Docker UCP integrates with LDAP directory services, so that you can manage users and groups from your organization’s directory and automatically propagate this information to UCP and DTR. You can set up your cluster’s LDAP configuration by using the UCP web UI, or you can use a UCP configuration file.
To see an example TOML config file that shows how to configure UCP settings, run UCP with the example-config option (substitute the UCP image and version you are running for the placeholders). Learn about UCP configuration files.

docker container run --rm <ucp-org>/<ucp-repo>:<ucp-version> example-config
Use the following command to extract the name of the currently active configuration from the ucp-agent service.

CURRENT_CONFIG_NAME=$(docker service inspect --format '{{ range $config := .Spec.TaskTemplate.ContainerSpec.Configs }}{{ $config.ConfigName }}{{ "\n" }}{{ end }}' ucp-agent | grep 'com.docker.ucp.config-')
Get the current configuration and save it to a TOML file.
docker config inspect --format '{{ printf "%s" .Spec.Data }}' $CURRENT_CONFIG_NAME > config.toml
Use the output of the example-config command as a guide to edit your config.toml file. Under the [auth] section, set backend = "ldap", and under the [auth.ldap] section configure the LDAP integration the way you want.
Once you've finished editing your config.toml file, create a new Docker Config object by using the following commands.

NEW_CONFIG_NAME="com.docker.ucp.config-$(( $(cut -d '-' -f 2 <<< "$CURRENT_CONFIG_NAME") + 1 ))"
docker config create $NEW_CONFIG_NAME config.toml
Update the ucp-agent service to remove the reference to the old config and add a reference to the new config.

docker service update --config-rm "$CURRENT_CONFIG_NAME" --config-add "source=${NEW_CONFIG_NAME},target=/etc/ucp/ucp.toml" ucp-agent
Wait a few moments for the ucp-agent service tasks to update across your cluster. If you set jit_user_provisioning = true in the LDAP configuration, users matching any of your specified search queries will have their accounts created when they log in with their username and LDAP password.
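The steps above, gathered into one script as an added example (this is not code from the UCP documentation or from Docker). It assumes the docker CLI on a UCP manager node and config names of the form com.docker.ucp.config-<N> as used on this page. Beyond the page's commands it adds two checks a practitioner wants before the new config goes live: the numeric suffix is validated before it is incremented, and the edited file is confirmed to set backend = "ldap" under [auth] (a typo there leaves the built-in user store active, and docker config create will not complain). Because config.toml carries the directory bind credentials once [auth.ldap] is filled in, the file is created readable only by the current user and removed after the Swarm config has been created.

```shell
#!/bin/sh
# Added example (not from the UCP documentation): the page's procedure
# wrapped in functions, with two checks before the new config goes live.
# Assumes the docker CLI on a UCP manager node and config names of the
# form com.docker.ucp.config-<N>, as on the page.
set -eu

# Name of the config object currently attached to the ucp-agent service.
current_config_name() {
  docker service inspect \
    --format '{{ range $config := .Spec.TaskTemplate.ContainerSpec.Configs }}{{ $config.ConfigName }}{{ "\n" }}{{ end }}' \
    ucp-agent | grep 'com.docker.ucp.config-'
}

# Pure helper: increment the numeric suffix of a config name.
# Refuses a name whose suffix is not a number instead of letting the
# shell arithmetic run on garbage.
next_config_name() {
  current="$1"
  prefix="${current%-*}"
  n="${current##*-}"
  case "$n" in
    ''|*[!0-9]*) echo "unexpected config name: $current" >&2; return 1 ;;
  esac
  printf '%s-%d\n' "$prefix" "$((n + 1))"
}

# Check that the edited TOML really selects the LDAP backend under
# [auth]. Tracks the current section so a backend key in some other
# section does not count.
toml_selects_ldap() {
  awk '
    /^[ \t]*\[/ { section = $0; sub(/#.*$/, "", section); gsub(/[ \t]/, "", section) }
    section == "[auth]" && /^[ \t]*backend[ \t]*=[ \t]*"ldap"/ { found = 1 }
    END { if (found) exit 0; exit 1 }
  ' "$1"
}

# Pull the active config into config.toml. The file will hold the LDAP
# reader credentials once [auth.ldap] is filled in, so create it
# readable by this user only.
export_current_config() {
  umask 077
  current="$(current_config_name)"
  docker config inspect --format '{{ printf "%s" .Spec.Data }}' "$current" > config.toml
  echo "exported $current to config.toml; edit [auth] and [auth.ldap], then run: $0 apply"
}

# Create the next config object from the edited file and swap it into
# the ucp-agent service.
apply_config() {
  toml_selects_ldap config.toml || {
    echo 'config.toml does not set backend = "ldap" under [auth]; refusing to apply' >&2
    return 1
  }
  current="$(current_config_name)"
  new="$(next_config_name "$current")"
  docker config create "$new" config.toml
  docker service update \
    --config-rm "$current" \
    --config-add "source=${new},target=/etc/ucp/ucp.toml" ucp-agent
  rm -f config.toml   # the credentials now live only in the Swarm config
}

case "${1:-}" in
  export) export_current_config ;;
  apply)  apply_config ;;
  *) ;;   # no verb: only define the functions (e.g. when sourced)
esac
```

Run it as `./ucp-ldap-config.sh export`, edit config.toml, then `./ucp-ldap-config.sh apply`; called with no verb it only defines the functions, so it can be sourced into an interactive shell.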