Configure LDAP as Identity Provider for OCP
Configuration guide for demo / lab environment purposes, not for production.
Author(s): Tamas Bures | Created: 29 May 2020 | Last modified: 29 May 2020
Tested on: Red Hat OpenShift Platform v 4.4.3 & IBM Security Directory Server 6.4.0.20
Table of contents
- Configure LDAP as Identity Provider for OCP
- IBM Security Directory Server 6.4
- Installation and basic configuration
- Created directory content
- Configure OCP to connect to LDAP server
- Configure LDAP IdP and create Config Resource
- Create LDAP synchronization configuration and sync groups from LDAP
- Grant privileges to user
- Resources
Configure LDAP as Identity Provider for OCP
In this guide, I will configure IBM Security Directory Server 6.4.0.20 as a Red Hat OpenShift Container Platform 4.4.3 (OCP) Identity Provider (IdP) for user and group synchronization and authentication.
IBM Security Directory Server 6.4
Installation and basic configuration
This topic was covered earlier on this site; see [1].
Created directory content
I have created the following directory server content (sample in LDIF format, exported with the db2ldif command shown in the first comment line):
version: 1
#/opt/ibm/ldap/V6.4/sbin/64/db2ldif -I idsldap -o /root/sample_ldap.ldif

dn: o=ibm,c=hu
objectclass: organization
objectclass: top
o: ibm

dn: cn=groups,o=ibm,c=hu
objectclass: container
objectclass: top
cn: groups

dn: cn=users,o=ibm,c=hu
objectclass: container
objectclass: top
cn: users

dn: uid=john.doe,cn=users,o=ibm,c=hu
mail: john.doe@cp4s.sechu.ibm
mobile: +36123456789
uid: john.doe
ou: Security Business Unit
objectclass: inetorgperson
objectclass: top
objectclass: organizationalperson
objectclass: person
sn: Doe
cn: John Doe
userPassword: {AES256}<...>==

dn: uid=openshift_ldap_bind,cn=users,o=ibm,c=hu
mail: openshift@cp4s.sechu.ibm
uid: openshift_ldap_bind
userPassword: {AES256}<...>==
objectclass: inetorgperson
objectclass: top
objectclass: organizationalperson
objectclass: person
sn: OpenShift
cn: OpenShift LDAP Bind User

dn: cn=techusers,cn=groups,o=ibm,c=hu
objectclass: groupofnames
objectclass: top
cn: techusers
member: uid=openshift_ldap_bind,cn=users,o=ibm,c=hu

dn: cn=ocp_admins,cn=groups,o=ibm,c=hu
objectclass: groupofnames
objectclass: top
cn: ocp_admins
member: uid=openshift_admin,cn=users,o=ibm,c=hu
member: uid=john.doe,cn=users,o=ibm,c=hu

dn: uid=openshift_admin,cn=users,o=ibm,c=hu
mail: openshift_admin@cp4s.sechu.ibm
uid: openshift_admin
userPassword: {AES256}<...>==
objectclass: inetorgperson
objectclass: top
objectclass: organizationalperson
objectclass: person
sn: OpenShift
cn: openshift_admin
Configure OCP to connect to LDAP server
Configure LDAP IdP and create Config Resource
- Load the Kubernetes config:
export KUBECONFIG=/root/os4/auth/kubeconfig
- Create a secret on the cluster using the bastion machine:
oc create secret generic ldap-secret --from-literal=bindPassword=<password> -n openshift-config
Where <password> is the bind user's password.
- Create the configuration YAML file:
vi /root/os4/ldap_config.yaml
Example content:
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ldapidp
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id:
        - uid
        email:
        - mail
        name:
        - displayName
        preferredUsername:
        - uid
      bindDN: "uid=openshift_ldap_bind,cn=users,o=ibm,c=hu"
      bindPassword:
        name: ldap-secret
      insecure: true
      url: "ldap://ldap.cp4s.sechu.ibm:389/o=ibm,c=hu?uid"
Where:
- type: LDAP
- bindDN: the LDAP user that OCP binds as in order to search for users (openshift_ldap_bind above)
- bindPassword: a reference to the ldap-secret secret you created above
- insecure: true means no TLS, so the bind password and every user's login password cross the network in cleartext; acceptable for this lab, but outside one use an ldaps:// URL and configure the server's CA
- url: RFC 2255 LDAP URL. The format: ldap(s)://<ldap hostname>:<ldap port>/<base DN>?<attribute>?<scope>?<filter>
- Create the configuration resource:
oc apply -f /root/os4/ldap_config.yaml
Create LDAP synchronization configuration and sync groups from LDAP
- Create an LDAP sync file to sync groups and users:
vi /root/os4/ldapsysnc.yaml
Example content:
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://ldap.cp4s.sechu.ibm:389
insecure: true
rfc2307:
  groupsQuery:
    baseDN: cn=groups,o=ibm,c=hu
    scope: sub
    timeout: 0
    derefAliases: always
    filter: (objectClass=*)
    pageSize: 0
  groupUIDAttribute: dn
  groupNameAttributes: [cn]
  groupMembershipAttributes: [member]
  usersQuery:
    baseDN: cn=users,o=ibm,c=hu
    scope: one
    derefAliases: always
    pageSize: 0
  userUIDAttribute: dn
  userNameAttributes: [uid]
  tolerateMemberNotFoundErrors: true
  tolerateMemberOutOfScopeErrors: true
- Synchronize:
oc adm groups sync --sync-config=ldapsysnc.yaml --confirm
Example output:
group/groups
group/techusers
group/ocp_admins
The cn=groups container itself appears as group/groups because the groupsQuery filter (objectClass=*) matches every entry under the base DN; a filter of (objectClass=groupofnames) would sync only the real groups.
- Log in with a user (for example john.doe) using the new LDAP IdP on the OCP Console.
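To see why the sync above produces exactly those three groups, here is an added example (not part of the original guide or of the oc tooling) that replays the rfc2307 groupsQuery/usersQuery logic against an in-memory copy of the directory content shown earlier. The DIRECTORY dict, the scope and filter helpers, and the simulate_rfc2307_sync function are all constructed for this illustration; only the DNs and query values come from the page.

```python
import re

# Constructed in-memory copy of the directory content shown above (dn -> attributes),
# keeping only what the sync config consults and no passwords.
DIRECTORY = {
    "cn=groups,o=ibm,c=hu": {"objectclass": ["container"], "cn": ["groups"]},
    "uid=john.doe,cn=users,o=ibm,c=hu": {"uid": ["john.doe"]},
    "uid=openshift_ldap_bind,cn=users,o=ibm,c=hu": {"uid": ["openshift_ldap_bind"]},
    "uid=openshift_admin,cn=users,o=ibm,c=hu": {"uid": ["openshift_admin"]},
    "cn=techusers,cn=groups,o=ibm,c=hu": {"objectclass": ["groupofnames"], "cn": ["techusers"],
        "member": ["uid=openshift_ldap_bind,cn=users,o=ibm,c=hu"]},
    "cn=ocp_admins,cn=groups,o=ibm,c=hu": {"objectclass": ["groupofnames"], "cn": ["ocp_admins"],
        "member": ["uid=openshift_admin,cn=users,o=ibm,c=hu", "uid=john.doe,cn=users,o=ibm,c=hu"]},
}
# Query parameters copied from the LDAPSyncConfig in this guide.
GROUPS_QUERY = {"baseDN": "cn=groups,o=ibm,c=hu", "scope": "sub", "filter": "(objectClass=*)"}
USERS_QUERY = {"baseDN": "cn=users,o=ibm,c=hu", "scope": "one"}

def in_scope(dn, base_dn, scope):
    """LDAP search scope on plain DNs (no escaped commas): 'sub' = base and all
    descendants, 'one' = direct children of the base only."""
    dn, base_dn = dn.lower(), base_dn.lower()
    if scope == "sub":
        return dn == base_dn or dn.endswith("," + base_dn)
    if scope == "one":
        return dn.endswith("," + base_dn) and "," not in dn[: -len(base_dn) - 1]
    raise ValueError("unsupported scope: " + scope)

def matches_filter(entry, ldap_filter):
    """Evaluate the filter shapes this guide needs: (attr=*) presence or (attr=value)."""
    attr, want = re.fullmatch(r"\((\w+)=([^)]+)\)", ldap_filter).groups()
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if want == "*" else want.lower() in values

def simulate_rfc2307_sync(directory, groups_query, users_query):
    """Predict what 'oc adm groups sync' creates with groupNameAttributes [cn],
    groupMembershipAttributes [member] and userNameAttributes [uid]. Returns
    ({group name: [user names]}, [member DNs outside usersQuery]); the second list
    is what tolerateMemberOutOfScopeErrors: true silently drops."""
    groups, out_of_scope = {}, []
    for dn, entry in directory.items():
        if not (in_scope(dn, groups_query["baseDN"], groups_query["scope"])
                and matches_filter(entry, groups_query["filter"])):
            continue
        members = []
        for member_dn in entry.get("member", []):
            if not in_scope(member_dn, users_query["baseDN"], users_query["scope"]):
                out_of_scope.append(member_dn)
            elif member_dn in directory:  # absent entries: tolerateMemberNotFoundErrors
                members.append(directory[member_dn]["uid"][0])
        groups[entry.get("cn", [dn])[0]] = members
    return groups, out_of_scope
```

Running simulate_rfc2307_sync(DIRECTORY, GROUPS_QUERY, USERS_QUERY) yields the groups, techusers and ocp_admins entries seen in the sync output, with the container synced as an empty group; swapping the filter for (objectClass=groupofnames) drops it.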
Grant privileges to user
- Once the new user can be seen on the OCP console, you can grant any privilege to a user or group. In my example, I'll grant cluster-admin:
kubectl create clusterrolebinding permissive-binding \
  --clusterrole=cluster-admin \
  --user=openshift_admin \
  --user=john.doe \
  --group=system:serviceaccounts
Note that --group=system:serviceaccounts binds cluster-admin to every service account in every namespace, so any pod's mounted token becomes a cluster-admin credential; outside a lab, bind the synced LDAP group instead (for example --group=ocp_admins) and leave service accounts out of the binding.