Bootstrap FreeKB - OpenShift - Import Active Directory groups using LDAP sync


A dedicated namespace such as ldap-sync can be used to import Active Directory groups into OpenShift. For example, let's say you have the following two groups in Active Directory, foo and bar.

CN=foo,OU=Groups-O365,OU=Groups,DC=ad,DC=example,DC=com
CN=bar,OU=Groups-O365,OU=Groups,DC=ad,DC=example,DC=com


You can create an Opaque secret named ldap-sync in the ldap-sync namespace that contains a TXT file such as ldap-sync-whitelist.txt listing the Active Directory groups you want to import into OpenShift.

~]$ oc get secrets --namespace ldap-sync
NAME            TYPE        DATA   AGE
ldap-sync       Opaque      3      139d


The content of the TXT file will contain the Active Directory groups you want to import into OpenShift.

~]$ oc get secret ldap-sync --namespace ldap-sync --output jsonpath="{.data.ldap-sync-whitelist\.txt}" | base64 --decode
CN=foo,OU=Groups-O365,OU=Groups,DC=ad,DC=example,DC=com
CN=bar,OU=Groups-O365,OU=Groups,DC=ad,DC=example,DC=com


And then you can have a recurring cronjob that runs an oc command to import the groups listed in the TXT file.

~]$ oc get cronjob --namespace ldap-sync
NAME              SCHEDULE             SUSPEND   ACTIVE   LAST SCHEDULE   AGE
ldap-group-sync   15,48 0,2-23 * * *   False     0        14m             139d


For example, the cronjob could run the oc adm groups sync command to import the groups listed in the TXT file.

~]$ oc describe cronjob ldap-group-sync --namespace ldap-sync
Pod Template:
  Containers:
   oc-cli:
    Command:
      oc
    Args:
      adm
      groups
      sync
      --whitelist=/ldap-sync/ldap-sync-whitelist.txt
      --sync-config=/ldap-sync/ldap-sync.yaml
      --confirm
    Mounts:
      /ldap-sync/ from config (ro)
  Volumes:
   config:
    Type:            Secret (a volume populated by a Secret)
    SecretName:      ldap-sync
    Optional:        false
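
The two files behind that cronjob, as an added example (not from the original article): first the ldap-sync.yaml LDAPSyncConfig that is stored in the ldap-sync secret next to the whitelist, then the CronJob manifest that produces the oc describe output above. The bind account DN, the bindPassword and ca.crt entries in the secret, the ldap-group-syncer service account (which must be bound to a cluster role that may manage groups), and the ose-cli image are assumptions.

```yaml
# File 1: ldap-sync.yaml, stored in the ldap-sync secret (augmented Active Directory schema)
kind: LDAPSyncConfig
apiVersion: v1
url: ldaps://ad.example.com:636
bindDN: "CN=svc-ldap-sync,OU=Service Accounts,DC=ad,DC=example,DC=com"  # assumed account
bindPassword:
  file: /ldap-sync/bindPassword   # read from the mounted secret, never written inline
insecure: false                   # require TLS to the ldaps:// URL
ca: /ldap-sync/ca.crt             # CA that signed the AD server certificate (assumed entry)
augmentedActiveDirectory:
  groupsQuery:
    baseDN: "OU=Groups,DC=ad,DC=example,DC=com"
    scope: sub
  groupUIDAttribute: dn           # whitelist entries and the ldap.uid annotation are full DNs
  groupNameAttributes: [cn]       # group "foo" is named after its CN
  usersQuery:
    baseDN: "DC=ad,DC=example,DC=com"
    scope: sub
    filter: "(objectClass=person)"
  userNameAttributes: [sAMAccountName]   # users appear as john.doe, jane.doe
  groupMembershipAttributes: [memberOf]
---
# File 2: cronjob.yaml, applied with oc apply -f
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ldap-group-sync
  namespace: ldap-sync
spec:
  schedule: "15,48 0,2-23 * * *"
  concurrencyPolicy: Forbid       # never let two syncs overlap
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: ldap-group-syncer   # assumed SA allowed to manage groups
          restartPolicy: Never
          containers:
          - name: oc-cli
            image: registry.redhat.io/openshift4/ose-cli:latest   # assumed image
            command: ["oc"]
            args: ["adm", "groups", "sync",
                   "--whitelist=/ldap-sync/ldap-sync-whitelist.txt",
                   "--sync-config=/ldap-sync/ldap-sync.yaml", "--confirm"]
            volumeMounts:
            - {name: config, mountPath: /ldap-sync/, readOnly: true}
          volumes:
          - name: config
            secret: {secretName: ldap-sync, optional: false}
```

Running the same oc adm groups sync command without --confirm prints the groups that would be created or updated without changing anything, which is a useful check before enabling the schedule.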


Once groups have been synced, the oc describe group command should show the LDAP label and annotations.

~]$ oc describe group foo
Name:           foo
Created:        4 months ago
Labels:         openshift.io/ldap.host=ad.example.com
Annotations:    openshift.io/ldap.sync-time=2024-02-02T09:45:06Z
                openshift.io/ldap.uid=CN=foo,OU=Groups-O365,OU=Groups,DC=ad,DC=example,DC=com
                openshift.io/ldap.url=ad.example.com:636
Users:          john.doe
                jane.doe
