Configure and Troubleshoot LDAP on OpenShift

One of the most frequent asked questions that I get is how to configure LDAP on OpenShift. Instead of replying back with my PDF every time I get a request about this. It maybe good to share the info here, so I can always refer back to. As for configuring LDAP on OpenShift is pretty straight forward if you have all the correct information to connect. In the blog I will walk you through the configuration for both pre & post installation options. Also, I will provide some of the troubleshooting steps on how to debug if you run into issues.

Problem: Can’t login with LDAP users.

AD usually is using sAMAccountName as uid for login. LDAP usually is using uid for login

Step 1

Use the following ldapsearch to validate the informaiton was given by customer: ldapsearch -x – D “CN=xxx,OU=Service-Accounts,OU=DCS,DC=homeoffice,DC=example,DC=com” \ -W -H ldaps://ldaphost.example.com -b “ou=Users,dc=office,dc=example,DC=com” \ -s sub ‘sAMAccountName=user1’

If the ldapsearch did not return any user, it means -D or -b may not be correct. Retry different baseDN. If there is too many enteries returns, add filter to your search. Filter example is (objectclass=people)

filter example: (objectclass=person)

Step 2

Logging: set OPTIONS=–loglevel=5 in /etc/sysconfig/atomic-openshift-master step 3

Since customer had htpasswd provider setup before switch to Active Directory and the user identity was created for the same users. In journalctl -u atomic-openshift-master, it logged conflict with the user identity when user trying to login.

Here was the step
oc get identity 
oc delete identity <name_of_identity_that_user1> 
oc get user oc delete user user1
Inspiration from :
Final configuration in master-config.yaml was as shown below.

oauthConfig:
  assetPublicURL: https://master.example.com:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - name: "OfficeAD"
    challenge: true
    login: true
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id:
        - dn
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - sAMAccountName
      bindDN: "CN=LinuxSVC,OU=Service-Accounts,OU=DCS,DC=office,DC=example,DC=com"
      bindPassword: "password"
      ca: ad-ca.pem.crt
      insecure: false
      url: "ldaps://ad-server.example.com:636/CN=Users,DC=hoffice,DC=example,DC=com?sAMAccountName?sub"

Published by

shannachan

Shanna Chan is a passionate and self driven technologist who enjoy solving problems and share knowledge with others. Strong engineering professional skilled in presales, middleware, OpenShift, Docker, Kubernetes, open source technologies, IT Strategy, DevOps, Professional Services, Java, and Platform as a Service (PaaS).

One thought on “Configure and Troubleshoot LDAP on OpenShift”

  1. On login at web-console with ldap identityprovider i am getting error

    An authentication error occurred.

    Before configuring LDAP i verified connectivity with “ldapsearch”, now i want to debug what goes to AD and what response openshift received.

    I enabled debugging by editing below file and setting “DEBUG_LOGLEVEL=4”

    vi /etc/origin/master/master.env

    but i am unable to find anything in /var/log/messages or master-logs api api

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s