Hello, I would like to ask if anybody is managing docker swarm node users with Active Directory (OpenLDAP or any other alternative to AD) and what are the advantages and disadvantages of it?
– Out of the box:
Docker provides an all-or-nothing approach: a shell user is either allowed to access /var/run/docker.sock or not. You could create a group in your ldap and make this group the owner of the docker.sock. I assume you already have ldap auth enabled for your nodes' ssh login.
Access to the docker.sock can additionally be protected by requiring a tls certificate for authentication, see: Protect the Docker daemon socket | Docker Documentation. Of course certificate-based auth can be (and should be!) used when binding the docker engine to a tcp port as well.
– requires additional work:
Practically, Docker allows the use of authorization plugins to achieve what you want. Though I am not aware of any existing plugin that queries ldap. You probably would need to research this, and would highly likely end up developing your own.
Furthermore, the UCP component of Docker Enterprise brought this out of the box to the table for subscribers. Docker Enterprise is now owned by Mirantis and called Mirantis Kubernetes Engine. Even though it has Kubernetes in the name, it still provides support for Swarm mode.
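To illustrate the "develop your own authorization plugin" route from the answer above, here is an added example (not code from the poster, from Docker, or from any existing plugin) of the Docker authorization plugin protocol in Go: the `/Plugin.Activate` handshake, the `/AuthZPlugin.AuthZReq` hook that decides per API call, and the `/AuthZPlugin.AuthZRes` hook. The LDAP group lookup is replaced by an in-memory map with constructed users (alice, bob); the group names `docker-admins` and `docker-readonly`, the plugin socket name `ldap-authz.sock`, and the read-only policy are all assumptions made for this example. It relies on the daemon authenticating callers with tlsverify, since that is how the certificate Common Name reaches the plugin as `User`.

```go
package main

import (
	"encoding/json"
	"log"
	"net"
	"net/http"
	"os"
)

// AuthZRequest mirrors the JSON the Docker daemon POSTs to /AuthZPlugin.AuthZReq
// (RequestBody and RequestHeaders are also sent but are not needed for this policy).
type AuthZRequest struct {
	User            string `json:"User"`            // TLS client cert CN when tlsverify is on
	UserAuthNMethod string `json:"UserAuthNMethod"` // e.g. "TLS"
	RequestMethod   string `json:"RequestMethod"`
	RequestURI      string `json:"RequestUri"`
}

// AuthZResponse is what the plugin answers for both the request and response hooks.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

// groupsOf stands in for the LDAP memberOf lookup. Constructed sample data,
// not a real directory; a production plugin would query LDAP here (and cache).
var groupsOf = map[string][]string{
	"alice": {"docker-admins"},
	"bob":   {"docker-readonly"},
}

// Decide applies the (assumed) policy: docker-admins may do anything,
// docker-readonly may only issue GET/HEAD, and unknown or unauthenticated
// callers are denied.
func Decide(req AuthZRequest) AuthZResponse {
	if req.User == "" {
		return AuthZResponse{Allow: false, Msg: "no authenticated user; enable tlsverify so the daemon passes the client cert CN"}
	}
	for _, g := range groupsOf[req.User] {
		switch g {
		case "docker-admins":
			return AuthZResponse{Allow: true}
		case "docker-readonly":
			if req.RequestMethod == http.MethodGet || req.RequestMethod == http.MethodHead {
				return AuthZResponse{Allow: true}
			}
			return AuthZResponse{Allow: false, Msg: "read-only user " + req.User + " may not " + req.RequestMethod + " " + req.RequestURI}
		}
	}
	return AuthZResponse{Allow: false, Msg: "user " + req.User + " is not in any docker group"}
}

// Handler wires the three endpoints the authz plugin protocol requires.
func Handler() http.Handler {
	mux := http.NewServeMux()
	// Activation handshake: tell the daemon which plugin interfaces we implement.
	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(map[string][]string{"Implements": {"authz"}})
	})
	// Called before the daemon executes each API request.
	mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {
		var req AuthZRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			json.NewEncoder(w).Encode(AuthZResponse{Allow: false, Err: "bad authz request: " + err.Error()})
			return
		}
		resp := Decide(req)
		if !resp.Allow {
			log.Printf("deny user=%q %s %s: %s", req.User, req.RequestMethod, req.RequestURI, resp.Msg)
		}
		json.NewEncoder(w).Encode(resp)
	})
	// Called after the daemon has produced a response; this policy never filters output.
	mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(AuthZResponse{Allow: true})
	})
	return mux
}

func main() {
	// The daemon discovers plugins by socket name under /run/docker/plugins;
	// start dockerd with --authorization-plugin=ldap-authz to enable this one.
	sock := "/run/docker/plugins/ldap-authz.sock"
	os.Remove(sock) // clear a stale socket left by a previous run
	l, err := net.Listen("unix", sock)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.Serve(l, Handler()))
}
```

Note that the plugin only sees who the daemon says the caller is: over the plain unix socket without TLS there is no client certificate, so `User` arrives empty and this policy denies, which is the safe default. The response hook is left permissive here; a stricter plugin could use it to redact output (for example, inspect results containing secrets) for read-only users.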