LldapUser
An LldapUser resource declares an lldap user account managed by the operator.
Each resource must carry the lldap-operator.lukidoescode.com/lldap-instance
label whose value selects which lldap instance the user belongs to. The operator
ignores resources without this label.
Example
apiVersion: lldap-operator.lukidoescode.com/v1alpha1
kind: LldapUser
metadata:
name: alice
labels:
lldap-operator.lukidoescode.com/lldap-instance: default
spec:
username: "alice.smith"
email: "alice.smith@example.com"
displayName: "Alice Smith"
firstName: "Alice"
lastName: "Smith"
passwordPolicy: Manage
passwordSecretRef:
name: alice-password
key: password
attributes:
- name: department
value:
- "Engineering"
---
apiVersion: v1
kind: Secret
metadata:
name: alice-password
type: Opaque
stringData:
password: "change-me-on-first-login"
Spec Fields
| Field | Type | Required | Description |
|---|---|---|---|
username | string | yes | LDAP username (1–64 chars, [a-zA-Z0-9._-]) |
email | string | yes | Email address |
displayName | string | no | Display name |
firstName | string | no | First name |
lastName | string | no | Last name |
attributes | AttributeValue[] | no | Custom attribute values; each requires a corresponding LldapAttributeSchema |
passwordPolicy | string | no | One of Manage (default), InitialOnly, Ignore |
passwordSecretRef | object | no | Reference to a Secret containing the password |
passwordSecretRef.name | string | yes (when set) | Name of the Secret |
passwordSecretRef.key | string | yes (when set) | Key within the Secret containing the password |
Validation Rules
The following rules are enforced at admission time by the Kubernetes API server via CRD-embedded CEL expressions (requires Kubernetes 1.25+).
-
Instance label required — rejected with:
metadata.labels must include 'lldap-operator.lukidoescode.com/lldap-instance' with a non-empty valueThe label must be set to a non-empty string identifying which lldap instance owns this user.
-
Password secret required for managed policies — rejected with:
spec.passwordSecretRef is required when spec.passwordPolicy is 'Manage' or 'InitialOnly' (only 'Ignore' permits omitting it)When
passwordPolicyisManage(the default) orInitialOnly, the operator needs a Secret reference to source the password from. OnlyIgnorepermits omittingpasswordSecretRef.
Group memberships are not declared on LldapUser. Use LldapMembership to
attach users to groups.
Status
| Field | Type | Description |
|---|---|---|
uuid | string | User UUID assigned by lldap |
passwordHash | string | Hash of the last reconciled password, used to detect Secret changes |
observedGeneration | int64 | Last observed resource generation |
conditions | Condition[] | Standard Kubernetes conditions |