The Google Secure LDAP service provides a simple and secure way to connect your LDAP-based applications and services to Cloud Identity or Google Workspace.
Boundary now includes an LDAP auth method which allows it to delegate authentication to an LDAP directory.
The first time a user successfully authenticates using an LDAP auth method, a new LDAP account is created using the user’s account login name.
LDAP managed groups allow administrators to assign roles within Boundary based on an LDAP account’s group memberships.
The tutorial provides a basic example of setting up Google Secure LDAP as an authentication method and it assumes you already have Boundary up and running, as well as access to Google Secure LDAP so you can add LDAP clients.
1) Add LDAP client. Define the access permissions as per your use case and download the generated certificate.
The required connection parameters for the auth method to work with Google Secure LDAP are:
urls: (string, required) - A set of LDAP URLs that specifies a set of LDAP servers to connect to. In this case, we need to use: ldaps://ldap.google.com
user-dn: (string, required) - Base DN under which to perform the user search. In this case, we need to use: dc=domain,dc=com, replacing the dc components with our own domain name.
user-attr: (string, required) - Attribute on user attribute entry matching the username passed when authenticating. Examples: cn
upn-domain: (string, optional) - Specifies the userPrincipalDomain used to construct the UPN string for the authenticating user.
client-certificate: (string, required) - Client certificate presented to the LDAP server for mTLS connections; must be x509 PEM encoded. This is the certificate you downloaded in Step 1 above.
client-certificate-key: (string, required) - Private key belonging to the client certificate, used for mTLS connections to the LDAP server; must be PEM encoded. This is the key you downloaded in Step 1 above.
If you are using the CLI to configure the auth method, you can use the following snippet:
boundary auth-methods create ldap \
-urls "ldaps://ldap.google.com" \
-user-dn "dc=domain,dc=com" \
-user-attr "cn" \
-upn-domain "domain.com" \
-client-certificate file://path-to-ldap-client-certificate.crt \
-client-certificate-key file://path-to-ldap-client-certificate-key.key
Make sure to adjust the placeholder values (the domain name in -user-dn and -upn-domain, and the paths to the certificate and key files) to match your environment.
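The snippet above is easy to get subtly wrong: a plain ldap:// URL, a DN that does not match the domain, or a certificate file that is not actually PEM. The following pre-flight script is an added example, not part of the original tutorial or of Boundary itself; the function names (domain_to_dn, check_ldaps_url, check_pem, build_create_command) and the temporary file paths are this example's own. It validates the inputs, derives the base DN from the domain, and prints the boundary command for review instead of running it.

```shell
#!/bin/sh
# Added example (not Boundary's own tooling): pre-flight checks for the
# Google Secure LDAP auth-method parameters before running
# `boundary auth-methods create ldap`.
# Assumption: the certificate and key are local PEM files downloaded from
# the Google Secure LDAP client you created in Step 1.

# Convert a DNS domain (example.com) into the base DN Google expects
# (dc=example,dc=com). Prints the DN on stdout.
domain_to_dn() {
  printf '%s' "$1" | awk -F. '{
    for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
  }'
}

# Google Secure LDAP only accepts TLS-wrapped connections, so refuse any
# URL that is not ldaps://; a plain ldap:// bind would send credentials
# in clear text and the server would reject it anyway.
check_ldaps_url() {
  case "$1" in
    ldaps://*) return 0 ;;
    *) echo "refusing non-ldaps URL: $1" >&2; return 1 ;;
  esac
}

# Verify that a file is readable and carries the expected PEM header
# ("CERTIFICATE", or "PRIVATE KEY" which also matches RSA/EC variants).
check_pem() {
  file="$1"; header="$2"
  [ -r "$file" ] || { echo "missing or unreadable file: $file" >&2; return 1; }
  grep -q -- "-----BEGIN .*${header}-----" "$file" \
    || { echo "$file does not look like a PEM $header" >&2; return 1; }
}

# Build the CLI invocation from validated inputs and print it so the
# operator can review it before creating the auth method.
build_create_command() {
  url="$1"; domain="$2"; cert="$3"; key="$4"
  check_ldaps_url "$url" || return 1
  check_pem "$cert" "CERTIFICATE" || return 1
  check_pem "$key" "PRIVATE KEY" || return 1
  dn=$(domain_to_dn "$domain")
  printf 'boundary auth-methods create ldap -urls "%s" -user-dn "%s" -user-attr "cn" -upn-domain "%s" -client-certificate "file://%s" -client-certificate-key "file://%s"\n' \
    "$url" "$dn" "$domain" "$cert" "$key"
}

# Usage: sh preflight.sh ldaps://ldap.google.com example.com ./client.crt ./client.key
if [ "$#" -eq 4 ]; then
  build_create_command "$@"
fi
```

The script deliberately prints the command rather than executing it, so a wrong DN or path is caught before an auth method is created; once the output looks right, paste it into your shell.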
If you have trouble binding, or you receive 401 Unauthenticated errors, review the LDAP log events within Google, or contact us so we can look at the logs from the controller's end.