OpenShift - List the enabled authentication methods

by Jeremy Canfield | Updated: October 13 2022

The openshift-authentication namespace handles OpenShift authentication. By default, the openshift-authentication project should contain a few objects, such as a deployment, one or more pods, a service, a route, one or more config maps, and one or more secrets. There will typically be a config map that contains the enabled authentication methods.
~]$ oc get configmaps --namespace openshift-authentication
NAME                                   DATA   AGE
kube-root-ca.crt                       1      161d
openshift-service-ca.crt               1      161d
v4-0-config-system-cliconfig           1      355d
v4-0-config-system-metadata            1      355d
v4-0-config-system-service-ca          1      355d
v4-0-config-system-trusted-ca-bundle   1      355d
In this example, the config map named v4-0-config-system-cliconfig in the openshift-authentication namespace contains an LDAP identity provider. OpenShift can be configured with the following identity providers.
- GitHub
- htpasswd (flat file with a user's username and password)
- keystone
- kubeadmin (default administrator user ID)
- LDAP
- OpenID Connect
~]$ oc get configmap v4-0-config-system-cliconfig --namespace openshift-authentication --output json
"identityProviders": [
  {
    "challenge": true,
    "login": true,
    "mappingMethod": "claim",
    "name": "my-ldap",
    "provider": {
      "apiVersion": "osin.config.openshift.io/v1",
      "attributes": {
        "email": [
          "mail"
        ],
        "id": [
          "dn"
        ],
        "name": [
          "cn"
        ],
        "preferredUsername": [
          "uid"
        ]
      },
      "bindDN": "cn=openshift_ldap,ou=Appmgmt,ou=svcs,O=acme",
      "bindPassword": {
        "env": "",
        "file": "/var/config/user/idp/0/secret/v4-0-config-user-idp-0-bind-password/bindPassword",
        "keyFile": "",
        "value": ""
      },
      "ca": "",
      "insecure": true,
      "kind": "LDAPPasswordIdentityProvider",
      "url": "ldap://ldap.example.com/o=acme?cn?sub?(groupmembership=cn=Openshift_users,ou=OpenShift,ou=applications,ou=groups,o=Acme)"
    }
  }
],
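An added example (not from the original article): a Python script that reads the `oc get configmap ... --output json` result on stdin, lists each identity provider's name and kind, and flags the `"insecure": true` with `ldap://` combination shown above, which makes OpenShift connect to the LDAP server without TLS. The function names, the `data`/`oauthConfig` nesting of the sample, and the htpasswd entry are assumptions constructed for illustration.

```python
import json
import sys
from urllib.parse import urlsplit

def find_identity_providers(node):
    """Collect every "identityProviders" entry, descending into JSON held in string values."""
    if isinstance(node, str):
        try:
            return find_identity_providers(json.loads(node))
        except ValueError:
            return []
    if isinstance(node, list):
        return [idp for item in node for idp in find_identity_providers(item)]
    if isinstance(node, dict):
        found = list(node.get("identityProviders") or [])
        for key, value in node.items():
            if key != "identityProviders":
                found += find_identity_providers(value)
        return found
    return []

def audit(idp):
    """Return transport and secret-handling findings for one provider entry."""
    provider = idp.get("provider", {})
    findings = []
    if provider.get("kind") == "LDAPPasswordIdentityProvider":
        scheme = urlsplit(provider.get("url", "")).scheme.lower()
        if provider.get("insecure") and scheme == "ldap":
            findings.append("ldap:// with insecure=true: no TLS, passwords sent in cleartext")
        secret = provider.get("bindPassword") or {}
        if secret.get("value"):
            findings.append("bindPassword.value is set inline in the config map")
    return findings

def summarize(configmap_json):
    """Map provider name -> (kind, findings) for the JSON text printed by oc."""
    return {idp.get("name"): (idp.get("provider", {}).get("kind"), audit(idp))
            for idp in find_identity_providers(json.loads(configmap_json))}

# Constructed sample; the data/oauthConfig nesting and the htpasswd entry are assumptions.
SAMPLE = json.dumps({"data": {"v4-0-config-system-cliconfig": json.dumps({"oauthConfig": {
    "identityProviders": [
        {"name": "my-ldap", "provider": {"kind": "LDAPPasswordIdentityProvider", "insecure": True,
         "url": "ldap://ldap.example.com/o=acme?cn?sub", "bindPassword": {"file": "/placeholder", "value": ""}}},
        {"name": "htpasswd_provider", "provider": {"kind": "HTPasswdPasswordIdentityProvider"}}]}})}})

if __name__ == "__main__":
    text = ("" if sys.stdin.isatty() else sys.stdin.read()).strip() or SAMPLE
    for name, (kind, findings) in summarize(text).items():
        print(f"{name}: {kind}", *findings, sep="\n  WARNING: ")
```

Pipe the `oc get configmap v4-0-config-system-cliconfig --namespace openshift-authentication --output json` output into the script; with no input it falls back to the constructed sample.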
The oc get identity command can be used to list the users that exist on the system under a particular identity provider.
~]$ oc get identity
NAME                                               IDP NAME            IDP USER NAME                              USER NAME   USER UID
htpasswd_provider:john.doe                         htpasswd_provider   john.doe                                   john.doe    6b9b184a-cfea-44bf-ad62-a4a3454881cc
my-ldap:Y249YzA0NDIwNixvdT11c2VycyxPPVRocml2ZW50   my-ldap             Y249YzA0NDIwNixvdT11c2VycyxPPVRocml2ZW50   jane.doe    5ad8f659-64ce-4c9c-9ca0-fe69521fd7f2
my-ldap:Y249YzA0NDQ2OSxvdT11c2VycyxPPVRocml2ZW50   my-ldap             Y249YzA0NDQ2OSxvdT11c2VycyxPPVRocml2ZW50   jack.doe    eb31ca82-4af7-477f-b6c7-53661b685189