Bump up the log level on the apiserver to 4 (--loglevel=4) and capture the log messages during a login attempt.

On Wed, Jul 12, 2017 at 11:05 PM, Werner, Mark <[email protected]> wrote:

> Thank you. That is what I was kind of assuming. And there is my problem. I
> cannot get a successful logon with an AD user. I am out of ideas. It is
> easy enough to delete old identity bindings with oc delete identity
> <identity_provider>:<username>.
>
> I just can’t seem to understand why I cannot get AD authentication to work.
>
> *Mark Werner* | Senior Systems Engineer | Cloud & Infrastructure Services
> Unisys | Mobile Phone 586.214.9017 | [email protected]
> 11720 Plaza America Drive, Reston, VA 20190
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is for use only by the intended recipient. If you received
> this in error, please contact the sender and delete the e-mail and its
> attachments from all devices.
>
> *From:* Jordan Liggitt [mailto:[email protected]]
> *Sent:* Wednesday, July 12, 2017 10:58 PM
> *To:* Werner, Mark <[email protected]>
> *Cc:* Derek Wright <[email protected]>; [email protected]
> *Subject:* Re: OpenShift Origin Active Directory Authentication
>
> Configuring a new identity provider does not remove Identity objects
> created by a previously configured provider, which is why the allow_all
> object still exists.
>
> Also, until you get a successful login with your new LDAP identity
> provider, you won't see any Identity objects created by it.
>
> On Wed, Jul 12, 2017 at 10:55 PM, Werner, Mark <[email protected]> wrote:
>
> No, the name is AD. But as I understand it the name is arbitrary.
>
> The kind is set to LDAPPasswordIdentityProvider, which replaced allow_all.
> As I understand it this defines the type of Identity Provider.
>
> name: AD
> provider:
>   apiVersion: v1
>   attributes:
>     email:
>     - mail
>     id:
>     - dn
>     name:
>     - displayName
>     preferredUsername:
>     - sAMAccountName
>   bindDN: CN=OpenShift User,OU=users,DC=domain,DC=local
>   bindPassword: password
>   insecure: true
>   kind: LDAPPasswordIdentityProvider
>
> *From:* Jordan Liggitt [mailto:[email protected]]
> *Sent:* Wednesday, July 12, 2017 10:49 PM
> *To:* Werner, Mark <[email protected]>
> *Cc:* Derek Wright <[email protected]>; [email protected]
> *Subject:* Re: OpenShift Origin Active Directory Authentication
>
> On Wed, Jul 12, 2017 at 10:41 PM, Werner, Mark <[email protected]> wrote:
>
> I am wondering why, if I perform an “oc get identity” that the only
> identity that is returned is allow_all? If I changed the master-config.yaml
> file to only have the Identity Provider AllowAllPasswordIdentityProvider,
> then restart the origin-master service. Why doesn’t “oc get identity”
> return AllowAllPasswordIdentityProvider and still returns allow_all?
>
> The name of your AllowAllPasswordIdentityProvider identity provider was
> "allow_all", right?
>
> name: allow_all

_______________________________________________
dev mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
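
The LDAPPasswordIdentityProvider stanza quoted in the thread can be checked mechanically before the master is restarted. The following is an added example, not code from the thread or from the OpenShift project: `lint_ldap_provider`, its rule set and the values in the hardened variant (host name, CA file, password file path) are assumptions, and the dicts stand in for the parsed YAML.

```python
from urllib.parse import urlparse

def lint_ldap_provider(idp):
    """Return findings for one identityProviders entry given as a parsed dict."""
    p = idp.get("provider") or {}
    if p.get("kind") != "LDAPPasswordIdentityProvider":
        return []
    findings = []
    url = p.get("url")
    scheme = urlparse(url).scheme.lower() if url else ""
    if not url:
        findings.append("url: not set, so no LDAP server or search base is defined")
    elif scheme not in ("ldap", "ldaps"):
        findings.append("url: scheme %r is not ldap:// or ldaps://" % scheme)
    if p.get("insecure"):
        # insecure: true means no TLS is used for the LDAP connection.
        findings.append("insecure: true, bind and user passwords travel unencrypted")
        if scheme == "ldaps":
            findings.append("insecure: true contradicts an ldaps:// url")
    if bool(p.get("bindDN")) != bool(p.get("bindPassword")):
        findings.append("bindDN/bindPassword: set both or neither")
    if isinstance(p.get("bindPassword"), str) and p["bindPassword"]:
        findings.append("bindPassword: literal secret stored in the config file")
    if not (p.get("attributes") or {}).get("id"):
        findings.append("attributes.id: empty, no attribute to key the Identity on")
    return findings

# The stanza as quoted in the thread (it shows no url key), transcribed to a dict.
QUOTED = {"name": "AD", "provider": {
    "apiVersion": "v1", "kind": "LDAPPasswordIdentityProvider",
    "attributes": {"email": ["mail"], "id": ["dn"], "name": ["displayName"],
                   "preferredUsername": ["sAMAccountName"]},
    "bindDN": "CN=OpenShift User,OU=users,DC=domain,DC=local",
    "bindPassword": "password", "insecure": True}}

# Constructed hardened variant; host, CA file and password file are placeholders.
HARDENED = {"name": "AD", "provider": dict(
    QUOTED["provider"], insecure=False, ca="ad-ca.crt",
    url="ldaps://ad.example.local/DC=domain,DC=local?sAMAccountName",
    bindPassword={"file": "/etc/origin/master/bindpw.txt"})}

if __name__ == "__main__":
    for label, idp in (("quoted", QUOTED), ("hardened", HARDENED)):
        print(label, lint_ldap_provider(idp) or "no findings")
```

Whether the missing `url` reflects the actual file or only the excerpt pasted into the e-mail cannot be told from the thread.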
