Thanks Derek,

It seems I am pretty sure that I have the syntax correct for the Identity Provider (contents below). Still not working. I don't get it. What should the format or the syntax be in the Username field on the OpenShift web console logon page?

 

The DN for the Active Directory user account being used to query Active Directory (or for bind), as returned by PowerShell, is CN=Open Shift,CN=Users,DC=domain.DC=local (actual logon name is openshift).

The DN for the user I am trying to log on to the OpenShift web console with, as returned by PowerShell, is CN=Mark Werner,CN=Users,DC=domain,DC=local (actual logon name is wernermp).

I think I have tried every variation of using the name to try and log on with. Keep getting


oauthConfig:
  assetPublicURL: https://master.domain.local:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: AD
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - displayName
        preferredUsername:
        - sAMAccountName
      bindDN: CN=OpenShift User,OU=users,DC=domain,DC=local
      bindPassword: password
      insecure: true
      kind: LDAPPasswordIdentityProvider
      url: ldap://dc.domain.local:389/OU=Users,DC=domain,DC=local?sAMAccountName?sub
  masterPublicURL: https://master.domain.local:8443
  masterURL: https://master.domain.local:8443

 

Thanks,

Mark Werner | Senior Systems Engineer | Cloud & Infrastructure Services
Unisys | Mobile Phone 586.214.9017 | mark.wer...@unisys.com
11720 Plaza America Drive, Reston, VA 20190

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all devices.


From: Derek Wright [mailto:derekmwri...@gmail.com] 
Sent: Wednesday, July 12, 2017 7:20 PM
To: Werner, Mark <mark.wer...@unisys.com>
Cc: dev@lists.openshift.redhat.com
Subject: Re: OpenShift Origin Active Directory Authentication

 

Hey Mark, here is my working AD auth configuration (you might need to tailor that URL filtering to your needs):

oauthConfig:
  assetPublicURL: https://<redacted>:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: paas_ldap_provider
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - displayName
        preferredUsername:
        - sAMAccountName
      bindDN: CN=linux_auth,OU=ServiceAccounts,OU=Generic,OU=Directory_Integration,DC=<redacted>,DC=com
      bindPassword: <redacted>
      ca: /etc/pki/ca-trust/source/anchors/<redacted>.pem
      insecure: false
      kind: LDAPPasswordIdentityProvider
      url: ldaps://<redacted>:636/DC=<redacted>,DC=com?sAMAccountName?sub?(memberOf=cn=openshift_sandbox,OU=openshift,ou=appgroups,ou=directory_integration,dc=<redacted>,dc=com)

If services don't start after master-config.yaml modification, it seems like that might be an issue with your YAML. Ensure proper whitespacing (no tabs, only spaces!) - Hope that helps!

--Derek
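A way to see what the provider actually does with the url: line, as an added example that is not part of this thread or of OpenShift's own code: the script below parses the RFC 2255-style URL (ldap[s]://host[:port]/basedn?attribute?scope?filter, with the OpenShift 3 documentation's defaults of uid, sub and (objectClass=*) for omitted parts), builds the search filter implied for a typed login name with RFC 4515 escaping so the name cannot alter the filter, and checks whether a user DN lies beneath the configured base DN. For the URL in the second config above, the console's Username field is matched against sAMAccountName, so the value to type is the plain logon name (wernermp); the base DN that URL searches is OU=Users,DC=domain,DC=local, and the DN PowerShell returned for the user, CN=Mark Werner,CN=Users,DC=domain,DC=local, is not beneath it. With the first config's ?uid the search becomes (uid=wernermp), an attribute Active Directory does not populate by default. The ldaps URL with a group filter is constructed to mirror the shape of Derek's, not his values, and the combined filter shape is an illustration of "URL filter AND attribute=login" rather than a copy of the provider's code.

```python
"""LDAP identity-provider URL check for OpenShift 3 (added example, not from
the thread or from OpenShift itself).

The URL has the RFC 2255 shape ldap[s]://host[:port]/basedn?attribute?scope?filter.
Defaults for omitted parts follow the OpenShift 3 documentation: uid, sub,
(objectClass=*). The combined filter built here is an illustration of
"URL filter AND attribute=login", not a copy of the provider's own code.
"""
from dataclasses import dataclass
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str


def parse_ldap_url(url: str) -> LdapUrl:
    """Split the provider URL into its parts, applying the documented defaults."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme must be ldap or ldaps: {url!r}")
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError(f"missing host: {url!r}")
    fields = tail.split("?")
    fields += [""] * (4 - len(fields))      # missing trailing parts read as empty
    base_dn, attribute, scope, filt = (unquote(f) for f in fields[:4])
    scope = scope or "sub"
    if scope not in ("one", "sub"):
        raise ValueError(f"scope must be 'one' or 'sub', got {scope!r}")
    return LdapUrl(scheme, host, int(port) if port else DEFAULT_PORTS[scheme],
                   base_dn, attribute or "uid", scope, filt or "(objectClass=*)")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a typed login name must not be able to change the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def login_search_filter(u: LdapUrl, login: str) -> str:
    """Filter matching entries whose <attribute> equals the typed login name,
    restricted by the URL's own filter."""
    return f"(&{u.filter}({u.attribute}={escape_filter_value(login)}))"


def _rdns(dn: str) -> list[str]:
    # Enough for DNs without escaped commas; AD compares DNs case-insensitively.
    return [part.strip().lower() for part in dn.split(",")]


def dn_is_under(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn itself or sits somewhere beneath it."""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


if __name__ == "__main__":
    # The url: line from the second config in the thread.
    u = parse_ldap_url(
        "ldap://dc.domain.local:389/OU=Users,DC=domain,DC=local?sAMAccountName?sub")
    print(u)
    print("search:", login_search_filter(u, "wernermp"))
    # User DN quoted from PowerShell in the thread, against the configured base DN.
    user_dn = "CN=Mark Werner,CN=Users,DC=domain,DC=local"
    print("user under base DN:", dn_is_under(user_dn, u.base_dn))
    # Constructed ldaps URL with a group filter, mirroring the shape of Derek's
    # (host, base DN and group are made up).
    d = parse_ldap_url("ldaps://ldap.example.com/DC=example,DC=com?sAMAccountName?sub"
                       "?(memberOf=CN=openshift_users,OU=groups,DC=example,DC=com)")
    print("search with hostile login:", login_search_filter(d, "wernermp)(objectClass=*"))
```

Run it as-is to see the three checks; swap in your own url: line and the DN PowerShell reports for the account to confirm the base DN really contains it before touching the bind credentials.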

 

On Tue, Jul 11, 2017 at 10:18 PM, Werner, Mark <mark.wer...@unisys.com> wrote:

I am really struggling to get Active Directory authentication to work.

The oauthConfig section of the master-config.yaml file starts out like this and all is fine.

oauthConfig:
  assetPublicURL: https://master.domain.local:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: allow_all
    provider:
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider
  masterCA: ca-bundle.crt
  masterPublicURL: https://master.domain.local:8443
  masterURL: https://master.domain.local:8443

Then I attempt to modify the oauthConfig section of the master-config.yaml file to look like this.

oauthConfig:
  assetPublicURL: https://master.domain.local:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - name: Active_Directory
    challenge: true
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id:
        - dn
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: "cn=openshift,cn=users,dc=domain,dc=local"
      bindPassword: "password"
      insecure: true
      url: ldap://dc.domain.local:389/cn=users,dc=domain,dc=local?uid
  assetPublicURL: https://master.domain.local:8443/console/
  masterPublicURL: https://master.domain.local:8443
  masterURL: https://master.domain.local:8443

Then I try to restart the origin-master service and it fails to restart, and won't start again, not even on reboot. If I revert back to the old master-config.yaml file everything works fine again, and the origin-master service starts with no problem.

The user "openshift" has been created in Active Directory with the correct password.

I have even tried using url: ldaps://dc.domain.local:686/cn=users,dc=domain,dc=local?uid

That doesn't work either. I cannot seem to figure out what I am doing wrong and what the origin-master service does not like about the modified master-config.yaml file that keeps it from starting.

 

 


 


_______________________________________________
dev mailing list
dev@lists.openshift.redhat.com <mailto:dev@lists.openshift.redhat.com> 
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
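A pre-flight check to run on master-config.yaml before restarting origin-master, as an added example that is not part of the thread or of OpenShift (a hypothetical helper using only the Python standard library): it walks the block-style YAML used in these configs and reports tab indentation, which Derek's reply warns about, and keys defined twice at the same mapping level, which a decoder will either reject or silently resolve by keeping the last value. The constructed sample is the modified config from the first message, where assetPublicURL appears twice directly under oauthConfig. Flow style, multi-line scalars and quoted keys are outside what it models.

```python
"""Pre-flight check for a block-style YAML file such as master-config.yaml
(added example; a hypothetical helper, not part of the thread or of OpenShift).

Reports tab indentation and keys defined twice at the same mapping level.
Models mappings, "- " list items and single-line scalars only; flow style,
multi-line scalars and quoted keys are not handled.
"""


def find_yaml_problems(text: str) -> list[str]:
    problems: list[str] = []
    seen: set[tuple[str, ...]] = set()                 # key paths already defined
    stack: list[tuple[int, str]] = []                  # (indent, name) of enclosing keys/items
    item_counts: dict[tuple[str, ...], int] = {}       # parent path -> list items seen
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        leading = raw[: len(raw) - len(raw.lstrip())]
        if "\t" in leading:
            problems.append(f"line {lineno}: tab in indentation")
            continue
        indent = len(leading)
        content = raw.strip()
        if content == "-" or content.startswith("- "):
            # A sequence may sit at the same indent as its parent key, so pop only
            # deeper entries and a previous item at this indent.
            while stack and (stack[-1][0] > indent
                             or (stack[-1][0] == indent and stack[-1][1].startswith("["))):
                stack.pop()
            parent = tuple(name for _, name in stack)
            idx = item_counts.get(parent, 0)
            item_counts[parent] = idx + 1
            stack.append((indent, f"[{idx}]"))
            content = content[1:].strip()
            indent += 2                     # "- key: v" puts the key two columns in
        else:
            while stack and stack[-1][0] >= indent:
                stack.pop()
        key, sep, rest = content.partition(":")
        key = key.strip()
        if not sep or not key or (rest and not rest[0].isspace()):
            continue                        # scalar item, or a ':' inside a value
        path = tuple(name for _, name in stack) + (key,)
        if path in seen:
            problems.append(f"line {lineno}: duplicate key {'.'.join(path)}")
        seen.add(path)
        stack.append((indent, key))
    return problems


# Constructed sample: the modified oauthConfig from the first message in the thread.
BROKEN_CONFIG = """\
oauthConfig:
  assetPublicURL: https://master.domain.local:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - name: Active_Directory
    challenge: true
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id:
        - dn
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: "cn=openshift,cn=users,dc=domain,dc=local"
      bindPassword: "password"
      insecure: true
      url: ldap://dc.domain.local:389/cn=users,dc=domain,dc=local?uid
  assetPublicURL: https://master.domain.local:8443/console/
  masterPublicURL: https://master.domain.local:8443
  masterURL: https://master.domain.local:8443
"""

if __name__ == "__main__":
    for problem in find_yaml_problems(BROKEN_CONFIG) or ["no problems found"]:
        print(problem)
```

Point it at the real file with find_yaml_problems(open("/etc/origin/master/master-config.yaml").read()) and fix anything it lists before the restart; an empty list only means these two classes of mistake are absent, not that the file is valid YAML.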

 
