[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift

Rowland penny rpenny at samba.org
Fri Aug 21 19:08:04 UTC 2020


On 21/08/2020 19:28, Vincent S. Cojot via samba wrote:
>
> Hi everyone,
>
> I have a working Samba AD/DC (4.12.6 on RHEL7.8) setup I'm trying to 
> use with OpenShift (a container platform to which RedHat contributes - 
> aka OCP). I'm also not too skilled on LDAP even though I've been 
> running the above for over two years now.
>
> There are typically two steps involved in connecting AD to OCP:
> 1) declare an OAuth configuration in OCP (requires a bind user in AD 
> and the AD Cert) with Active Directory. (Working config attached)
>
> 2) declare a group synchronization sync config.
> (non working config attached)
>
> Part #1 worked fine and I can now login to the OCP platform using my 
> AD credentials.
>
> ...But I'm struggling to make part #2 work fully. In short, with:
>
> groupMembershipAttributes: [ "memberof" ]
> .. some groups (non-nested) get synced but others do not.
>
> OCP doesn't support nested groups and it is documented ([1]) that when 
> using AD and nested groups, one should use this instead:
> groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
>
> Obviously, OID 1.2.840.113556.1.4.1941 doesn't exist in a Samba AD 
> environment.
I am fairly sure it does; I think it went into Samba 4.4.0. I think you 
may be using the wrong attribute: have you tried it with the 'member' 
attribute instead of 'memberof'?
>
> Does anyone have any idea? Is there an equivalent in Samba to that AD 
> OID so that nested AD Groups can be expanded/flattened?
>
> Any ideas welcomed. :)
>
> [1]: https://examples.openshift.pub/authentication/activedirectory-ldap
>
That link doesn't seem to work ;-)

Rowland
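The OID in the quoted message, 1.2.840.113556.1.4.1941, is the LDAP_MATCHING_RULE_IN_CHAIN extensible-match rule: the server walks group nesting transitively, and the attribute it is applied to decides the direction of the walk (`member` expands a group downward to everything nested in it, `memberOf` lists everything an entry is nested in), which is why the choice between the two matters. The Python below is an added example, not from the thread, Samba or OpenShift; it builds both filter forms and computes, client-side over a constructed directory snapshot with placeholder DNs, the flattened membership the `member:` form asks the server for, including the cycle case.

```python
# Added example: client-side equivalent of an LDAP_MATCHING_RULE_IN_CHAIN walk.
# The snapshot below is constructed; DNs are placeholders, not a real AD/DC.
from collections import deque

# Constructed snapshot: group DN -> direct 'member' values (users or groups).
DIRECTORY = {
    "CN=ocp-admins,OU=Groups,DC=example,DC=com": [
        "CN=alice,OU=Users,DC=example,DC=com",
        "CN=platform-team,OU=Groups,DC=example,DC=com",
    ],
    "CN=platform-team,OU=Groups,DC=example,DC=com": [
        "CN=bob,OU=Users,DC=example,DC=com",
        "CN=sre,OU=Groups,DC=example,DC=com",
    ],
    "CN=sre,OU=Groups,DC=example,DC=com": [
        "CN=carol,OU=Users,DC=example,DC=com",
        # Cycle back to the top group: real directories can contain these,
        # so the walk must track visited groups or it never terminates.
        "CN=ocp-admins,OU=Groups,DC=example,DC=com",
    ],
}
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN


def chain_filter(attr, dn):
    """Build the extensible-match filter the thread discusses.

    attr='member'   -> entries transitively *in* group <dn>
    attr='memberOf' -> groups that <dn> is transitively a member of
    """
    return f"({attr}:{IN_CHAIN}:={dn})"


def flatten_members(group_dn):
    """Return the non-group entries reachable through nested 'member' links.

    This is what (member:1.2.840.113556.1.4.1941:=<group_dn>) asks the
    server to compute; OCP group sync needs the flattened list because
    it does not recurse into nested groups itself.
    """
    users, seen, queue = set(), {group_dn}, deque([group_dn])
    while queue:
        for entry in DIRECTORY.get(queue.popleft(), []):
            if entry in DIRECTORY:          # nested group: descend once
                if entry not in seen:
                    seen.add(entry)
                    queue.append(entry)
            else:                           # leaf entry (a user)
                users.add(entry)
    return users
```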
