Version 3.0.0

Security — OpenMetadata

LDAP Authentication

The tdp-openmetadata package supports LDAP authentication, allowing corporate directories to be used for login in OpenMetadata.

To enable this mode, use the values-tdp-ldap.yaml overlay and create a Kubernetes Secret with the bind password.

The configuration supports customization of user and group DNs, email and login attributes, LDAP group-to-role mappings, and truststore behavior.

Once enabled, users log in with their own LDAP credentials.

How to enable it

  1. Set ldap.enabled: true in values.yaml.
  2. Include the values-tdp-ldap.yaml overlay with the LDAP settings.

Example install/upgrade with the overlay:

Terminal input
helm upgrade --install <release> \
oci://registry.tecnisys.com.br/tdp/charts/tdp-openmetadata \
-n <namespace> --create-namespace \
-f values.yaml \
-f values-tdp-ldap.yaml

Prerequisites

  • LDAP server reachable from the Kubernetes cluster
  • Bind DN with permission to search users and groups
  • Kubernetes Secret containing the bind password

Kubernetes Secret for the bind password

Terminal input
kubectl create secret generic tdp-openmetadata-ldap-secret \
--from-literal=bind-password=<PASSWORD> \
-n <namespace>

Main configuration (values-tdp-ldap.yaml)

In the overlay, define the LDAP host, port, admin DN, user and group base DNs, attributes, and role mapping.

values-tdp-ldap.yaml
ldap:
  enabled: true

openmetadata:
  openmetadata:
    config:
      authentication:
        provider: ldap
        ldapConfiguration:
          host: "ldap.example.local"
          port: 389
          dnAdminPrincipal: "cn=admin,dc=example,dc=local"
          userBaseDN: "ou=users,dc=example,dc=local"
          groupBaseDN: "ou=groups,dc=example,dc=local"
          mailAttributeName: mail
          usernameAttributeName: uid
          groupAttributeName: memberOf
          authRolesMapping: '{"cn=tdp-admins,ou=groups,dc=example,dc=local": ["Admin"]}'
          sslEnabled: false
          truststoreConfigType: TrustAll

What this configuration covers

  • host, port, admin DN, and user/group base DNs
  • customizable attributes for email, username, and groups
  • LDAP group mapping to OpenMetadata roles through authRolesMapping
  • default truststore mode TrustAll, which accepts any server certificate and therefore does not require LDAPS; adjust it to match your environment
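The following added example (not part of the tdp-openmetadata chart or the OpenMetadata project) is a small pre-flight check for the ldapConfiguration block above: it parses authRolesMapping as the JSON string the overlay expects, confirms every mapped group DN sits under groupBaseDN, and flags the two settings that weaken transport security (sslEnabled: false and truststoreConfigType: TrustAll). The sample configuration is a Python dict constructed from the page's overlay so the checks run without a YAML parser; the hardened variant's port and truststore value (JVMDefault) are assumptions to confirm against helm show values for your chart version.

```python
import json

# Constructed sample: the ldapConfiguration block from the overlay on this page,
# written as a dict so the checks run offline without a YAML library.
SAMPLE_LDAP_CONFIG = {
    "host": "ldap.example.local",
    "port": 389,
    "dnAdminPrincipal": "cn=admin,dc=example,dc=local",
    "userBaseDN": "ou=users,dc=example,dc=local",
    "groupBaseDN": "ou=groups,dc=example,dc=local",
    "mailAttributeName": "mail",
    "usernameAttributeName": "uid",
    "groupAttributeName": "memberOf",
    "authRolesMapping": '{"cn=tdp-admins,ou=groups,dc=example,dc=local": ["Admin"]}',
    "sslEnabled": False,
    "truststoreConfigType": "TrustAll",
}

# Hardened variant for comparison. Port 636 (LDAPS) and JVMDefault as the
# truststore mode are assumptions for this example; confirm the accepted
# values with `helm show values` for the installed chart version.
HARDENED_LDAP_CONFIG = dict(
    SAMPLE_LDAP_CONFIG,
    port=636,
    sslEnabled=True,
    truststoreConfigType="JVMDefault",
)


def normalize_dn(dn):
    """Lower-case each RDN and strip spaces around separators for a loose comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_roles_mapping(raw):
    """Parse authRolesMapping: a JSON object mapping a group DN to a list of role names."""
    mapping = json.loads(raw)
    if not isinstance(mapping, dict):
        raise ValueError("authRolesMapping must be a JSON object")
    for dn, roles in mapping.items():
        if not isinstance(roles, list) or not roles or not all(
            isinstance(r, str) and r for r in roles
        ):
            raise ValueError(f"roles for {dn!r} must be a non-empty list of strings")
    return mapping


def check_ldap_config(cfg):
    """Return a list of findings for the ldapConfiguration block; empty means nothing to report."""
    findings = []
    try:
        mapping = parse_roles_mapping(cfg["authRolesMapping"])
    except (KeyError, ValueError) as exc:  # JSONDecodeError is a ValueError subclass
        return [f"authRolesMapping is invalid: {exc}"]

    # Every mapped group should live under groupBaseDN, otherwise the role
    # assignment silently never matches (or matches a group you did not intend).
    group_base = normalize_dn(cfg["groupBaseDN"])
    for dn in mapping:
        if not normalize_dn(dn).endswith("," + group_base):
            findings.append(
                f"mapped group {dn!r} is outside groupBaseDN {cfg['groupBaseDN']!r}"
            )

    # Transport checks: without TLS the bind password and every user's login
    # credentials cross the network in the clear; TrustAll accepts any certificate.
    if not cfg.get("sslEnabled"):
        findings.append("sslEnabled is false: the LDAP connection is not TLS-protected")
    if cfg.get("truststoreConfigType") == "TrustAll":
        findings.append(
            "truststoreConfigType is TrustAll: the LDAP server certificate is not verified"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_LDAP_CONFIG), ("hardened", HARDENED_LDAP_CONFIG)):
        print(name, check_ldap_config(cfg) or "no findings")
```

Run it against your own overlay by replacing the sample dict with the values you intend to apply; a clean result on the hardened variant and two findings on the page's sample is the expected outcome.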

Access with LDAP

Terminal input
kubectl -n <namespace> port-forward service/<release> 8585:8585

Then open http://localhost:8585 and log in with the user's LDAP credentials.

For the full list of parameters, run helm show values for the installed chart version and consult the official OpenMetadata documentation.