ldap server Open shift setup by Chat GPT - unix1998/technical_notes GitHub Wiki
Prerequisites:
- Ensure you have administrative access to your OpenShift cluster.
- Have the LDAP server details (hostname, port, bind DN, bind password, base DN, etc.).

1. Access the OpenShift Cluster: Open a terminal and log in to your OpenShift cluster as a user with cluster-admin privileges.

   ```bash
   oc login -u <admin_user> -p <admin_password> --server=<api_server_url>
   ```

2. Create an LDAP secret: Create a secret to store the LDAP bind password. This is necessary for OpenShift to authenticate to the LDAP server.

   ```bash
   oc create secret generic ldap-secret --from-literal=bindPassword='<bind_password>' -n openshift-config
   ```

3. Define the LDAP Identity Provider: Edit the OAuth configuration to include the LDAP identity provider. First, open the OAuth configuration for editing:

   ```bash
   oc edit oauth cluster
   ```

   Add the LDAP configuration under `identityProviders`. Here's an example configuration:

   ```yaml
   apiVersion: config.openshift.io/v1
   kind: OAuth
   metadata:
     name: cluster
   spec:
     identityProviders:
     - name: ldap
       mappingMethod: claim
       type: LDAP
       ldap:
         attributes:
           id: [dn]
           preferredUsername: [uid]
           name: [cn]
           email: [mail]
         bindDN: "cn=admin,dc=example,dc=com"
         bindPassword:
           name: ldap-secret
         ca:
           name: ldap-ca
         insecure: true
         url: "ldap://ldap.example.com:389/ou=Users,dc=example,dc=com?uid"
   ```

   Replace the placeholders with your LDAP server details:
   - `bindDN`: The DN to bind as (e.g., `"cn=admin,dc=example,dc=com"`).
   - `url`: The LDAP URL with the base DN and attribute to search by (e.g., `"ldap://ldap.example.com:389/ou=Users,dc=example,dc=com?uid"`).
   - `insecure`: Set to `true` if not using TLS/SSL. For production, use `false` and configure a proper CA.

4. Add the LDAP CA certificate (if needed): If your LDAP server uses a custom CA, create a ConfigMap with the CA certificate and reference it in the OAuth configuration.

   ```bash
   oc create configmap ldap-ca --from-file=ca.crt=<path_to_ca_certificate> -n openshift-config
   ```

5. Save and apply the configuration: Once you've added the LDAP identity provider configuration to the OAuth resource, save the changes. OpenShift will automatically apply the new authentication configuration.

6. Test the LDAP authentication: Log out and attempt to log back in using a user account from your LDAP directory.
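The steps above collapsed into one script, as an added example written for this page (it is not the wiki's code and not an OpenShift-provided tool). It assumes `oc` is already logged in as cluster-admin; the functions `ldap_url_check`, `render_oauth_yaml` and `setup_ldap_idp`, the `LDAP_BIND_PASSWORD` environment variable, the `./ldap-ca.crt` path and every host name and DN are placeholders introduced here. It renders the identity provider with `insecure: false` and the CA ConfigMap reference, which is the production setting the page recommends: with `insecure: true` no TLS is negotiated at all, so the `ca` entry in the page's example is never consulted and the bind password crosses the network in clear text. The check function also refuses `insecure: true` together with an `ldaps://` URL and a URL without a base DN, two mistakes that otherwise only show up as failed logins.

```shell
#!/bin/sh
# Added example for this page (not the wiki's or OpenShift's own code).
# Renders and applies the LDAP identity provider from the steps above with the
# production settings the page recommends: insecure: false plus a CA ConfigMap.
# Assumes `oc` is already logged in as cluster-admin. Every host name, DN,
# secret/ConfigMap name and file path below is a placeholder.
set -eu

# ldap_url_check URL INSECURE
# Prints "ok" (exit 0) when the URL and the insecure flag are consistent:
#   - only ldap:// and ldaps:// schemes are accepted;
#   - ldaps:// implies TLS, so insecure must be "false" for it;
#   - the URL must carry a base DN after host[:port] (the subtree OpenShift
#     searches for the user), otherwise the lookup fails at login time.
ldap_url_check() {
    url=$1
    insecure=$2
    case "$url" in
        ldaps://*)
            [ "$insecure" = false ] || { echo "insecure must be false for ldaps:// URLs" >&2; return 1; } ;;
        ldap://*) ;;
        *) echo "unsupported scheme in $url" >&2; return 1 ;;
    esac
    rest=${url#*://}          # host[:port]/basedn?attr
    case "$rest" in
        */?*) ;;
        *) echo "missing base DN in $url" >&2; return 1 ;;
    esac
    echo ok
}

# render_oauth_yaml NAME BIND_DN SECRET_NAME CA_CONFIGMAP URL
# Emits the OAuth manifest for `oc apply`. insecure is pinned to false so the
# server certificate is verified against the CA ConfigMap (the page's
# dev-only "insecure: true" variant is deliberately not rendered here).
render_oauth_yaml() {
    name=$1; bind_dn=$2; secret=$3; ca=$4; url=$5
    ldap_url_check "$url" false >/dev/null || return 1
    cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: $name
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id: [dn]
        preferredUsername: [uid]
        name: [cn]
        email: [mail]
      bindDN: "$bind_dn"
      bindPassword:
        name: $secret
      ca:
        name: $ca
      insecure: false
      url: "$url"
EOF
}

# setup_ldap_idp BIND_DN BIND_PASSWORD CA_FILE URL
# Steps 2-5 of the page in one go: bind-password secret, CA ConfigMap, then the
# OAuth manifest. `--dry-run=client -o yaml | oc apply -f -` makes the two
# `oc create` calls idempotent, so re-running updates instead of failing with
# "already exists".
setup_ldap_idp() {
    bind_dn=$1; bind_password=$2; ca_file=$3; url=$4
    oc create secret generic ldap-secret \
        --from-literal=bindPassword="$bind_password" \
        -n openshift-config --dry-run=client -o yaml | oc apply -f -
    oc create configmap ldap-ca \
        --from-file=ca.crt="$ca_file" \
        -n openshift-config --dry-run=client -o yaml | oc apply -f -
    render_oauth_yaml ldap "$bind_dn" ldap-secret ldap-ca "$url" | oc apply -f -
    # Before step 6, confirm the provider is registered on the cluster OAuth.
    oc get oauth cluster -o jsonpath='{.spec.identityProviders[*].name}'; echo
}

# Run as: LDAP_BIND_PASSWORD=... sh ldap-idp.sh apply  (placeholder values)
if [ "${1:-}" = apply ]; then
    setup_ldap_idp "cn=admin,dc=example,dc=com" "$LDAP_BIND_PASSWORD" \
        ./ldap-ca.crt "ldaps://ldap.example.com:636/ou=Users,dc=example,dc=com?uid"
fi
```

The bind password is read from an environment variable rather than typed on the command line so it does not land in shell history; `render_oauth_yaml` can also be run on its own and piped to a file when the OAuth change has to go through review before `oc apply`.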
If you are setting up LDAP during the initial OpenShift installation using the `install-config.yaml`, include the LDAP configuration as shown below:

```yaml
apiVersion: v1
baseDomain: example.com
metadata:
  name: my-cluster
networking:
  networkType: OpenShiftSDN
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  serviceNetwork:
  - 172.30.0.0/16
compute:
- name: worker
  replicas: 3
controlPlane:
  name: master
  replicas: 3
platform:
  aws:
    region: us-east-1
pullSecret: '{"auths": ... }'
sshKey: 'ssh-rsa ...'
oauth:
  identityProviders:
  - name: ldap
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id: [dn]
        preferredUsername: [uid]
        name: [cn]
        email: [mail]
      bindDN: "cn=admin,dc=example,dc=com"
      bindPassword:
        name: ldap-secret
      ca:
        name: ldap-ca
      insecure: true
      url: "ldap://ldap.example.com:389/ou=Users,dc=example,dc=com?uid"
```

Replace the placeholders with the actual LDAP server details and your specific configuration.

Summary of the steps:
- Create a secret to store the LDAP bind password.
- Edit the OAuth configuration to add the LDAP identity provider.
- Configure CA certificates if using a custom CA.
- Test the setup by logging in with LDAP credentials.
By following these steps, you can configure your OpenShift cluster to use a remote LDAP server for authentication.