Rowland penny
2020-Aug-21 19:29 UTC
[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
On 21/08/2020 20:08, Rowland penny via samba wrote:
> On 21/08/2020 19:28, Vincent S. Cojot via samba wrote:
>>
>> Hi everyone,
>>
>> I have a working Samba AD/DC (4.12.6 on RHEL7.8) setup I'm trying to
>> use with OpenShift (a container platform to which RedHat contributes
>> - aka OCP). I'm also not too skilled on LDAP even though I've been
>> running the above for over two years now..
>>
>> There are typically two steps involved in connecting AD to OCP:
>> 1) declare an OAuth configuration in OCP (requires a bind user in AD
>> and the AD Cert) with Active Directory. (Working config attached)
>>
>> 2) declare a group synchronization sync config.
>> (non working config attached)
>>
>> Part #1 worked fine and I can now login to the OCP platform using my
>> AD credentials.
>>
>> ...But I'm struggling to make part #2 work fully. In short, with:
>>
>> groupMembershipAttributes: [ "memberof" ]
>> .. some groups (non-nested) get synced but others do not.
>>
>> OCP doesn't support nested groups and it is documented ([1]) that
>> when using AD and nested groups, one should use this instead:
>> groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
>>
>> Obviously, OID 1.2.840.113556.1.4.1941 doesn't exist in a Samba AD
>> environment.
> I am fairly sure it does, I think it went into Samba 4.4.0, I think
> you may be using the wrong attribute, have you tried it with the
> 'member' attribute instead of 'memberof' ?
>>
>> Does anyone have any idea? Is there an equivalent in Samba to that AD
>> OID so that nested AD Groups can be expanded/flattened?
>>
>> Any ideas welcomed. :)
>>
>> [1]: https://examples.openshift.pub/authentication/activedirectory-ldap
>>
> That link doesn't seem to work ;-)
>
> Rowland
>
>

This works for me:

rowland at devstation:~$ sudo ldapsearch -H ldaps://dc01.samdom.example.com -D 'SAMDOM\Administrator' -w 'xxxxxxxxxx' -b 'dc=samdom,dc=example,dc=com' 'memberof:1.2.840.113556.1.4.1941:=cn=Domain Admins,CN=Users,dc=samdom,dc=example,dc=com' | grep 'dn:'
[sudo] password for rowland:
dn: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
dn: CN=swanadmin,CN=Users,DC=samdom,DC=example,DC=com
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
dn: CN=dhcpduser,CN=Users,DC=samdom,DC=example,DC=com
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com

Rowland
vincent at cojot.name
2020-Aug-21 20:40 UTC
[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
On Fri, 21 Aug 2020, Rowland penny via samba wrote:
> This works for me:
>
> rowland at devstation:~$ sudo ldapsearch -H ldaps://dc01.samdom.example.com -D
> 'SAMDOM\Administrator' -w 'xxxxxxxxxx' -b 'dc=samdom,dc=example,dc=com'
> 'memberof:1.2.840.113556.1.4.1941:=cn=Domain
> Admins,CN=Users,dc=samdom,dc=example,dc=com' | grep 'dn:'
> [sudo] password for rowland:
> dn: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
> dn: CN=swanadmin,CN=Users,DC=samdom,DC=example,DC=com
> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> dn: CN=dhcpduser,CN=Users,DC=samdom,DC=example,DC=com
> dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
>
> Rowland

You're right, this works here too:

ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D "raistlin at ad.lasthome.solace.krynn" -b "dc=ad,dc=lasthome,dc=solace,dc=krynn" 'memberof:1.2.840.113556.1.4.1941:=cn=Domain Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'|grep 'dn:'
Enter LDAP Password:
dn: CN=raistlin,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn
dn: CN=Administrator,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn

So that must not be the problem, then.. Do you see anything else that stands out in the lines below?

augmentedActiveDirectory:
    groupsQuery:
        baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
        scope: sub
        derefAliases: never
        pageSize: 0
        filter: (objectclass=group)
    groupUIDAttribute: primaryGroupID
    groupNameAttributes: [ cn ]
    groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
    usersQuery:
        baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
        scope: sub
        derefAliases: never
        filter: (objectclass=person)
        pageSize: 0
    userNameAttributes: [ "sAMAccountName" ]

Thanks Guys,
Vincent
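The two ldapsearch commands above both rely on the LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941), which walks memberOf transitively instead of matching one level. The following is an added example, not code from this thread nor from Samba or OpenShift: it builds that filter string with RFC 4515 escaping and reproduces the transitive result offline over a constructed directory, so the expected output of a real query can be predicted and compared. The base DN, the entries and the helper names are made up for the example.

```python
# Added example (not from the thread, nor Samba/OpenShift code): an offline model
# of the LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941).
# It builds the filter with RFC 4515 escaping and reproduces the transitive
# (nested) membership the rule returns, over a constructed directory.
from collections import deque

MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515: these characters must be hex-escaped inside a filter assertion value,
# otherwise a DN containing them (e.g. "CN=Ops (EU)") yields a malformed or
# different filter than intended.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a DN (or any value) for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def in_chain_filter(attribute: str, group_dn: str) -> str:
    """Filter matching every entry whose `attribute` chain reaches `group_dn`.

    For attribute="memberOf" this is the filter both posters ran (they passed it
    without the outer parentheses, which ldapsearch also accepts).
    """
    return f"({attribute}:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"


# Constructed sample directory: entry DN -> DNs listed in its memberOf attribute.
BASE = "DC=ad,DC=example,DC=invalid"  # placeholder base DN, not a real domain
SAMPLE_DIRECTORY = {
    f"CN=Domain Admins,CN=Users,{BASE}": [],
    f"CN=Platform Admins,CN=Users,{BASE}": [f"CN=Domain Admins,CN=Users,{BASE}"],
    f"CN=OCP Admins,CN=Users,{BASE}": [f"CN=Platform Admins,CN=Users,{BASE}"],
    f"CN=Administrator,CN=Users,{BASE}": [f"CN=Domain Admins,CN=Users,{BASE}"],
    f"CN=raistlin,CN=Users,{BASE}": [f"CN=OCP Admins,CN=Users,{BASE}"],
    f"CN=Domain Guests,CN=Users,{BASE}": [],
    f"CN=guest,CN=Users,{BASE}": [f"CN=Domain Guests,CN=Users,{BASE}"],
}


def _dn_key(dn: str) -> str:
    # DNs compare case-insensitively in AD: the lowercase 'cn=Domain Admins,
    # ...,dc=samdom' in the query matched entries stored as 'CN=...,DC=samdom'.
    # Whitespace and encoding normalisation are omitted here for brevity.
    return dn.lower()


def transitive_members(directory: dict, group_dn: str) -> list:
    """Entries whose memberOf chain reaches group_dn, i.e. what the matching
    rule returns: direct members, members of nested groups, and so on.
    Breadth-first with a visited set, so cyclic group nesting terminates."""
    canonical = {_dn_key(dn): dn for dn in directory}
    direct_members = {}
    for dn, parents in directory.items():
        for parent in parents:
            direct_members.setdefault(_dn_key(parent), []).append(_dn_key(dn))
    seen = set()
    queue = deque(direct_members.get(_dn_key(group_dn), []))
    while queue:
        key = queue.popleft()
        if key in seen:
            continue
        seen.add(key)
        queue.extend(direct_members.get(key, []))
    return sorted(canonical.get(key, key) for key in seen)


def direct_members_only(directory: dict, group_dn: str) -> list:
    """Plain (memberOf=group_dn) equality match: one level only, which is why
    nested groups are missed with groupMembershipAttributes: [ "memberof" ]."""
    target = _dn_key(group_dn)
    return sorted(dn for dn, parents in directory.items()
                  if any(_dn_key(p) == target for p in parents))


if __name__ == "__main__":
    group = f"CN=Domain Admins,CN=Users,{BASE}"
    print(in_chain_filter("memberOf", group))
    print("direct    :", direct_members_only(SAMPLE_DIRECTORY, group))
    print("transitive:", transitive_members(SAMPLE_DIRECTORY, group))
```

Running it shows the difference the thread is chasing: the one-level match returns only Administrator and Platform Admins, while the chain match also returns OCP Admins and raistlin, who reach Domain Admins only through nesting. The escaping helper matters when a group DN is taken from user-controlled or imported data and spliced into a filter.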
Rowland penny
2020-Aug-21 21:08 UTC
[Samba] Using Samba AD/DC as an Active Directory OAuth provider for OpenShift
On 21/08/2020 21:40, vincent at cojot.name wrote:
> On Fri, 21 Aug 2020, Rowland penny via samba wrote:
>
>> This works for me:
>>
>> rowland at devstation:~$ sudo ldapsearch -H
>> ldaps://dc01.samdom.example.com -D 'SAMDOM\Administrator' -w
>> 'xxxxxxxxxx' -b 'dc=samdom,dc=example,dc=com'
>> 'memberof:1.2.840.113556.1.4.1941:=cn=Domain
>> Admins,CN=Users,dc=samdom,dc=example,dc=com' | grep 'dn:'
>> [sudo] password for rowland:
>> dn: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=swanadmin,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=dhcpduser,CN=Users,DC=samdom,DC=example,DC=com
>> dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
>>
>> Rowland
>
> You're right, this works here too:
> ldapsearch -H ldaps://dc00.ad.lasthome.solace.krynn:636 -x -W -D
> "raistlin at ad.lasthome.solace.krynn" -b
> "dc=ad,dc=lasthome,dc=solace,dc=krynn"
> 'memberof:1.2.840.113556.1.4.1941:=cn=Domain
> Admins,CN=Users,dc=ad,dc=lasthome,dc=solace,dc=krynn'|grep 'dn:'
> Enter LDAP Password:
> dn: CN=raistlin,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn
> dn: CN=Administrator,CN=Users,DC=ad,DC=lasthome,DC=solace,DC=krynn
>
> So that must not be the problem, then.. Do you see anything else that
> stands out in the lines below?
>
> augmentedActiveDirectory:
>     groupsQuery:
>         baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
>         scope: sub
>         derefAliases: never
>         pageSize: 0
>         filter: (objectclass=group)
>     groupUIDAttribute: primaryGroupID
>     groupNameAttributes: [ cn ]
>     groupMembershipAttributes: [ "memberof:1.2.840.113556.1.4.1941:" ]
>     usersQuery:
>         baseDN: "DC=ad,DC=lasthome,DC=solace,DC=krynn"
>         scope: sub
>         derefAliases: never
>         filter: (objectclass=person)
>         pageSize: 0
>     userNameAttributes: [ "sAMAccountName" ]

As far as I can see (and I could be missing something obvious), whilst it defines the search base, etc, it doesn't define what DN to search for.

Should [ "memberof:1.2.840.113556.1.4.1941:" ] be something like:

[ "memberof:1.2.840.113556.1.4.1941:=cn=Domain Users,CN=Users,dc=samdom,dc=example,dc=com" ]

Rowland