
Security — OpenMetadata

The tdp-openmetadata chart supports basic authentication (default) and LDAP via openmetadata.config.authentication.*.

Basic Authentication (Default)

By default, OpenMetadata uses internal authentication with the user admin@open-metadata.org. After the first login, change the administrator password through the UI.

Warning: Do not use the default password in production environments. Change it immediately after the first installation.

LDAP Configuration

Overview

OpenMetadata supports LDAP authentication as an alternative to the basic method. The LDAP configuration is implemented through the overlay values-tdp-ldap.yaml, enabling integration with corporate LDAP directories.

Prerequisites

  • LDAP server accessible from the Kubernetes cluster
  • Bind DN with permissions to search users and groups
  • Kubernetes Secret containing the bind DN password

Basic Configuration

1. Enable LDAP

In values.yaml:

ldap:
  enabled: true

2. Configure LDAP Parameters

In values-tdp-ldap.yaml:

openmetadata:
  openmetadata:
    config:
      authentication:
        provider: ldap
        ldapConfiguration:
          host: "192.168.15.65"                          # LDAP server
          port: 389                                      # Port (389, or 636 for LDAPS)
          dnAdminPrincipal: "cn=admin,dc=claim,dc=local" # Bind (admin) DN
          userBaseDN: "ou=users,dc=claim,dc=local"       # User base DN
          groupBaseDN: "ou=groups,dc=claim,dc=local"     # Group base DN
          mailAttributeName: mail                        # Email attribute
          usernameAttributeName: mail                    # Login attribute
          groupAttributeName: memberOf                   # Group attribute
          sslEnabled: false                              # true for LDAPS; false sends credentials unencrypted
          truststoreConfigType: TrustAll                 # Certificate validation; TrustAll accepts any server certificate

3. Create LDAP Password Secret

Terminal input
kubectl create secret generic tdp-openmetadata-ldap-secret \
  --from-literal=bind-password=<LDAP_BIND_PASSWORD> \
  -n <namespace>

Installation with LDAP

Terminal input
helm upgrade --install tdp-openmetadata \
  oci://registry.tecnisys.com.br/tdp/charts/tdp-openmetadata \
  -n <namespace> --create-namespace \
  -f values.yaml \
  -f values-tdp-ldap.yaml

Role Mapping (Optional)

To map LDAP groups to OpenMetadata roles:

ldapConfiguration:
  authRolesMapping: '{"cn=tdp-admins,ou=groups,dc=claim,dc=local": ["Admin"]}'
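
A pre-deployment check for the LDAP overlay and role mapping shown above, as an added example that is not part of the chart or of OpenMetadata. The function name audit_ldap and the severity labels are assumptions; the input is the overlay as a dict (for example from PyYAML's yaml.safe_load), and the sample dict is constructed from the values on this page.

```python
import json

# Constructed sample: the ldapConfiguration block from this page as a dict,
# e.g. what yaml.safe_load() would return for values-tdp-ldap.yaml.
PAGE_VALUES = {"openmetadata": {"openmetadata": {"config": {"authentication": {
    "provider": "ldap",
    "ldapConfiguration": {
        "host": "192.168.15.65", "port": 389,
        "sslEnabled": False, "truststoreConfigType": "TrustAll",
        "authRolesMapping":
            '{"cn=tdp-admins,ou=groups,dc=claim,dc=local": ["Admin"]}',
    },
}}}}}


def audit_ldap(values):
    """Return (severity, message) findings for the overlay's LDAP settings."""
    auth = values["openmetadata"]["openmetadata"]["config"]["authentication"]
    if auth.get("provider") != "ldap":
        return []
    ldap = auth.get("ldapConfiguration", {})
    findings = []
    tls = bool(ldap.get("sslEnabled"))
    if not tls:
        findings.append(("high", "sslEnabled is false: bind and user "
                                 "passwords cross the network unencrypted"))
    if ldap.get("truststoreConfigType") == "TrustAll":
        # Only exploitable once TLS is on, but worth fixing before that.
        findings.append(("high" if tls else "medium",
                         "TrustAll accepts any LDAP server certificate"))
    if tls != (ldap.get("port") == 636):
        findings.append(("low", f"port {ldap.get('port')} does not match "
                                f"sslEnabled={tls} (636 is the LDAPS port)"))
    raw = ldap.get("authRolesMapping")
    if raw:
        try:
            # The mapping is a JSON string: group DN -> list of role names.
            for group, roles in json.loads(raw).items():
                if "Admin" in roles:
                    findings.append(("info", f"Admin granted to {group}"))
        except (ValueError, AttributeError, TypeError):
            findings.append(("high", "authRolesMapping is not a JSON object "
                                     "of group DN -> role list"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ldap(PAGE_VALUES):
        print(f"[{severity}] {message}")
```
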

Access with LDAP

  1. Port-forward:

     Terminal input
     kubectl -n <namespace> port-forward service/<release> 8585:8585

  2. Open: http://localhost:8585

  3. Login: use the LDAP user's email and password.

For the full list of parameters, consult helm show values for the installed chart version and the official OpenMetadata documentation.