Preface

Just as an administrator creates separate users for each application after installing a Linux operating system, a K8S/OKD/OpenShift cluster needs its own users. In an OKD/OpenShift cluster we can integrate the OpenLDAP directory service for this purpose, as shown below.

OpenLDAP installation

This article uses Helm to install OpenLDAP. First, clone the charts repository so the chart can be inspected locally:

git clone https://github.com/helm/charts

Optional: the latest image can first be pushed to a private registry:

docker pull osixia/openldap:1.2.1
docker tag docker.io/osixia/openldap:1.2.1 okd-lr.zyl.io:5001/osixia/openldap:1.2.1
docker push okd-lr.zyl.io:5001/osixia/openldap:1.2.1

The image starts as root (it switches users internally with gosu), so the project's default service account needs the anyuid SCC; note that this grant applies to every pod in the project that runs under that service account:

oc new-project auth-openshift
oc adm policy add-scc-to-user anyuid -z default

Customize the OpenLDAP chart parameters:

cd charts/stable/openldap
cp values.yaml values_cs.yaml
vi values_cs.yaml
...
env:
  # LDAP creates the dc=zyl,dc=io domain for the organisation "zyl Inc."
  LDAP_ORGANISATION: "zyl Inc."
  LDAP_DOMAIN: "zyl.io"
# adminPassword is the password of cn=admin,dc=zyl,dc=io
adminPassword: admin
configPassword: config
# Persistent storage. This example uses an existing GlusterFS storage class that supports dynamic provisioning.
persistence:
  enabled: true
  storageClass: "glusterfs-app"
  accessMode: ReadWriteOnce
  size: 8Gi

Run the Helm command to install:

helm install --name openldap -f values_cs.yaml .

After LDAP starts, the domain dc=zyl,dc=io and the HDB admin account cn=admin,dc=zyl,dc=io are created. Create the users and groups in this domain as shown below:

% oc rsh deploy/openldap
% cat > users.ldif <<EOF
dn: ou=People,dc=zyl,dc=io
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=zyl,dc=io
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: uid=zyl,ou=People,dc=zyl,dc=io
uid: zyl
cn: zyl
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: changeme
loginShell: /bin/bash
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/zyl

dn: uid=admin,ou=People,dc=zyl,dc=io
uid: admin
cn: admin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: changeme
loginShell: /bin/bash
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/admin

dn: cn=zyl,ou=Group,dc=zyl,dc=io
cn: zyl
objectClass: top
objectClass: posixGroup
gidNumber: 5000
memberUid: zyl

dn: cn=admin,ou=Group,dc=zyl,dc=io
cn: admin
objectClass: top
objectClass: posixGroup
gidNumber: 5001
memberUid: admin

dn: cn=openshift_user,ou=Group,dc=zyl,dc=io
cn: openshift_user
objectClass: top
objectClass: posixGroup
gidNumber: 6000
memberUid: zyl

dn: cn=openshift_admin,ou=Group,dc=zyl,dc=io
cn: openshift_admin
objectClass: top
objectClass: posixGroup
gidNumber: 6001
memberUid: admin
EOF
% ldapadd -x -w $LDAP_ADMIN_PASSWORD -D "cn=admin,dc=zyl,dc=io" -H ldapi:/// -f users.ldif
% ldapsearch -x -D "cn=admin,dc=zyl,dc=io" -w $LDAP_ADMIN_PASSWORD -b dc=zyl,dc=io
% ldapsearch -x -D "cn=admin,cn=config" -w $LDAP_CONFIG_PASSWORD -b cn=config "olcDatabase=config"

Configure the Master to use LDAP authentication

If openshift_master_identity_providers was not configured during the initial installation, OKD defaults to the following identity provider, which lets any user name with any non-empty password log into the cluster:

% vi /etc/origin/master/master-config.yaml 
...
oauthConfig:
...
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: allow_all
    provider:
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider
...

Delete the following section from the configuration on every Master:

  - challenge: true
    login: true
    mappingMethod: claim
    name: allow_all
    provider:
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider

Replace it with the following block:

  - challenge: true
    login: true
    mappingMethod: claim
    name: ldap_auth
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: cn=admin,dc=zyl,dc=io
      bindPassword: admin
      insecure: true
      kind: LDAPPasswordIdentityProvider
      url: ldap://openldap.auth-openshift.svc.cluster.local./ou=People,dc=zyl,dc=io?uid

Note: if TLS were enabled, the OpenLDAP CA certificate would be supplied by adding ca: my-ldap-ca.crt to the provider (with insecure set to false) and copying the certificate to /etc/origin/master/my-ldap-ca.crt.

Add the following section to the Ansible inventory variables file OSEv3.yaml so that the change is not reverted by an upgrade:

##### Auth
openshift_master_identity_providers:
- name: ldap_auth
  challenge: true
  login: true
  kind: LDAPPasswordIdentityProvider
  bindDN: cn=admin,dc=zyl,dc=io
  bindPassword: admin
  url: ldap://openldap.auth-openshift.svc.cluster.local./ou=People,dc=zyl,dc=io?uid
  attributes:
    id: ['dn']
    email: ['mail']
    name: ['cn']
    preferredUsername: ['uid']
  insecure: true

Then restart the API and controllers services on each Master node and check their logs:

master-restart api api
master-restart controllers controllers
master-logs api api
master-logs controllers controllers

Synchronize LDAP group information to OKD

Create the following file:

cat > rfc2307_config_user_defined.yaml <<EOF
---
kind: LDAPSyncConfig
apiVersion: v1
bindDN: cn=admin,dc=zyl,dc=io
bindPassword: admin
insecure: true
url: ldap://openldap.auth-openshift.svc.cluster.local
groupUIDNameMapping:
  "cn=openshift_admin,ou=Group,dc=zyl,dc=io": openshift_admin
  "cn=openshift_user,ou=Group,dc=zyl,dc=io": openshift_user
rfc2307:
    groupsQuery:
        baseDN: "ou=Group,dc=zyl,dc=io"
        scope: sub
        derefAliases: never
        filter: (objectClass=posixGroup)
    groupUIDAttribute: dn
    groupNameAttributes: [ cn ]
    groupMembershipAttributes: [ memberUid ] 
    usersQuery:
        baseDN: "ou=People,dc=zyl,dc=io"
        scope: sub
        derefAliases: never
        filter: (objectClass=posixAccount)
    userUIDAttribute: uid
    userNameAttributes: [ cn ]
EOF

Execute the following command to synchronize:

% oc adm groups sync --sync-config=rfc2307_config_user_defined.yaml --confirm
group/zyl
group/admin
group/openshift_user
group/openshift_admin
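A stand-alone model of how the rfc2307 sync config above resolves memberUid values into OKD group membership, added here as an example (it is not code from the article or from OpenShift). The entries are constructed from the article's users.ldif, plus one extra memberUid with no account, to show why the tolerateMemberNotFoundErrors setting matters:

```python
import re

def entry(dn, **attrs):
    """Build an entry shaped like an LDAP search result: attribute -> list of values."""
    return {"dn": [dn], **{k: v if isinstance(v, list) else [v] for k, v in attrs.items()}}

PEOPLE, GROUP = "ou=People,dc=zyl,dc=io", "ou=Group,dc=zyl,dc=io"
# Constructed from the article's users.ldif; "departed" deliberately has no account.
ENTRIES = [
    entry(f"uid=zyl,{PEOPLE}", uid="zyl", cn="zyl", objectClass="posixAccount"),
    entry(f"uid=admin,{PEOPLE}", uid="admin", cn="admin", objectClass="posixAccount"),
    entry(f"cn=openshift_user,{GROUP}", cn="openshift_user", objectClass="posixGroup", memberUid="zyl"),
    entry(f"cn=openshift_admin,{GROUP}", cn="openshift_admin", objectClass="posixGroup",
          memberUid=["admin", "departed"]),
]

# The rfc2307 section of rfc2307_config_user_defined.yaml, as a dict.
CFG = {
    "groupsQuery": {"baseDN": GROUP, "filter": "(objectClass=posixGroup)"},
    "groupNameAttributes": ["cn"], "groupMembershipAttributes": ["memberUid"],
    "usersQuery": {"baseDN": PEOPLE, "filter": "(objectClass=posixAccount)"},
    "userUIDAttribute": "uid", "userNameAttributes": ["cn"],
}

def query(entries, q):
    """Apply a groupsQuery/usersQuery: sub scope under baseDN plus an objectClass filter."""
    wanted = re.fullmatch(r"\(objectClass=(\w+)\)", q["filter"]).group(1)
    return [e for e in entries
            if e["dn"][0].lower().endswith("," + q["baseDN"].lower())
            and wanted in e.get("objectClass", [])]

def sync_groups(entries, cfg, tolerate_member_not_found=False):
    """Resolve each group's memberUid values to user names, as `oc adm groups sync` does.
    A memberUid with no matching user aborts the sync unless the config sets
    tolerateMemberNotFoundErrors: true, in which case that member is skipped."""
    users = {u[cfg["userUIDAttribute"]][0]: u for u in query(entries, cfg["usersQuery"])}
    groups = {}
    for g in query(entries, cfg["groupsQuery"]):
        name = next(g[a][0] for a in cfg["groupNameAttributes"] if a in g)
        groups[name] = []
        for attr in cfg["groupMembershipAttributes"]:
            for uid in g.get(attr, []):
                if uid not in users:
                    if not tolerate_member_not_found:
                        raise LookupError(f"{g['dn'][0]}: memberUid {uid!r} matches no user")
                    continue  # tolerated: the stale member is dropped from the group
                groups[name].append(next(users[uid][a][0] for a in cfg["userNameAttributes"]))
    return groups

if __name__ == "__main__":
    print(sync_groups(ENTRIES, CFG, tolerate_member_not_found=True))
```

With the default tolerateMemberNotFoundErrors: false a single stale memberUid fails the whole sync run, so clean such entries out of the directory rather than enabling the flag unless silently dropping members is acceptable.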

Grant roles to the synchronized groups: openshift_admin becomes the administrator group and openshift_user the ordinary user group:

oc adm policy add-cluster-role-to-group cluster-admin openshift_admin
oc adm policy add-cluster-role-to-group basic-user openshift_user

Log in as an LDAP user:

oc login -uadmin -pchangeme

After the user logs in, OKD creates its own User and Identity objects corresponding to the LDAP entry:

% oc get groups
NAME              USERS
admin             admin
openshift_admin   admin
openshift_user    zyl
zyl               zyl                

% oc get users
NAME      UID                                    FULL NAME   IDENTITIES
admin     3c4ae0bf-338c-11e9-b2f8-52540042814f   admin       ldap_auth:uid=admin,ou=People,dc=zyl,dc=io

% oc get identities
NAME                                         IDP NAME    IDP USER NAME                      USER NAME   USER UID
ldap_auth:uid=admin,ou=People,dc=zyl,dc=io   ldap_auth   uid=admin,ou=People,dc=zyl,dc=io   admin       3c4ae0bf-338c-11e9-b2f8-52540042814f

Reference documentation

  • OpenLDAP Helm Chart: https://github.com/helm/chart…
  • osixia/openldap: https://github.com/osixia/doc…