Openshift Cluster OAuth – AD LDAP

Create the following users and groups in AD. Only ocp-user is referenced by the OAuth configuration below (it is the group the LDAP search filter matches); the other groups are there to be bound to roles and projects inside OpenShift afterwards.

ocp-user: users with OpenShift access
  Any user who should be able to log in to OpenShift must be a member of this group. A valid AD account that is not a member is rejected at login, because the LDAP filter never returns it.
  All of the users listed below are in this group.
ocp-normal-dev: normal OpenShift users
  Regular users of OpenShift without special permissions.
  Contains: normaluser1, teamuser1, teamuser2
ocp-fancy-dev: fancy OpenShift users
  Users of OpenShift that are granted some special privileges.
  Contains: fancyuser1, fancyuser2
ocp-teamed-app: teamed app users
  A group of users that will have access to the same OpenShift Project.
  Contains: teamuser1, teamuser2

Create a Secret holding the bind account's password. It must live in the openshift-config namespace (the cluster OAuth object can only reference Secrets there) and the key must be named bindPassword. Note that --from-literal puts the password into your shell history; --from-file is the alternative if that matters.

oc create secret generic ldapuser-secret --from-literal=bindPassword=yourPassword -n openshift-config

Update the cluster OAuth object (oc edit oauth cluster) with the LDAP identity provider. As written, the provider uses ldap:// on port 389 with insecure: true, so the bind password and every user's password cross the network in cleartext; that is acceptable for a lab, but for anything else use ldaps:// on 636 with insecure: false and a ca ConfigMap (also in openshift-config) carrying the AD CA certificate.

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ldap
    challenge: false        # browser login only; oc login -u/-p needs challenge: true
    login: true
    mappingMethod: claim    # first login claims the preferredUsername; a later identity with the same name is rejected
    type: LDAP
    ldap:
      attributes:
        id:
        - distinguishedName   # identity key: changes if the account is moved to another OU
        email:
        - userPrincipalName
        name:
        - givenName
        preferredUsername:
        - sAMAccountName      # becomes the OpenShift user name
      bindDN: "cn=ldapuser,cn=Users,dc=dcloud,dc=demo,dc=com"
      bindPassword:
        name: ldapuser-secret   # Secret in openshift-config, key bindPassword
      insecure: true            # cleartext LDAP on 389; hardened form is ldaps:// with insecure: false and a ca ConfigMap
      # host/baseDN?attribute?scope?filter: the filter restricts login to members of ocp-user
      url: "ldap://ad1.dcloud.demo.com:389/cn=Users,dc=dcloud,dc=demo,dc=com?sAMAccountName?sub?(memberOf=cn=ocp-user,cn=Users,dc=dcloud,dc=demo,dc=com)"
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400   # access tokens expire after 24 h
Reference: https://rhthsa.github.io/openshift-demo/infrastructure-authentication-providers.html
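The url field is easy to get subtly wrong (the three ?-separated parts are attribute, scope and filter, and the filter is what actually limits login to the ocp-user group), and the insecure/scheme combination decides whether passwords are encrypted in transit. The following is an added example, not code from the page or from the referenced demo: it parses the provider's LDAP URL, lints the provider block for the points above, and produces a hardened copy on ldaps://. The provider is embedded as a constructed Python dict copied from the YAML above; the finding codes, the ad-ca-bundle ConfigMap name and the lint rules are this example's own assumptions, not OpenShift API names.

```python
import copy
from urllib.parse import urlsplit

# Constructed sample: the provider block from this page as a dict, so the
# checks run offline without a cluster or a YAML library.
PROVIDER = {
    "name": "ldap",
    "challenge": False,
    "login": True,
    "mappingMethod": "claim",
    "type": "LDAP",
    "ldap": {
        "attributes": {
            "id": ["distinguishedName"],
            "email": ["userPrincipalName"],
            "name": ["givenName"],
            "preferredUsername": ["sAMAccountName"],
        },
        "bindDN": "cn=ldapuser,cn=Users,dc=dcloud,dc=demo,dc=com",
        "bindPassword": {"name": "ldapuser-secret"},
        "insecure": True,
        "url": "ldap://ad1.dcloud.demo.com:389/cn=Users,dc=dcloud,dc=demo,dc=com"
               "?sAMAccountName?sub?(memberOf=cn=ocp-user,cn=Users,dc=dcloud,dc=demo,dc=com)",
    },
}


def parse_ldap_url(url):
    """Split an OpenShift LDAP URL (RFC 2255 shape: scheme://host:port/basedn?attr?scope?filter)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    # urlsplit keeps everything after the first '?' as the query; the two
    # remaining '?' separators are split here.
    attribute, _, rest = parts.query.partition("?")
    scope, _, ldap_filter = rest.partition("?")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": parts.path[1:],                   # drop the leading '/'
        "attribute": attribute or "uid",             # OpenShift defaults when a part is empty
        "scope": scope or "sub",
        "filter": ldap_filter or "(objectClass=*)",
    }


def lint_provider(provider):
    """Return (code, message) findings for an LDAP identity provider dict. Codes are this example's own."""
    findings = []
    ldap = provider["ldap"]
    u = parse_ldap_url(ldap["url"])
    insecure = bool(ldap.get("insecure", False))
    if u["scheme"] == "ldap" and insecure:
        findings.append(("CLEARTEXT", "bind password and every user's password cross the wire unencrypted"))
    if u["scheme"] == "ldaps" and insecure:
        findings.append(("LDAPS_INSECURE", "insecure: true is not valid with an ldaps:// URL"))
    if not insecure and "ca" not in ldap:
        findings.append(("NO_CA", "TLS validated against system roots only; add a ca ConfigMap for an internal AD CA"))
    f = u["filter"]
    if not (f.startswith("(") and f.endswith(")")):
        findings.append(("FILTER_SYNTAX", f"filter {f!r} is not a parenthesised LDAP filter"))
    if "memberof=" not in f.lower():
        findings.append(("NO_GROUP_FILTER", "every account under the base DN may log in; restrict with a memberOf filter"))
    if ldap["attributes"]["id"][0].lower() == "distinguishedname":
        findings.append(("DN_AS_ID", "identity follows the DN; moving the account to another OU creates a new "
                                     "identity, and with mappingMethod claim that login is rejected"))
    return findings


def harden(provider, ca_configmap="ad-ca-bundle"):
    """Return a copy switched to ldaps:// with certificate validation. ca_configmap is an assumed name."""
    hardened = copy.deepcopy(provider)
    ldap = hardened["ldap"]
    u = parse_ldap_url(ldap["url"])
    port = 636 if u["port"] == 389 else u["port"]
    ldap["url"] = f"ldaps://{u['host']}:{port}/{u['base_dn']}?{u['attribute']}?{u['scope']}?{u['filter']}"
    ldap["insecure"] = False
    ldap["ca"] = {"name": ca_configmap}   # ConfigMap in openshift-config holding the AD CA bundle
    return hardened


if __name__ == "__main__":
    for label, spec in (("as configured", PROVIDER), ("hardened", harden(PROVIDER))):
        print(f"{label}: {spec['ldap']['url']} insecure={spec['ldap']['insecure']}")
        for code, msg in lint_provider(spec):
            print(f"  [{code}] {msg}")
```

Run as-is it reports CLEARTEXT and DN_AS_ID for the page's provider and only DN_AS_ID for the hardened copy; the DN finding is left in place deliberately, since switching the id attribute is a decision to make before the first login (claim mapping ties the OpenShift user to whatever identity value is used first).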
