Introduction
$ kinit admin
$ ipa -vv user-show admin
...
  "result": {
    "dn": "uid=admin,cn=users,cn=accounts,dc=mkk,dc=example,dc=com",
...
$ ipa group-find
...
Group name: admins
...
$ ipa -vv group-show admins
...
  "result": {
    "dn": "cn=admins,cn=groups,cn=accounts,dc=mkk,dc=example,dc=com",
...
Configuring the LDAP Identity Provider
$ oc explain OAuth.spec.identityProviders.ldap
...
FIELDS:
...
   bindPassword <Object>
     bindPassword is an optional reference to a secret by name containing a
     password to bind with during the search phase. The key "bindPassword" is
     used to locate the data. If specified and the secret or expected key is not
     found, the identity provider is not honored. The namespace for this secret
     is openshift-config.
   ca <Object>
     ca is an optional reference to a config map by name containing the
     PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS
     certificate presented by the remote server. The key "ca.crt" is used to
     locate the data. If specified and the config map or expected key is not
     found, the identity provider is not honored. If the specified ca data is
     not valid, the identity provider is not honored. If empty, the default
     system roots are used. The namespace for this config map is
     openshift-config.
...
Administration -> Cluster Settings -> Configuration -> OAuth
curl http://idm.mkk.example.com/ipa/config/ca.crt
bindDN: "uid=admin,cn=users,cn=accounts,dc=mkk,dc=example,dc=com"
url: "ldaps://idm.mkk.example.com/cn=users,cn=accounts,dc=mkk,dc=example,dc=com?uid"
Troubleshooting
- Authentication Operator logs
- OAuth pod status:
  - oc get pods -n openshift-authentication
Synchronizing LDAP Groups
ldap-sync-config-map.yaml
kind: LDAPSyncConfig
apiVersion: v1
url: ldaps://idm.mkk.example.com/
insecure: false
bindDN: uid=admin,cn=users,cn=accounts,dc=mkk,dc=example,dc=com
bindPassword: redhat123
ca: /tmp/ca.crt
rfc2307:
  groupsQuery:
    baseDN: "cn=groups,cn=accounts,dc=mkk,dc=example,dc=com"
    scope: sub
    derefAliases: never
    pageSize: 0
    filter: "(objectClass=ipausergroup)"
  groupUIDAttribute: dn
  groupNameAttributes: [ cn ]
  groupMembershipAttributes: [ member ]
  usersQuery:
    baseDN: "cn=users,cn=accounts,dc=mkk,dc=example,dc=com"
    scope: sub
    derefAliases: never
    pageSize: 0
  userUIDAttribute: dn
  userNameAttributes: [ uid ]
  tolerateMemberNotFoundErrors: false
  tolerateMemberOutOfScopeErrors: false
Verify the configuration, connectivity, username, password, etc. (without --confirm the sync only reports what it would change):
$ oc adm groups sync --sync-config tmp/ldap-sync.yml
Create a new namespace to hold everything:
$ oc new-project ldap-group-sync
Modify the LDAPSyncConfig so the bind password is read from a mounted file, and save it to /tmp/ldap-group-sync.yaml:
...
bindPassword:
  file: "/etc/secrets/bindPassword"
ca: /etc/config/ca.crt
...
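Before the sync is pointed at IdM, the LDAPSyncConfig can be checked mechanically. The following is an added example, not part of the original post or of OpenShift: it parses the LDAP URL in the form the identity provider expects and flags the settings on which the two versions of the config above differ (literal bindPassword vs. file reference, ca path). The config dicts are constructed to mirror the page's YAML; no PyYAML is needed.

```python
# Added example, not from the original post or OpenShift: sanity-check an
# LDAPSyncConfig before running `oc adm groups sync`. Configs are plain dicts.
from urllib.parse import urlsplit, unquote

def parse_ldap_url(url):
    """Split an RFC 2255 LDAP URL: ldaps://host[:port]/baseDN?attrs?scope?filter."""
    u = urlsplit(url)
    attrs, scope, flt = (u.query.split("?") + ["", ""])[:3]
    return {
        "scheme": u.scheme,
        "host": u.hostname or "",
        "port": u.port or (636 if u.scheme == "ldaps" else 389),
        "base_dn": unquote(u.path.lstrip("/")),
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope or "base",  # RFC 2255 default when the scope is omitted
        "filter": flt,
    }

def lint_sync_config(cfg):
    """Return findings that would break or weaken the sync; an empty list is OK."""
    findings = []
    url = parse_ldap_url(cfg.get("url", ""))
    if url["scheme"] != "ldaps":
        findings.append("url: use ldaps://, or the bind password crosses the wire in cleartext")
    if cfg.get("insecure") is True:
        findings.append("insecure: true turns off TLS certificate verification")
    if url["scheme"] == "ldaps" and not cfg.get("ca"):
        findings.append("ca: unset, so the IdM certificate is checked against system roots only")
    pw = cfg.get("bindPassword")
    if isinstance(pw, str):
        findings.append("bindPassword: literal in the config; use {file: ...} backed by a Secret")
    elif not (isinstance(pw, dict) and pw.get("file")):
        findings.append("bindPassword: must be a string or a {file: <path>} reference")
    for key in ("tolerateMemberNotFoundErrors", "tolerateMemberOutOfScopeErrors"):
        if cfg.get("rfc2307", {}).get(key) is True:
            findings.append(f"{key}: true silently drops members the sync cannot resolve")
    return findings

INITIAL_CONFIG = {  # constructed to mirror the first ldap-sync-config-map.yaml above
    "kind": "LDAPSyncConfig", "apiVersion": "v1", "insecure": False,
    "url": "ldaps://idm.mkk.example.com/", "ca": "/tmp/ca.crt",
    "bindDN": "uid=admin,cn=users,cn=accounts,dc=mkk,dc=example,dc=com",
    "bindPassword": "redhat123",
    "rfc2307": {"tolerateMemberNotFoundErrors": False, "tolerateMemberOutOfScopeErrors": False},
}
# The variant mounted into the CronJob: password read from the Secret volume.
HARDENED_CONFIG = dict(INITIAL_CONFIG, ca="/etc/config/ca.crt",
                       bindPassword={"file": "/etc/secrets/bindPassword"})
```

Running `lint_sync_config(INITIAL_CONFIG)` reports the literal bindPassword, while the hardened variant returns no findings.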
$ oc create secret generic ldap-secret --from-literal bindPassword=redhat123 -n ldap-group-sync
$ oc create configmap ldap-config --from-file ldap-group-sync.yaml=/tmp/ldap-group-sync.yaml,ca.crt=/tmp/ca.crt -n ldap-group-sync
kind: ServiceAccount
apiVersion: v1
metadata:
  name: ldap-group-sync-sa
  namespace: ldap-group-sync
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ldap-group-sync-cr
rules:
- apiGroups:
  - ''
  - user.openshift.io
  resources:
  - groups
  verbs:
  - get
  - list
  - create
  - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ldap-group-sync-crb
subjects:
- kind: ServiceAccount
  name: ldap-group-sync-sa
  namespace: ldap-group-sync
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ldap-group-sync-cr
---
kind: CronJob
apiVersion: batch/v1beta1
metadata:
  name: ldap-group-sync-cj
  namespace: ldap-group-sync
spec:
  schedule: "*/30 * * * *"
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      backoffLimit: 0
      template:
        spec:
          containers:
          - name: ldap-group-sync
            image: "registry.redhat.io/openshift4/ose-cli:latest"
            command:
            - "/bin/bash"
            - "-c"
            - "oc adm groups sync --sync-config=/etc/config/ldap-group-sync.yaml --confirm"
            volumeMounts:
            - mountPath: "/etc/config"
              name: "ldap-sync-volume"
            - mountPath: "/etc/secrets"
              name: "ldap-bind-password"
          volumes:
          - name: "ldap-sync-volume"
            configMap:
              name: "ldap-config"
          - name: "ldap-bind-password"
            secret:
              secretName: "ldap-secret"
          restartPolicy: "Never"
          terminationGracePeriodSeconds: 30
          activeDeadlineSeconds: 500
          dnsPolicy: "ClusterFirst"
          serviceAccountName: "ldap-group-sync-sa"
$ oc logs pod/ldap-group-sync-...
$ oc get groups
$ oc adm policy add-cluster-role-to-group cluster-admin admins