This assumes you have already created an oAuth LDAP Identity Provider. If not, check out my article FreeKB - OpenShift - Create an oAuth LDAP Identity Provider.

ldap-sync can be used to import Users and Groups into OpenShift from LDAP. For example, let's say you have the following Groups in LDAP domain ldap.example.com.

CN=foo,OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com
CN=bar,OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com

The oc adm groups sync command can be used to sync the Groups in LDAP with OpenShift. Notice in this example that the command expects a file named config.yaml. If you do not use the --confirm command, then the command is a dry run, meaning no sync will actually be performed.

oc adm groups sync --sync-config=config.yaml --confirm

The config.yaml file could have something like this to sync groups in your example.com Domain Controller (dc). In this example, LDAP is associated with Active Directory.

kind: LDAPSyncConfig
apiVersion: v1
url: ldap://ldap.example.com:389
activeDirectory:
    usersQuery:
        baseDN: "OU=Groups,DC=ldap,DC=example,DC=com"
        scope: sub
        derefAliases: never
        filter: (objectclass=person)
        pageSize: 0
    userNameAttributes: [ mail ] 
    groupMembershipAttributes: [ memberOf ] 

This example uses augmentedActiveDirectory to sync both users and groups.

kind: LDAPSyncConfig
apiVersion: v1
url: ldap://ldap.example.com:389
bindDN: CN=openshift_ldap,OU=Service Accounts,OU=Accounts-X,DC=ldap,DC=example,DC=com
bindPassword: itsasecret
augmentedActiveDirectory:
    groupsQuery:
        baseDN: "OU=Groups,DC=ldap,DC=example,DC=com"
        scope: sub
        derefAliases: never
        pageSize: 0
    groupUIDAttribute: dn 
    groupNameAttributes: [ cn ] 
    usersQuery:
        baseDN: "DC=ldap,DC=example,DC=com"
        scope: sub
        derefAliases: never
        filter: (objectclass=person)
        pageSize: 0
    userNameAttributes: [ mail ] 
    groupMembershipAttributes: [ memberOf ] 

And this example uses RFC2307 to sync both users and groups.

kind: LDAPSyncConfig
apiVersion: v1
url: ldap://ldap.example.com:389 
insecure: false 
rfc2307:
    groupsQuery:
        baseDN: "OU=Groups,DC=ldap,DC=example,DC=com"
        scope: sub
        derefAliases: never
        pageSize: 0
    groupUIDAttribute: dn 
    groupNameAttributes: [ cn ] 
    groupMembershipAttributes: [ member ] 
    usersQuery:
        baseDN: "OU=Users,DC=ldap,DC=example,DC=com"
        scope: sub
        derefAliases: never
        pageSize: 0
    userUIDAttribute: dn 
    userNameAttributes: [ mail ] 
    tolerateMemberNotFoundErrors: false
    tolerateMemberOutOfScopeErrors: false

Before running the oc adm groups sync command you will need to sign into OpenShift.

oc login -u admin

If you don't, the oc adm groups sync command will return something like this.

Error building OpenShift group for LDAP group "CN=admins,OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com": Unauthorized.

By default, the oc adm groups sync command will attempt to sync each and every object in the LDAP domain, Users, Groups, Organizational Units (OU), and so on. Notice in this example that the oc adm groups sync command attempted to sync a group in the example.com base domain instead of the ldap.example.com subdomain. 

search for entry with dn="CN=admins,OU=OpenShift,OU=Groups-O365,CN=Groups,DC=example,DC=com" would search outside of the base dn specified (dn="OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com")

Almost always, you are not going to want to sync each and every object in your LDAP domain with OpenShift. Instead, there is probably just certain Users or Groups that you want to sync with OpenShift. whitelist or blacklist can be used so that only certain Users or Groups are sync'd. For example, let's say you have a file named whitelist.yaml that contains the following so that only the foo and bar groups are sync'd with OpenShift.

CN=foo,OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com
CN=bar,OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com

The --whitelist option can then be used to only sync the objects listed in the whitelist.yaml file.

oc adm groups sync --sync-config=config.yaml --whitelist=whitelist.yaml

Since the prior command did not include the --confirm flag, this will be a dry run means the Groups in the whitelist.yaml file will not be sync'd with OpenShift. Something like this should be returned if the dry run does not detect any problems.

apiVersion: v1
items:
- apiVersion: user.openshift.io/v1
  kind: Group
  metadata:
    annotations:
      openshift.io/ldap.sync-time: 2024-08-13T20:24:51-0500
      openshift.io/ldap.uid: CN=foo,OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com
      openshift.io/ldap.url: ldap.example.com:636
    creationTimestamp: "2023-08-17T02:45:31Z"
    labels:
      openshift.io/ldap.host: ldap.example.com
    name: foo
    resourceVersion: "303192139"
    uid: fc1ef499-a97d-438a-8fae-04a4f62198d8
  users:
  - john.doe
  - jane.doe
kind: List
metadata: {}

On the other hand, if something like this is returned, this almost always means the User or Group in the whitelist file does not exist in LDAP.

~]$ oc adm groups sync --sync-config=/path/to/config.yaml --whitelist=/path/to/whitelist.yaml 
Error building OpenShift group for LDAP group "CN=my_group,OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com": search for entry with base dn="CN=my_group,OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com" refers to a non-existent entry.
apiVersion: v1
items: []
kind: List
metadata: {}
search for entry with base dn="CN=my_group,OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com" refers to a non-existent entry
error: search for entry with base dn="CN=my_group,OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com" refers to a non-existent entry

Assuming no problems are detected in dry run, you can then include the --confirm flag to actually go ahead with the sync. If something like this is return, this means the sync should have been successful.

~]# oc adm groups sync --sync-config=config.yaml --whitelist=whitelist.yaml --confirm
group/foo
group/bar

Since this is something you will want to do often, such as daily or perhaps once every hour, almost always it makes sense to create a cronjob that run the oc adm groups sync command. Check out my article FreeKB - OpenShift - Schedule LDAP sync using cronjob.

The oc get groups command can be used to list the groups in OpenShift. Be aware that this may also include groups that were added to OpenShift outside of the LDAP sync process.

~]$ oc get groups
NAME                          USERS
foo                           jack.doe jacob.doe
bar                           josh.doe jenny.doe

Once groups have been sync'd, the oc describe group command should have LDAP annotations.

~]$ oc describe group foo
Name:           foo
Created:        4 months ago
Labels:         openshift.io/ldap.host=ldap.example.com
Annotations:    openshift.io/ldap.sync-time=2024-02-02T09:45:06Z
                openshift.io/ldap.uid=CN=foo,OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com
                openshift.io/ldap.url=ldap.example.com:636
Users:          john.doe
                jane.doe

Refer to this article if you want to remove Users or Groups from OpenShift that are no longer in LDAP - FreeKB - OpenShift - Remove LDAP Group using oc adm prune groups