LDAP
Health Check
Mission Control integrates with LDAP directories to monitor authentication infrastructure.
Health Check
Use cases:
- Verify LDAP/Active Directory connectivity and authentication
- Validate bind credentials before they expire
- Search for users and groups to confirm directory availability
- Monitor directory replication by checking user existence across replicas
- Alert when LDAP services become unavailable
Basic Connection Check
Test LDAP connectivity, authentication, and user searches.
ldap.yamlapiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: ldap-pass
spec:
schedule: "@every 5m"
ldap:
- url: ldap://apacheds.canaries.svc.cluster.local:10389
name: ldap user login
username:
value: uid=admin,ou=system
password:
value: secret
bindDN: ou=users,dc=example,dc=com
userSearch: "(&(objectClass=organizationalPerson))"
- url: ldap://apacheds.canaries.svc.cluster.local:10389
name: ldap group login
username:
value: uid=admin,ou=system
password:
value: secret
bindDN: ou=groups,dc=example,dc=com
userSearch: "(&(objectClass=groupOfNames))"
Configuration Options
| Field | Description | Default |
|---|---|---|
connection | Connection URL that supplies the LDAP server URL and credentials. | Optional |
url | LDAP server URL, such as ldap:// or ldaps://. Required unless connection supplies the URL. | Optional |
bindDN | Base DN for the LDAP search. | Required |
username | Bind username. Required unless connection supplies the username. | Optional |
password | Bind password. Required unless connection supplies the password. | Optional |
userSearch | LDAP search filter. | Optional |
skipTLSVerify | Skip TLS certificate verification | false |
Common LDAP Filters
# Find user by username
(uid=johndoe)
# Find user by email
(mail=john@example.com)
# Find all users in a group
(&(objectClass=user)(memberOf=cn=developers,ou=groups,dc=example,dc=com))
# Active Directory: Find by sAMAccountName
(sAMAccountName=johndoe)
# Find enabled AD users
(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# Find users modified in last 24 hours
(&(objectClass=user)(whenChanged>=20240101000000.0Z))