Syncing LDAP groups

    For more information on configuring LDAP, see Configuring an LDAP identity provider.

    Before you can run LDAP sync, you need a sync configuration file. This file contains the following LDAP client configuration details:

    • Configuration for connecting to your LDAP server.

    • Sync configuration options that are dependent on the schema used in your LDAP server.

    • An administrator-defined list of name mappings that maps OKD group names to groups in your LDAP server.

    The format of the configuration file depends upon the schema you are using: RFC 2307, Active Directory, or augmented Active Directory.

    LDAP client configuration

    The LDAP client configuration section of the configuration defines the connections to your LDAP server.

    The LDAP client configuration section of the configuration defines the connections to your LDAP server.

    LDAP client configuration

    1The connection protocol, IP address of the LDAP server hosting your database, and the port to connect to, formatted as scheme://host:port.
    2Optional distinguished name (DN) to use as the Bind DN. OKD uses this if elevated privilege is required to retrieve entries for the sync operation.
    3Optional password to use to bind. OKD uses this if elevated privilege is necessary to retrieve entries for the sync operation. This value may also be provided in an environment variable, external file, or encrypted file.
    4When false, secure LDAP (ldaps://) URLs connect using TLS, and insecure LDAP (ldap://) URLs are upgraded to TLS. When true, no TLS connection is made to the server and you cannot use ldaps:// URL schemes.
    5The certificate bundle to use for validating server certificates for the configured URL. If empty, OKD uses system-trusted roots. This only applies if insecure is set to false.

    LDAP query definition

    Sync configurations consist of LDAP query definitions for the entries that are required for synchronization. The specific definition of an LDAP query depends on the schema used to store membership information in the LDAP server.

    LDAP query definition

    1. baseDN: ou=users,dc=example,dc=com (1)
    2. scope: sub (2)
    3. derefAliases: never (3)
    4. timeout: 0 (4)
    5. filter: (objectClass=person) (5)
    6. pageSize: 0 (6)
    1The distinguished name (DN) of the branch of the directory where all searches will start from. It is required that you specify the top of your directory tree, but you can also specify a subtree in the directory.
    2The scope of the search. Valid values are base, one, or sub. If this is left undefined, then a scope of sub is assumed. Descriptions of the scope options can be found in the table below.
    3The behavior of the search with respect to aliases in the LDAP tree. Valid values are never, search, base, or always. If this is left undefined, then the default is to always dereference aliases. Descriptions of the dereferencing behaviors can be found in the table below.
    4The time limit allowed for the search by the client, in seconds. A value of 0 imposes no client-side limit.
    5A valid LDAP search filter. If this is left undefined, then the default is (objectClass=*).
    6The optional maximum size of response pages from the server, measured in LDAP entries. If set to 0, no size restrictions will be made on pages of responses. Setting paging sizes is necessary when queries return more entries than the client or server allow by default.
    Table 1. LDAP search scope options
    LDAP search scopeDescription

    base

    Only consider the object specified by the base DN given for the query.

    one

    Consider all of the objects on the same level in the tree as the base DN for the query.

    sub

    Consider the entire subtree rooted at the base DN given for the query.

    Table 2. LDAP dereferencing behaviors
    Dereferencing behaviorDescription

    never

    Never dereference any aliases found in the LDAP tree.

    search

    Only dereference aliases found while searching.

    base

    Only dereference aliases while finding the base object.

    always

    Always dereference all aliases found in the LDAP tree.

    User-defined name mapping

    A user-defined name mapping explicitly maps the names of OKD groups to unique identifiers that find groups on your LDAP server. The mapping uses normal YAML syntax. A user-defined mapping can contain an entry for every group in your LDAP server or only a subset of those groups. If there are groups on the LDAP server that do not have a user-defined name mapping, the default behavior during sync is to use the attribute specified as the OKD group’s name.

    User-defined name mapping

    1. groupUIDNameMapping:
    2. "cn=group1,ou=groups,dc=example,dc=com": firstgroup
    3. "cn=group2,ou=groups,dc=example,dc=com": secondgroup
    4. "cn=group3,ou=groups,dc=example,dc=com": thirdgroup

    The RFC 2307 schema requires you to provide an LDAP query definition for both user and group entries, as well as the attributes with which to represent them in the internal OKD records.

