Re: Limiting which LDAP users can login

2018-01-04 Thread Joel Pearson
Ahh, thanks. I wondered if there would be a side effect.

I discovered that the directory we're using, OpenDJ, has virtual
attributes, and one of those attributes is "isMemberOf", so I was able to
use:

url: ldap://ldap.company.com.au:1389/ou=people,dc=company,dc=com,dc=au?uid?sub?(isMemberOf=cn=staff,ou=groups,dc=company,dc=com,dc=au)

And that worked like a charm, as manually provisioning users sounds like
way too much effort.

On Fri, Jan 5, 2018 at 1:50 AM Jordan Liggitt wrote:

> On Thu, Jan 4, 2018 at 5:35 AM, Joel Pearson <japear...@agiledigital.com.au> wrote:
>
>> Hi,
>>
>> I just wanted to check what the proper way is to limit which users are
>> allowed to log in to OpenShift via an LDAP group.
>>
>> There doesn't seem to be a way during authentication, but on the
>> authorisation side of things I found that if I removed
>> "system:authenticated" from the basic-user cluster role binding then that
>> seemed to have the desired effect.  Is this the right way?
>>
>
>
> No, removing that role breaks things like `oc whoami`, `oc auth can-i`,
> and web console login.
>
> You have two options for gating logins during authentication:
>
> 1. Specify a filter on the user query to limit to a particular set of
> users. See the filter documentation at
> https://docs.openshift.org/latest/install_config/configuring_authentication.html#LDAPPasswordIdentityProvider
> for more information. For example, to limit to users with an
> openshiftUser=true attribute:
>
> url: "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid?sub?(openshiftUser=true)"
>
>
> 2. Instead of automatically provisioning User and Identity objects in
> OpenShift at login time, require them to be pre-created out of band using
> `mappingMethod: lookup`. Any attempt to log in as an LDAP user that does
> not have a configured Identity and User object will fail. See
> https://docs.openshift.org/latest/install_config/configuring_authentication.html#mapping-identities-to-users
> for more details.
>
>
>
>> So I ran these 2 commands:
>>
>> oc adm policy add-cluster-role-to-group basic-user staff
>> oc adm policy remove-cluster-role-from-group basic-user
>> system:authenticated
>>
>> After which only users in the staff group can log in if they don't already
>> have other permissions.
>>
>> The effect on the console is a little odd. You can log in OK and it shows
>> an error screen, then you click continue and then you are redirected back
>> to the login screen.
>>
>> Thanks,
>>
>> Joel
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: Limiting which LDAP users can login

2018-01-04 Thread Jordan Liggitt
On Thu, Jan 4, 2018 at 5:35 AM, Joel Pearson wrote:

> Hi,
>
> I just wanted to check what the proper way is to limit which users are
> allowed to log in to OpenShift via an LDAP group.
>
> There doesn't seem to be a way during authentication, but on the
> authorisation side of things I found that if I removed
> "system:authenticated" from the basic-user cluster role binding then that
> seemed to have the desired effect.  Is this the right way?
>


No, removing that role breaks things like `oc whoami`, `oc auth can-i`, and
web console login.

You have two options for gating logins during authentication:

1. Specify a filter on the user query to limit to a particular set of
users. See the filter documentation at
https://docs.openshift.org/latest/install_config/configuring_authentication.html#LDAPPasswordIdentityProvider
for more information. For example, to limit to users with an
openshiftUser=true attribute:

url: "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid?sub?(openshiftUser=true)"


2. Instead of automatically provisioning User and Identity objects in
OpenShift at login time, require them to be pre-created out of band using
`mappingMethod: lookup`. Any attempt to log in as an LDAP user that does
not have a configured Identity and User object will fail. See
https://docs.openshift.org/latest/install_config/configuring_authentication.html#mapping-identities-to-users
for more details.



> So I ran these 2 commands:
>
> oc adm policy add-cluster-role-to-group basic-user staff
> oc adm policy remove-cluster-role-from-group basic-user
> system:authenticated
>
> After which only users in the staff group can log in if they don't already
> have other permissions.
>
> The effect on the console is a little odd. You can log in OK and it shows
> an error screen, then you click continue and then you are redirected back
> to the login screen.
>
> Thanks,
>
> Joel
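
To show what the URL-filter option actually gates (the `?uid?sub?(filter)` form in Jordan's example above and the isMemberOf filter in Joel's follow-up), here is an added Python example; it is not code from OpenShift or from anyone in the thread. It parses the RFC 2255 URL and builds the search filter a login attempt would be looked up with, namely the URL's filter ANDed with an RFC 4515-escaped match on the username attribute; that combination is an assumption modelled on the documented behaviour, and the defaults (`uid`, `sub`) are the ones the docs list.

```python
import re
from urllib.parse import unquote

# RFC 4515 escaping for values placed inside an LDAP search filter, so a
# username containing filter metacharacters is matched literally.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value before embedding it in a filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def parse_ldap_url(url):
    """Split an RFC 2255 URL (ldap://host:port/baseDN?attribute?scope?filter)
    into its parts, applying the identity provider's documented defaults
    (attribute uid, scope sub, no extra filter)."""
    m = re.match(r"^(ldaps?)://([^/]*)/(.*)$", url)
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL")
    scheme, host, rest = m.groups()
    parts = [unquote(p) for p in rest.split("?")]
    base_dn = parts[0]
    attribute = parts[1] if len(parts) > 1 and parts[1] else "uid"
    scope = parts[2] if len(parts) > 2 and parts[2] else "sub"
    filt = parts[3] if len(parts) > 3 and parts[3] else "(objectClass=*)"
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope: " + scope)
    if not filt.startswith("("):
        filt = "(" + filt + ")"
    return {"scheme": scheme, "host": host, "base_dn": base_dn,
            "attribute": attribute, "scope": scope, "filter": filt}


def login_search_filter(url, username):
    """Filter used to look up `username`: the URL's restriction ANDed with
    the username attribute match (assumed combination, see lead-in)."""
    q = parse_ldap_url(url)
    user_term = "(%s=%s)" % (q["attribute"], escape_filter_value(username))
    return "(&%s%s)" % (q["filter"], user_term)


# Constructed sample: the group-restricted URL from Joel's follow-up.
STAFF_URL = ("ldap://ldap.company.com.au:1389/ou=people,dc=company,dc=com,dc=au"
             "?uid?sub?(isMemberOf=cn=staff,ou=groups,dc=company,dc=com,dc=au)")

if __name__ == "__main__":
    print(login_search_filter(STAFF_URL, "joel"))
```

Because the group restriction is part of every lookup, a user outside cn=staff never matches and is rejected before any User or Identity object is created, which is why this is gating at authentication rather than authorisation.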


Limiting which LDAP users can login

2018-01-04 Thread Joel Pearson
Hi,

I just wanted to check what the proper way is to limit which users are
allowed to log in to OpenShift via an LDAP group.

There doesn't seem to be a way during authentication, but on the
authorisation side of things I found that if I removed
"system:authenticated" from the basic-user cluster role binding then that
seemed to have the desired effect.  Is this the right way?

So I ran these 2 commands:

oc adm policy add-cluster-role-to-group basic-user staff
oc adm policy remove-cluster-role-from-group basic-user system:authenticated

After which only users in the staff group can log in if they don't already
have other permissions.

The effect on the console is a little odd. You can log in OK and it shows
an error screen, then you click continue and then you are redirected back
to the login screen.

Thanks,

Joel