LemonLDAP::NG controller



This repository contains the LemonLDAP::NG controller built around the Kubernetes Ingress resource that uses ConfigMap to store the LemonLDAP configuration.

It is intended to be used with the NGINX Ingress Controller.


See Deployment.

Ingress Annotations

The following annotations are supported:

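Name                      type
location-rules            string
exported-headers          string
application-category      string
application-name          string
application-description   string
application-logo          string
application-display       string
application-uri           string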


location-rules

Both YAML and JSON are supported:

    "^/admin/": "$uid eq \"bart.simpson\""
    "default": "accept"

If not specified in the Ingress, the default location-rules are:

    "default": "accept"

This ensures that the user is authenticated.

See also LemonLDAP::NG documentation.
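
As an added example (not part of the controller's code), this Go check reports which location-rules entry would govern a given request path, which helps when reviewing a rule set before applying it. It assumes the JSON form of the annotation value, alphabetical first-match ordering of the regex keys with "default" as fallback, and Go's RE2 regex syntax in place of Perl's; `ruleFor` is a hypothetical helper name.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// ruleFor returns the location-rules key and expression that would govern path.
// Assumptions (not taken from the controller's code): the value is in JSON form,
// regex keys are tried in alphabetical order, and "default" is the fallback.
func ruleFor(annotation, path string) (string, string, error) {
	if annotation == "" {
		annotation = `{"default": "accept"}` // default stated in the README
	}
	rules := map[string]string{}
	if err := json.Unmarshal([]byte(annotation), &rules); err != nil {
		return "", "", fmt.Errorf("location-rules is not valid JSON: %w", err)
	}
	keys := make([]string, 0, len(rules))
	for k := range rules {
		if k != "default" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	for _, k := range keys {
		re, err := regexp.Compile(k) // Go RE2 syntax; Perl-only constructs fail here
		if err != nil {
			return "", "", fmt.Errorf("bad pattern %q: %w", k, err)
		}
		if re.MatchString(path) {
			return k, rules[k], nil
		}
	}
	if _, ok := rules["default"]; !ok {
		return "", "", fmt.Errorf("no rule matches %q and no default is set", path)
	}
	return "default", rules["default"], nil
}

func main() {
	// Constructed value: the README's example rules wrapped as a JSON object.
	ann := `{"^/admin/": "$uid eq \"bart.simpson\"", "default": "accept"}`
	for _, p := range []string{"/admin/users", "/admin", "/Admin/users", "/"} {
		k, expr, err := ruleFor(ann, p)
		fmt.Printf("%-13s rule=%q expr=%q err=%v\n", p, k, expr, err)
	}
}
```

With the example rules, /admin (no trailing slash) and /Admin/users are governed by "default" rather than by the "^/admin/" rule, so check the pattern's anchoring and case against the paths the application actually serves.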


exported-headers

Both YAML and JSON are supported:

    "Display-Name": "$givenName.\" \".$surName"

If not specified in the Ingress, the default exported-headers are:

    "Auth-User": "$uid"

See also LemonLDAP::NG documentation.

application-category, application-name, application-description, application-logo, application-display, application-uri

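apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    application-category: "1apps"
    application-name: "MyApp"
    application-description: "My Application to do things"
    application-logo: "thumbnail.png"
    application-display: auto
    application-uri: ""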

If application-category or application-name is not specified in the Ingress, no application is created.

The other annotations default to:

  • application-description: Same as application-name
  • application-logo: "gear.png" (other images are available)
  • application-display: "auto" (other values: on or off)
  • application-uri: URL built from the first HTTP Ingress rule.

See also LemonLDAP::NG documentation.

Config Map

A config map can be used to override lmConf-1.js parameters.

Any key suffixed by .yaml will be parsed accordingly:

kind: ConfigMap
apiVersion: v1
metadata:
  name: lemonldap-ng-configuration
  namespace: ingress-nginx
data:
  globalStorage: Apache::Session::Browseable::Postgres # Default Apache::Session::File
  # ConfigMap values are stored unencrypted: the Password below is readable by
  # anyone who can read ConfigMaps in this namespace.
  globalStorageOptions.yaml: |
    DataSource: dbi:Pg:dbname=sessions;host=
    UserName: lemonldapng
    Password: mysuperpassword
    TableName: sessions
    Commit: 1
    Index: _whatToTrace ipAddr

This is the most difficult part of LemonLDAP::NG configuration. Recommended settings include:

See also the example ConfigMap and the full parameters list from LemonLDAP::NG documentation.

Note: Make sure the deployment has the following argument:

- --configmap=ingress-nginx/lemonldap-ng-configuration

You can convert an existing configuration to ConfigMap with Convert mode.

Command line flags

Usage of /lemonldap-ng-controller:
      --alsologtostderr                               log to standard error as well as files
      --configmap string                              Name of the ConfigMap that contains the custom configuration to use
      --convert                                       Convert lmConf-n.js from standard input to ConfigMap
      --force-namespace-isolation                     Force namespace isolation. This flag is required to avoid the reference of secrets or configmaps located in a different namespace than the specified in the flag --watch-namespace
      --kubeconfig string                             Path to a kubeconfig. Only required if out-of-cluster
      --lemonldap-ng-configuration-directory string   LemonLDAP::NG configuration directory (default "/var/lib/lemonldap-ng/conf")
      --log_backtrace_at traceLocation                when logging hits line file:N, emit a stack trace (default :0)
      --log_dir string                                If non-empty, write log files in this directory
      --logtostderr                                   log to standard error instead of files
      --master string                                 The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster
      --stderrthreshold severity                      logs at or above this threshold go to stderr (default 2)
      --sync-period duration                          Relist and confirm cloud resources this often (default 10m0s)
  -v, --v Level                                       log level for V logs
      --version                                       Shows release information about the LemonLDAP::NG controller
      --vmodule moduleSpec                            comma-separated list of pattern=N settings for file-filtered logging
      --watch-namespace string                        Namespace to watch for Ingress. Default is to watch all namespaces

Convert mode

If you have an existing configuration, convert it with --convert:

cat lmConf-42.js | \
  lemonldap-ng-controller --convert --configmap=ingress-nginx/lemonldap-ng-configuration | \
  kubectl apply -f -