[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift

vincent at cojot.name
Fri Aug 21 20:31:47 UTC 2020


Hi Rowland,

Sorry about that, the site appears down (for me).
Here's another link (although on OCP3.11)

https://developers.redhat.com/blog/2019/08/02/how-to-configure-ldap-user-authentication-and-rbac-in-red-hat-openshift-3-11/

Vincent

On Fri, 21 Aug 2020, Rowland penny via samba wrote:

> On 21/08/2020 19:28, Vincent S. Cojot via samba wrote:
>> 
>> Hi everyone,
>> 
>> I have a working Samba AD/DC (4.12.6 on RHEL7.8) setup I'm trying to use 
>> with OpenShift (a container platform to which RedHat contributes - aka 
>> OCP). I'm also not too skilled on LDAP even though I've been running the 
>> above for over two years now.
>> 
>> There are typically two steps involved in connecting AD to OCP:
>> 1) declare an OAuth configuration in OCP (requires a bind user in AD and 
>> the AD Cert) with Active Directory. (Working config attached)
>> 
>> 2) declare a group synchronization sync config.
>> (non working config attached)
>> 
>> Part #1 worked fine and I can now login to the OCP platform using my AD 
>> credentials.
>> 
>> ...But I'm struggling to make part #2 work fully. In short, with:
>> 
>> groupMembershipAttributes: [ "memberof" ]
>> .. some groups (non-nested) get synced but others do not.
>> 
>> OCP doesn't support nested groups and it is documented ([1]) that when 
>> using AD and nested groups, one should use this instead:
>> groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
>> 
>> Obviously, OID 1.2.840.113556.1.4.1941 doesn't exist in a Samba AD 
>> environment.
> I am fairly sure it does; I think it went into Samba 4.4.0. I think you may 
> be using the wrong attribute; have you tried it with the 'member' attribute 
> instead of 'memberof'?
>> 
>> Does anyone have any idea? Is there an equivalent in Samba to that AD OID 
>> so that nested AD Groups can be expanded/flattened?
>> 
>> Any ideas welcomed. :)
>> 
>> [1]: https://examples.openshift.pub/authentication/activedirectory-ldap
>> 
> That link doesn't seem to work ;-)
>
> Rowland
>

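Added example (not code from this thread, and not Samba's or OpenShift's own code): the matching rule named in the sync config, OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), asks the DC to compute the transitive closure of group membership so the client never has to walk nested groups itself. The script below emulates that rule over a small constructed in-memory directory so you can see what `memberOf:<OID>:=<groupDN>` (all transitive members of a group) and `member:<OID>:=<userDN>` (all groups a user is transitively in) each return, how a circular nesting is terminated, and how the DN has to be escaped when it is placed in a filter. The directory contents, the DNs and the `DC=example,DC=com` suffix are made up for illustration; DN comparison is exact-string here, whereas a real DC matches DNs case-insensitively.

```python
"""Emulate the LDAP_MATCHING_RULE_IN_CHAIN extensible match
(OID 1.2.840.113556.1.4.1941) over a small in-memory directory.

Added example; the directory below is constructed for illustration and is
not taken from the thread.  It shows what the DC computes when a sync config
asks for "memberof:1.2.840.113556.1.4.1941:": the transitive closure of
group membership, flattened so the client needs no nested-group support.
"""
from collections import deque

IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

# Constructed sample directory: DN -> attributes.  memberOf is not stored;
# it is a back-link computed from "member", as on a real AD/Samba DC.
DIRECTORY = {
    "CN=ocp-admins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=ocp-ops,OU=Groups,DC=example,DC=com",
                   "CN=alice,OU=Users,DC=example,DC=com"],
    },
    "CN=ocp-ops,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        # ocp-ops also lists ocp-admins: a membership cycle, which the
        # walker below must terminate on instead of recursing forever.
        "member": ["CN=bob,OU=Users,DC=example,DC=com",
                   "CN=ocp-admins,OU=Groups,DC=example,DC=com"],
    },
    "CN=alice,OU=Users,DC=example,DC=com": {"objectClass": ["user"]},
    "CN=bob,OU=Users,DC=example,DC=com": {"objectClass": ["user"]},
    "CN=carol,OU=Users,DC=example,DC=com": {"objectClass": ["user"]},
}


def get_attr(directory, dn, attr):
    """Case-insensitive attribute lookup; memberOf is derived from member."""
    if attr.lower() == "memberof":
        return [g for g, e in directory.items()
                if dn in get_attr(directory, g, "member")]
    entry = directory[dn]
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def in_chain(directory, attr, value):
    """Entries matching (attr:1.2.840.113556.1.4.1941:=value).

    Breadth-first walk: first the entries whose `attr` holds `value`
    directly, then the entries whose `attr` holds any of those, and so on.
    The `seen` set is what stops the walk on circular group nesting.
    """
    seen, queue = set(), deque([value])
    while queue:
        target = queue.popleft()
        for dn in directory:
            if target in get_attr(directory, dn, attr) and dn not in seen:
                seen.add(dn)
                queue.append(dn)
    return seen


def nested_users_of_group(directory, group_dn):
    """User objects that are members of group_dn at any nesting depth:
    (memberOf:<OID>:=group_dn) plus an objectClass restriction, i.e. the
    flattened membership a group-sync job wants."""
    return {dn for dn in in_chain(directory, "memberOf", group_dn)
            if "user" in get_attr(directory, dn, "objectClass")}


def nested_groups_of_user(directory, user_dn):
    """Groups user_dn belongs to at any depth: (member:<OID>:=user_dn)."""
    return in_chain(directory, "member", user_dn)


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value.  A DN such as
    CN=Smith\\, John carries a backslash that must become \\5c, and
    parentheses or asterisks in a CN would otherwise break the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def in_chain_filter(attr, dn):
    """Build the extensible-match filter string to send to the DC."""
    return "(%s:%s:=%s)" % (attr, IN_CHAIN_OID, escape_filter_value(dn))


if __name__ == "__main__":
    admins = "CN=ocp-admins,OU=Groups,DC=example,DC=com"
    print(in_chain_filter("memberOf", admins))
    for dn in sorted(nested_users_of_group(DIRECTORY, admins)):
        print("  ", dn)
```

The attribute name in front of the OID picks the direction of the walk: `memberOf:<OID>:=G` is evaluated against user entries and yields everyone in G at any depth (alice directly, bob via ocp-ops), while `member:<OID>:=U` is evaluated against group entries and yields every group U is in. With the ocp-admins/ocp-ops cycle in the sample data, the `seen` set is the only thing standing between the walker and an infinite loop, which is the failure mode a hand-rolled flattening script on the client side tends to hit.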