Ahh, thanks, I wondered if there would be a side effect. I discovered that the directory we're using, OpenDJ, has virtual attributes, and one of those attributes is "isMemberOf", so I was able to use:

url: ldap://ldap.company.com.au:1389/ou=people,dc=company,dc=com,dc=au?uid?sub?(isMemberOf=cn=staff,ou=groups,dc=company,dc=com,dc=au)

And that worked like a charm, as manually provisioning users sounds like way too much effort.

On Fri, Jan 5, 2018 at 1:50 AM Jordan Liggitt <jligg...@redhat.com> wrote:

> On Thu, Jan 4, 2018 at 5:35 AM, Joel Pearson <japear...@agiledigital.com.au> wrote:
>
>> Hi,
>>
>> I just wanted to check what the proper way is to limit which users are allowed to login to OpenShift via an LDAP group.
>>
>> There doesn't seem to be a way during authentication, but on the authorisation side of things I found that if I removed "system:authenticated" from the basic-user cluster role binding then that seemed to have the desired effect. Is this the right way?
>
> No, removing that role breaks things like `oc whoami`, `oc auth can-i`, and web console login.
>
> You have two options for gating logins during authentication:
>
> 1. Specify a filter on the user query to limit to a particular set of users. See the filter documentation at https://docs.openshift.org/latest/install_config/configuring_authentication.html#LDAPPasswordIdentityProvider for more information. For example, to limit to users with an openshiftUser=true attribute:
>
>     url: "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid?sub?(openshiftUser=true)"
>
> 2. Instead of automatically provisioning User and Identity objects in openshift at login time, require them to be pre-created out of band using `mappingMethod: lookup`. Any attempt to log in as an LDAP user that does not have a configured Identity and User object will fail. See https://docs.openshift.org/latest/install_config/configuring_authentication.html#mapping-identities-to-users for more details.
>
>> So I ran these 2 commands:
>>
>> oc adm policy add-cluster-role-to-group basic-user staff
>> oc adm policy remove-cluster-role-from-group basic-user system:authenticated
>>
>> After which only users in the staff group can login if they don't already have other permissions.
>>
>> The effect on the console is a little odd. You can login ok and it shows an error screen, then you click continue and then you are redirected back to the login screen.
>>
>> Thanks,
>>
>> Joel
>>
>> _______________________________________________
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
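For context, here is the full OpenShift 3.x identity provider stanza that the `url:` line above belongs to, with the group-membership filter from the thread in place. This is an added example, not configuration from the thread or from the OpenShift docs; the provider name, bind account DN, CA file path and the bindPassword placeholder are assumptions.

```yaml
# master-config.yaml (OpenShift 3.x) -- added example; names below are assumptions
oauthConfig:
  identityProviders:
  - name: corp_ldap
    challenge: true
    login: true
    # "claim" creates User/Identity objects on first login. Switching to
    # "lookup" (option 2 in the reply) refuses anyone without pre-created objects.
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id: [dn]
        email: [mail]
        name: [cn]
        preferredUsername: [uid]
      # Service account used for the user search. It must be allowed to read
      # the attribute named in the filter (isMemberOf is an OpenDJ virtual
      # attribute), otherwise the filter matches nobody and all logins fail.
      bindDN: "cn=openshift-bind,ou=service,dc=company,dc=com,dc=au"
      bindPassword: "<placeholder-bind-password>"
      # insecure: false with an ldap:// URL means the connection is upgraded
      # with StartTLS; the CA bundle must validate the directory's certificate.
      ca: /etc/origin/master/ldap-ca.crt
      insecure: false
      # RFC 2255 URL: host/baseDN?attribute?scope?filter. Only entries that
      # match the filter are found, so only members of cn=staff can log in.
      # Dropping the filter (everything after the third '?') would admit any
      # user who can bind, which is the gap the thread is closing.
      url: "ldap://ldap.company.com.au:1389/ou=people,dc=company,dc=com,dc=au?uid?sub?(isMemberOf=cn=staff,ou=groups,dc=company,dc=com,dc=au)"
```

After changing the stanza, a quick check is to log in as a user outside cn=staff and confirm the login is rejected, then verify `oc whoami` and `oc auth can-i` still work for a staff member, which is exactly what the role-binding approach broke.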