Charmed PostgreSQL K8s How-To | Enable LDAP authentication

Note: All commands are written for juju >= v.3.0

If you are using an earlier version, check the Juju 3.0 Release Notes.

LDAP is available on channels: 14/edge and 16/edge, from revision 570.

How to enable LDAP authentication

LDAP (Lightweight Directory Access Protocol) enables centralized authentication for PostgreSQL clusters, reducing the overhead of managing local credentials and access policies.

This guide goes over the steps to integrate LDAP as an authentication method with the PostgreSQL-K8s charm, all within the Juju ecosystem.

Deploy an LDAP server

Disclaimer: In this guide, we use self-signed certificates provided by the self-signed-certificates operator.

This is not recommended for a production environment.

For production environments, check the collection of Charmhub operators that implement the tls-certificate interface, and choose the most suitable for your use-case.

Deploy the GLAuth charm:

juju add-model glauth
juju deploy self-signed-certificates
juju deploy postgresql-k8s --channel 14/stable --trust
juju deploy glauth-k8s --channel edge --trust

Integrate (formerly known as “relate”) the three applications:

juju integrate glauth-k8s self-signed-certificates
juju integrate glauth-k8s postgresql-k8s

Deploy the GLAuth-utils charm, in order to manage LDAP users:

juju deploy glauth-utils --channel edge --trust

Integrate (formerly known as “relate”) the two applications:

juju integrate glauth-k8s glauth-utils

Expose cross-model relations

To offer the GLAuth interfaces, run:

juju offer glauth-k8s:ldap ldap
juju offer glauth-k8s:send-ca-cert send-ca-cert

Enable LDAP

Switch to the Kubernetes controller:

juju switch <k8s_controller>:postgresql

Consume the LDAP offers:

juju consume admin/glauth.ldap
juju consume admin/glauth.send-ca-cert

To enable LDAP authentication, relate the PostgreSQL charm with the GLAuth charm:

juju integrate postgresql-k8s:ldap ldap
juju integrate postgresql-k8s:receive-ca-cert send-ca-cert 

Map LDAP users to PostgreSQL

To make LDAP users available in PostgreSQL, provide a comma-separated list that maps LDAP groups to PostgreSQL authorization groups that already exist. To create those groups beforehand, refer to the Data Integrator charm page.

juju config postgresql-k8s ldap_map="<ldap_group>=<psql_group>"
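
A malformed ldap_map can leave an LDAP group mapped to the wrong PostgreSQL group, so it is worth checking the value before applying it. The function below is an added example, not part of the charm or its documentation. It assumes only the comma-separated `<ldap_group>=<psql_group>` format described above; the function name, the sample group names in the comments, and the rejection of duplicate LDAP groups and stray spaces are this example's own choices.

```shell
# Added example: check an ldap_map value before passing it to
#   juju config postgresql-k8s ldap_map="..."
# Assumed format (from the guide): comma-separated <ldap_group>=<psql_group>.

# validate_ldap_map MAP
#   Returns 0 and prints one "ldap -> psql" line per pair when MAP is well
#   formed; returns 1 and prints the reason on stderr otherwise.
#   The body runs in a subshell, so IFS and set -f do not leak to the caller.
validate_ldap_map() (
    map=$1
    case $map in
        '')         echo "ldap_map is empty" >&2; exit 1 ;;
        ,*|*,|*,,*) echo "empty entry (stray comma)" >&2; exit 1 ;;
    esac
    seen=','
    set -f      # no filename expansion while splitting on commas
    IFS=','
    for entry in $map; do
        case $entry in
            *=*=*) echo "more than one '=' in '$entry'" >&2; exit 1 ;;
            =*|*=) echo "missing group name in '$entry'" >&2; exit 1 ;;
            *=*)   ;;
            *)     echo "no '=' in '$entry'" >&2; exit 1 ;;
        esac
        # Example policy: a space next to a name is almost always a typo
        # such as "a=b, c=d", so reject it instead of passing it through.
        case $entry in
            ' '*|*' '|*' ='*|*'= '*) echo "stray space in '$entry'" >&2; exit 1 ;;
        esac
        ldap=${entry%%=*}
        psql=${entry#*=}
        # Example policy: one LDAP group maps to exactly one PostgreSQL group.
        case $seen in
            *",$ldap,"*) echo "LDAP group '$ldap' mapped twice" >&2; exit 1 ;;
        esac
        seen="$seen$ldap,"
        printf '%s -> %s\n' "$ldap" "$psql"
    done
)

# Constructed sample values; replace with your own groups:
#   validate_ldap_map "dba=pg_admins,analysts=pg_readers"
```

Review the printed pairs against the PostgreSQL groups you created, then run the `juju config` command only if the function returned 0.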

Disable LDAP

You can disable LDAP by removing the following relations:

juju remove-relation postgresql-k8s:receive-ca-cert send-ca-cert
juju remove-relation postgresql-k8s:ldap ldap