[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift

Rowland penny rpenny at samba.org
Fri Aug 21 19:29:21 UTC 2020


On 21/08/2020 20:08, Rowland penny via samba wrote:
> On 21/08/2020 19:28, Vincent S. Cojot via samba wrote:
>>
>> Hi everyone,
>>
>> I have a working Samba AD/DC (4.12.6 on RHEL7.8) setup I'm trying to 
>> use with OpenShift (a container platform to which RedHat contributes 
>> - aka OCP). I'm also not too skilled on LDAP even though I've been 
>> running the above for over two years now..
>>
>> There are typically two steps involved in connecting AD to OCP:
>> 1) declare an OAuth configuration in OCP (requires a bind user in AD 
>> and the AD Cert) with Active Directory. (Working config attached)
>>
>> 2) declare a group synchronization sync config.
>> (non working config attached)
>>
>> Part #1 worked fine and I can now login to the OCP platform using my 
>> AD credentials.
>>
>> ...But I'm struggling to make part #2 work fully. In short, with:
>>
>> groupMembershipAttributes: [ "memberof" ]
>> .. some groups (non-nested) get synced but others do not.
>>
>> OCP doesn't support nested groups and it is documented ([1]) that 
>> when using AD and nested groups, one should use this instead:
>> groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
>>
>> Obviously, OID 1.2.840.113556.1.4.1941 doesn't exist in a Samba AD 
>> environment.
> I am fairly sure it does; I think it went into Samba 4.4.0. I think 
> you may be using the wrong attribute; have you tried it with the 
> 'member' attribute instead of 'memberof'?
>>
>> Does anyone have any idea? Is there an equivalent in Samba to that AD 
>> OID so that nested AD Groups can be expanded/flattened?
>>
>> Any ideas welcomed. :)
>>
>> [1]: https://examples.openshift.pub/authentication/activedirectory-ldap
>>
> That link doesn't seem to work ;-)
>
> Rowland
>
>
>
This works for me:

rowland at devstation:~$ sudo ldapsearch -H ldaps://dc01.samdom.example.com \
    -D 'SAMDOM\Administrator' -w 'xxxxxxxxxx' \
    -b 'dc=samdom,dc=example,dc=com' \
    'memberof:1.2.840.113556.1.4.1941:=cn=Domain Admins,CN=Users,dc=samdom,dc=example,dc=com' | grep 'dn:'
[sudo] password for rowland:
dn: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
dn: CN=swanadmin,CN=Users,DC=samdom,DC=example,DC=com
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
dn: CN=dhcpduser,CN=Users,DC=samdom,DC=example,DC=com
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com

Rowland
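The following is an added example, not code from the thread, Samba or OpenShift. It models what the chained matching rule (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941) computes on the server side, in both directions: `memberOf:<OID>:=<group DN>` (who is transitively in a group, the direction of the ldapsearch above) and `member:<OID>:=<object DN>` (which groups an object is transitively in, the `member` variant suggested earlier). The group and user names, the base DN and the membership table are constructed sample data that roughly mirror the output above; the circular nesting between two groups is deliberate, because AD permits it and a flattening walk has to terminate on it. It also builds the filter strings with RFC 4515 escaping, which matters as soon as a group CN contains parentheses.

```python
# Added example (not from the thread): what matching rule OID
# 1.2.840.113556.1.4.1941 computes, and how to build filters that use it.
# All directory data below is constructed sample data.
from collections import deque

BASE = "dc=samdom,dc=example,dc=com"  # assumed base DN, as in the thread


def dn(cn, container="CN=Users"):
    """Build a DN under the Users container of the sample domain."""
    return f"CN={cn},{container},{BASE}"


# Constructed membership table: group DN -> direct 'member' values.
# 'Unix Admins' and 'Ops' nest each other, so a naive recursion would loop.
DIRECT_MEMBERS = {
    dn("Domain Admins"): [dn("Unix Admins"), dn("Administrator"), dn("swanadmin")],
    dn("Unix Admins"): [dn("Rowland Penny"), dn("dhcpduser"), dn("Ops")],
    dn("Ops"): [dn("Unix Admins")],
}


def _walk(start, edges):
    """Breadth-first transitive closure over 'edges'. The seen-set makes the
    walk terminate on circular nesting; the start node itself is not returned
    unless the graph leads back to it."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)


def transitive_members(group_dn, members=DIRECT_MEMBERS):
    """Every object that (memberOf:1.2.840.113556.1.4.1941:=group_dn) matches:
    direct members plus members of nested groups, to any depth."""
    return _walk(group_dn, members)


def transitive_groups(object_dn, members=DIRECT_MEMBERS):
    """Every group that (member:1.2.840.113556.1.4.1941:=object_dn) matches:
    the reverse direction, i.e. one object's flattened memberOf."""
    reverse = {}
    for group, direct in members.items():
        for member in direct:
            reverse.setdefault(member, []).append(group)
    return _walk(object_dn, reverse)


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value. A CN containing '(' or ')'
    would otherwise break the filter; backslash must be escaped first."""
    for raw, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"),
                     (")", "\\29"), ("\0", "\\00")):
        value = value.replace(raw, esc)
    return value


def members_filter(group_dn):
    """Filter for 'who is transitively in this group'."""
    return f"(memberOf:1.2.840.113556.1.4.1941:={escape_filter_value(group_dn)})"


def groups_filter(object_dn):
    """Filter for 'which groups is this object transitively in'."""
    return f"(member:1.2.840.113556.1.4.1941:={escape_filter_value(object_dn)})"


def ldapsearch_argv(uri, bind_dn, base_dn, ldap_filter):
    """argv for the equivalent ldapsearch call; -W prompts for the password
    instead of putting it on the command line (and in shell history)."""
    return ["ldapsearch", "-H", uri, "-D", bind_dn, "-W",
            "-b", base_dn, ldap_filter, "dn"]


if __name__ == "__main__":
    group = dn("Domain Admins")
    print("Filter:", members_filter(group))
    for member in transitive_members(group):
        print("dn:", member)
    user = dn("Rowland Penny")
    print("Groups of", user, "->", transitive_groups(user))
    print(" ".join(ldapsearch_argv("ldaps://dc01.samdom.example.com",
                                   "SAMDOM\\Administrator", BASE,
                                   groups_filter(user))))
```

LDAP attribute names are case-insensitive, so `memberof` and `memberOf` are interchangeable in the filter; what matters is that the rule walks the `member` links on the server and returns an already flattened result, which is why the nested-groups documentation points at it. To check a real Samba AD/DC, run the printed ldapsearch line and compare its `dn:` output with what `transitive_members` returns for the same group.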