[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
vincent at cojot.name
Fri Aug 21 18:28:10 UTC 2020
Hi everyone,
I have a working Samba AD/DC (4.12.6 on RHEL7.8) setup I'm trying to use
with OpenShift (a container platform to which RedHat contributes - aka
OCP). I'm also not too skilled with LDAP, even though I've been running the
above for over two years now.
There are typically two steps involved in connecting AD to OCP:
1) declare an OAuth configuration in OCP (requires a bind user in AD and
the AD Cert) with Active Directory. (Working config attached)
2) declare a group synchronization sync config.
(non working config attached)
Part #1 worked fine and I can now login to the OCP platform using my AD
credentials.
...But I'm struggling to make part #2 work fully. In short, with:
groupMembershipAttributes: [ "memberof" ]
... some groups (non-nested) get synced but others do not.
OCP doesn't support nested groups and it is documented ([1]) that when
using AD and nested groups, one should use this instead:
groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
Obviously, OID 1.2.840.113556.1.4.1941 doesn't exist in a Samba AD
environment.
Does anyone have any idea? Is there an equivalent in Samba to that AD OID
so that nested AD Groups can be expanded/flattened?
Any ideas welcomed. :)
[1]: https://examples.openshift.pub/authentication/activedirectory-ldap
Thanks for reading,
Vincent
-------------- next part --------------
# oc adm groups sync --sync-config=krynn-ad-sync-config.yaml --confirm --whitelist=krynn_group_list.txt
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://dc00.ad.lasthome.solace.krynn:389
insecure: false
ca: "KrynnAD.pem"
bindDN: "CN=openshift,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn"
bindPassword: "OBFUSCATED"
groupUIDNameMapping:
  "CN=Administrators,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn": openshift_admins
  "CN=Domain Users,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn": openshift_users
augmentedActiveDirectory:
  groupsQuery:
    baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
    scope: sub
    derefAliases: never
    pageSize: 0
    filter: (objectclass=group)
  groupUIDAttribute: primaryGroupID
  groupNameAttributes: [ cn ]
  groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
  #groupMembershipAttributes: [ "memberof" ]
  usersQuery:
    baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
    scope: sub
    derefAliases: never
    filter: (objectclass=person)
    pageSize: 0
  userNameAttributes: [ "sAMAccountName" ]
  #tolerateMemberNotFoundErrors: true
  #tolerateMemberOutOfScopeErrors: false
-------------- next part --------------
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: KRYNN_AD
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id: ["sAMAccountName"]
        email: ["mail"]
        name: ["displayName"]
        preferredUsername: ["sAMAccountName"]
      bindDN: "CN=openshift,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn"
      bindPassword:
        name: krynn-ad-secret
      ca:
        name: krynn-ad-ca-config-map
      insecure: false
      url: "ldap://dc00.ad.lasthome.solace.krynn:389/cn=users,dc=ad,dc=lasthome,dc=solace,dc=krynn?sAMAccountName?sub?(objectClass=user)"
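Editor's added example, not part of the list post, the Samba project or the OpenShift docs: the OID 1.2.840.113556.1.4.1941 in the post names the LDAP_MATCHING_RULE_IN_CHAIN extensible-match rule, which asks the directory server to walk the member/memberOf chain transitively so that nested groups come back flattened. The script below shows both the server-side form (the extensible-match filter string the OID is used in) and the equivalent client-side flattening a sync tool would have to do when a DC does not honour the rule. The DIRECTORY entries and their DNs are constructed sample data, including a deliberate membership cycle so the walk can be seen to terminate; they are assumptions, not taken from the post.

```python
"""Flatten nested AD-style group membership (added example, constructed data)."""
from collections import deque

# Constructed sample: group DN -> DNs listed in that group's 'member' attribute.
# Anything that is itself a key here is a nested group; everything else is a user.
DIRECTORY = {
    "CN=openshift_admins,CN=Users,DC=ad,DC=example,DC=test": [
        "CN=infra,CN=Users,DC=ad,DC=example,DC=test",
        "CN=alice,CN=Users,DC=ad,DC=example,DC=test",
    ],
    "CN=infra,CN=Users,DC=ad,DC=example,DC=test": [
        "CN=ops,CN=Users,DC=ad,DC=example,DC=test",
        "CN=bob,CN=Users,DC=ad,DC=example,DC=test",
    ],
    "CN=ops,CN=Users,DC=ad,DC=example,DC=test": [
        "CN=carol,CN=Users,DC=ad,DC=example,DC=test",
        # Cycle back to the top-level group: the walk must not loop forever.
        "CN=openshift_admins,CN=Users,DC=ad,DC=example,DC=test",
    ],
}

# LDAP_MATCHING_RULE_IN_CHAIN, the OID quoted in the post.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def in_chain_filter(group_dn: str) -> str:
    """Server-side equivalent: an extensible-match filter (RFC 4515 syntax
    attr:rule:=value) that returns every person whose memberOf chain reaches
    group_dn, however deeply nested."""
    return f"(&(objectClass=person)(memberOf:{IN_CHAIN_OID}:={group_dn}))"


def direct_members(group_dn: str, directory=DIRECTORY) -> list:
    """What a plain one-level 'member'/'memberof' lookup yields: users listed
    directly on the group, nested groups not expanded."""
    return sorted(dn for dn in directory.get(group_dn, []) if dn not in directory)


def flatten_members(group_dn: str, directory=DIRECTORY) -> list:
    """Client-side flattening: every user DN reachable from group_dn through
    nested groups. Breadth-first with a visited set, so cycles terminate and
    each group is expanded once."""
    seen_groups = {group_dn}
    users = set()
    queue = deque([group_dn])
    while queue:
        current = queue.popleft()
        for dn in directory.get(current, []):
            if dn in directory:  # nested group: enqueue once
                if dn not in seen_groups:
                    seen_groups.add(dn)
                    queue.append(dn)
            else:  # leaf user entry
                users.add(dn)
    return sorted(users)


if __name__ == "__main__":
    top = "CN=openshift_admins,CN=Users,DC=ad,DC=example,DC=test"
    print("filter   :", in_chain_filter(top))
    print("direct   :", direct_members(top))
    print("flattened:", flatten_members(top))
```

Run as-is, the direct lookup returns only alice, while the flattened walk returns alice, bob and carol; that gap is exactly the "some groups get synced but others do not" symptom when a sync consumer only follows one level of memberof.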