Openshift: Creating a project and authenticating an ldap group
1 min read · Jan 25, 2021
In this article, I will explain how to give an LDAP group access to an OpenShift project (namespace). Logging in is handled by the LDAP identity provider you already have configured; what we add here is authorization: the LDAP group is synced into an OpenShift Group object and a role is bound to that group in the project.
For this, we first sync the LDAP group into the OpenShift platform. Start by creating a namespace named projectname.
[root@*** ]#oc create namespace projectname
Then create two files, whitelist.txt and ldap_nested_sync.yaml. The whitelist holds one group DN per line; only the groups listed there are synced, which keeps a large directory from being mirrored into the cluster.
[root@*** ]# cat /root/ocp/confs/authentication/whitelist.txt
CN=yourldapgroup,OU=yourOU,DC=yourdomain,DC=com
[root@*** ~]# cat /root/ocp/confs/authentication/ldap_nested_sync.yaml
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://yourdc.yourdomain.com
bindDN: "CN=ocpserviceuser,CN=ServiceAccountsCN,DC=yourdomain,DC=com"
bindPassword: "ocpserviceuserplanepassword"
insecure: true
augmentedActiveDirectory:
    groupsQuery:
        derefAliases: never
        pageSize: 0
    groupUIDAttribute: dn
    groupNameAttributes: [ cn ]
    usersQuery:
        baseDN: "OU=yourOU,DC=yourdomain,DC=com"
        scope: sub
        derefAliases: never
        filter: (objectclass=person)
        pageSize: 0
    userNameAttributes: [ sAMAccountName ]
    groupMembershipAttributes: [ "memberOf:1.2.840.113556.1.4.1941:" ]
A few points about this file. The memberOf attribute is qualified with the LDAP_MATCHING_RULE_IN_CHAIN OID, 1.2.840.113556.1.4.1941; that is what makes Active Directory expand nested groups, and with any other OID nested members are not resolved. The userNameAttributes value must produce the same username that your LDAP identity provider maps at login (sAMAccountName here); if the two differ, the synced group will list names that never match a logged-in user. Finally, insecure: true with an ldap:// URL sends the bind password and all group data in clear text, which is acceptable in a lab but not in production: use ldaps:// (or ldap:// with StartTLS, which is what insecure: false does), point ca: at the certificate of the CA that issued the domain controller's certificate, and since the file contains the bind password, make it readable only by the account that runs the sync (chmod 600).
Sync with the command below. The --confirm flag is what actually writes the Group objects; without it, oc adm groups sync only prints the groups it would create, which is a convenient dry run to check the whitelist and the membership resolution first.
[root@***~]# oc adm groups sync \
    --sync-config=/root/ocp/confs/authentication/ldap_nested_sync.yaml \
    --whitelist=/root/ocp/confs/authentication/whitelist.txt --confirm
[root@***~]# oc get groups
NAME USERS
yourldapgroup yourldapusersinyourldapgroup
Then bind a role to the group in the project. admin gives the group full control of the namespace, including the right to create further RoleBindings, so pick the least role the group actually needs (edit or view are the usual alternatives).
# oc adm policy add-role-to-group admin yourldapgroup -n projectname
You can check the authorization with impersonation (this needs the impersonate verb, which cluster-admin has). Note that --as and --as-group evaluate RBAC for exactly the identity you name, whether or not that user is really in the synced group, so this confirms the RoleBinding, not the LDAP membership; confirm the membership separately with oc get groups yourldapgroup.
# oc auth can-i get pods --as=ldapuserinyourldapgroup \
    --as-group=yourldapgroup --as-group=system:authenticated
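Before running the sync step above, it is worth checking the config and the whitelist for the three mistakes that cause most trouble: plaintext LDAP with insecure: true, a wrong matching-rule OID (nested members are then not resolved), and a group- or world-readable file that holds the bind password. The POSIX shell script below is an added example, not part of the original article or of OpenShift; it assumes the flat one-key-per-line YAML layout shown above and a whitelist of one DN per line, and the function names lint_sync_config and lint_whitelist are my own.

```shell
#!/bin/sh
# Pre-flight lint for an OpenShift LDAPSyncConfig and its whitelist, to run
# before `oc adm groups sync`. Added example, not OpenShift's own tooling.
# Assumes the flat layout from the article (one `key: value` per line), so a
# full YAML parser is not needed.

# The only matching-rule OID that makes Active Directory expand nested groups
# (LDAP_MATCHING_RULE_IN_CHAIN).
IN_CHAIN_OID="1.2.840.113556.1.4.1941"

# yaml_value FILE KEY: print the value of a top-level `KEY:` line, quotes stripped.
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"'"
}

# lint_sync_config FILE: print one finding per line; print nothing when clean.
lint_sync_config() {
    f="$1"
    url=$(yaml_value "$f" url)
    insecure=$(yaml_value "$f" insecure)

    # 1. Transport: ldap:// with insecure: true sends the bind password in clear.
    case "$url" in
        ldap://*)
            if [ "$insecure" = "true" ]; then
                echo "transport: url=$url with insecure: true; bind password and group data cross the wire unencrypted. Use ldaps:// (or insecure: false for StartTLS) and set ca:"
            fi ;;
        ldaps://*) ;;
        *) echo "transport: unrecognised url '$url'" ;;
    esac

    # 2. Nested membership: every memberOf:<oid>: attribute must use the in-chain OID.
    sed -n 's/.*\(memberOf:[0-9.]*:\).*/\1/p' "$f" | while IFS= read -r attr; do
        oid=${attr#memberOf:}
        oid=${oid%:}
        if [ "$oid" != "$IN_CHAIN_OID" ]; then
            echo "nested groups: '$attr' is not LDAP_MATCHING_RULE_IN_CHAIN ($IN_CHAIN_OID); nested members will not be resolved"
        fi
    done

    # 3. Secrets at rest: a literal bindPassword means group/other must not read the file.
    if grep -q '^[[:space:]]*bindPassword:[[:space:]]*"\{0,1\}[^{]' "$f"; then
        # ls -l columns 5-10 are the group and other permission bits.
        mode=$(ls -ld "$f" | cut -c5-10)
        case "$mode" in
            ------) ;;
            *) echo "permissions: $f contains a literal bindPassword but is readable by group/other; chmod 600 it" ;;
        esac
    fi
}

# lint_whitelist FILE: flag lines that are not a distinguished name. The sync
# matches the whitelist against the group UID (the DN, per groupUIDAttribute).
lint_whitelist() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            "") echo "whitelist: line $n is empty; remove it" ;;
            *=*) ;;
            *) echo "whitelist: line $n '$line' is not a distinguished name" ;;
        esac
    done < "$1"
}

# Stand-alone use: lint both files given on the command line.
if [ "$#" -eq 2 ]; then
    lint_sync_config "$1"
    lint_whitelist "$2"
fi
```

Run it as `sh lint.sh ldap_nested_sync.yaml whitelist.txt`; no output means no findings. Against the config exactly as shown in the article (ldap:// with insecure: true, a mistyped OID, default 644 file mode) it reports three findings, and a corrected ldaps:// file with the right OID and mode 600 reports none.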