OKD4 integration with Active Directory
Lucas Maltempi Monfardine
Posted on January 10, 2024
Disclaimer: this article was published originally on Medium, in March 2021 and may not be 100% up to date.
Quick guide on integrating an OKD4 cluster to log in with Active Directory
Before going to OKD, it’s better to gather the following information:
- A dedicated AD service account (for binding purposes) with complete DN;
- Domain name or AD IP;
- Complete DN of a “control group” with users allowed to log in;
- Complete DN of groups you want to sync.
Now to OKD: start by creating a secret for your LDAP Service Account password:
```
oc create secret generic ldap-secret --from-literal=bindPassword=<LDAP SA password> -n openshift-config
```
Next, let’s update the cluster authentication methods. This YAML will change the existing cluster OAuth settings in the openshift-config namespace:
```yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
  namespace: openshift-config
spec:
  identityProviders:
  - name: ldapidp
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id:
        - sAMAccountName
        email:
        - mail
        name:
        - displayName
        preferredUsername:
        - cn
      bindDN: "CN=OKD,OU=ServiceAccounts,OU=Users,DC=domain,DC=com"
      bindPassword:
        name: ldap-secret
      insecure: true
      url: "ldap://<ip-or-ad-domain>:389/OU=Users,DC=domain,DC=com?sAMAccountName?sub?(memberof=CN=okd-users,OU=groups,DC=domain,DC=com)"
```
Fields to change:
- bindDN: replace with your LDAP Service Account complete DN
- URL: replace with your server and the OU where your users are located on LDAP server.
- The last part of the URL (the memberof filter) restricts login to members of the group “okd-users”. You can remove it if you want.
Then apply the file you generated:
```
oc apply -f path/to/ldap-auth.yaml
```
After applying, wait for the redeploy of authentication pods and you should be able to log in using your LDAP account.
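The manifest above sets `insecure: true` on an `ldap://` URL, which means the service account bind and every user's password travel to the domain controller in clear text. A TLS variant of the same provider, as an added example that is not part of the original article; the ConfigMap name `ldap-ca` and the CA file path are assumptions:

```yaml
# Added example, not from the original article.
# Assumes the AD CA certificate was loaded first under the key ca.crt
# (ConfigMap name "ldap-ca" and the file path are placeholders):
#   oc create configmap ldap-ca --from-file=ca.crt=/path/to/ad-ca.pem -n openshift-config
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ldapidp
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id:
        - sAMAccountName
        email:
        - mail
        name:
        - displayName
        preferredUsername:
        - cn
      bindDN: "CN=OKD,OU=ServiceAccounts,OU=Users,DC=domain,DC=com"
      bindPassword:
        name: ldap-secret
      # CA bundle used to verify the domain controller's certificate
      ca:
        name: ldap-ca
      # false = TLS is required; the connection fails if the certificate does not verify
      insecure: false
      # ldaps on 636; use the DNS name that appears in the server certificate
      url: "ldaps://<ad-domain>:636/OU=Users,DC=domain,DC=com?sAMAccountName?sub?(memberof=CN=okd-users,OU=groups,DC=domain,DC=com)"
```

With `insecure: false`, an `ldaps://` URL connects over TLS and an `ldap://` URL is upgraded with StartTLS. The LDAPSyncConfig used for group sync accepts the same `insecure: false` setting, with `ca` given as a path to the certificate file.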
Group Sync
For the group sync, two files are needed: ldap-group-sync.yaml and whitelist.txt
```yaml
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://<ip-or-ad-domain>:389
insecure: true
bindDN: CN=OKD,OU=ServiceAccounts,OU=Users,DC=domain,DC=com
bindPassword: '<AD Service Account Password>'
groupUIDNameMapping:
  "CN=okd-admins,OU=Groups,DC=domain,DC=com": okd-admins
  "CN=okd-project1-users,OU=Groups,DC=domain,DC=com": okd-project1-users
augmentedActiveDirectory:
  groupsQuery:
    derefAliases: never
    pageSize: 0
  groupUIDAttribute: dn
  groupNameAttributes: [ cn ]
  usersQuery:
    baseDN: "OU=Users,DC=domain,DC=com"
    scope: sub
    derefAliases: never
    filter: (objectclass=person)
    pageSize: 0
  userNameAttributes: [ cn ]
  groupMembershipAttributes: [ "memberOf:1.2.840.113556.1.4.1941:" ]
```
Fields to change:
- URL: replace with your AD server IP or domain
- bindDN: replace with previously created service account
- bindPassword: the service account password
- groupUIDNameMapping: insert as many groups as you need
- baseDN: replace with baseDN of your AD users
On the whitelist.txt file, insert the previously mentioned groups, one per line:
```
CN=okd-admins,OU=Groups,DC=domain,DC=com
CN=okd-project1-users,OU=Groups,DC=domain,DC=com
```
After you finish editing the files, do a dry run to validate:
```
oc adm groups sync --whitelist=whitelist.txt --sync-config=ldap-group-sync.yaml
```
If everything goes well, add the “confirm” flag to process the changes:
```
oc adm groups sync --whitelist=whitelist.txt --sync-config=ldap-group-sync.yaml --confirm
```
Check if your groups appeared on the console and then add the needed RoleBindings to them, accordingly:
[Figure: binding the cluster-admin role to the okd-admins group.]
Group Sync automation
You could sync your groups manually whenever you need, or maybe schedule a cron job on any host to do that. But there’s a cooler way. Let’s schedule a CronJob inside the OKD cluster to constantly check for changes to your groups.
Start by creating a project “ldap-sync” and a Cluster Role that will give the job the proper permissions to complete the task:
Create a file rbac-ldap-group-sync.yaml:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ldap-group-sync
rules:
- apiGroups:
  - user.openshift.io
  resources:
  - groups
  verbs:
  - create
  - update
  - patch
  - delete
  - get
  - list
```
Then run:
```
oc apply -f rbac-ldap-group-sync.yaml
```
Next, create the cronjob-ldap-group-sync.yaml:
```yaml
# batch/v1beta1 was removed in Kubernetes 1.25; current clusters need batch/v1
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: ldap-group-sync
  namespace: ldap-sync
spec:
  schedule: '@hourly'
  suspend: false
  jobTemplate:
    spec:
      template:
        metadata:
          creationTimestamp: null
        spec:
          restartPolicy: Never
          # the job runs with this account's permissions
          serviceAccountName: ldap-sync
          schedulerName: default-scheduler
          terminationGracePeriodSeconds: 30
          securityContext: {}
          containers:
          - name: oc-cli
            image: registry.redhat.io/openshift4/ose-cli
            command:
            - /bin/oc
            - adm
            - groups
            - sync
            - '--whitelist=/ldap-sync/whitelist.txt'
            - '--sync-config=/ldap-sync/ldap_group_sync.yaml'
            - '--confirm'
            volumeMounts:
            - name: config
              readOnly: true
              mountPath: /ldap-sync/
          serviceAccount: ldap-sync
          volumes:
          # the secret supplies whitelist.txt and ldap_group_sync.yaml
          - name: config
            secret:
              secretName: ldap-sync
              defaultMode: 420
          dnsPolicy: ClusterFirst
```
And then create the task:
```
oc apply -f cronjob-ldap-group-sync.yaml
```
On OKD console you can see the history of events generated by the job.
Tips:
- You can change the schedule from ‘@hourly’ to any valid Linux cron expression.
- If you receive any errors when running the cron job, check that the serviceAccount line is present on the CronJob in the OKD UI.
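The CronJob runs as the ServiceAccount `ldap-sync` and mounts a Secret named `ldap-sync`, and the ClusterRole only takes effect once it is bound to that account. The objects below supply those pieces as an added example, not part of the original article; the ClusterRoleBinding name and the `oc` commands in the comments are assumptions built from the file names used above.

```yaml
# Added example, not from the original article.
# Assumes the project already exists:
#   oc new-project ldap-sync
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ldap-sync
  namespace: ldap-sync
---
# Grants the ldap-group-sync ClusterRole (groups: create/update/patch/delete/get/list)
# to that one ServiceAccount only, instead of a broader role such as cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ldap-group-sync        # binding name is an assumption
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ldap-group-sync
subjects:
- kind: ServiceAccount
  name: ldap-sync
  namespace: ldap-sync
# The Secret mounted at /ldap-sync/ must expose the two file names the CronJob
# command expects. Creating it from the local files keeps the bind password
# out of any manifest stored in version control:
#   oc create secret generic ldap-sync -n ldap-sync \
#     --from-file=whitelist.txt \
#     --from-file=ldap_group_sync.yaml=ldap-group-sync.yaml
```

Because the sync config inside that Secret contains the AD service account password, keep read access to Secrets in the ldap-sync project limited to administrators.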