    For clarity, the group you create in OKD should use attributes other than the distinguished name whenever possible for user- or administrator-facing fields. For example, identify the users of an OKD group by their e-mail, and use the name of the group as the common name. The following configuration file creates these relationships:

    If using user-defined name mappings, your configuration file will differ.

    LDAP sync configuration that uses RFC 2307 schema: rfc2307_config.yaml

    1. kind: LDAPSyncConfig
    2. apiVersion: v1
    3. url: ldap://LDAP_SERVICE_IP:389 (1)
    4. insecure: false (2)
    5. rfc2307:
    6. groupsQuery:
    7. baseDN: "ou=groups,dc=example,dc=com"
    8. scope: sub
    9. derefAliases: never
    10. pageSize: 0
    11. groupUIDAttribute: dn (3)
    12. groupNameAttributes: [ cn ] (4)
    13. groupMembershipAttributes: [ member ] (5)
    14. usersQuery:
    15. baseDN: "ou=users,dc=example,dc=com"
    16. scope: sub
    17. derefAliases: never
    18. pageSize: 0
    19. userUIDAttribute: dn (6)
    20. userNameAttributes: [ mail ] (7)
    21. tolerateMemberNotFoundErrors: false
    22. tolerateMemberOutOfScopeErrors: false
    1The IP address and host of the LDAP server where this group’s record is stored.
    2When false, secure LDAP (ldaps://) URLs connect using TLS, and insecure LDAP (ldap://) URLs are upgraded to TLS. When true, no TLS connection is made to the server and you cannot use ldaps:// URL schemes.
    3The attribute that uniquely identifies a group on the LDAP server. You cannot specify groupsQuery filters when using DN for groupUIDAttribute. For fine-grained filtering, use the whitelist / blacklist method.
    4The attribute to use as the name of the group.
    5The attribute on the group that stores the membership information.
    6The attribute that uniquely identifies a user on the LDAP server. You cannot specify usersQuery filters when using DN for userUIDAttribute. For fine-grained filtering, use the whitelist / blacklist method.
    7The attribute to use as the name of the user in the OKD group record.

    About the Active Directory configuration file

    The Active Directory schema requires you to provide an LDAP query definition for user entries, as well as the attributes to represent them with in the internal OKD group records.

    For clarity, the group you create in OKD should use attributes other than the distinguished name whenever possible for user- or administrator-facing fields. For example, identify the users of an OKD group by their e-mail, but define the name of the group by the name of the group on the LDAP server. The following configuration file creates these relationships:

    LDAP sync configuration that uses Active Directory schema: active_directory_config.yaml

    1. kind: LDAPSyncConfig
    2. apiVersion: v1
    3. url: ldap://LDAP_SERVICE_IP:389
    4. activeDirectory:
    5. usersQuery:
    6. baseDN: "ou=users,dc=example,dc=com"
    7. scope: sub
    8. derefAliases: never
    9. filter: (objectclass=person)
    10. pageSize: 0
    11. userNameAttributes: [ mail ] (1)
    12. groupMembershipAttributes: [ memberOf ] (2)
    1The attribute to use as the name of the user in the OKD group record.
    2The attribute on the user that stores the membership information.

    About the augmented Active Directory configuration file

    The augmented Active Directory schema requires you to provide an LDAP query definition for both user entries and group entries, as well as the attributes with which to represent them in the internal OKD group records.

    For clarity, the group you create in OKD should use attributes other than the distinguished name whenever possible for user- or administrator-facing fields. For example, identify the users of an OKD group by their e-mail, and use the name of the group as the common name. The following configuration file creates these relationships.

