Openshift: Creating a project and authenticating an ldap group

Haluk KARAKAYA
1 min read · Jan 25, 2021

In this article, I will explain how we can authenticate an LDAP group for an OpenShift project (namespace).

For this, we should sync the LDAP groups with the OpenShift platform. First, let's create a namespace named projectname.

[root@*** ]# oc create namespace projectname

and two files named whitelist.txt and ldap_nested_sync.yaml:

[root@*** ]# cat /root/ocp/confs/authentication/whitelist.txt
CN=yourldapgroup,OU=yourOU,DC=yourdomain,DC=com
[root@*** ~]# cat /root/ocp/confs/authentication/ldap_nested_sync.yaml
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://yourdc.yourdomain.com
bindDN: "CN=ocpserviceuser,CN=ServiceAccountsCN,DC=yourdomain,DC=com"
bindPassword: "ocpserviceuserplanepassword"
insecure: true
augmentedActiveDirectory:
  # groups are discovered through the users' memberOf attribute, so no baseDN is needed here
  groupsQuery:
    derefAliases: never
    pageSize: 0
  groupUIDAttribute: dn
  # the synced OpenShift Group is named after the LDAP group's cn
  groupNameAttributes: [ cn ]
  usersQuery:
    baseDN: "OU=yourOU,DC=yourdomain,DC=com"
    scope: sub
    derefAliases: never
    filter: (objectclass=person)
    pageSize: 0
  userNameAttributes: [ sAMAccountName ]
  # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) resolves nested group membership
  groupMembershipAttributes: [ "memberOf:1.2.840.113556.1.4.1941:" ]

Sync with the command below.

[root@***~]# oc adm groups sync \
--sync-config=/root/ocp/confs/authentication/ldap_nested_sync.yaml \
--whitelist=/root/ocp/confs/authentication/whitelist.txt --confirm
[root@***~]# oc get groups
NAME USERS
yourldapgroup yourldapusersinyourldapgroup

And add a role as you wish for this group and project.

# oc adm policy add-role-to-group admin yourldapgroup -n projectname

You can check the authorization by impersonating a user from the group:

# oc auth can-i get pods --as=ldapuserinyourldapgroup \
--as-group=yourldapgroup --as-group=system:authenticated
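The same procedure as one script, added here as an example and not the post's own code. It derives the OpenShift group name from the whitelisted DN (the sync names the Group after the LDAP cn), confirms the synced Group actually carries users before binding the role, and only then runs the impersonated check. The paths, project and group names are the placeholders from the post; the `--apply` flag that triggers the `oc` calls is an assumption of this script.

```shell
#!/bin/sh
# Added example wrapping the post's steps: create namespace, sync the LDAP
# group, bind a role, verify. Placeholder paths/names are the post's; --apply
# is this script's own convention so that sourcing it runs nothing against oc.
set -eu

SYNC_CONFIG=/root/ocp/confs/authentication/ldap_nested_sync.yaml
WHITELIST=/root/ocp/confs/authentication/whitelist.txt
PROJECT=projectname

# groupNameAttributes: [ cn ] means the synced Group is named after the cn of
# the LDAP group, so take that name from the whitelisted DN instead of typing
# it a second time. Accepts "CN=" or "cn=" and keeps an escaped comma ("\,")
# inside the cn (RFC 4514) rather than cutting the name short there.
group_cn_from_dn() {
    dn=${1#[Cc][Nn]=}
    printf '%s\n' "$dn" | sed 's/\([^\\]\),.*$/\1/'
}

main() {
    oc get namespace "$PROJECT" >/dev/null 2>&1 || oc create namespace "$PROJECT"

    oc adm groups sync --sync-config="$SYNC_CONFIG" \
        --whitelist="$WHITELIST" --confirm

    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        group=$(group_cn_from_dn "$dn")

        # A Group that synced with an empty users list means the membership
        # query matched nothing; stop before binding a role to it.
        users=$(oc get group "$group" -o jsonpath='{.users[*]}')
        if [ -z "$users" ]; then
            echo "group $group synced with no users, check the sync config" >&2
            exit 1
        fi

        oc adm policy add-role-to-group admin "$group" -n "$PROJECT"

        # --as-group is taken on trust: can-i evaluates the RoleBinding for the
        # group you name, it does not look up LDAP membership. That is why the
        # synced users list was checked above; use a real member for the check.
        first_user=${users%% *}
        oc auth can-i get pods -n "$PROJECT" --as="$first_user" \
            --as-group="$group" --as-group=system:authenticated
    done < "$WHITELIST"
}

[ "${1:-}" = "--apply" ] && main
```

Run it as `sh sync_ldap_group.sh --apply` on the node where the post's files live. Because `oc auth can-i` believes whatever `--as-group` it is given, a successful answer proves the RoleBinding, not that the user is in the LDAP group; the `oc get group` step is what ties the two together. Note too that the post's config binds over plain `ldap://` with `insecure: true`, so the bind password crosses the network unencrypted; `ldaps://` with the directory's CA in the `ca` field is the usual hardening.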
