to use its built-in managed user authentication service. UCP should instead be configured to use one or more external LDAP endpoints for authenticating users, as this enables more granular control over authentication and authorization.
Rationale
UCP’s built-in managed user authentication system only supports user creation, deletion and disablement. By using an external LDAP endpoint, you can have more control over the users, groups and other hierarchical organizations that can access and manipulate resources via UCP.
Audit
The UCP “Admin Settings” UI can be used to validate that the LDAP integration has been enabled. The Docker CLI can also be used to audit the LDAP integration: the current UCP configuration is stored as a swarm config attached to the ucp-agent service. From a UCP “manager” node, execute the following commands to locate that config and print its authentication backend:
CURRENT_CONFIG_NAME=$(docker service inspect --format '{{ range $config := .Spec.TaskTemplate.ContainerSpec.Configs }}{{ $config.ConfigName }}{{ "\n" }}{{ end }}' ucp-agent | grep 'com.docker.ucp.config-')
docker config inspect --format '{{ printf "%s" .Spec.Data }}' $CURRENT_CONFIG_NAME | grep backend
The result should be backend = "ldap".
Remediation
You can configure LDAP integration via the UCP “Admin Settings” UI by following the instructions in the first reference below. LDAP integration can also be enabled via a configuration file by following the instructions in the second reference below.
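The audit commands above read the live configuration out of the swarm. The following POSIX shell script is an added example, not part of the CIS benchmark text or of Docker's tooling: it applies the same backend check to a saved copy of the UCP configuration document (for example the output of the docker config inspect command above redirected to a file), and adds the transport check a practitioner wants once backend = "ldap" is set, because the reader bind password and user credentials then travel to the directory. The section and key names ([auth] backend, [auth.ldap] server_url, start_tls, tls_skip_verify) follow the UCP 2.2 config-file reference and should be confirmed against the version you run; the sample configuration documents are constructed for the example.

```shell
#!/bin/sh
# Added example: offline audit of a UCP configuration document for this
# recommendation. Not part of the CIS benchmark or of Docker's tooling.
# Input is the TOML printed by
#   docker config inspect --format '{{ printf "%s" .Spec.Data }}' <config>
# Section/key names ([auth] backend, [auth.ldap] server_url, start_tls,
# tls_skip_verify) follow the UCP 2.2 config-file reference and are
# assumptions to confirm against your UCP version.

# toml_value SECTION KEY
# Read a TOML document on stdin and print the value of KEY inside [SECTION]
# (first match, surrounding quotes removed). Only the flat `key = value`
# lines UCP emits are handled; this is deliberately not a full TOML parser.
toml_value() {
    awk -v want_section="$1" -v want_key="$2" '
        /^[[:space:]]*\[/ {                      # table header: [auth], [auth.ldap], [[x]]
            section = $0
            sub(/^[[:space:]]*\[+/, "", section)
            sub(/].*$/, "", section)
            next
        }
        section == want_section {
            line = $0
            sub(/^[[:space:]]*/, "", line)
            if (index(line, want_key) != 1) next
            rest = substr(line, length(want_key) + 1)
            if (rest !~ /^[[:space:]]*=/) next   # a longer key sharing the prefix
            sub(/^[[:space:]]*=[[:space:]]*/, "", rest)
            if (substr(rest, 1, 1) == "\"") {     # quoted string: keep text between quotes
                rest = substr(rest, 2)
                q = index(rest, "\"")
                if (q > 0) rest = substr(rest, 1, q - 1)
            } else {                              # bare value: drop trailing comment
                sub(/[[:space:]#].*$/, "", rest)
            }
            print rest
            exit
        }'
}

# audit_auth_backend CONFIG
# Reports the [auth] backend and succeeds only when it is "ldap", the result
# the benchmark's Audit step expects.
audit_auth_backend() {
    backend=$(printf '%s\n' "$1" | toml_value auth backend)
    printf 'auth backend = %s\n' "${backend:-<unset>}"
    [ "$backend" = "ldap" ]
}

# audit_ldap_tls CONFIG
# Fail if certificate verification is disabled or the directory is reached
# over plain ldap:// without StartTLS (cleartext bind credentials).
audit_ldap_tls() {
    skip=$(printf '%s\n' "$1" | toml_value auth.ldap tls_skip_verify)
    url=$(printf '%s\n' "$1" | toml_value auth.ldap server_url)
    starttls=$(printf '%s\n' "$1" | toml_value auth.ldap start_tls)
    if [ "$skip" = "true" ]; then
        echo "FAIL: auth.ldap tls_skip_verify = true (certificate checks disabled)"
        return 1
    fi
    case "$url" in
        ldaps://*) ;;
        ldap://*)
            if [ "$starttls" != "true" ]; then
                echo "FAIL: $url without start_tls (cleartext bind)"
                return 1
            fi ;;
        *)
            echo "FAIL: auth.ldap server_url missing or unrecognised: ${url:-<unset>}"
            return 1 ;;
    esac
    echo "OK: LDAP transport protected ($url)"
}

# run_audit CONFIG: both checks; succeeds only if both pass.
run_audit() {
    audit_auth_backend "$1" && audit_ldap_tls "$1"
}

# Constructed sample documents (not real UCP output).
MANAGED_CONFIG='[auth]
  backend = "managed"
  default_new_user_role = "restricted-control"
  [auth.sessions]
    lifetime_minutes = 4320
'
LDAP_CONFIG='[auth]
  backend = "ldap"
  default_new_user_role = "restricted-control"
  [auth.ldap]
    server_url = "ldaps://ldap.example.internal:636"
    reader_dn = "cn=ucp-reader,ou=service,dc=example,dc=internal"
    start_tls = false
    tls_skip_verify = false
'
WEAK_LDAP_CONFIG='[auth]
  backend = "ldap"
  [auth.ldap]
    server_url = "ldap://ldap.example.internal:389"
    start_tls = false
    tls_skip_verify = true   # never acceptable in production
'

for cfg in "$MANAGED_CONFIG" "$LDAP_CONFIG" "$WEAK_LDAP_CONFIG"; do
    if run_audit "$cfg"; then echo "=> PASS"; else echo "=> FAIL"; fi
    echo
done
```

To audit a real cluster, save the output of the docker config inspect command from the Audit step to a file and pass its contents to run_audit, e.g. run_audit "$(cat ucp-config.toml)". Only the first of the three constructed documents is what the benchmark flags; the third passes the benchmark's own backend check yet still fails, which is why the transport check belongs in the same script.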
Impact
None
Default value
By default, the built-in managed user database is enabled.
References
- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/
- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/external-auth/enable-ldap-config-file/
- http://success.docker.com/article/Docker_Reference_Architecture-_Securing_Docker_EE_and_Security_Best_Practices
CIS controls
None