On Thu, Jan 4, 2018 at 5:35 AM, Joel Pearson <[email protected]> wrote:
> Hi,
>
> I just wanted to check what the proper way is to limit which users are
> allowed to login to OpenShift via an LDAP group.
>
> There doesn't seem to be a way during authentication, but on the
> authorisation side of things I found that if I removed
> "system:authenticated" from the basic-user cluster role binding then that
> seemed to have the desired effect. Is this the right way?
>

No, removing that role breaks things like `oc whoami`, `oc auth can-i`, and
web console login.

You have two options for gating logins during authentication:

1. Specify a filter on the user query to limit to a particular set of users.
   See the filter documentation at
   https://docs.openshift.org/latest/install_config/configuring_authentication.html#LDAPPasswordIdentityProvider
   for more information. For example, to limit to users with an
   openshiftUser=true attribute:

     url: "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid?sub?(openshiftUser=true)"

2. Instead of automatically provisioning User and Identity objects in
   openshift at login time, require them to be pre-created out of band using
   `mappingMethod: lookup`. Any attempt to log in as an LDAP user that does
   not have a configured Identity and User object will fail. See
   https://docs.openshift.org/latest/install_config/configuring_authentication.html#mapping-identities-to-users
   for more details.

> So I ran these 2 commands:
>
> oc adm policy add-cluster-role-to-group basic-user staff
> oc adm policy remove-cluster-role-from-group basic-user system:authenticated
>
> After which only users in the staff group can login if they don't already
> have other permissions.
>
> The effect on the console is a little odd. You can login ok and it shows
> an error screen, then you click continue and then you are redirected back
> to the login screen.
>
> Thanks,
>
> Joel
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
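As an added illustration (not code from this thread or from OpenShift itself), a small Python model of how the filter in option 1 narrows the user query: it splits the identity-provider URL shown above into its RFC 2255 parts and composes the LDAP search filter that results for a given login name, escaping the name per RFC 4515 so a crafted login cannot change the filter's meaning. The AND of the configured filter with the attribute match follows the documented lookup; the defaults (attribute `uid`, scope `sub`) and the function names are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: the identity-provider URL from the reply above.
SAMPLE_URL = "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid?sub?(openshiftUser=true)"

# RFC 4515 escapes for characters that are special inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_ldap_url(url: str) -> dict:
    """Split an RFC 2255 LDAP URL into host, base DN, attribute, scope and filter.

    The part after the base DN is '?'-separated: attribute?scope?filter.
    Missing attribute/scope fall back to 'uid'/'sub' (assumed defaults);
    a missing filter means no extra restriction on the query.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))  # pad so all three positions exist
    attribute, scope, ldap_filter = fields[:3]
    return {
        "host": parts.netloc,
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": ldap_filter,
    }


def effective_filter(url: str, username: str) -> str:
    """Filter the directory is searched with for one login attempt.

    The configured filter (if any) is ANDed with the attribute-equals-username
    term, so only entries satisfying both can map to an OpenShift login.
    """
    cfg = parse_ldap_url(url)
    user_term = f"({cfg['attribute']}={escape_filter_value(username)})"
    if not cfg["filter"]:
        return user_term
    return f"(&{cfg['filter']}{user_term})"
```

Running `effective_filter(SAMPLE_URL, "jdoe")` yields `(&(openshiftUser=true)(uid=jdoe))`, and a name containing `*` or parentheses is escaped rather than widening the match.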
