DEV Community

Lucas Maltempi Monfardine
Lucas Maltempi Monfardine

Posted on

OKD4 integration with Active Directory

Disclaimer: this article was published originally on Medium, in March 2021 and may not be 100% up to date.

Quick guide on integrating a OKD4 cluster to login with Active Directory

Before going to OKD, it’s better gather the following information:

  • A dedicated AD service account (for binding purposes) with complete DN;
  • Domain name or AD IP;
  • Complete DN of a “control group” with users allowed to log in;
  • Complete DN of groups you want to sync.

Now to OKD: start by creating a secret for your LDAP Service Account password:

oc create secret generic ldap-secret --from-literal=bindPassword=<LDAP SA password> -n openshift-config
Enter fullscreen mode Exit fullscreen mode

Next, let’s update the cluster authentication methods. This YAML will change existing OAuth cluster settings existing on openshift-config namespace:

apiVersion: config.openshift.io/v1  
kind: OAuth  
metadata:  
  name: cluster  
  namespace: openshift-config  
spec:  
  identityProviders:  
  - name: ldapidp  
    mappingMethod: claim  
    type: LDAP  
    ldap:  
      attributes:  
        id:  
        - sAMAccountName  
        email:  
        - mail  
        name:  
        - displayName  
        preferredUsername:  
        - cn  
      bindDN: "CN=OKD,OU=ServiceAccounts,OU=Users,DC=domain,DC=com"  
      bindPassword:  
        name: ldap-secret  
      insecure: true  
      url: "ldap://<ip-or-ad-domain>:389/OU=Users,DC=domain,DC=com?sAMAccountName?sub?(memberof=CN=okd-users,OU=groups,DC=domain,DC=com)"
Enter fullscreen mode Exit fullscreen mode

Fields to change:

  • bindDN: replace with your LDAP Service Account complete DN
  • URL: replace with your server and the OU where your users are located on LDAP server.
  • The last part of the URL sets that only members of the group “okd-users” will be able to log-in. You can remove that if you want.

Then apply the file you generated:

oc apply -f path/to/ldap-auth.yaml
Enter fullscreen mode Exit fullscreen mode

After applying, wait for the redeploy of authentication pods and you should be able to log in using your LDAP account.

OKD login screen will show ldapidp provider.

Group Sync

For the group sync, there’s two needed files: ldap-group-sync.yaml and whitelist.txt

kind: LDAPSyncConfig  
apiVersion: v1  
url: ldap://<ip-or-ad-domain>:389  
insecure: true  
bindDN: CN=OKD,OU=ServiceAccounts,OU=Users,DC=domain,DC=com  
bindPassword: '<AD Service Account Password>'  
groupUIDNameMapping:  
  "CN=okd-admins,OU=Groups,DC=domain,DC=com": okd-admins  
  "CN=okd-project1-users,OU=Groups,DC=domain,DC=com": okd-project1-users  
augmentedActiveDirectory:  
    groupsQuery:  
        derefAliases: never  
        pageSize: 0  
    groupUIDAttribute: dn  
    groupNameAttributes: \[ cn \]  
    usersQuery:  
        baseDN: "OU=Users,DC=domain,DC=com"  
        scope: sub  
        derefAliases: never  
        filter: (objectclass=person)  
        pageSize: 0  
    userNameAttributes: \[ cn \]  
    groupMembershipAttributes: \[ "memberOf:1.2.840.113556.1.4.1941:" \]
Enter fullscreen mode Exit fullscreen mode

Fields to change:

  • URL: replace with your AD server IP or domain
  • bindDN: replace with previously created service account
  • bindPassword: the service account password
  • groupUIDNameMapping: insert as many groups as you need
  • baseDN: replace with baseDN of your AD users

On the whitelist.txt file, insert the previously mentioned groups, one per line:

CN=okd-admins,OU=Groups,DC=domain,DC=com  
CN=okd-project1-users,OU=Groups,DC=domain,DC=com
Enter fullscreen mode Exit fullscreen mode

After finishing the files edit, do a dry run to validade:

oc adm groups sync --whitelist=whitelist.txt --sync-config=ldap-group-sync.yam
Enter fullscreen mode Exit fullscreen mode

If everything goes well, add the “confirm” flag to process the changes:

oc adm groups sync --whitelist=whitelist.txt --sync-config=ldap-group-sync.yaml --confirm  

Enter fullscreen mode Exit fullscreen mode

Check if your groups appeared on the console and then add the needed RoleBindings to them, accordingly:

Binding cluster-admin role to okd-admins group.

This step is done.

Group Sync automation

You could sync your groups manually whenever you need, or maybe schedule a cron in any host to do that. But there’s a cooler way. Let’s schedule a cronJob inside OKD cluster to constantly check for changes on your groups.

Start by creating a project “ldap-sync” and a Cluster Role that will give the propper permissions for the job to complete the task:

Create a file rbac-ldap-group-sync.yaml:

apiVersion: rbac.authorization.k8s.io/v1  
kind: ClusterRole  
metadata:  
  name: ldap-group-sync  
rules:  
\- apiGroups:  
  - user.openshift.io  
  resources:  
  - groups  
  verbs:  
  - create  
  - update  
  - patch  
  - delete  
  - get  
  - list
Enter fullscreen mode Exit fullscreen mode

Then run:

oc apply rbac-ldap-group-sync.yaml
Enter fullscreen mode Exit fullscreen mode

Next, create the cronjob-ldap-group-sync.yaml:

apiVersion: batch/v1beta1  
kind: CronJob  
metadata:  
  name: ldap-group-sync  
  namespace: ldap-sync  
spec:  
  schedule: '[@hourly](http://twitter.com/hourly)'  
  suspend: false  
  jobTemplate:  
    spec:  
      template:  
    spec:  
      template:  
        metadata:  
          creationTimestamp: null  
        spec:  
          restartPolicy: Never  
          serviceAccountName: ldap-sync  
          schedulerName: default-scheduler  
          terminationGracePeriodSeconds: 30  
          securityContext: {}  
          containers:  
            - name: oc-cli  
              image: registry.redhat.io/openshift4/ose-cli  
              command:  
                - /bin/oc  
                - adm  
                - groups  
                - sync  
                - '--whitelist=/ldap-sync/whitelist.txt'  
                - '--sync-config=/ldap-sync/ldap\_group\_sync.yaml'  
                - '--confirm'  
              volumeMounts:  
                - name: config  
                  readOnly: true  
                  mountPath: /ldap-sync/  
          serviceAccount: ldap-sync  
          volumes:  
            - name: config  
              secret:  
                secretName: ldap-sync  
                defaultMode: 420  
          dnsPolicy: ClusterFirst
Enter fullscreen mode Exit fullscreen mode

And then create the task:

oc apply -f cronjob-ldap-group-sync.yaml
Enter fullscreen mode Exit fullscreen mode

On OKD console you can see the history of events generated by the job.

Tips:

  • You can change the schedule from ‘@hourly’ to any valid Linux cron expression.
  • If you receive any errors on runnin the cron job, check if the serviceAccount line is present on the Cron Job in the OKD UI.

Top comments (0)