[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift

vincent at cojot.name vincent at cojot.name
Fri Aug 21 18:28:10 UTC 2020 

Hi everyone,

I have a working Samba AD/DC (4.12.6 on RHEL7.8) setup I'm trying to use 
with OpenShift (a container platform to which RedHat contributes - aka 
OCP). I'm also not too skilled on LDAP even though I've been running the 
above for over two years now..

There are typically two steps involved in connecting AD to OCP:
1) declare an OAuth configuration in OCP (requires a bind user in AD and 
the AD Cert) with Active Directory. (Working config attached)

2) declare a group synchronization sync config.
(non working config attached)

Part #1 worked fine and I can now login to the OCP platform using my AD 
credentials.

...But I'm struggling to make part #2 work fully. In short, with:

groupMembershipAttributes: [ "memberof" ]
.. some groups (non-nested) get synced but others do not.

OCP doesn't support nested groups and it is documented ([1]) that when 
using AD and nested groups, one should use this instead:
groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]

Obviously, OID 1.2.840.113556.1.4.1941 doesn't exist in a Samba AD 
environment.

Does anyone have any idea? Is there an equivalent in Samba to that AD OID 
so that nested AD Groups can be expanded/flattened?

Any ideas welcomed. :)

[1]: https://examples.openshift.pub/authentication/activedirectory-ldap

Thanks for reading,

Vincent
-------------- next part --------------
# oc adm groups sync  --sync-config=krynn-ad-sync-config.yaml --confirm --whitelist=krynn_group_list.txt
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://dc00.ad.lasthome.solace.krynn:389
insecure: false
ca: "KrynnAD.pem"
bindDN: "CN=openshift,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn"
bindPassword: "OBFUSCATED"
groupUIDNameMapping:
    "CN=Administrators,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn": openshift_admins
    "CN=Domain Users,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn": openshift_users
augmentedActiveDirectory:
    groupsQuery:
        baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
        scope: sub
        derefAliases: never
        pageSize: 0
        filter: (objectclass=group)
    groupUIDAttribute: primaryGroupID
    groupNameAttributes: [ cn ]
    groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
    #groupMembershipAttributes: [ "memberof" ]
    usersQuery:
        baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
        scope: sub
        derefAliases: never
        filter: (objectclass=person)
        pageSize: 0
    userNameAttributes: [ "sAMAccountName" ]
    #tolerateMemberNotFoundErrors: true
    #tolerateMemberOutOfScopeErrors: false
-------------- next part --------------
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: KRYNN_AD
    mappingMethod: claim 
    type: LDAP
    ldap:
      attributes:
        id: ["sAMAccountName"]
        email: ["mail"]
        name: ["displayName"]
        preferredUsername: ["sAMAccountName"]
      bindDN: "CN=openshift,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn"
      bindPassword: 
        name: krynn-ad-secret
      ca: 
        name: krynn-ad-ca-config-map
      insecure: false
      url: "ldap://dc00.ad.lasthome.solace.krynn:389/cn=users,dc=ad,dc=lasthome,dc=solace,dc=krynn?sAMAccountName?sub?(objectClass=user)"

More information about the samba mailing list