# Use LDAP external authentication for Aerospike on Kubernetes

This example creates a cluster where Aerospike is configured to use the Lightweight Directory Access Protocol (LDAP) for external authentication. For details about LDAP in Aerospike, see [Aerospike Access Control](https://aerospike.com/docs/database/learn/security/access-control).

## Prerequisites

A preinstalled LDAP server cluster that is reachable from the Kubernetes pods. It can be internal or external to the Kubernetes cluster.

## Aerospike cluster using LDAP

To create an Aerospike cluster that uses LDAP, see the following `aerospikeConfig` section from a sample custom resource (CR) file. The `security.ldap` section here uses demo values from a sample configuration. Adapt this section to use the appropriate configuration for your LDAP server. For more details, see the [available LDAP configuration parameters](https://aerospike.com/docs/database/manage/security/ldap).

```yaml
aerospikeConfig:
  service:
    feature-key-file: /etc/aerospike/secret/features.conf
  security:
    ldap:
      query-base-dn: 'dc=example,dc=org'
      server: ldap://openldap.default.svc.cluster.local:1389
      # Demo value: the connection to the LDAP server does not use TLS.
      disable-tls: true
      query-user-dn: "cn=admin,dc=example,dc=org"
      query-user-password-file: /etc/aerospike/secret/ldap-passwd.txt
      # ${un} is replaced with the user name supplied at login.
      user-dn-pattern: 'cn=${un},ou=users,dc=example,dc=org'
      role-query-search-ou: true
      role-query-patterns:
        - '(&(objectClass=groupOfNames)(member=cn=${un},ou=users,dc=example,dc=org))'
      polling-period: 10
  network:
    service:
      tls-name: aerospike-a-0.test-runner
      tls-authenticate-client: false
      tls-port: 4333
    heartbeat:
      tls-name: aerospike-a-0.test-runner
      tls-port: 3012
    fabric:
      tls-name: aerospike-a-0.test-runner
      tls-port: 3011
    tls:
      - name: aerospike-a-0.test-runner
        cert-file: /etc/aerospike/secret/svc_cluster_chain.pem
        key-file: /etc/aerospike/secret/svc_key.pem
        ca-file: /etc/aerospike/secret/cacert.pem
  namespaces:
    - name: test
      replication-factor: 2
      storage-engine:
        type: memory
        data-size: 1073741824
```
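A pre-apply check for the `security.ldap` values shown above, as an added example that is not part of the Aerospike documentation or the operator's code. The function name `audit_ldap` and the CA path in the hardened variant are hypothetical; the check assumes `tls-ca-file` is the parameter that supplies the CA used to validate the LDAP server certificate.

```python
from urllib.parse import urlsplit

# Constructed input: the security.ldap values from the sample CR above, written
# as the mapping a YAML loader would return.
SAMPLE_LDAP = {
    "query-base-dn": "dc=example,dc=org",
    "server": "ldap://openldap.default.svc.cluster.local:1389",
    "disable-tls": True,
    "query-user-dn": "cn=admin,dc=example,dc=org",
    "query-user-password-file": "/etc/aerospike/secret/ldap-passwd.txt",
    "user-dn-pattern": "cn=${un},ou=users,dc=example,dc=org",
    "role-query-search-ou": True,
    "polling-period": 10,
}

# Hardened variant: TLS left enabled, with a CA file (hypothetical path).
HARDENED_LDAP = {
    **SAMPLE_LDAP,
    "disable-tls": False,
    "tls-ca-file": "/etc/aerospike/secret/ldap-ca.pem",
}


def audit_ldap(ldap):
    """Return (key, message) findings for a security.ldap mapping."""
    findings = []
    scheme = urlsplit(str(ldap.get("server", ""))).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        findings.append(("server", "expected an ldap:// or ldaps:// URL"))
    if ldap.get("disable-tls", False) is True:
        # Binds for query-user-dn and for each login cross the network in clear.
        findings.append(("disable-tls", "LDAP binds are sent without TLS"))
    elif not ldap.get("tls-ca-file"):
        findings.append(("tls-ca-file", "TLS is on but no CA file is configured"))
    pattern = ldap.get("user-dn-pattern")
    if pattern is not None and "${un}" not in pattern:
        # Without the placeholder, every login resolves to the same DN.
        findings.append(("user-dn-pattern", "missing ${un} placeholder"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_LDAP), ("hardened", HARDENED_LDAP)):
        print(name, audit_ldap(cfg) or "no findings")
```

Run it against the mapping loaded from your own CR before `kubectl apply`; the demo values on this page produce a single `disable-tls` finding.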

For the full CR file, see the [example LDAP authentication CR](https://github.com/aerospike/aerospike-kubernetes-operator/blob/v4.1.2/config/samples/ldap_cluster_cr.yaml).

This and other example CRs are available in [the main Aerospike Kubernetes Operator repository](https://github.com/aerospike/aerospike-kubernetes-operator/tree/v4.1.2/config/samples).

Save and exit the CR file, then use `kubectl` to apply the change.

```shell
kubectl apply -f aerospike-cluster.yaml
```