Bootstrap FreeKB - OpenShift - Create an oAuth LDAP Identity Provider

To import users and groups into OpenShift using LDAP you can create an oAuth LDAP Identity Provider custom resource. For example, the following YAML is the basic syntax for the oAuth LDAP Identity Provider custom resource. Notice in this example that the bindPassword is stored in a secret named ldap-secret and the Certificate Authority (CA) is stored in a config map named ca-config-map. Thus, before applying this YAML, the secret and config map must first be created.

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ldapidp
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id:
        - dn
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: ""
      bindPassword:
        name: ldap-secret
      ca:
        name: ca-config-map
      insecure: false
      url: "ldaps://ldaps.example.com/ou=users,dc=acme,dc=com?uid"

 

Let's create an opaque generic secret in the openshift-config namespace that contains the password used to bind to your LDAP identity provider. The oc create secret command can be used to create the opaque generic secret.

oc create secret generic ldap-secret --from-literal=bindPassword=<your_ldap_bind_password> --namespace openshift-config 

 

Once created, the oc get secret command can be used to verify the secret exists and contains the correct LDAP bind password. Note that values under data are base64 encoded, so decode the bindPassword value before comparing it with the plaintext password.

~]$ oc get secret ldap-secret --namespace openshift-config --output yaml
apiVersion: v1
data:
  bindPassword: itsasecret
kind: Secret
metadata:
  creationTimestamp: "2023-08-16T18:58:06Z"
  name: ldap-secret
  namespace: openshift-config
  resourceVersion: "29051910"
  uid: eace4934-9393-48ab-8b05-c75c1575ae77
type: Opaque

 

Next, let's use the oc create configmap command in the openshift-config namespace to create a config map that contains the Certificate Authority (CA) public certificate that can be used to establish a secured connection to your LDAP identity provider. For example, let's say ca.pem contains the public certificate.

oc create configmap ca-config-map --from-file=ca.crt=/path/to/ca.pem --namespace openshift-config

 

And then the oc apply command can be used to apply the oAuth YAML file.

oc apply -f oauth.yml

 

Once applied, there should then be an oAuth resource. Since our YAML file had metadata name cluster, the name of the resource is "cluster".

~]$ oc get oauth
NAME      AGE
cluster   3y304d

 

And the oc get oauth command with the --output yaml or json option can be used to see the YAML or JSON.

~]$ oc get oauth cluster --output yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  creationTimestamp: "2020-09-30T15:41:25Z"
  name: cluster
  resourceVersion: "1730679458"
  uid: f1a37a7e-17ce-4747-8c53-171fa3f767bc
spec:
  identityProviders:
  - ldap:
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: ""
      bindPassword:
        name: ldap-ad-secret
      ca:
        name: ca-config-map
      insecure: false
      url: ldaps://ldaps.example.com/ou=users,dc=acme,dc=com?uid
    mappingMethod: claim
    type: LDAP

 

An LDAP entry typically has a format like this. In this example, Common Name (cn) john.doe is in the People Organizational Unit (ou) in the example.com Domain Controller (dc).

cn=john.doe,ou=People,dc=example,dc=com

 

In this example, User ID (uid) john.doe is in the People Organizational Unit (ou) in the example.com Domain Controller (dc).

uid=john.doe,ou=People,dc=example,dc=com

 

Notice that the oAuth Identity Provider custom resource has mappingMethod: claim and preferredUsername: uid. This means that the oAuth Identity Provider will look for a User ID (uid) entry in LDAP.

Assuming the LDAP entry is uid=john.doe, John Doe should be able to log into OpenShift.

oc login -u john.doe
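As an added example (not from this article or from OpenShift itself) of what the url and attributes fields above mean: a Python preflight that parses the LDAP URL the way the provider does, flags the misconfigurations most worth catching before oc apply, and shows how an entry such as uid=john.doe maps to the User that oc login produces. The LDAP_IDP dict is a constructed copy of the YAML above, and the LDAP entry in the test is constructed too.

```python
from urllib.parse import urlsplit, unquote

# Constructed copy of the ldap identity provider from the OAuth YAML in this article.
LDAP_IDP = {
    "name": "ldapidp", "mappingMethod": "claim", "type": "LDAP",
    "ldap": {
        "attributes": {"id": ["dn"], "email": ["mail"], "name": ["cn"],
                       "preferredUsername": ["uid"]},
        "bindDN": "", "bindPassword": {"name": "ldap-secret"},
        "ca": {"name": "ca-config-map"}, "insecure": False,
        "url": "ldaps://ldaps.example.com/ou=users,dc=acme,dc=com?uid",
    },
}

def parse_ldap_url(url):
    """Split an RFC 2255 LDAP URL (scheme://host[:port]/basedn?attr?scope?filter)
    into the parts the provider uses to find the user, applying OpenShift's defaults."""
    parts = urlsplit(url)
    # Everything after the first '?' lands in .query; split it into the three fields.
    attr, scope, ldap_filter = (parts.query.split("?") + ["", "", ""])[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attr or "uid",  # attribute compared with the name given to oc login
        "scope": scope or "sub",
        "filter": unquote(ldap_filter) or "(objectClass=*)",
    }

def check_ldap_idp(idp):
    """Return findings for the misconfigurations most worth catching before oc apply."""
    ldap, findings = idp["ldap"], []
    url = parse_ldap_url(ldap["url"])
    if ldap.get("insecure") and url["scheme"] == "ldaps":
        findings.append("insecure must be false when the url is ldaps://")
    if ldap.get("insecure") and url["scheme"] == "ldap":
        findings.append("insecure: true with ldap:// sends bind and user passwords in cleartext")
    if not ldap.get("insecure") and not ldap.get("ca", {}).get("name"):
        findings.append("no ca config map referenced; the server certificate must chain to the system trust store")
    if ldap.get("bindDN") and not ldap.get("bindPassword", {}).get("name"):
        findings.append("bindDN is set but bindPassword does not reference a secret")
    if not ldap["attributes"].get("id"):
        findings.append("attributes.id needs at least one attribute")
    return findings

def identity_fields(entry, attributes):
    """Map an LDAP entry (attr -> values) to identity fields: first listed attribute with a value wins."""
    return {field: next((entry[a][0] for a in attrs if entry.get(a)), None)
            for field, attrs in attributes.items()}
```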

 

If john.doe is able to log into OpenShift, two resources should be created: a User resource and an Identity resource.

The oc get users command can be used to list the users that have logged into OpenShift.

IMPORTANT

Users will not be listed until they have logged into OpenShift at least once.

~]# oc get users
NAME            UID                                   FULL NAME  IDENTITIES
jane.doe        6b9b184a-cfea-44bf-ad62-a4a3454881cc  jane.doe   htpasswd_provider:jane.doe
john.doe        5ad8f659-64ce-4c9c-9ca0-fe69521fd7f2  john.doe   my-ldap:Y249YzA0NDIwNixvdT11c2VycyxPPVRocml2ZW50

 

Similarly, the oc get identity command can be used to list the identities that exist on the system under a particular identity provider.

IMPORTANT

Identities will not be listed until they have logged into OpenShift at least once.

~]$ oc get identity
NAME                                                  IDP NAME           IDP USER NAME                               USER NAME       USER UID
my-ldap:Y249YzA0NDIwNixvdT11c2VycyxPPVRocml2ZW50      my-ldap            Y249YzA0NDIwNixvdT11c2VycyxPPVRocml2ZW50    john.doe        5ad8f659-64ce-4c9c-9ca0-fe69521fd7f2