    LDAP sync configuration that uses augmented Active Directory schema: augmented_active_directory_config.yaml

    1. kind: LDAPSyncConfig
    2. apiVersion: v1
    3. url: ldap://LDAP_SERVICE_IP:389
    4. augmentedActiveDirectory:
    5. groupsQuery:
    6. baseDN: "ou=groups,dc=example,dc=com"
    7. scope: sub
    8. derefAliases: never
    9. pageSize: 0
    10. groupUIDAttribute: dn (1)
    11. groupNameAttributes: [ cn ] (2)
    12. usersQuery:
    13. baseDN: "ou=users,dc=example,dc=com"
    14. scope: sub
    15. derefAliases: never
    16. filter: (objectclass=person)
    17. pageSize: 0
    18. userNameAttributes: [ mail ] (3)
    19. groupMembershipAttributes: [ memberOf ] (4)
    1The attribute that uniquely identifies a group on the LDAP server. You cannot specify groupsQuery filters when using DN for groupUIDAttribute. For fine-grained filtering, use the whitelist / blacklist method.
    2The attribute to use as the name of the group.
    3The attribute to use as the name of the user in the OKD group record.
    4The attribute on the user that stores the membership information.

    Running LDAP sync

    Once you have created a sync configuration file, you can begin to sync. OKD allows administrators to perform a number of different sync types with the same server.

    Syncing the LDAP server with OKD

    You can sync all groups from the LDAP server with OKD.

    Prerequisites

    • Create a sync configuration file.

    Procedure

    • To sync all groups from the LDAP server with OKD:

      1. $ oc adm groups sync --sync-config=config.yaml --confirm

      By default, all group synchronization operations are dry-run, so you must set the —confirm flag on the oc adm groups sync command to make changes to OKD group records.

    Syncing OKD groups with the LDAP server

    You can sync all groups already in OKD that correspond to groups in the LDAP server specified in the configuration file.

    Prerequisites

    • Create a sync configuration file.

    Procedure

    • To sync OKD groups with the LDAP server:

      1. $ oc adm groups sync --type=openshift --sync-config=config.yaml --confirm

      By default, all group synchronization operations are dry-run, so you must set the —confirm flag on the oc adm groups sync command to make changes to OKD group records.

    You can sync a subset of LDAP groups with OKD using whitelist files, blacklist files, or both.

    You can use any combination of blacklist files, whitelist files, or whitelist literals. Whitelist and blacklist files must contain one unique group identifier per line, and you can include whitelist literals directly in the command itself. These guidelines apply to groups found on LDAP servers as well as groups already present in OKD.

    Prerequisites

    • Create a sync configuration file.

    Procedure

    • To sync a subset of LDAP groups with OKD, use any the following commands:

      1. $ oc adm groups sync --whitelist=<whitelist_file> \
      2. --sync-config=config.yaml \
      3. --confirm
      1. $ oc adm groups sync --blacklist=<blacklist_file> \
      2. --sync-config=config.yaml \
      3. --confirm
      1. $ oc adm groups sync <group_unique_identifier> \
      2. --sync-config=config.yaml \
      3. --confirm
      1. $ oc adm groups sync <group_unique_identifier> \
      2. --whitelist=<whitelist_file> \
      3. --blacklist=<blacklist_file> \
      4. --sync-config=config.yaml \
      5. --confirm
      1. $ oc adm groups sync --type=openshift \
      2. --whitelist=<whitelist_file> \
      3. --sync-config=config.yaml \
      4. --confirm

      By default, all group synchronization operations are dry-run, so you must set the —confirm flag on the oc adm groups sync command to make changes to OKD group records.

    An administrator can also choose to remove groups from OKD records if the records on the LDAP server that created them are no longer present. The prune job will accept the same sync configuration file and whitelists or blacklists as used for the sync job.

    For example:

    1. $ oc adm prune groups --sync-config=/path/to/ldap-sync-config.yaml --confirm
    1. $ oc adm prune groups --whitelist=/path/to/whitelist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
    1. $ oc adm prune groups --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm

    Automatically syncing LDAP groups

    You can automatically sync LDAP groups on a periodic basis by configuring a cron job.

    Prerequisites

    • You have access to the cluster as a user with the cluster-admin role.

    • You have configured an LDAP identity provider (IDP).

