One of the questions I get asked most often is how to configure LDAP on OpenShift. Instead of replying with my PDF every time the request comes in, it seems better to share the information here so I can always refer back to it. Configuring LDAP on OpenShift is fairly straightforward if you have all the correct connection information. In this post I will walk you through the configuration for both the pre-installation and post-installation options, and I will also cover some troubleshooting steps for debugging if you run into issues.
Problem: Can’t login with LDAP users.
Active Directory usually uses sAMAccountName as the login attribute, while other LDAP directories usually use uid.
Use the following ldapsearch to validate the information given by the customer (-W prompts for the bind password instead of putting it on the command line):

ldapsearch -x -D "CN=xxx,OU=Service-Accounts,OU=DCS,DC=homeoffice,DC=example,DC=com" \
  -W -H ldaps://ldaphost.example.com -b "ou=Users,dc=office,dc=example,DC=com" \
  -s sub '(sAMAccountName=user1)'
If the ldapsearch does not return any user, the -D bind DN or the -b base DN is probably not correct; retry with a different base DN. If too many entries are returned, add a filter to your search, for example (objectclass=person).
Logging: set OPTIONS=--loglevel=5 in /etc/sysconfig/atomic-openshift-master (step 3).
In this case the customer had the htpasswd provider set up before switching to Active Directory, so user identities had already been created for the same users. journalctl -u atomic-openshift-master logged a conflict with the existing user identity whenever one of those users tried to log in.
oc get identity
oc delete identity <name_of_identity_for_user1>
oc get user
oc delete user user1
oauthConfig:
  assetPublicURL: https://master.example.com:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - name: "OfficeAD"
    challenge: true
    login: true
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id:
        - dn
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - sAMAccountName
      bindDN: "CN=LinuxSVC,OU=Service-Accounts,OU=DCS,DC=office,DC=example,DC=com"
      bindPassword: "password"
      ca: ad-ca.pem.crt
      insecure: false
      url: "ldaps://ad-server.example.com:636/CN=Users,DC=hoffice,DC=example,DC=com?sAMAccountName?sub"
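The provider url above packs the base DN, login attribute and scope into one RFC 2255 LDAP URL, and the ldapsearch used for troubleshooting has to match it exactly. The following helper is an added example (not part of the original post or of OpenShift itself): it parses that URL, builds the equivalent ldapsearch argument list, and flags transport settings that would expose the bind password. The PROVIDER values are a constructed sample mirroring the block above.

```python
"""Derive the ldapsearch validation command from an OpenShift 3
LDAPPasswordIdentityProvider block and flag weak transport settings."""
from urllib.parse import urlsplit, unquote

# Constructed sample mirroring the provider block in this post (hosts are not real).
PROVIDER = {
    "bindDN": "CN=LinuxSVC,OU=Service-Accounts,OU=DCS,DC=office,DC=example,DC=com",
    "ca": "ad-ca.pem.crt",
    "insecure": False,
    "url": "ldaps://ad-server.example.com:636/CN=Users,DC=hoffice,DC=example,DC=com?sAMAccountName?sub",
}


def parse_ldap_url(url):
    """Split an RFC 2255 LDAP URL (scheme://host:port/baseDN?attribute?scope?filter).
    Missing fields take the defaults the identity provider applies: uid, sub, (objectClass=*)."""
    parts = urlsplit(url)
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    return {
        "scheme": parts.scheme,
        "host": parts.netloc,
        "base": unquote(parts.path.lstrip("/")),
        "attr": fields[0] or "uid",
        "scope": fields[1] or "sub",
        "filter": fields[2] or "(objectClass=*)",
    }


def ldapsearch_args(provider, login_name):
    """Argument list for the ldapsearch that reproduces the provider's user lookup.
    -W prompts for bindPassword so the secret never lands in shell history."""
    u = parse_ldap_url(provider["url"])
    search_filter = "(&%s(%s=%s))" % (u["filter"], u["attr"], login_name)
    return ["ldapsearch", "-x", "-D", provider["bindDN"], "-W",
            "-H", "%s://%s" % (u["scheme"], u["host"]),
            "-b", u["base"], "-s", u["scope"], search_filter]


def transport_findings(provider):
    """Settings that would expose the bind password or break certificate validation."""
    u = parse_ldap_url(provider["url"])
    findings = []
    if provider.get("insecure"):
        findings.append("insecure: true sends the bind password and user passwords in cleartext")
    elif u["scheme"] == "ldap":
        findings.append("ldap:// with insecure: false relies on StartTLS; confirm the directory offers it")
    if not provider.get("insecure") and not provider.get("ca"):
        findings.append("no ca set: the directory certificate must chain to the master's system trust store")
    return findings
```

Run `" ".join(ldapsearch_args(PROVIDER, "user1"))` to get the command to paste into a shell on the master; an empty result from transport_findings means the block keeps the bind over TLS with a pinned CA.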