[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift

vincent at cojot.name vincent at cojot.name
Fri Aug 21 22:07:42 UTC 2020

Hi Rowland,

Here's an updated config of the yaml file. With that config (it is only 
using 'memberOf', I only get a few groups and not all of them):

$ oc adm groups sync --sync-config=krynn-ad-sync-config.yaml --confirm
group/Denied RODC Password Replication Group
group/Domain Admins
group/Enterprise Admins
group/Group Policy Creator Owners
group/Schema Admins

I have about 27 groups (all default groups) on this setup. The missing 
groups appear to be 'nested groups', which OCP doesn't handle and this is 
why I started experimenting with memberOf:1.2.840.113556.1.4.1941 (it was 
described in the documentation as a way to un-flatten nested groups for 


>>>         pageSize: 0
>>>     userNameAttributes: [ "sAMAccountName" ]
>> As far as I can see (and I could be missing something obvious), whilst it 
>> defines the search base, etc, it doesn't define what DN to search for. 
>> Should [ "memberof:1.2.840.113556.1.4.1941:" ]  be something like:
>> [ "memberof:1.2.840.113556.1.4.1941:=cn=Domain 
>> Users,CN=Users,dc=samdom,dc=example,dc=com" ]
>> Rowland 
> looking at 'krynn-ad-sync-config.yaml' , you have 'groupUIDAttribute' set to 
> 'primaryGroupID' and that is set to '513' for every AD user (unless you have 
> changed it), so could the UID actually refer to something that identifies the 
> group ? 'dn' for instance ?
> Rowland
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
-------------- next part --------------
# oc adm groups sync  --sync-config=krynn-ad-sync-config.yaml --confirm --whitelist=krynn_group_list.txt
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://dc00.ad.lasthome.solace.krynn:389
insecure: false
ca: "KrynnAD.pem"
bindDN: "CN=openshift,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn"
bindPassword: "OBFUSCATED"
        baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
        scope: sub
        derefAliases: never
        pageSize: 0
    groupUIDAttribute: dn
    groupNameAttributes: [ cn ]
    groupMembershipAttributes: [ "memberOf" ]
    #groupMembershipAttributes: [ "memberOf:1.2.840.113556.1.4.1941:=cn=Domain Users,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn" ]
        baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
        scope: sub
        derefAliases: always
        filter: (objectclass=person)
        pageSize: 0
    userNameAttributes: [ "sAMAccountName" ]

More information about the samba mailing list