Hi Mark,

Is there any possibility that you could look at the LDAP/AD server to see
what OpenShift is trying to bind with?

That might give you an idea about what is being sent across, and/or why it
isn't working.

---

ERIK JACOBS

PRINCIPAL TECHNICAL MARKETING MANAGER, OPENSHIFT

Red Hat Inc <https://www.redhat.com/>

[email protected]    M: 646.462.3745     @: erikonopen
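As an added illustration (not code from this thread or from OpenShift itself), the script below applies the documented constraints of the LDAPPasswordIdentityProvider stanza to the configuration Mark quotes later in the thread and builds the search filter the provider issues for a login attempt, which gives you the bind DN, base DN and filter to compare against what the AD server sees, as Erik suggests. The `url` line, the hostname `ad.domain.local`, the base DN and the sample usernames are assumptions; the rest of the stanza is taken from the thread.

```python
"""Offline sanity check for an OpenShift LDAPPasswordIdentityProvider stanza.

Added illustration for this thread, not OpenShift's own code: it applies the
documented constraints of the provider config and builds the LDAP search
filter the provider issues for a login, so the bind DN, base DN and filter
can be compared with what the AD side actually records.
"""
from urllib.parse import urlparse

# Constructed sample: the stanza quoted in the thread plus the `url` key the
# provider requires. Hostname and base DN are placeholders, not real values.
SAMPLE_PROVIDER = {
    "kind": "LDAPPasswordIdentityProvider",
    "apiVersion": "v1",
    "url": "ldap://ad.domain.local:389/DC=domain,DC=local"
           "?sAMAccountName?sub?(objectClass=user)",
    "bindDN": "CN=OpenShift User,OU=users,DC=domain,DC=local",
    "bindPassword": "password",
    "insecure": True,
    "attributes": {
        "id": ["dn"],
        "email": ["mail"],
        "name": ["displayName"],
        "preferredUsername": ["sAMAccountName"],
    },
}


def parse_ldap_url(url):
    """Split ldap://host:port/basedn?attribute?scope?filter into its parts.

    Trailing parts may be omitted; they then take the provider's documented
    defaults: attribute uid, scope sub, filter (objectClass=*).
    """
    parsed = urlparse(url)
    parts = parsed.query.split("?") if parsed.query else []
    parts += [""] * (3 - len(parts))
    attribute, scope, ldap_filter = parts[:3]
    return {
        "scheme": parsed.scheme,
        "host": parsed.netloc,
        "base_dn": parsed.path.lstrip("/"),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": ldap_filter or "(objectClass=*)",
    }


def escape_filter_value(value):
    """Escape a user-controlled value for an LDAP filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def login_search_filter(url, username):
    """Filter the provider sends for a login: (&(<filter>)(<attribute>=<user>))."""
    spec = parse_ldap_url(url)
    return "(&%s(%s=%s))" % (spec["filter"], spec["attribute"],
                              escape_filter_value(username))


def check_provider(provider):
    """Return findings for the stanza; an empty list means it passes."""
    findings = []
    if provider.get("kind") != "LDAPPasswordIdentityProvider":
        findings.append("kind must be LDAPPasswordIdentityProvider")
    url = provider.get("url")
    if not url:
        findings.append("url is required: ldap://host:port/basedn?attribute?scope?filter")
    else:
        spec = parse_ldap_url(url)
        if spec["scheme"] not in ("ldap", "ldaps"):
            findings.append("url scheme must be ldap or ldaps")
        if spec["scheme"] == "ldaps" and provider.get("insecure"):
            findings.append("insecure: true cannot be combined with an ldaps:// url")
        if spec["scheme"] == "ldap" and provider.get("insecure"):
            findings.append("insecure: true disables TLS, so the bind password and "
                            "every user's password cross the network in cleartext")
    if bool(provider.get("bindDN")) != bool(provider.get("bindPassword")):
        findings.append("bindDN and bindPassword must both be set or both be empty")
    if not (provider.get("attributes") or {}).get("id"):
        findings.append("attributes.id needs at least one attribute")
    return findings


if __name__ == "__main__":
    for finding in check_provider(SAMPLE_PROVIDER):
        print("finding:", finding)
    spec = parse_ldap_url(SAMPLE_PROVIDER["url"])
    print("service bind as :", SAMPLE_PROVIDER["bindDN"])
    print("search base     :", spec["base_dn"], "scope", spec["scope"])
    print("search filter   :", login_search_filter(SAMPLE_PROVIDER["url"], "mwerner"))
```

Of the constraints checked, a missing `url`, a `bindDN` without `bindPassword`, an empty `attributes.id` and `insecure: true` combined with an `ldaps://` URL are configuration errors; `insecure: true` with `ldap://` is accepted but sends the bind password and every user's password unencrypted, which matters here because `bindPassword` is also a literal string in master-config.yaml. The printed bind DN, base DN and filter are the three values to match against the bind and search the AD server logs for the login attempt.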

On Thu, Jul 13, 2017 at 12:00 AM, Werner, Mark <[email protected]>
wrote:

> I think actually for me it would be journalctl -u origin-master.service.
>
> Still that is a lot of log to parse through and I really don’t see
> anything regarding logon or authentication. I do see the error messages for
> when the master service was not starting but I have been past that for a
> while.
>
> Also, my understanding was that since this was installed with Ansible I
> could just go to /etc/sysconfig/origin-master and modify the line
> OPTIONS=--loglevel=2. Which I did, to OPTIONS=--loglevel=5. Then restarted
> origin-master service. Then tried a logon, but haven’t come across anything
> in the logs that tells me anything.
>
> *Mark Werner* | Senior Systems Engineer | Cloud & Infrastructure Services
> Unisys | Mobile Phone 586.214.9017 | [email protected]
> 11720 Plaza America Drive, Reston, VA 20190
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is for use only by the intended recipient. If you received
> this in error, please contact the sender and delete the e-mail and its
> attachments from all devices.
>
> *From:* Steve Kuznetsov [mailto:[email protected]]
> *Sent:* Wednesday, July 12, 2017 11:44 PM
> *To:* Werner, Mark <[email protected]>
> *Cc:* dev <[email protected]>; Jordan Liggitt <
> [email protected]>
> *Subject:* RE: OpenShift Origin Active Directory Authentication
>
> You could look at master logs:
>
> journalctl --unit atomic-openshift-master.service
>
> But I think Jordan was looking for client logs, so:
>
> oc login ... --loglevel 4
>
> On Jul 12, 2017 8:38 PM, "Werner, Mark" <[email protected]> wrote:
>
> Jordan,
>
> Do you happen to know what journalctl command to use to view logs related
> to logons?
>
> Thanks,
>
> *From:* Jordan Liggitt [mailto:[email protected]]
> *Sent:* Wednesday, July 12, 2017 11:15 PM
> *To:* Werner, Mark <[email protected]>
> *Cc:* Derek Wright <[email protected]>;
> [email protected]
> *Subject:* Re: OpenShift Origin Active Directory Authentication
>
> Bump up the log level on the apiserver to 4 (--loglevel=4) and capture the
> log messages during a login attempt.
>
> On Wed, Jul 12, 2017 at 11:05 PM, Werner, Mark <[email protected]>
> wrote:
>
> Thank you. That is what I was kind of assuming. And there is my problem. I
> cannot get a successful logon with an AD user. I am out of ideas. It is
> easy enough to delete old identity bindings with oc delete identity
> <identity_provider>:<username>.
>
> I just can’t seem to understand why I cannot get AD authentication to work.
>
> *From:* Jordan Liggitt [mailto:[email protected]]
> *Sent:* Wednesday, July 12, 2017 10:58 PM
> *To:* Werner, Mark <[email protected]>
> *Cc:* Derek Wright <[email protected]>;
> [email protected]
> *Subject:* Re: OpenShift Origin Active Directory Authentication
>
> Configuring a new identity provider does not remove Identity objects
> created by a previously configured provider, which is why the allow_all
> object still exists.
>
> Also, until you get a successful login with your new LDAP identity
> provider, you won't see any Identity objects created by it.
>
> On Wed, Jul 12, 2017 at 10:55 PM, Werner, Mark <[email protected]>
> wrote:
>
> No, the name is AD. But as I understand it the name is arbitrary.
>
> The kind is set to LDAPPasswordIdentityProvider, which replaced allow_all.
> As I understand it this defines the type of Identity Provider.
>
> name: AD
>     provider:
>       apiVersion: v1
>       attributes:
>         email:
>         - mail
>         id:
>         - dn
>         name:
>         - displayName
>         preferredUsername:
>         - sAMAccountName
>       bindDN: CN=OpenShift User,OU=users,DC=domain,DC=local
>       bindPassword: password
>       insecure: true
>       kind: LDAPPasswordIdentityProvider
>
> *From:* Jordan Liggitt [mailto:[email protected]]
> *Sent:* Wednesday, July 12, 2017 10:49 PM
> *To:* Werner, Mark <[email protected]>
> *Cc:* Derek Wright <[email protected]>;
> [email protected]
> *Subject:* Re: OpenShift Origin Active Directory Authentication
>
> On Wed, Jul 12, 2017 at 10:41 PM, Werner, Mark <[email protected]>
> wrote:
>
> I am wondering why, if I perform an “oc get identity”, the only identity
> that is returned is allow_all. I changed the master-config.yaml file to only
> have the Identity Provider AllowAllPasswordIdentityProvider, then restarted
> the origin-master service. Why doesn’t “oc get identity” return
> AllowAllPasswordIdentityProvider, and why does it still return allow_all?
>
> The name of your AllowAllPasswordIdentityProvider identity provider was
> "allow_all", right?
>
> name: allow_all
>
> _______________________________________________
> dev mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev