Thanks Derek,
It seems I am pretty sure that I have the syntax correct for the Identity Provider (contents below). Still not working. I don't get it. What should the format or the syntax be in the Username field on the OpenShift web console logon page?

The dn for the Active Directory user account being used to query Active Directory (or for bind) as returned by PowerShell is CN=Open Shift,CN=Users,DC=domain.DC=local (actual logon name is openshift). The dn for the user I am trying to log on to the OpenShift web console with as returned by PowerShell is CN=Mark Werner,CN=Users,DC=domain,DC=local (actual logon name is wernermp). I think I have tried every variation of using the name to try and log on with. Keep getting

  oauthConfig:
    assetPublicURL: https://master.domain.local:8443/console/
    grantConfig:
      method: auto
    identityProviders:
    - challenge: true
      login: true
      mappingMethod: claim
      name: AD
      provider:
        apiVersion: v1
        attributes:
          email:
          - mail
          id:
          - dn
          name:
          - displayName
          preferredUsername:
          - sAMAccountName
        bindDN: CN=OpenShift User,OU=users,DC=domain,DC=local
        bindPassword: password
        insecure: true
        kind: LDAPPasswordIdentityProvider
        url: ldap://dc.domain.local:389/OU=Users,DC=domain,DC=local?sAMAccountName?sub
    masterPublicURL: https://master.domain.local:8443
    masterURL: https://master.domain.local:8443

Thanks,

Mark Werner | Senior Systems Engineer | Cloud & Infrastructure Services
Unisys | Mobile Phone 586.214.9017 | mark.wer...@unisys.com
11720 Plaza America Drive, Reston, VA 20190
From: Derek Wright [mailto:derekmwri...@gmail.com]
Sent: Wednesday, July 12, 2017 7:20 PM
To: Werner, Mark <mark.wer...@unisys.com>
Cc: dev@lists.openshift.redhat.com
Subject: Re: OpenShift Origin Active Directory Authentication

Hey Mark,

Here is my working AD auth configuration (you might need to tailor that URL filtering to your needs):

  oauthConfig:
    assetPublicURL: https://<redacted>:8443/console/
    grantConfig:
      method: auto
    identityProviders:
    - challenge: true
      login: true
      mappingMethod: claim
      name: paas_ldap_provider
      provider:
        apiVersion: v1
        attributes:
          email:
          - mail
          id:
          - dn
          name:
          - displayName
          preferredUsername:
          - sAMAccountName
        bindDN: CN=linux_auth,OU=ServiceAccounts,OU=Generic,OU=Directory_Integration,DC=<redacted>,DC=com
        bindPassword: <redacted>
        ca: /etc/pki/ca-trust/source/anchors/<redacted>.pem
        insecure: false
        kind: LDAPPasswordIdentityProvider
        url: ldaps://<redacted>:636/DC=<redacted>,DC=com?sAMAccountName?sub?(memberOf=cn=openshift_sandbox,OU=openshift,ou=appgroups,ou=directory_integration,dc=<redacted>,dc=com)

If services don't start after master-config.yaml modification, it seems like that might be an issue with your YAML. Ensure proper whitespacing (no tabs, only spaces!)

Hope that helps!

--Derek

On Tue, Jul 11, 2017 at 10:18 PM, Werner, Mark <mark.wer...@unisys.com> wrote:

I am really struggling to get Active Directory authentication to work. The oauthConfig section of the master-config.yaml file starts out like this and all is fine.
  oauthConfig:
    assetPublicURL: https://master.domain.local:8443/console/
    grantConfig:
      method: auto
    identityProviders:
    - challenge: true
      login: true
      mappingMethod: claim
      name: allow_all
      provider:
        apiVersion: v1
        kind: AllowAllPasswordIdentityProvider
    masterCA: ca-bundle.crt
    masterPublicURL: https://master.domain.local:8443
    masterURL: https://master.domain.local:8443

Then I attempt to modify the oauthConfig section of the master-config.yaml file to look like this.

  oauthConfig:
    assetPublicURL: https://master.domain.local:8443/console/
    grantConfig:
      method: auto
    identityProviders:
    - name: Active_Directory
      challenge: true
      login: true
      mappingMethod: claim
      provider:
        apiVersion: v1
        kind: LDAPPasswordIdentityProvider
        attributes:
          id:
          - dn
          email:
          - mail
          name:
          - cn
          preferredUsername:
          - uid
        bindDN: "cn=openshift,cn=users,dc=domain,dc=local"
        bindPassword: "password"
        insecure: true
        url: ldap://dc.domain.local:389/cn=users,dc=domain,dc=local?uid
    assetPublicURL: https://master.domain.local:8443/console/
    masterPublicURL: https://master.domain.local:8443
    masterURL: https://master.domain.local:8443

Then I try to restart the origin-master service and it fails to restart, and won't start again, not even on reboot. If I revert back to the old master-config.yaml file everything works fine again, and the origin-master service starts with no problem. The user "openshift" has been created in Active Directory with the correct password.

I have even tried using

  url: ldaps://dc.domain.local:686/cn=users,dc=domain,dc=local?uid

That doesn't work either. I cannot seem to figure out what I am doing wrong and what the origin-master service does not like about the modified master-config.yaml file that keeps it from starting.
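An added example, not code from the thread: a stdlib-only Python linter for the oauthConfig block that surfaces the three things this thread turns on: tab indentation (Derek's point), a key repeated under the same parent (the second config Mark posted has assetPublicURL twice), and ldap:// combined with insecure: true, which sends the bind password without TLS. The sample YAML is a constructed abridgement of that config with one tab deliberately added.

```python
import re

# Constructed, abridged copy of the config that would not start in the thread,
# plus one tab deliberately slipped into the indentation of the last line.
SAMPLE = """\
oauthConfig:
  assetPublicURL: https://master.domain.local:8443/console/
  identityProviders:
  - name: Active_Directory
    provider:
      insecure: true
      url: ldap://dc.domain.local:389/cn=users,dc=domain,dc=local?uid
  assetPublicURL: https://master.domain.local:8443/console/
\tmasterURL: https://master.domain.local:8443
"""
KEY = re.compile(r"^([^\s#:'\"][^:]*?):(?:\s|$)")   # "key:" followed by space or EOL

def duplicate_keys(text):
    """(line, key) for each key repeated under one parent, for indentation-only YAML."""
    stack, dups = [], []                   # frames of (indent, keys seen at that level)
    for n, raw in enumerate(text.splitlines(), 1):
        body, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if body.startswith("- "):          # every sequence item opens a fresh mapping
            indent, body = indent + 2, body[2:].lstrip()
            while stack and stack[-1][0] >= indent:
                stack.pop()
            stack.append((indent, set()))
        m = KEY.match(body)
        if not m:                          # blank line, comment, or plain list scalar
            continue
        while stack and stack[-1][0] > indent:
            stack.pop()
        if not stack or stack[-1][0] < indent:
            stack.append((indent, set()))
        if m.group(1) in stack[-1][1]:
            dups.append((n, m.group(1)))
        stack[-1][1].add(m.group(1))
    return dups

def lint(text):
    """Findings for an oauthConfig block: tabs, duplicate keys, cleartext bind."""
    out = [f"line {n}: tab in indentation" for n, l in enumerate(text.splitlines(), 1)
           if "\t" in l[: len(l) - len(l.lstrip())]]
    out += [f"line {n}: key '{k}' repeated under the same parent" for n, k in duplicate_keys(text)]
    if re.search(r"^\s*insecure:\s*true\b", text, re.M) and re.search(r"^\s*url:\s*ldap://", text, re.M):
        out.append("ldap:// with insecure: true sends the bind password without TLS")
    return out
```

Run lint() over the oauthConfig section of master-config.yaml before restarting origin-master; an empty result means none of the three problems is present.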
_______________________________________________ dev mailing list dev@lists.openshift.redhat.com http://lists.openshift.redhat.com/openshiftmm/listinfo/dev