Hey Mark, Here is my working AD auth configuration (you might need to
tailor that URL filtering to your needs):
oauthConfig:
  assetPublicURL: https://<redacted>:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: paas_ldap_provider
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - displayName
        preferredUsername:
        - sAMAccountName
      bindDN: CN=linux_auth,OU=ServiceAccounts,OU=Generic,OU=Directory_Integration,DC=<redacted>,DC=com
      bindPassword: <redacted>
      ca: /etc/pki/ca-trust/source/anchors/<redacted>.pem
      insecure: false
      kind: LDAPPasswordIdentityProvider
      url: ldaps://<redacted>:636/DC=<redacted>,DC=com?sAMAccountName?sub?(memberOf=cn=openshift_sandbox,OU=openshift,ou=appgroups,ou=directory_integration,dc=<redacted>,dc=com)
If services don't start after master-config.yaml modification, it seems
like that might be an issue with your YAML. Ensure proper whitespacing (no
tabs, only spaces!) - Hope that helps!
--Derek
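A pre-flight check for a provider block like the one above, added here as an example; it is not code from this thread or from the OpenShift project. It uses only the Python standard library (no PyYAML) so the whitespace lint can run on the raw master-config.yaml text before the master is restarted, and the URL parser and settings review run on the provider mapping once the file parses. Hostnames, DNs, the CA path and the password are constructed placeholders; the URL defaults (port 389/636, attribute uid, scope sub, filter (objectClass=*)) follow the OpenShift 3.x LDAP identity provider documentation.

```python
"""Pre-flight checks for an OpenShift 3.x LDAPPasswordIdentityProvider block.

Added example for this thread, not code from Derek, Mark, or OpenShift.
Standard library only. Hostnames, DNs and passwords are constructed.
"""
from urllib.parse import unquote

# Constructed to mirror the shape of the failing configuration in the thread.
WEAK_PROVIDER = {
    "apiVersion": "v1",
    "kind": "LDAPPasswordIdentityProvider",
    "attributes": {"id": ["dn"], "email": ["mail"], "name": ["cn"],
                   "preferredUsername": ["uid"]},
    "bindDN": "cn=openshift,cn=users,dc=domain,dc=local",
    "bindPassword": "password",
    "insecure": True,
    "url": "ldap://dc.domain.local:389/cn=users,dc=domain,dc=local?uid",
}

# Constructed to mirror the shape of the working configuration in the thread.
HARDENED_PROVIDER = {
    "apiVersion": "v1",
    "kind": "LDAPPasswordIdentityProvider",
    "attributes": {"id": ["dn"], "email": ["mail"], "name": ["displayName"],
                   "preferredUsername": ["sAMAccountName"]},
    "bindDN": "CN=linux_auth,OU=ServiceAccounts,DC=example,DC=com",
    "bindPassword": "placeholder-secret",
    "ca": "/etc/pki/ca-trust/source/anchors/example-ad-ca.pem",
    "insecure": False,
    "url": ("ldaps://ad.example.com:636/DC=example,DC=com?sAMAccountName?sub"
            "?(memberOf=cn=openshift_sandbox,OU=openshift,DC=example,DC=com)"),
}


def lint_yaml_whitespace(text):
    """Return (line_number, message) for tab indentation and trailing blanks.

    YAML forbids tabs in indentation; one pasted tab in master-config.yaml
    is enough to stop the master service from starting.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        indent = line[: len(line) - len(line.lstrip())]
        if "\t" in indent:
            findings.append((n, "tab used for indentation"))
        if line != line.rstrip():
            findings.append((n, "trailing whitespace"))
    return findings


def parse_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter (RFC 2255 form).

    Defaults follow the OpenShift 3.x docs: port 389 for ldap and 636 for
    ldaps, attribute uid, scope sub, filter (objectClass=*).
    """
    scheme, _, rest = url.partition("://")
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("scheme must be ldap or ldaps, got %r" % scheme)
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError("missing host")
    parts = path.split("?", 3) + ["", "", "", ""]
    scope = parts[2] or "sub"
    if scope not in ("sub", "one"):
        raise ValueError("scope must be sub or one, got %r" % scope)
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "basedn": unquote(parts[0]),
        "attribute": parts[1] or "uid",
        "scope": scope,
        "filter": unquote(parts[3]) or "(objectClass=*)",
    }


def review_provider(provider):
    """Return human-readable findings about weak settings in a provider mapping."""
    findings = []
    if provider.get("kind") != "LDAPPasswordIdentityProvider":
        return ["kind is not LDAPPasswordIdentityProvider; nothing to review"]
    for key in ("bindDN", "bindPassword", "url"):
        if key not in provider:
            findings.append("missing required key %s" % key)
    if "url" not in provider:
        return findings
    url = parse_ldap_url(provider["url"])
    if provider.get("insecure"):
        findings.append("insecure: true disables TLS entirely; the bind password "
                        "and every user's password cross the network in clear text")
    elif url["scheme"] == "ldaps" and not provider.get("ca"):
        findings.append("ldaps without ca: the server certificate is checked "
                        "against the system trust store only")
    if url["filter"] == "(objectClass=*)":
        findings.append("no search filter: any account under %s with a valid "
                        "password can log in; restrict with a filter such as "
                        "(memberOf=...)" % url["basedn"])
    if isinstance(provider.get("bindPassword"), str):
        findings.append("bindPassword is stored in clear text in "
                        "master-config.yaml; keep the file mode restrictive")
    return findings


if __name__ == "__main__":
    for label, prov in (("weak", WEAK_PROVIDER), ("hardened", HARDENED_PROVIDER)):
        print(label, parse_ldap_url(prov["url"]))
        for finding in review_provider(prov):
            print("  -", finding)
```

Run lint_yaml_whitespace on the file contents first; if it is clean and the file still fails to load, the remaining suspects are structural (a duplicated key or a line at the wrong nesting level). review_provider takes the provider mapping as any YAML loader returns it, so it can be wired into the same script once the file parses.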
On Tue, Jul 11, 2017 at 10:18 PM, Werner, Mark <[email protected]>
wrote:
> I am really struggling to get Active Directory authentication to work.
>
> The oauthConfig section of the master-config.yaml file starts out like
> this and all is fine.
>
> oauthConfig:
>   assetPublicURL: https://master.domain.local:8443/console/
>   grantConfig:
>     method: auto
>   identityProviders:
>   - challenge: true
>     login: true
>     mappingMethod: claim
>     name: allow_all
>     provider:
>       apiVersion: v1
>       kind: AllowAllPasswordIdentityProvider
>   masterCA: ca-bundle.crt
>   masterPublicURL: https://master.domain.local:8443
>   masterURL: https://master.domain.local:8443
>
> Then I attempt to modify the oauthConfig section of the master-config.yaml
> file to look like this.
>
> oauthConfig:
>   assetPublicURL: https://master.domain.local:8443/console/
>   grantConfig:
>     method: auto
>   identityProviders:
>   - name: Active_Directory
>     challenge: true
>     login: true
>     mappingMethod: claim
>     provider:
>       apiVersion: v1
>       kind: LDAPPasswordIdentityProvider
>       attributes:
>         id:
>         - dn
>         email:
>         - mail
>         name:
>         - cn
>         preferredUsername:
>         - uid
>       bindDN: "cn=openshift,cn=users,dc=domain,dc=local"
>       bindPassword: "password"
>       insecure: true
>       url: ldap://dc.domain.local:389/cn=users,dc=domain,dc=local?uid
>   assetPublicURL: https://master.domain.local:8443/console/
>   masterPublicURL: https://master.domain.local:8443
>   masterURL: https://master.domain.local:8443
>
> Then I try to restart the origin-master service and it fails to restart,
> and won't start again, not even on reboot. If I revert back to the old
> master-config.yaml file everything works fine again, and origin-master
> service starts with no problem.
>
> The user "openshift" has been created in Active Directory with the correct
> password.
>
> I have even tried using url: ldaps://dc.domain.local:686/cn=users,dc=domain,dc=local?uid
>
> That doesn't work either. I cannot seem to figure out what I am doing
> wrong and what the origin-master service does not like about the modified
> master-config.yaml file that keeps it from starting.
>
>
> *Mark Werner* | Senior Systems Engineer | Cloud & Infrastructure Services | Unisys
>
_______________________________________________
dev mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev