Introduction
Integrating your cluster with Active Directory can bolster security. In this post, we’ll walk through the steps to configure Active Directory as an OpenShift identity provider. By bridging these platforms, you gain more control over your users and applications, and the cluster uses the same user accounts as the rest of your ecosystem. Essentially, it gives you another, easier way to secure your platform.
Procedure
Create your Active Directory User:
Enter the details. Note the Full name and press Next.
Enter the user password. Make sure you select Password never expires as this will be a service account.
Press Next.
The user is created. Now press Finish.
Validate the user from Bastion
Let’s make sure your LDAP connection and the service account credentials are working. Note that this check binds over plain ldap:// on port 389 with the password on the command line; it only validates the account, while the identity provider itself will connect over ldaps:// on port 636.
$ yum install openldap-clients
$ ldapsearch -x -H ldap://<ldap_ip>:389 -b 'dc=example,dc=com' -D 'OCP ldapUser' -w 'password' "(objectClass=person)"
Make sure the password you’ve entered is correct. If not, you’ll probably get the following error:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580
Create a sample LDAP CR
01_oauth_ad.yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: Active Directory IdP
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id:
        - dn
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - sAMAccountName
      bindDN: "OCP ldapUser"
      bindPassword:
        name: ldap-secret
      ca:
        name: ca-config-map
      insecure: false
      url: "ldaps://<ldap_ip>:636/cn=Users,dc=example,dc=local?sAMAccountName"
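To make the url, insecure and ca fields of the CR concrete, here is an added Python example (not code from the original post or from OpenShift itself). It splits the identity provider URL into base DN, attribute, scope and filter, builds the escaped search filter that OpenShift issues for a login name, and flags transport settings that weaken TLS to the directory. The host ad.example.local stands in for <ldap_ip>, and the defaults uid, sub and (objectClass=*) are taken from the OpenShift LDAP identity provider documentation.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# RFC 4515: characters that are special inside an LDAP filter, and their escapes.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_DEFAULTS = ("uid", "sub", "(objectClass=*)")  # attribute, scope, filter when omitted

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before it is placed inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

@dataclass
class LdapIdpUrl:
    scheme: str
    host: str
    base_dn: str
    attribute: str
    scope: str
    filter: str

def parse_idp_url(url: str) -> LdapIdpUrl:
    """Split an OpenShift LDAP IdP URL: scheme://host:port/basedn?attribute?scope?filter."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    fields = [unquote(f) for f in parts.query.split("?")[:3]] if parts.query else []
    fields += [""] * (3 - len(fields))  # pad so omitted fields fall back to defaults
    attribute, scope, flt = (f or d for f, d in zip(fields, _DEFAULTS))
    if scope not in ("sub", "one"):
        raise ValueError(f"unsupported scope: {scope!r}")
    return LdapIdpUrl(parts.scheme, parts.netloc, unquote(parts.path.lstrip("/")), attribute, scope, flt)

def user_search_filter(idp: LdapIdpUrl, username: str) -> str:
    """The lookup OpenShift performs at login: (&(<filter>)(<attribute>=<username>)), username escaped."""
    return f"(&{idp.filter}({idp.attribute}={escape_filter_value(username)}))"

def check_transport(idp: LdapIdpUrl, insecure: bool, ca_configmap: str = "") -> list:
    """Flag CR combinations that weaken or break TLS to the directory."""
    problems = []
    if insecure and idp.scheme == "ldaps":
        problems.append("insecure: true is not allowed with an ldaps:// url")
    if insecure and idp.scheme == "ldap":
        problems.append("bind credentials and user passwords would cross the network in cleartext")
    if not insecure and not ca_configmap:
        problems.append("no ca ConfigMap referenced; the server certificate must chain to the default trust store")
    return problems

if __name__ == "__main__":
    # Constructed values mirroring the CR above, with a made-up host in place of <ldap_ip>.
    idp = parse_idp_url("ldaps://ad.example.local:636/cn=Users,dc=example,dc=local?sAMAccountName")
    print(idp)
    print(user_search_filter(idp, "jdoe"))
    print(user_search_filter(idp, "j*)(cn="))  # filter metacharacters are neutralised
    print(check_transport(idp, insecure=False, ca_configmap="ca-config-map"))  # []
    print(check_transport(idp, insecure=True))
```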
Define an OpenShift Secret
Define the OCP secret that contains the bindPassword mentioned above:
$ oc create secret generic ldap-secret --from-literal=bindPassword="<YourUserNamePassword>" -n openshift-config
Configure the LDAP CA
$ oc create configmap ca-config-map --from-file=ca.crt=/path/to/ca -n openshift-config
Apply the CR and check
Now that we have the secret and the CA ConfigMap, apply the CR:
$ oc apply -f 01_oauth_ad.yaml
Log in to the cluster as a user from your identity provider, entering the password when prompted:
$ oc login -u <username>
$ oc whoami
Additionally, you can check the web UI and choose Active Directory IdP on the login page:
Permissions Wanted
Adding a user from AD is not enough on its own; the user still needs roles before they can do anything useful in the cluster. Here’s an example of granting cluster-admin permissions to a specific user:
$ oc adm policy add-cluster-role-to-user cluster-admin <ad_user>
Troubleshooting
If you run into issues, the following commands help narrow down the problem:
$ oc get OAuth cluster -o yaml
$ oc get users
$ oc get identities
$ oc get pods -n openshift-authentication
$ oc logs oauth-openshift-.....-.... -n openshift-authentication
NOTE: for more permissions-related information, you might want to check Using RBAC to define and apply permissions on the openshift.com site.
Summary
We’ve gone over the path of configuring Active Directory as an OpenShift identity provider, a pivotal integration that enhances security and simplifies user management. Successfully marrying these technologies means harnessing the best of both worlds. If you’re looking for expert guidance, want to configure authentication using htpasswd, or need support in fine-tuning this integration, remember that a partner like us at Octopus can be invaluable in navigating these waters with confidence and precision.