
This assumes you have already imported one or more groups into OpenShift using LDAP sync. If not, check out my article FreeKB - OpenShift - Import Users and Groups using ldap-sync.
First and foremost, you will need to sign into OpenShift.
oc login -u admin
Let's say you've imported the groups named "foo" and "bar" from ldap.example.com. The oc describe group command should show that the "foo" and "bar" groups have the LDAP annotations.
~]$ oc describe group foo
Name: foo
Created: 4 months ago
Labels: openshift.io/ldap.host=ad.example.com
Annotations: openshift.io/ldap.sync-time=2024-02-02T09:45:06Z
openshift.io/ldap.uid=CN=foo,OU=Groups-O365,OU=Groups,DC=ad,DC=example,DC=com
openshift.io/ldap.url=ad.example.com:636
Users: john.doe
jane.doe
Let's create a file named groups_to_remove.yml that contains the groups that you want to remove. In this example, groups_to_remove.yml contains "foo" and "bar" meaning an attempt will be made to remove the foo and bar groups from OpenShift.
~]# cat groups_to_remove.yml
foo
bar
The oc adm prune groups command can be used to attempt to remove the groups from OpenShift. If you do not include the --confirm flag, this is a dry run, meaning the groups will not be removed from OpenShift. If no output is returned, none of the listed groups would be removed from OpenShift. The most likely reason a group would not be removed is that the group still exists in LDAP.
Notice also that in this example --sync-config points to a config.yaml file. This is the same config YAML file that you use when importing groups. Check out my article FreeKB - OpenShift - Import Users and Groups using ldap-sync for more details on the config YAML file.
~]# oc adm prune groups --whitelist=/path/to/groups_to_remove.yaml --sync-config=/path/to/config.yaml
If there is output, the groups listed in the output will be removed from OpenShift, which also means those groups no longer exist in LDAP. In this example, the "foo" group would be removed but the "bar" group would not.
~]# oc adm prune groups --whitelist=/path/to/groups_to_remove.yaml --sync-config=/path/to/config.yaml
group/foo
Optionally, --loglevel can be used to display a bit more detail about what the oc adm prune groups command is doing.
~]# oc adm prune groups --whitelist=/path/to/groups_to_remove.yaml --sync-config=/path/to/config.yaml --loglevel=4
I0813 20:36:36.647162 1382177 grouppruner.go:47] LDAPGroupPruner listing groups to prune with &{[foo] map[] 0xc000d98900 ldap.example.com:636 map[]}
I0813 20:36:36.687023 1382177 grouppruner.go:53] LDAPGroupPruner will attempt to prune ldapGroupUIDs [CN=foo,OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com]
I0813 20:36:36.687040 1382177 grouppruner.go:56] Checking LDAP group CN=foo,OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com
I0813 20:36:36.693828 1382177 query.go:235] searching LDAP server with config {Scheme: ldaps Host: ldap.example.com:636 BindDN: CN=openshift_ldap,OU=Service Accounts,OU=Accounts-X,DC=ldap,DC=example,DC=com len(BbindPassword): 12 Insecure: false} with dn="CN=foo,OU=Groups,DC=ldap,DC=example,DC=com" and scope 0 for (objectClass=*) requesting [cn dn] with pageSize=10
I0813 20:36:36.701309 1382177 query.go:235] searching LDAP server with config {Scheme: ldaps Host: ldap.example.com:636 BindDN: CN=openshift_ldap,OU=Service Accounts,OU=Accounts-X,DC=ldap,DC=example,DC=com len(BbindPassword): 12 Insecure: false} with dn="DC=ldap,DC=example,DC=com" and scope 2 for (&((objectclass=person))(memberOf=CN=foo,OU=OpenShift,OU=Groups-O365,OU=Groups,DC=ldap,DC=example,DC=com)) requesting [memberOf sAMAccountName] with pageSize=10
group/foo
You can then reissue the command with the --confirm flag to go ahead with the actual removal of the group.
oc adm prune groups --whitelist=/path/to/groups_to_remove.yaml --sync-config=/path/to/config.yaml --loglevel=4 --confirm
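As an added example (not from this article or the OpenShift project), here is a small POSIX shell wrapper that always runs the dry run first, reports for each whitelisted group whether it would be pruned or kept, and only re-runs with --confirm when explicitly asked. It assumes a whitelist file with one group name per line and reads the oc binary from an OC variable so the functions can be exercised without a cluster.

```shell
#!/bin/sh
# Added example: wrapper around `oc adm prune groups` (not the article's code).
# Assumption: OC names the oc binary; override it to test without a cluster.
OC="${OC:-oc}"

# classify_groups WHITELIST DRYRUN_OUTPUT
# For each whitelisted group print "<name> PRUNE" if the dry run listed it as
# group/<name> (it is gone from LDAP) or "<name> KEEP" if it did not (it still
# exists in LDAP, so the prune would leave it alone).
classify_groups() {
  while IFS= read -r name || [ -n "$name" ]; do
    [ -z "$name" ] && continue                  # ignore blank lines
    if grep -qxF "group/$name" "$2"; then
      printf '%s PRUNE\n' "$name"
    else
      printf '%s KEEP\n' "$name"
    fi
  done < "$1"
}

# prune_groups WHITELIST SYNC_CONFIG [confirm]
# Run the dry run, print the classification, and remove groups only when the
# third argument is the literal word "confirm" and at least one group would go.
prune_groups() {
  whitelist="$1"; sync_config="$2"; mode="${3:-dry-run}"
  dryrun="$(mktemp)"
  "$OC" adm prune groups --whitelist="$whitelist" --sync-config="$sync_config" > "$dryrun"
  classify_groups "$whitelist" "$dryrun"
  n="$(grep -c '^group/' "$dryrun" || true)"  # grep -c exits 1 on zero matches
  rm -f "$dryrun"
  if [ "$n" -eq 0 ]; then
    echo "nothing to prune: all whitelisted groups still exist in LDAP"
    return 0
  fi
  if [ "$mode" != "confirm" ]; then
    echo "dry run only; re-run with 'confirm' to remove $n group(s)"
    return 0
  fi
  "$OC" adm prune groups --whitelist="$whitelist" --sync-config="$sync_config" --confirm
}
```

Reviewing the PRUNE/KEEP lines before confirming is the cheap check that the groups about to disappear are the ones you meant, since any RoleBindings that reference a pruned group lose that subject.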