Disclaimer: this article was published originally on Medium, in March 2021 and may not be 100% up to date.
Quick guide on integrating an OKD4 cluster to log in with Active Directory
Before going to OKD, gather the following information:
- A dedicated AD service account (for binding purposes) with complete DN;
- Domain name or AD IP;
- Complete DN of a “control group” with users allowed to log in;
- Complete DN of groups you want to sync.
Now to OKD: start by creating a secret for your LDAP Service Account password:
```bash
oc create secret generic ldap-secret --from-literal=bindPassword='<LDAP SA password>' -n openshift-config
```

(`--from-literal` leaves the password in your shell history; `--from-file=bindPassword=<path-to-file>` reads it from a file instead.) Next, update the cluster authentication configuration. The YAML below changes the cluster-scoped OAuth resource named `cluster`; the `bindPassword` secret it references must live in the `openshift-config` namespace. Note that `spec.identityProviders` is a complete list: applying this replaces any provider already configured (an htpasswd provider, for instance), so include those entries too or you may lock yourself out.
```yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster            # cluster-scoped object, no namespace
spec:
  identityProviders:
  - name: ldapidp
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id:
        - sAMAccountName
        email:
        - mail
        name:
        - displayName
        preferredUsername:   # becomes the OpenShift user name
        - cn
      bindDN: "CN=OKD,OU=ServiceAccounts,OU=Users,DC=domain,DC=com"
      bindPassword:
        name: ldap-secret    # Secret in openshift-config, key bindPassword
      insecure: true         # cleartext LDAP on 389: the bind password and every login travel unencrypted
      url: "ldap://<ip-or-ad-domain>:389/OU=Users,DC=domain,DC=com?sAMAccountName?sub?(memberof=CN=okd-users,OU=Groups,DC=domain,DC=com)"
```

Fields to change:
- `bindDN`: the complete DN of your LDAP service account.
- `url`: your AD server and the OU (base DN) under which your users live. The attribute after the base DN (`sAMAccountName`) is what the name typed at login is matched against; the OpenShift user name itself comes from `preferredUsername` (`cn` here).
- The filter at the end of the URL (`memberof=...`) restricts login to members of the `okd-users` group. You can remove it to allow any account under the base DN, but keeping a control group is the safer default.
Then apply the file you generated:
```bash
oc apply -f path/to/ldap-auth.yaml
```

After applying, the authentication operator rolls out new pods; watch `oc get pods -n openshift-authentication` (or `oc get co authentication` for the operator status). Once they are running you should be able to log in with an AD account that is a member of `okd-users`.
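The configuration above sends the service-account bind and every user's password over cleartext LDAP. The same identity provider over LDAPS, as an added example that is not part of the original post: it verifies the AD server certificate against a CA bundle stored in a ConfigMap. The ConfigMap name `ldap-ca`, the host `ad.domain.com` and the path to the CA file are assumptions; the ConfigMap key must be `ca.crt`.

```yaml
# Added example, not from the original post. Assumes the AD root CA was loaded with:
#   oc create configmap ldap-ca --from-file=ca.crt=/path/to/ad-root-ca.pem -n openshift-config
# and that the domain controller answers LDAPS on ad.domain.com:636 (assumed host).
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ldapidp
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id:
        - sAMAccountName
        email:
        - mail
        name:
        - displayName
        preferredUsername:
        - cn                 # keep in step with userNameAttributes in the group sync config
      bindDN: "CN=OKD,OU=ServiceAccounts,OU=Users,DC=domain,DC=com"
      bindPassword:
        name: ldap-secret
      ca:
        name: ldap-ca        # ConfigMap in openshift-config holding ca.crt
      insecure: false        # require TLS; with an ldap:// URL this would attempt StartTLS instead
      url: "ldaps://ad.domain.com:636/OU=Users,DC=domain,DC=com?sAMAccountName?sub?(memberof=CN=okd-users,OU=Groups,DC=domain,DC=com)"
```

With `insecure: false` and an `ldaps://` URL the OAuth server refuses to bind if the certificate chain does not validate against `ca.crt`, so a typo in the CA bundle shows up as a login failure in the oauth-openshift pod logs rather than as a silent downgrade to cleartext.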
Group Sync
For the group sync, two files are needed: ldap-group-sync.yaml and whitelist.txt.
```yaml
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://<ip-or-ad-domain>:389
insecure: true                   # cleartext bind; use ldaps://<host>:636, insecure: false and ca: <bundle-path> where possible
bindDN: CN=OKD,OU=ServiceAccounts,OU=Users,DC=domain,DC=com
bindPassword: '<AD Service Account Password>'   # can also be read from a mounted file: bindPassword: { file: /path/to/bindPassword }
groupUIDNameMapping:
  "CN=okd-admins,OU=Groups,DC=domain,DC=com": okd-admins
  "CN=okd-project1-users,OU=Groups,DC=domain,DC=com": okd-project1-users
augmentedActiveDirectory:
  groupsQuery:
    derefAliases: never
    pageSize: 0
  groupUIDAttribute: dn
  groupNameAttributes: [ cn ]
  usersQuery:
    baseDN: "OU=Users,DC=domain,DC=com"
    scope: sub
    derefAliases: never
    filter: (objectclass=person)
    pageSize: 0
  userNameAttributes: [ cn ]
  # LDAP_MATCHING_RULE_IN_CHAIN: resolves nested group membership, not only direct members
  groupMembershipAttributes: [ "memberOf:1.2.840.113556.1.4.1941:" ]
```

Fields to change:
- `url`: replace with your AD server IP or domain name.
- `bindDN`: the DN of the service account created earlier.
- `bindPassword`: the service account password. This file now holds a credential in cleartext, so keep it out of version control and readable only by the people running the sync.
- `groupUIDNameMapping`: one entry per AD group you want to sync, mapping the group DN to the OKD group name.
- `baseDN`: the base DN under which your AD users live.
- `userNameAttributes`: must produce the same value as the identity provider's `preferredUsername` (`cn` in both files). If they differ, the member names written into the groups will not match the user names OKD creates at login, and RoleBindings on those groups will silently not apply.
In the whitelist.txt file, insert the previously mentioned groups, one per line:

```
CN=okd-admins,OU=Groups,DC=domain,DC=com
CN=okd-project1-users,OU=Groups,DC=domain,DC=com
```

After editing both files, do a dry run to validate them (without `--confirm` nothing is written to the cluster):
```bash
oc adm groups sync --whitelist=whitelist.txt --sync-config=ldap-group-sync.yaml
```

If the dry run lists the groups and members you expect, add the `--confirm` flag to apply the changes:

```bash
oc adm groups sync --whitelist=whitelist.txt --sync-config=ldap-group-sync.yaml --confirm
```

Check that the groups appeared (`oc get groups`, or the console), then bind roles to them. For example, bind the cluster-admin ClusterRole to the okd-admins group, and give project groups only the role they need inside their own project rather than cluster-wide rights.
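The two bindings just described, written as manifests. This is an added example and not the original post's screenshot; the project name `project1` is assumed. The group names are the values from `groupUIDNameMapping`, not the AD DNs.

```yaml
# Added example, not from the original post. Equivalent commands:
#   oc adm policy add-cluster-role-to-group cluster-admin okd-admins
#   oc adm policy add-role-to-group admin okd-project1-users -n project1   (project1 is assumed)
---
# okd-admins gets cluster-admin: full control of the cluster, so keep this AD
# group small and review its membership (the sync will add whoever AD says is in it).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: okd-admins-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: okd-admins
---
# okd-project1-users gets the built-in "admin" ClusterRole, but through a
# namespaced RoleBinding, so the rights stop at the project boundary.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: okd-project1-users-admin
  namespace: project1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: okd-project1-users
```

Because group membership is now driven by AD, anyone who can edit the `okd-admins` group in AD can grant cluster-admin on OKD; treat that AD group with the same care as the cluster's kubeadmin credentials.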
Group Sync automation
You could sync your groups manually whenever needed, or schedule a cron on some host to do it. But there is a neater way: schedule a CronJob inside the OKD cluster that periodically re-syncs the groups from AD.
Start by creating a project named ldap-sync and a ClusterRole that gives the job only the permissions it needs (managing Group objects, nothing else):
Create a file rbac-ldap-group-sync.yaml:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ldap-group-sync
rules:
- apiGroups:
  - user.openshift.io
  resources:
  - groups
  verbs:
  - create
  - update
  - patch
  - delete
  - get
  - list
```

Then run:
```bash
oc apply -f rbac-ldap-group-sync.yaml
```

Next, create the cronjob-ldap-group-sync.yaml:
```yaml
apiVersion: batch/v1beta1   # use batch/v1 on OKD 4.8+ (Kubernetes 1.21+); v1beta1 was removed in Kubernetes 1.25
kind: CronJob
metadata:
  name: ldap-group-sync
  namespace: ldap-sync
spec:
  schedule: '@hourly'
  suspend: false
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          serviceAccountName: ldap-sync   # oc picks up this account's token from the in-cluster config
          terminationGracePeriodSeconds: 30
          containers:
          - name: oc-cli
            # registry.redhat.io needs a Red Hat pull secret; on OKD use quay.io/openshift/origin-cli.
            # Pin a tag matching your cluster version instead of relying on the floating default.
            image: registry.redhat.io/openshift4/ose-cli
            command:
            - /bin/oc
            - adm
            - groups
            - sync
            - '--whitelist=/ldap-sync/whitelist.txt'
            - '--sync-config=/ldap-sync/ldap-group-sync.yaml'
            - '--confirm'
            volumeMounts:
            - name: config
              readOnly: true
              mountPath: /ldap-sync/
          volumes:
          - name: config
            secret:
              secretName: ldap-sync   # keys whitelist.txt and ldap-group-sync.yaml; the sync config carries the AD bind password
              defaultMode: 420
          dnsPolicy: ClusterFirst
```

And then create the task:
```bash
oc apply -f cronjob-ldap-group-sync.yaml
```

On the OKD console you can see the history of events generated by the job.
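The CronJob above refers to a namespace, a service account, a binding to the `ldap-group-sync` ClusterRole and a Secret that the post never shows being created. As an added example (not from the original post), here are those objects; the names match the CronJob, and the Secret is built from the two files edited in the Group Sync section, so its keys equal the file names used in the `--whitelist` and `--sync-config` arguments.

```yaml
# Added example, not from the original post. Create the Secret from the files you
# already edited (the key names must match the paths in the CronJob's arguments):
#   oc create secret generic ldap-sync -n ldap-sync \
#     --from-file=whitelist.txt --from-file=ldap-group-sync.yaml
# That Secret contains the AD bind password, so restrict who can read Secrets in
# this namespace to the people who run the sync.
---
apiVersion: v1
kind: Namespace          # or: oc new-project ldap-sync
metadata:
  name: ldap-sync
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ldap-sync
  namespace: ldap-sync
---
# Bind only the group-management ClusterRole to this one service account;
# the job never needs cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ldap-group-sync
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ldap-group-sync
subjects:
- kind: ServiceAccount
  name: ldap-sync
  namespace: ldap-sync
```

Apply these before the CronJob; if the binding is missing, the first run fails with a forbidden error on `groups.user.openshift.io` in the pod log, which is the quickest way to tell an RBAC problem from an LDAP one.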
Tips:
- You can change the schedule from `@hourly` to any standard five-field cron expression (Kubernetes uses the same syntax as cron, plus the `@hourly`/`@daily` shortcuts).
- If you get errors when running the CronJob, check that the `serviceAccountName` line is present on the CronJob in the OKD UI and that the ClusterRoleBinding for that service account exists.