[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift

Andrew Bartlett abartlet at samba.org
Fri Aug 21 20:38:37 UTC 2020


What I would do is try the query Rowland uses, and the example from the
OCP documentation and then, with the Samba debug level raised, examine
what Samba gets in the filter.

If that isn't clear enough, get a network trace using wireshark and
decrypt it with the SSL key and keytab.

But my money is on a typo or small syntax thing that can be worked
around, at a first guess.

Andrew Bartlett

On Fri, 2020-08-21 at 16:31 -0400, Vincent S. Cojot via samba wrote:
> Hi Rowland,
> 
> Sorry about that, the site appears down (for me).
> Here's another link (although on OCP3.11)
> 
> https://developers.redhat.com/blog/2019/08/02/how-to-configure-ldap-user-authentication-and-rbac-in-red-hat-openshift-3-11/
> 
> Vincent
> 
> On Fri, 21 Aug 2020, Rowland penny via samba wrote:
> 
> > On 21/08/2020 19:28, Vincent S. Cojot via samba wrote:
> > > Hi everyone,
> > > 
> > > I have a working Samba AD/DC (4.12.6 on RHEL7.8) setup I'm trying to use
> > > with OpenShift (a container platform to which RedHat contributes - aka
> > > OCP). I'm also not too skilled on LDAP even though I've been running the
> > > above for over two years now.
> > > 
> > > There are typically two steps involved in connecting AD to OCP:
> > > 1) declare an OAuth configuration in OCP (requires a bind user in AD and 
> > > the AD Cert) with Active Directory. (Working config attached)
> > > 
> > > 2) declare a group synchronization sync config.
> > > (non working config attached)
> > > 
> > > Part #1 worked fine and I can now login to the OCP platform using my AD 
> > > credentials.
> > > 
> > > ...But I'm struggling to make part #2 work fully. In short, with:
> > > 
> > > groupMembershipAttributes: [ "memberof" ]
> > > .. some groups (non-nested) get synced but others do not.
> > > 
> > > OCP doesn't support nested groups and it is documented ([1]) that when 
> > > using AD and nested groups, one should use this instead:
> > > groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
> > > 
> > > Obviously, OID 1.2.840.113556.1.4.1941 doesn't exist in a Samba AD 
> > > environment.
> > I am fairly sure it does; I think it went into Samba 4.4.0. I think you may
> > be using the wrong attribute: have you tried it with the 'member' attribute
> > instead of 'memberof'?
> > > Does anyone have any idea? Is there an equivalent in Samba to that AD OID 
> > > so that nested AD Groups can be expanded/flattened?
> > > 
> > > Any ideas welcomed. :)
> > > 
> > > [1]: https://examples.openshift.pub/authentication/activedirectory-ldap
> > > 
> > That link doesn't seem to work ;-)
> > 
> > Rowland
> > 
> > 
> > 
> > 
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
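The thread turns on what the `1.2.840.113556.1.4.1941` matching rule (LDAP_MATCHING_RULE_IN_CHAIN) actually computes and on which attribute it should be applied to, which is Rowland's 'member' versus 'memberof' point. The following is an added example, not code from the thread or from Samba or OpenShift: it models a few constructed AD-style entries in memory (the DNs under `DC=example,DC=test` are invented), builds the two filter shapes with proper RFC 4515 escaping, and computes the transitive membership each one returns. No live DC is needed to run it.

```python
"""Nested-group flattening as LDAP_MATCHING_RULE_IN_CHAIN computes it.

Added example, not part of the original thread. The directory below is
constructed; only the 'member' attribute is stored, and memberOf is
derived from it as a back-link, which is how AD and Samba AD treat it.

  (member:1.2.840.113556.1.4.1941:=<user DN>)    -> groups a user is in,
                                                    nested groups expanded
  (memberOf:1.2.840.113556.1.4.1941:=<group DN>) -> users in a group,
                                                    nested groups expanded
"""
from collections import deque

OID_IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

# Constructed directory: DN -> attributes (hypothetical DNs, not real data).
DIRECTORY = {
    "CN=ocp-admins,OU=Groups,DC=example,DC=test": {
        "objectClass": ["group"],
        "member": ["CN=platform-team,OU=Groups,DC=example,DC=test"],
    },
    "CN=platform-team,OU=Groups,DC=example,DC=test": {
        "objectClass": ["group"],
        "member": ["CN=alice,OU=Users,DC=example,DC=test",
                   "CN=sre,OU=Groups,DC=example,DC=test"],
    },
    "CN=sre,OU=Groups,DC=example,DC=test": {
        "objectClass": ["group"],
        "member": ["CN=bob,OU=Users,DC=example,DC=test"],
    },
    "CN=alice,OU=Users,DC=example,DC=test": {"objectClass": ["user"], "member": []},
    "CN=bob,OU=Users,DC=example,DC=test": {"objectClass": ["user"], "member": []},
    "CN=carol,OU=Users,DC=example,DC=test": {"objectClass": ["user"], "member": []},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN containing '(', ')', '*' or '\\' cannot
    change the meaning of the filter it is embedded in."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def in_chain_filter(attribute: str, dn: str) -> str:
    """Build the extensible-match filter string for the given attribute."""
    return f"({attribute}:{OID_IN_CHAIN}:={escape_filter_value(dn)})"


def direct_member_of(dn: str) -> set:
    """Back-link: every group whose 'member' lists dn directly."""
    return {g for g, attrs in DIRECTORY.items() if dn in attrs.get("member", [])}


def groups_in_chain(user_dn: str) -> set:
    """What (member:OID:=user_dn) returns: transitive closure over memberOf.
    The 'seen' set also protects against group membership cycles."""
    seen, queue = set(), deque([user_dn])
    while queue:
        cur = queue.popleft()
        for g in direct_member_of(cur):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen


def users_in_chain(group_dn: str) -> set:
    """What (memberOf:OID:=group_dn) returns: transitive closure over member,
    keeping only the non-group leaves (the user objects)."""
    seen_groups, users, queue = set(), set(), deque([group_dn])
    while queue:
        cur = queue.popleft()
        for m in DIRECTORY.get(cur, {}).get("member", []):
            if "group" in DIRECTORY.get(m, {}).get("objectClass", []):
                if m not in seen_groups:
                    seen_groups.add(m)
                    queue.append(m)
            else:
                users.add(m)
    return users


if __name__ == "__main__":
    bob = "CN=bob,OU=Users,DC=example,DC=test"
    admins = "CN=ocp-admins,OU=Groups,DC=example,DC=test"
    print(in_chain_filter("member", bob))
    print(sorted(groups_in_chain(bob)))
    print(in_chain_filter("memberOf", admins))
    print(sorted(users_in_chain(admins)))
```

The filter strings the block prints are the same ones you would hand to `ldapsearch` or `ldbsearch` against the DC (with your own base DN and bind credentials) when following Andrew's suggestion to compare what the OCP sync sends with what Samba receives at a raised debug level. Note the direction: the OCP `groupMembershipAttributes` value `memberof:1.2.840.113556.1.4.1941:` is the attribute-plus-matching-rule that the sync applies to user entries, so it must be read from the user side; a query that starts from the user DN instead matches on `member`, which is Rowland's point.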