vincent at cojot.name
2020-Aug-21 18:28 UTC
[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
Hi everyone,

I have a working Samba AD/DC (4.12.6 on RHEL7.8) setup I'm trying to use with OpenShift (a container platform to which RedHat contributes - aka OCP). I'm also not too skilled on LDAP even though I've been running the above for over two years now..

There are typically two steps involved in connecting AD to OCP:
1) declare an OAuth configuration in OCP (requires a bind user in AD and the AD Cert) with Active Directory. (Working config attached)
2) declare a group synchronization sync config. (Non-working config attached)

Part #1 worked fine and I can now log in to the OCP platform using my AD credentials.

...But I'm struggling to make part #2 work fully. In short, with:

groupMembershipAttributes: [ "memberof" ]

.. some groups (non-nested) get synced but others do not.

OCP doesn't support nested groups and it is documented ([1]) that when using AD and nested groups, one should use this instead:

groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]

Obviously, OID 1.2.840.113556.1.4.1941 doesn't exist in a Samba AD environment.

Does anyone have any idea? Is there an equivalent in Samba to that AD OID so that nested AD Groups can be expanded/flattened?

Any ideas welcomed. :)

[1]: https://examples.openshift.pub/authentication/activedirectory-ldap

Thanks for reading,

Vincent

-------------- next part --------------
# oc adm groups sync --sync-config=krynn-ad-sync-config.yaml --confirm --whitelist=krynn_group_list.txt
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://dc00.ad.lasthome.solace.krynn:389
insecure: false
ca: "KrynnAD.pem"
bindDN: "CN=openshift,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn"
bindPassword: "OBFUSCATED"
groupUIDNameMapping:
  "CN=Administrators,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn": openshift_admins
  "CN=Domain Users,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn": openshift_users
augmentedActiveDirectory:
  groupsQuery:
    baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
    scope: sub
    derefAliases: never
    pageSize: 0
    filter: (objectclass=group)
  groupUIDAttribute: primaryGroupID
  groupNameAttributes: [ cn ]
  groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
  #groupMembershipAttributes: [ "memberof" ]
  usersQuery:
    baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
    scope: sub
    derefAliases: never
    filter: (objectclass=person)
    pageSize: 0
  userNameAttributes: [ "sAMAccountName" ]
#tolerateMemberNotFoundErrors: true
#tolerateMemberOutOfScopeErrors: false

-------------- next part --------------
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: KRYNN_AD
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id: ["sAMAccountName"]
        email: ["mail"]
        name: ["displayName"]
        preferredUsername: ["sAMAccountName"]
      bindDN: "CN=openshift,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn"
      bindPassword:
        name: krynn-ad-secret
      ca:
        name: krynn-ad-ca-config-map
      insecure: false
      url: "ldap://dc00.ad.lasthome.solace.krynn:389/cn=users,dc=ad,dc=lasthome,dc=solace,dc=krynn?sAMAccountName?sub?(objectClass=user)"
Rowland penny
2020-Aug-21 19:08 UTC
[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
On 21/08/2020 19:28, Vincent S. Cojot via samba wrote:
> Hi everyone,
>
> I have a working Samba AD/DC (4.12.6 on RHEL7.8) setup I'm trying to use with OpenShift (a container platform to which RedHat contributes - aka OCP). I'm also not too skilled on LDAP even though I've been running the above for over two years now..
>
> There are typically two steps involved in connecting AD to OCP:
> 1) declare an OAuth configuration in OCP (requires a bind user in AD and the AD Cert) with Active Directory. (Working config attached)
> 2) declare a group synchronization sync config. (Non-working config attached)
>
> Part #1 worked fine and I can now log in to the OCP platform using my AD credentials.
>
> ...But I'm struggling to make part #2 work fully. In short, with:
>
> groupMembershipAttributes: [ "memberof" ]
>
> .. some groups (non-nested) get synced but others do not.
>
> OCP doesn't support nested groups and it is documented ([1]) that when using AD and nested groups, one should use this instead:
>
> groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
>
> Obviously, OID 1.2.840.113556.1.4.1941 doesn't exist in a Samba AD environment.

I am fairly sure it does, I think it went into Samba 4.4.0. I think you may be using the wrong attribute, have you tried it with the 'member' attribute instead of 'memberof' ?

> Does anyone have any idea? Is there an equivalent in Samba to that AD OID so that nested AD Groups can be expanded/flattened?
>
> Any ideas welcomed. :)
>
> [1]: https://examples.openshift.pub/authentication/activedirectory-ldap

That link doesn't seem to work ;-)

Rowland
Rowland penny
2020-Aug-21 19:29 UTC
[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
On 21/08/2020 20:08, Rowland penny via samba wrote:
> On 21/08/2020 19:28, Vincent S. Cojot via samba wrote:
>> Hi everyone,
>>
>> I have a working Samba AD/DC (4.12.6 on RHEL7.8) setup I'm trying to use with OpenShift (a container platform to which RedHat contributes - aka OCP). I'm also not too skilled on LDAP even though I've been running the above for over two years now..
>>
>> There are typically two steps involved in connecting AD to OCP:
>> 1) declare an OAuth configuration in OCP (requires a bind user in AD and the AD Cert) with Active Directory. (Working config attached)
>> 2) declare a group synchronization sync config. (Non-working config attached)
>>
>> Part #1 worked fine and I can now log in to the OCP platform using my AD credentials.
>>
>> ...But I'm struggling to make part #2 work fully. In short, with:
>>
>> groupMembershipAttributes: [ "memberof" ]
>>
>> .. some groups (non-nested) get synced but others do not.
>>
>> OCP doesn't support nested groups and it is documented ([1]) that when using AD and nested groups, one should use this instead:
>>
>> groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
>>
>> Obviously, OID 1.2.840.113556.1.4.1941 doesn't exist in a Samba AD environment.
>
> I am fairly sure it does, I think it went into Samba 4.4.0. I think you may be using the wrong attribute, have you tried it with the 'member' attribute instead of 'memberof' ?
>
>> Does anyone have any idea? Is there an equivalent in Samba to that AD OID so that nested AD Groups can be expanded/flattened?
>>
>> Any ideas welcomed. :)
>>
>> [1]: https://examples.openshift.pub/authentication/activedirectory-ldap
>
> That link doesn't seem to work ;-)
>
> Rowland

This works for me:

rowland at devstation:~$ sudo ldapsearch -H ldaps://dc01.samdom.example.com -D 'SAMDOM\Administrator' -w 'xxxxxxxxxx' -b 'dc=samdom,dc=example,dc=com' 'memberof:1.2.840.113556.1.4.1941:=cn=Domain Admins,CN=Users,dc=samdom,dc=example,dc=com' | grep 'dn:'
[sudo] password for rowland:
dn: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
dn: CN=swanadmin,CN=Users,DC=samdom,DC=example,DC=com
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
dn: CN=dhcpduser,CN=Users,DC=samdom,DC=example,DC=com
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com

Rowland
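To make concrete what the `memberof:1.2.840.113556.1.4.1941:` filter in Rowland's ldapsearch asks the server to do, and why a plain `memberof` sync misses nested members, here is an added example that is not code from this thread, from Samba or from OpenShift. It models the LDAP_MATCHING_RULE_IN_CHAIN evaluation over a small constructed in-memory directory (DN -> direct memberOf values; the nesting of Unix Admins inside Domain Admins is made up for illustration, the DNs reuse the shape of those in the thread) so it runs offline with no directory server, and it builds the filter string with RFC 4515 escaping of the group DN. The `build_filter`, `direct_members`, `transitive_members` and `nested_only` helper names are this example's own.

```python
"""Added example: what LDAP_MATCHING_RULE_IN_CHAIN computes, modelled offline."""
from collections import deque

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # the OID discussed in the thread

# Constructed sample directory (not real data): each DN maps to the DNs it is a
# *direct* member of, i.e. its memberOf values. Unix Admins is itself a member of
# Domain Admins, so Rowland Penny and dhcpduser are members of Domain Admins only
# through nesting.
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com"
UNIX_ADMINS = "CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com"
SAMPLE_DIRECTORY = {
    DOMAIN_ADMINS: [],
    UNIX_ADMINS: [DOMAIN_ADMINS],
    "CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com": [DOMAIN_ADMINS],
    "CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com": [UNIX_ADMINS],
    "CN=dhcpduser,CN=Users,DC=samdom,DC=example,DC=com": [UNIX_ADMINS],
    "CN=Guest,CN=Users,DC=samdom,DC=example,DC=com": [],
}

# RFC 4515 escapes for an assertion value, so a DN containing '(' ')' '*' or '\'
# cannot change the structure of the filter it is embedded in.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a filter assertion value per RFC 4515."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attribute: str, group_dn: str, transitive: bool) -> str:
    """Build '(memberof=<dn>)' or the chained form '(memberof:<OID>:=<dn>)'."""
    rule = f":{LDAP_MATCHING_RULE_IN_CHAIN}:" if transitive else ""
    return f"({attribute}{rule}={escape_filter_value(group_dn)})"


def direct_members(directory: dict, group_dn: str) -> set:
    """What (memberof=<group>) matches: entries that list the group directly."""
    return {dn for dn, groups in directory.items() if group_dn in groups}


def transitive_members(directory: dict, group_dn: str) -> set:
    """What (memberof:1.2.840.113556.1.4.1941:=<group>) matches: every entry whose
    memberOf chain leads back to the group. Intermediate groups are returned too,
    which is why 'CN=Unix Admins' appears in the ldapsearch output above. The
    'found' set doubles as a visited set, so group cycles cannot loop forever."""
    found, queue = set(), deque([group_dn])
    while queue:
        current = queue.popleft()
        for dn in direct_members(directory, current):
            if dn not in found:
                found.add(dn)
                queue.append(dn)
    return found


def nested_only(directory: dict, group_dn: str) -> set:
    """Entries a flat memberOf-based group sync would silently leave out."""
    return transitive_members(directory, group_dn) - direct_members(directory, group_dn)


if __name__ == "__main__":
    print(build_filter("memberof", DOMAIN_ADMINS, transitive=True))
    for dn in sorted(transitive_members(SAMPLE_DIRECTORY, DOMAIN_ADMINS)):
        print("dn:", dn)
    print("missed by flat memberof:", sorted(nested_only(SAMPLE_DIRECTORY, DOMAIN_ADMINS)))
```

The `nested_only` difference is the set to look at when a group sync appears to work for some groups but not others: those entries are exactly the ones whose membership only exists through an intermediate group. Note also that the chained match returns the intermediate group objects themselves, so anything consuming the result as "users" should filter on object class, as the OCP `usersQuery` filter `(objectclass=person)` in the first message does.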
vincent at cojot.name
2020-Aug-21 20:31 UTC
[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
Hi Rowland,

Sorry about that, the site appears down (for me). Here's another link (although on OCP3.11):

https://developers.redhat.com/blog/2019/08/02/how-to-configure-ldap-user-authentication-and-rbac-in-red-hat-openshift-3-11/

Vincent

On Fri, 21 Aug 2020, Rowland penny via samba wrote:
> On 21/08/2020 19:28, Vincent S. Cojot via samba wrote:
>> Hi everyone,
>>
>> I have a working Samba AD/DC (4.12.6 on RHEL7.8) setup I'm trying to use with OpenShift (a container platform to which RedHat contributes - aka OCP). I'm also not too skilled on LDAP even though I've been running the above for over two years now..
>>
>> There are typically two steps involved in connecting AD to OCP:
>> 1) declare an OAuth configuration in OCP (requires a bind user in AD and the AD Cert) with Active Directory. (Working config attached)
>> 2) declare a group synchronization sync config. (Non-working config attached)
>>
>> Part #1 worked fine and I can now log in to the OCP platform using my AD credentials.
>>
>> ...But I'm struggling to make part #2 work fully. In short, with:
>>
>> groupMembershipAttributes: [ "memberof" ]
>>
>> .. some groups (non-nested) get synced but others do not.
>>
>> OCP doesn't support nested groups and it is documented ([1]) that when using AD and nested groups, one should use this instead:
>>
>> groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
>>
>> Obviously, OID 1.2.840.113556.1.4.1941 doesn't exist in a Samba AD environment.
>
> I am fairly sure it does, I think it went into Samba 4.4.0. I think you may be using the wrong attribute, have you tried it with the 'member' attribute instead of 'memberof' ?
>
>> Does anyone have any idea? Is there an equivalent in Samba to that AD OID so that nested AD Groups can be expanded/flattened?
>>
>> Any ideas welcomed. :)
>>
>> [1]: https://examples.openshift.pub/authentication/activedirectory-ldap
>
> That link doesn't seem to work ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba