Configuring LDAP Auth and Group Sync on OpenShift Container Platform

Preface

How to integrate LDAP (here Active Directory) users and groups into OpenShift Container Platform 4 (OCP4) authentication: an LDAP identity provider so that directory users can log in, plus a group sync so that directory groups become OpenShift groups that cluster roles can be bound to.

Prerequisite

  • cluster-admin access to the OpenShift cluster and the oc CLI.
  • An LDAP service account (bind DN and password) with read access to the user and group subtrees. Use a dedicated, low-privilege account for this; its password is stored in the cluster.

Procedure

Add IdentityProvider on OAuth Configuration

First create a Secret in the openshift-config namespace whose data key bindPassword holds the bind account's password (the OAuth config references the Secret by name only). Then add the provider below to the cluster-wide OAuth object, which is a singleton named cluster (oc edit oauth cluster), keeping any identity provider that is already listed there, such as the htpasswd provider used for the initial admin.
 
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster            # the cluster OAuth configuration is a singleton named "cluster"
spec:
  identityProviders:
    - ldap:
        attributes:
          email:
            - mail
          id:
            - mail         # identity key: if a user's mail changes they become a new identity and can no longer claim their existing User
          name:
            - cn
          preferredUsername:
            - mail
        bindDN: "CN=OCP Admin, OU=Application Admin, OU=IT, OU=Users, DC=ndkprd, DC=com"
        bindPassword:
          name: <SECRET-NAME-IN-openshift-config-NAMESPACE>   # Secret in openshift-config; its data key must be "bindPassword"
        insecure: true     # plaintext LDAP: the bind password and every user's password cross the network unencrypted; prefer ldaps://, a "ca:" ConfigMap and insecure: false
        url: "ldap://10.10.10.10:389/OU=Users, DC=ndkprd, DC=com?mail?sub?(objectClass=person)"
      mappingMethod: claim
      name: "NDKPRD.COM Directory"
      type: LDAP
 

Note

You can test the provider by logging in (oc login or the web console) as a directory user. The provider only takes effect after the authentication operator has rolled out new oauth-openshift pods, which can take a minute. At this point the login should succeed, but the user cannot access anything yet because no role is bound to any LDAP group. If the login fails, check the OAuth server logs: oc get pods -n openshift-authentication, then oc logs <pod> -n openshift-authentication. Bind failures and bad search bases show up there.

Create and Apply the Group Sync Configuration

Save the following as ldap_sync.yaml. It uses the augmentedActiveDirectory schema, which reads group membership from each user's memberOf attribute. groupUIDNameMapping maps an LDAP group UID (here the group DN, because groupUIDAttribute is dn) to the OpenShift group name that the sync creates; whatever name results here is the one you bind roles to in the next step.

 
---
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://10.1.54.9:389
bindDN: "CN=OCP Admin, OU=Application Admin, OU=IT, OU=Users, DC=ndkprd, DC=com"
bindPassword:
  file: "/path/to/bindPassword"   # required for an authenticated bind; read it from a file rather than committing it in this YAML
insecure: true                    # plaintext bind; prefer ldaps:// plus a "ca:" file path and insecure: false
groupUIDNameMapping:
  # key: LDAP group UID (the DN); value: the OpenShift group name that will be created
  "CN=OCP Admins, ": "CN=OCP Administrators, OU=Groups, DC=ndkprd, DC=com"
augmentedActiveDirectory:
    groupsQuery:
       baseDN: "OU=Groups, DC=ndkprd, DC=com"
       scope: sub
       derefAliases: never
       pageSize: 0
    groupUIDAttribute: dn
    groupNameAttributes: [ cn ]
    usersQuery:
        baseDN: "OU=Users, DC=ndkprd, DC=com"
        scope: sub
        derefAliases: never
        filter: (objectclass=person)
        pageSize: 0
    userNameAttributes: [ mail ]            # must match the identity provider's preferredUsername, or synced members will not map onto the logged-in Users
    groupMembershipAttributes: [ memberOf ]
 

Dry-run first. Without --confirm the command only prints the groups and members it would create or update, and changes nothing:

oc adm groups sync --sync-config=ldap_sync.yaml

Apply once the output shows the expected groups:

oc adm groups sync --sync-config=ldap_sync.yaml --confirm

Check the resulting OpenShift group names with oc get groups; these are the names used for role bindings.

CAUTION

Don't pass --confirm until the dry run looks right. A sync is a one-shot snapshot: re-run it (for example from a CronJob) so membership changes in the directory reach the cluster, and run oc adm prune groups --sync-config=ldap_sync.yaml --confirm to delete OpenShift groups whose LDAP record no longer exists, so that deleted directory groups do not keep their bindings.

Add ClusterRoleBinding (for admins)

oc create clusterrolebinding <CRB_NAME> --clusterrole=cluster-admin --group="OCP Admin"

The --group value must be the OpenShift group name exactly as oc get groups shows it after the sync; a binding to a group name that does not exist is accepted but matches nobody. cluster-admin grants unrestricted access to the whole cluster, so reserve it for the admin group and give other synced groups namespaced roles with oc adm policy add-role-to-group.
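The steps above, pulled together as a script. This is an added example of mine, not code from the original page or from OpenShift; it renders the bind-password Secret, the CA ConfigMap and the OAuth object with the transport hardened (ldaps:// with a pinned CA instead of ldap:// plus insecure: true), and only talks to the cluster when invoked with --apply. The LDAPS host ldap.ndkprd.com, the object names ldap-bind-password and ldap-ca, the group DN in the comment and the sync config path ldap_sync.yaml are assumptions; the bind DN, search base and attribute choices are the page's own.

```shell
#!/bin/sh
# Added example (not from the original page): render the objects the LDAP
# procedure needs, hardened to LDAPS with a pinned CA, and apply them only
# when run with --apply. Assumed: host ldap.ndkprd.com, names
# ldap-bind-password / ldap-ca, sync config ldap_sync.yaml.
set -e

LDAP_HOST="${LDAP_HOST:-ldap.ndkprd.com}"   # assumption: must match a SAN in the LDAP server certificate
BIND_DN='CN=OCP Admin, OU=Application Admin, OU=IT, OU=Users, DC=ndkprd, DC=com'
SECRET_NAME="ldap-bind-password"            # assumed Secret name
CA_CM_NAME="ldap-ca"                        # assumed ConfigMap name
IDP_NAME="NDKPRD.COM Directory"

# Bind-password Secret in openshift-config. The data key must be exactly
# "bindPassword"; the OAuth object references the Secret by name only.
render_bind_secret() {    # $1 = bind password
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
  namespace: openshift-config
type: Opaque
data:
  bindPassword: $(printf '%s' "$1" | base64 | tr -d '\n')
EOF
}

# CA bundle ConfigMap in openshift-config; the key must be "ca.crt".
# The PEM file is indented four spaces to sit inside the YAML block scalar.
render_ca_configmap() {   # $1 = path to the PEM CA bundle
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: ${CA_CM_NAME}
  namespace: openshift-config
data:
  ca.crt: |
$(sed 's/^/    /' "$1")
EOF
}

# OAuth singleton "cluster" with the LDAP provider over LDAPS (port 636),
# insecure: false and the CA pinned via the ConfigMap. "oc apply" replaces
# the whole identityProviders list, so merge any provider you already have
# (e.g. htpasswd) into this list before applying.
render_oauth() {
  cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: "${IDP_NAME}"
    type: LDAP
    mappingMethod: claim
    ldap:
      url: "ldaps://${LDAP_HOST}:636/OU=Users,DC=ndkprd,DC=com?mail?sub?(objectClass=person)"
      insecure: false
      ca:
        name: ${CA_CM_NAME}
      bindDN: "${BIND_DN}"
      bindPassword:
        name: ${SECRET_NAME}
      attributes:
        id: [mail]
        email: [mail]
        name: [cn]
        preferredUsername: [mail]
EOF
}

if [ "${1:-}" = "--apply" ]; then
  : "${BIND_PASSWORD:?set BIND_PASSWORD in the environment}"
  : "${CA_FILE:?set CA_FILE to the PEM bundle path}"
  render_bind_secret "$BIND_PASSWORD" | oc apply -f -
  render_ca_configmap "$CA_FILE"     | oc apply -f -
  render_oauth                       | oc apply -f -
  # Group sync: dry run first (prints what would change, changes nothing),
  # then confirm, then list the resulting OpenShift group names before
  # binding a role to one of them (assumed mapping: group DN -> "OCP Admin").
  oc adm groups sync --sync-config=ldap_sync.yaml
  oc adm groups sync --sync-config=ldap_sync.yaml --confirm
  oc get groups
  # Least privilege: cluster-admin only for the admin group; other synced
  # groups get namespaced roles via "oc adm policy add-role-to-group".
  oc adm policy add-cluster-role-to-group cluster-admin "OCP Admin"
fi
```

Run it as BIND_PASSWORD='...' CA_FILE=ca.pem sh ldap-setup.sh --apply; without --apply the functions can be sourced and inspected (render_oauth | less) before anything reaches the cluster. The password is passed through the environment rather than written into the YAML on disk, and the rendered Secret is the only place it lands.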

Conclusion

Directory users who are members of the LDAP group synced as the OpenShift group "OCP Admin" can now log in through the NDKPRD.COM Directory provider and act as cluster-admin. Re-run the sync (and prune) on a schedule so that membership changes in the directory are reflected in the cluster, and move the identity provider and sync config to ldaps:// before relying on this in production.
