Hi Joseph,

Yes, it's not possible to do a sync without an objectClass, but it is
possible to use DN as objectClass. I had some problems syncing the
LDAPGroups at a client before, and after changing the scopes and attributes a
lot of times, I got to this LDAPSyncConfig, which works correctly. I think that
you just need to find the right parameters =).

kind: LDAPSyncConfig
apiVersion: v1
url: "ldap://ldapserver.client.com.br"
# With an ldap:// URL, insecure: true means no TLS at all, so the bind DN and
# password below cross the network in cleartext. Prefer ldaps:// (or
# insecure: false, which upgrades ldap:// with StartTLS) plus a ca: bundle.
insecure: true
bindDN: "uid=openShiftAdm,ou=openShift,ou=accounts,O=CLIENT.COM"
# Plaintext bind credential: restrict who can read this file.
bindPassword: "password"
rfc2307:
    groupsQuery:
        baseDN: "ou=openShift,ou=accounts,o=client.com"
        scope: sub
        derefAliases: never
        # The groups query enumerates the groups to sync, so it always needs
        # a valid filter, even when groupUIDAttribute is dn.
        filter: (objectClass=groupOfNames)
    groupUIDAttribute: dn
    groupNameAttributes: [ ou ]
    groupMembershipAttributes: [ member ]
    usersQuery:
        baseDN: "O=CLIENT.COM"
        scope: sub
        derefAliases: never
        # No filter here: with userUIDAttribute dn, members are fetched by DN
        # and the validator rejects a filter on this query.
    userUIDAttribute: dn
    userNameAttributes: [ uid ]
    tolerateMemberNotFoundErrors: false
    tolerateMemberOutOfScopeErrors: false

Hope this can help!!

Regards,


Rodrigo Bersa
Cloud Consultant | Red Hat Brasil
[email protected] | M: +55 11 9 9557-5841
Av. Brigadeiro Faria Lima 3900, 8° Andar. São Paulo, Brasil.
RED HAT | TRIED. TESTED. TRUSTED. Find out why at redhat.com
<https://www.redhat.com/pt-br/about/trusted>
<http://www.redhat.com/es/about/trusted>

On Tue, Mar 21, 2017 at 10:02 AM, Joseph Lorenzini <[email protected]>
wrote:

> Hi all,
>
> I am following the documentation here:
>
> https://docs.openshift.org/latest/install_config/syncing_groups_with_ldap.html
>
>
> I used a yaml config here:
>
> https://gist.github.com/jaloren/ec7b76feea980dd23d757c477680f751
>
>
> Which failed with:
>
> error: validation of LDAP sync config failed: usersQuery.filter: Invalid
> value: "(objectclass=inetOrgPerson)": cannot specify a filter when using
> "dn" as the UID attribute
>
> Seems like the bug here in the docs has not actually been fixed.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1381674
>
> But okay so you can't use DN with an object class filter, that's fine. So
> then I tried it without an object class but left everything else the same
> and now I see this:
>
> error: validation of LDAP sync config failed: groupsQuery.filter: Invalid
> value: "": invalid query filter: LDAP Result Code 201 "": ldap: filter does
> not start with an '('
>
> So if I can't use an object class with a DN as the UID attribute and I
> can't do a sync without an object class, my questions are: how does one get
> this to work where the DN is the UID attribute and if DN is not acceptable
> for the UID attribute, then what is?
>
> Thanks,
>
> Joe
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>
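The two validation errors in this thread follow from two rules that the working config above satisfies: the rfc2307 groups query must always carry a parseable filter (it enumerates the groups to sync), and a users query whose UID attribute is dn must carry no filter at all (members are fetched by DN). The following pre-flight check is an added example, not OpenShift's own validator and not code from either poster. It reproduces those two rules on a config built as a Python dict that mirrors the posted LDAPSyncConfig (hostnames, DNs and the ca: path are placeholders), and adds the transport warning a security reviewer would raise about ldap:// with insecure: true. The filter check is a simplified stand-in for the real LDAP filter compiler: it only requires one balanced parenthesised expression.

```python
import copy

# Constructed for this example: mirrors the working LDAPSyncConfig posted in
# the thread. Host, DNs and password are placeholders, not real values.
WORKING = {
    "kind": "LDAPSyncConfig",
    "apiVersion": "v1",
    "url": "ldap://ldapserver.client.com.br",
    "insecure": True,
    "bindDN": "uid=openShiftAdm,ou=openShift,ou=accounts,O=CLIENT.COM",
    "bindPassword": "password",
    "rfc2307": {
        "groupsQuery": {"baseDN": "ou=openShift,ou=accounts,o=client.com",
                        "scope": "sub", "derefAliases": "never",
                        "filter": "(objectClass=groupOfNames)"},
        "groupUIDAttribute": "dn",
        "groupNameAttributes": ["ou"],
        "groupMembershipAttributes": ["member"],
        "usersQuery": {"baseDN": "O=CLIENT.COM", "scope": "sub",
                       "derefAliases": "never"},
        "userUIDAttribute": "dn",
        "userNameAttributes": ["uid"],
        "tolerateMemberNotFoundErrors": False,
        "tolerateMemberOutOfScopeErrors": False,
    },
}


def check_filter(expr):
    """Return None if expr looks like an LDAP search filter, else an error text.
    Simplified: the real validator compiles the filter; this only checks that
    it is a single, balanced, parenthesised expression."""
    if not expr.startswith("("):
        return "filter does not start with an '('"
    depth = 0
    for i, ch in enumerate(expr):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return "unexpected ')'"
        if depth == 0 and i != len(expr) - 1:
            return "trailing characters after the closing ')'"
    if depth != 0:
        return "unbalanced parentheses"
    return None


def validate_rfc2307(cfg):
    """Return (errors, warnings) for an rfc2307 LDAPSyncConfig dict."""
    errors, warnings = [], []
    rfc = cfg.get("rfc2307", {})

    # Rule 1: the groups query enumerates groups, so its filter is mandatory
    # and must parse, whatever groupUIDAttribute is.
    gq = rfc.get("groupsQuery", {})
    gflt = gq.get("filter", "")
    err = check_filter(gflt)
    if err:
        errors.append(f'groupsQuery.filter: Invalid value: "{gflt}": '
                      f"invalid query filter: {err}")

    # Rule 2: with userUIDAttribute dn, members are looked up directly by DN,
    # so a users filter is rejected; with any other UID attribute it is needed.
    uq = rfc.get("usersQuery", {})
    uflt = uq.get("filter", "")
    if rfc.get("userUIDAttribute", "").lower() == "dn":
        if uflt:
            errors.append(f'usersQuery.filter: Invalid value: "{uflt}": cannot '
                          'specify a filter when using "dn" as the UID attribute')
    else:
        err = check_filter(uflt)
        if err:
            errors.append(f'usersQuery.filter: Invalid value: "{uflt}": '
                          f"invalid query filter: {err}")

    # Transport and secret handling: ldap:// with insecure: true means no TLS,
    # so the bind DN and password are sent in cleartext.
    if cfg.get("url", "").startswith("ldap://") and cfg.get("insecure") is True:
        warnings.append("url is ldap:// with insecure: true: bind credentials "
                        "cross the network in cleartext")
    if isinstance(cfg.get("bindPassword"), str) and cfg["bindPassword"]:
        warnings.append("bindPassword is inline: restrict read access to this file")
    return errors, warnings


def with_users_filter(cfg, flt="(objectclass=inetOrgPerson)"):
    """First failing variant from the question: dn UID plus a users filter."""
    out = copy.deepcopy(cfg)
    out["rfc2307"]["usersQuery"]["filter"] = flt
    return out


def without_group_filter(cfg):
    """Second failing variant: objectClass filter removed from the groups query too."""
    out = copy.deepcopy(cfg)
    out["rfc2307"]["groupsQuery"]["filter"] = ""
    return out


def hardened(cfg, ca_path="/etc/origin/master/ldap-ca.crt"):
    """Same sync config over TLS; ca_path is a placeholder bundle location."""
    out = copy.deepcopy(cfg)
    out["url"] = "ldaps://ldapserver.client.com.br"
    out["insecure"] = False
    out["ca"] = ca_path
    return out


if __name__ == "__main__":
    for name, cfg in [("working", WORKING), ("users filter", with_users_filter(WORKING)),
                      ("no group filter", without_group_filter(WORKING)),
                      ("hardened", hardened(WORKING))]:
        errs, warns = validate_rfc2307(cfg)
        print(name, "errors:", errs, "warnings:", warns)
```

Running it reports no errors for the posted config, the "cannot specify a filter" error for the dn-plus-filter variant, the "does not start with an '('" error once the groups filter is emptied, and the cleartext warning until the URL is switched to ldaps:// (or insecure is set to false) with a CA bundle.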