ldap server setup by Gemini - unix1998/technical_notes GitHub Wiki
Here's a step-by-step procedure to set up authorization in your OpenShift cluster using a remote LDAP server:
Prerequisites:
- OpenShift Cluster Access: You'll need administrative access to your OpenShift cluster to create and manage the necessary resources.
- Remote LDAP Server: Ensure your LDAP server is reachable from the OpenShift cluster nodes.
- LDAP Server Details: Gather information about your LDAP server, including:
  - Hostname or IP address
  - Port number (typically 389 for LDAP)
  - Base DN (Distinguished Name) for user searches
  - User filter (LDAP search filter to identify authorized users)
  - Bind DN and password (optional, for searching with elevated privileges)
Steps:
- Create LDAP Secret:
  - This secret stores the bind password (if required) for accessing your LDAP server.
  - Use the `oc create secret` command:

    ```bash
    oc create secret generic ldap-credentials \
      --from-literal=bindDN=<your_bind_dn> \
      --from-literal=bindPassword=<your_bind_password>
    ```

  - Replace `<your_bind_dn>` and `<your_bind_password>` with the actual values from your LDAP server configuration (omit these options if you are not using a bind DN).
- Create LDAP ConfigMap:
  - This config map defines the connection details and search parameters for your LDAP server.
  - Use the `oc create configmap` command:

    ```bash
    # insecure=true is optional; set it to false if the server uses TLS
    oc create configmap ldap-config \
      --from-literal=uri=ldap://<your_ldap_server_host>:<your_ldap_server_port> \
      --from-literal=baseDN=<your_ldap_base_dn> \
      --from-literal=userFilter='<your_ldap_user_filter>' \
      --from-literal=insecure=true
    ```

  - Replace the placeholders with your actual values:
    - `<your_ldap_server_host>`: Hostname or IP address of your LDAP server
    - `<your_ldap_server_port>`: Port number of your LDAP server (usually 389)
    - `<your_ldap_base_dn>`: Base DN for user searches within your LDAP directory
    - `<your_ldap_user_filter>`: LDAP search filter to identify authorized users (e.g., `(uid={username})`; keep it quoted in the shell, since the parentheses are shell syntax)
    - `insecure=true`: Set to `false` if your LDAP server uses TLS encryption
- Create LDAP Identity Provider (IDP) Resource:
  - This resource defines how OpenShift interacts with your LDAP server for user authentication.
  - Use the `oc apply -f` command with a YAML file specifying the IDP configuration:

    ```yaml
    apiVersion: config.openshift.io/v1
    kind: IdentityProvider
    metadata:
      name: ldap-idp
    spec:
      type: LDAP
      mapping:
        userPrefix: ""      # Optional user prefix for usernames
        userField: username # LDAP attribute representing username
        idField: uid        # Optional LDAP attribute representing user ID
      # Reference to the secret and config map you created
      secret:
        name: ldap-credentials
      config:
        name: ldap-config
    ```

  - Save this YAML configuration in a file (e.g., `ldap-idp.yaml`) and apply it using:

    ```bash
    oc apply -f ldap-idp.yaml
    ```
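The OpenShift documentation linked under Resources configures an LDAP identity provider through the cluster-scoped `OAuth` resource named `cluster`, with the bind password read from a secret and the server CA from a config map, both in the `openshift-config` namespace. The following is an added example of that form; it is not code from the original page. It reuses the `ldap-credentials` secret (its `bindPassword` key is the one the `OAuth` resource expects) and the host, port and base DN placeholders from above, and it assumes a provider name `ldap-idp`, a CA config map named `ldap-ca` with a `ca.crt` key, and the filter `(objectClass=person)`.

```yaml
# Added example: cluster OAuth resource carrying one LDAP identity provider.
# Assumptions (not from the original page): provider name ldap-idp, CA config
# map ldap-ca with key ca.crt, and the search filter (objectClass=person).
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ldap-idp
    mappingMethod: claim        # refuse the login if the username is already mapped to another identity
    type: LDAP
    ldap:
      attributes:
        id:
        - dn                    # stable identity key; a renamable attribute here would let a rename take over an account
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - uid                   # what the user logs in as
      bindDN: "<your_bind_dn>"  # the bind DN lives in the resource; only the password is in the secret
      bindPassword:
        name: ldap-credentials  # secret in openshift-config with key bindPassword
      ca:
        name: ldap-ca           # config map in openshift-config with key ca.crt (assumed name)
      insecure: false           # must stay false with ldaps://; with ldap:// false means StartTLS is required
      # RFC 2255 URL: scheme://host:port/<base DN>?<login attribute>?<scope>?<filter>
      url: "ldaps://<your_ldap_server_host>:<your_ldap_server_port>/<your_ldap_base_dn>?uid?sub?(objectClass=person)"
```

Two points a practitioner should check against the steps above: the secret has to be created in the `openshift-config` namespace (add `-n openshift-config` to the `oc create secret` command), and the filter in the `url` does not take a `{username}` placeholder, because OpenShift combines it with an equality match on the login attribute (`uid` here) at login time. After `oc apply -f`, the configured provider names can be read back with `oc get oauth cluster -o jsonpath='{.spec.identityProviders[*].name}'`, and the login path itself is exercised with `oc login -u <ldap_username>`.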
- Verify and Test:
  - After applying the configuration, you can verify whether OpenShift recognizes the LDAP IDP:

    ```bash
    oc get idps
    ```

  - This should list the `ldap-idp` you created.
  - To test user authentication with LDAP, attempt to log in to the OpenShift web console or use `oc login` with an LDAP username.
Additional Considerations:
- Security: Consider using TLS encryption for communication with your LDAP server (set `insecure=false` in the config map).
- Group Sync (Optional): You can optionally configure group sync to map LDAP groups to OpenShift roles or project access using the `openshift-auth-ldap-sync` project. Refer to the OpenShift documentation for detailed instructions.
Resources:
- OpenShift Documentation: Configuring an LDAP identity provider: [https://docs.openshift.com/container-platform/4.9/authentication/identity_providers/configuring-ldap-identity-provider.html](https://docs.openshift.com/container-platform/4.9/authentication/identity_providers/configuring-ldap-identity-provider.html)
- OpenShift Auth LDAP Sync: https://github.com/rhthsa/openshift-demo/blob/main/infrastructure-authentication-providers.md
**By following these