
The oc get identity or oc get identities command can be used to list the users that exist on the system under a particular identity provider.
IMPORTANT
Identities will not be listed until they have logged into OpenShift at least once.
~]$ oc get identity
NAME                                               IDP NAME            IDP USER NAME                              USER NAME   USER UID
htpasswd_provider:john.doe                         htpasswd_provider   john.doe                                   john.doe    6b9b184a-cfea-44bf-ad62-a4a3454881cc
my-ldap:Y249YzA0NDIwNixvdT11c2VycyxPPVRocml2ZW50   my-ldap             Y249YzA0NDIwNixvdT11c2VycyxPPVRocml2ZW50   jane.doe    5ad8f659-64ce-4c9c-9ca0-fe69521fd7f2
my-ldap:Y249YzA0NDQ2OSxvdT11c2VycyxPPVRocml2ZW50   my-ldap             Y249YzA0NDQ2OSxvdT11c2VycyxPPVRocml2ZW50   jack.doe    eb31ca82-4af7-477f-b6c7-53661b685189
Similarly, the oc get users command can be used to list the users that have logged into OpenShift.
IMPORTANT
Users will not be listed until they have logged into OpenShift at least once.
~]# oc get users
NAME       UID                                    FULL NAME   IDENTITIES
john.doe   6b9b184a-cfea-44bf-ad62-a4a3454881cc   john.doe    htpasswd_provider:john.doe
jane.doe   5ad8f659-64ce-4c9c-9ca0-fe69521fd7f2   jane.doe    example-ldap:Y249YzA0NDIwNixvdT11c2VycyxPPVRocml2ZW50
The openshift-authentication project / namespace handles OpenShift Authentication. By default, the openshift-authentication namespace should contain a few resources, such as a deployment, one or more pods, a service, a route, one or more config maps, and one or more secrets. There will typically be a config map that contains the enabled authentication methods.
~]$ oc get configmaps --namespace openshift-authentication
NAME DATA AGE
kube-root-ca.crt 1 161d
openshift-service-ca.crt 1 161d
v4-0-config-system-cliconfig 1 355d
v4-0-config-system-metadata 1 355d
v4-0-config-system-service-ca 1 355d
v4-0-config-system-trusted-ca-bundle 1 355d
In this example, the config map named v4-0-config-system-cliconfig in the openshift-authentication namespace contains an LDAP identity provider. OpenShift can be configured with the following identity providers.
- GitHub
- htpasswd (flat file with a user's username and password)
- keystone
- kubeadmin (default administrator user ID)
- LDAP
- OpenID Connect
~]$ oc get configmap v4-0-config-system-cliconfig --namespace openshift-authentication --output json
"identityProviders": [
  {
    "challenge": true,
    "login": true,
    "mappingMethod": "claim",
    "name": "my-ldap",
    "provider": {
      "apiVersion": "osin.config.openshift.io/v1",
      "attributes": {
        "email": [
          "mail"
        ],
        "id": [
          "dn"
        ],
        "name": [
          "cn"
        ],
        "preferredUsername": [
          "uid"
        ]
      },
      "bindDN": "cn=openshift_ldap,ou=Appmgmt,ou=svcs,O=acme",
      "bindPassword": {
        "env": "",
        "file": "/var/config/user/idp/0/secret/v4-0-config-user-idp-0-bind-password/bindPassword",
        "keyFile": "",
        "value": ""
      },
      "ca": "",
      "insecure": true,
      "kind": "LDAPPasswordIdentityProvider",
      "url": "ldap://ldap.example.com/o=acme?cn?sub?(groupmembership=cn=Openshift_users,ou=OpenShift,ou=applications,ou=groups,o=Acme)"
    }
  }
],
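The provider above sets "insecure": true on an ldap:// URL, which tells OpenShift to make no TLS connection to the LDAP server, so the bind password and every user's password cross the network in cleartext. The following check is an added example, not part of the original article: it reads the config map JSON and flags LDAP providers with that setting or with a bind password stored inline instead of in a mounted file. The sample input is constructed, and it assumes the provider list sits in a JSON string inside the config map's data (the code looks for identityProviders at any depth).

```python
import json
import sys

# Constructed sample of the config map JSON, trimmed to the fields the check
# reads. Assumption: the provider list sits in a JSON string under "data".
SAMPLE = json.dumps({"data": {"v4-0-config-system-cliconfig": json.dumps({"oauthConfig": {"identityProviders": [
        {"name": "my-ldap", "provider": {
            "kind": "LDAPPasswordIdentityProvider", "insecure": True,
            "bindPassword": {"file": "/var/config/user/idp/0/secret/v4-0-config-user-idp-0-bind-password/bindPassword", "value": ""},
            "url": "ldap://ldap.example.com/o=acme?cn?sub"}},
        {"name": "constructed-ldaps", "provider": {  # constructed TLS provider
            "kind": "LDAPPasswordIdentityProvider", "insecure": False,
            "url": "ldaps://ldap.example.com/o=acme?cn?sub"}},
    ]}})}})

def find_idps(node):
    """Yield each entry of every 'identityProviders' list, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "identityProviders" and isinstance(value, list):
                yield from value
            else:
                yield from find_idps(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_idps(item)

def audit(configmap_json):
    """Return (provider name, finding) pairs for LDAP identity providers."""
    findings = []
    for blob in json.loads(configmap_json).get("data", {}).values():
        try:
            cfg = json.loads(blob)
        except ValueError:
            continue  # data value is not JSON, for example a CA bundle
        for idp in find_idps(cfg):
            p = idp.get("provider") or {}
            if p.get("kind") != "LDAPPasswordIdentityProvider":
                continue
            if p.get("insecure"):
                findings.append((idp.get("name"), "insecure=true: no TLS to the LDAP server"))
            bp = p.get("bindPassword")  # may be a plain string or an object
            if (bp if isinstance(bp, str) else (bp or {}).get("value")):
                findings.append((idp.get("name"), "bind password stored inline in the config"))
    return findings

if __name__ == "__main__":  # oc get configmap ... --output json | python3 this_file.py
    for name, finding in audit(sys.stdin.read()):
        print(f"{name}: {finding}")
```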