[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
vincent at cojot.name
Fri Aug 21 22:07:42 UTC 2020
Hi Rowland,
Here's an updated config of the yaml file. With that config (it is only
using 'memberOf', I only get a few groups and not all of them):
$ oc adm groups sync --sync-config=krynn-ad-sync-config.yaml --confirm
group/Administrators
group/Denied RODC Password Replication Group
group/Domain Admins
group/Enterprise Admins
group/Group Policy Creator Owners
group/Guests
group/Schema Admins
$
I have about 27 groups (all default groups) on this setup. The missing
groups appear to be 'nested groups', which OCP doesn't handle and this is
why I started experimenting with memberOf:1.2.840.113556.1.4.1941 (it was
described in the documentation as a way to un-flatten nested groups for
AD).
Vincent
>>> pageSize: 0
>>> userNameAttributes: [ "sAMAccountName" ]
>>
>> As far as I can see (and I could be missing something obvious), whilst it
>> defines the search base, etc, it doesn't define what DN to search for.
>> Should [ "memberof:1.2.840.113556.1.4.1941:" ] be something like:
>>
>> [ "memberof:1.2.840.113556.1.4.1941:=cn=Domain
>> Users,CN=Users,dc=samdom,dc=example,dc=com" ]
>>
>> Rowland
>
> looking at 'krynn-ad-sync-config.yaml' , you have 'groupUIDAttribute' set to
> 'primaryGroupID' and that is set to '513' for every AD user (unless you have
> changed it), so could the UID actually refer to something that identifies the
> group ? 'dn' for instance ?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
-------------- next part --------------
# oc adm groups sync --sync-config=krynn-ad-sync-config.yaml --confirm --whitelist=krynn_group_list.txt
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://dc00.ad.lasthome.solace.krynn:389
insecure: false
ca: "KrynnAD.pem"
bindDN: "CN=openshift,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn"
bindPassword: "OBFUSCATED"
augmentedActiveDirectory:
  groupsQuery:
    baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
    scope: sub
    derefAliases: never
    pageSize: 0
  groupUIDAttribute: dn
  groupNameAttributes: [ cn ]
  groupMembershipAttributes: [ "memberOf" ]
  #groupMembershipAttributes: [ "memberOf:1.2.840.113556.1.4.1941:=cn=Domain Users,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn" ]
  usersQuery:
    baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
    scope: sub
    derefAliases: always
    filter: (objectclass=person)
    pageSize: 0
  userNameAttributes: [ "sAMAccountName" ]
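As an added example that is not part of this thread (the directory data below is constructed, not Vincent's domain, and the DNs are made up), the following Python contrasts what a plain memberOf read returns with what the 1.2.840.113556.1.4.1941 in-chain matching rule evaluates, and shows how the filter value for that rule is built and escaped:

```python
"""Direct vs. nested ('in chain') AD group membership, as an added example."""
from collections import deque

IN_CHAIN_OID = "1.2.840.113556.1.4.1941"   # LDAP_MATCHING_RULE_IN_CHAIN
BASE = "DC=ad,DC=example,DC=test"           # constructed suffix, not the poster's domain

# Constructed mini-directory: group DN -> member DNs (users or other groups).
GROUP_MEMBERS = {
    f"CN=Domain Admins,CN=Users,{BASE}": [f"CN=vincent,CN=Users,{BASE}"],
    f"CN=Enterprise Admins,CN=Users,{BASE}": [],
    f"CN=Administrators,CN=Builtin,{BASE}": [
        f"CN=Domain Admins,CN=Users,{BASE}",
        f"CN=Enterprise Admins,CN=Users,{BASE}",
    ],
    f"CN=Denied RODC Password Replication Group,CN=Users,{BASE}": [
        f"CN=Domain Admins,CN=Users,{BASE}",
    ],
    f"CN=Ops,CN=Users,{BASE}": [f"CN=Administrators,CN=Builtin,{BASE}"],
}

def direct_member_of(dn):
    """Groups listing dn in 'member': what a plain memberOf read returns."""
    return sorted(g for g, members in GROUP_MEMBERS.items() if dn in members)

def in_chain_member_of(dn):
    """Transitive closure of memberOf: what the in-chain rule evaluates."""
    seen, queue = set(), deque([dn])
    while queue:
        for group in direct_member_of(queue.popleft()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return sorted(seen)

def escape_filter_value(value):
    """RFC 4515 escaping for the characters special inside a filter value."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                    (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, esc)
    return value

def in_chain_filter(group_dn):
    """Filter matching every direct *or nested* member of group_dn."""
    return f"(memberOf:{IN_CHAIN_OID}:={escape_filter_value(group_dn)})"

def matches(user_dn, group_dn):
    """True if user_dn would be returned by in_chain_filter(group_dn)."""
    return group_dn in in_chain_member_of(user_dn)
```

With this data, a plain memberOf read for the constructed user yields only Domain Admins, while the in-chain closure also reaches Administrators, Denied RODC Password Replication Group and Ops through nesting.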