      This procedure assumes that you created an LDAP secret named ldap-secret and a config map named ca-config-map.

    Procedure

    1. Create a project where the cron job will run:

      1This procedure uses a project called ldap-sync.
    2. Locate the secret and config map that you created when configuring the LDAP identity provider and copy them to this new project.

      The secret and config map exist in the openshift-config project and must be copied to the new ldap-sync project.

    3. Define a service account:

      Example ldap-sync-service-account.yaml

      1. kind: ServiceAccount
      2. apiVersion: v1
      3. metadata:
      4. name: ldap-group-syncer
      5. namespace: ldap-sync
    4. Create the service account:

      1. $ oc create -f ldap-sync-service-account.yaml
    5. Define a cluster role:

      Example ldap-sync-cluster-role.yaml

      1. apiVersion: rbac.authorization.k8s.io/v1
      2. kind: ClusterRole
      3. metadata:
      4. name: ldap-group-syncer
      5. rules:
      6. - apiGroups:
      7. - ''
      8. - user.openshift.io
      9. resources:
      10. - groups
      11. verbs:
      12. - get
      13. - list
      14. - create
      15. - update
    6. Create the cluster role:

      1. $ oc create -f ldap-sync-cluster-role.yaml
    7. Define a cluster role binding to bind the cluster role to the service account:

      Example ldap-sync-cluster-role-binding.yaml

      1. kind: ClusterRoleBinding
      2. apiVersion: rbac.authorization.k8s.io/v1
      3. metadata:
      4. name: ldap-group-syncer
      5. subjects:
      6. - kind: ServiceAccount
      7. name: ldap-group-syncer (1)
      8. namespace: ldap-sync
      9. roleRef:
      10. apiGroup: rbac.authorization.k8s.io
      11. kind: ClusterRole
      12. name: ldap-group-syncer (2)
    8. Create the cluster role binding:

      1. $ oc create -f ldap-sync-cluster-role-binding.yaml
    9. Define a config map that specifies the sync configuration file:

      Example ldap-sync-config-map.yaml

      1. kind: ConfigMap
      2. apiVersion: v1
      3. metadata:
      4. name: ldap-group-syncer
      5. namespace: ldap-sync
      6. data:
      7. ldap-group-sync.yaml: | (1)
      8. kind: LDAPSyncConfig
      9. apiVersion: v1
      10. url: ldaps://10.0.0.0:389 (2)
      11. insecure: false
      12. bindDN: cn=admin,dc=example,dc=com (3)
      13. bindPassword:
      14. file: "/etc/secrets/bindPassword"
      15. ca: /etc/ldap-ca/ca.crt
      16. rfc2307: (4)
      17. groupsQuery:
      18. baseDN: "ou=groups,dc=example,dc=com" (5)
      19. scope: sub
      20. filter: "(objectClass=groupOfMembers)"
      21. pageSize: 0
      22. groupUIDAttribute: dn
      23. groupNameAttributes: [ cn ]
      24. groupMembershipAttributes: [ member ]
      25. usersQuery:
      26. baseDN: "ou=users,dc=example,dc=com" (6)
      27. scope: sub
      28. derefAliases: never
      29. pageSize: 0
      30. userUIDAttribute: dn
      31. userNameAttributes: [ uid ]
      32. tolerateMemberNotFoundErrors: false
      33. tolerateMemberOutOfScopeErrors: false
      1Define the sync configuration file.
      2Specify the URL.
      3Specify the bindDN.
      4This example uses the RFC2307 schema; adjust values as necessary. You can also use a different schema.
      5Specify the baseDN for groupsQuery.
      6Specify the baseDN for usersQuery.
    10. Create the config map:

      1. $ oc create -f ldap-sync-config-map.yaml
    11. Define a cron job:

      Example ldap-sync-cron-job.yaml

      1. kind: CronJob
      2. apiVersion: batch/v1
      3. metadata:
      4. name: ldap-group-syncer
      5. namespace: ldap-sync
      6. spec: (1)
      7. schedule: "*/30 * * * *" (2)
      8. concurrencyPolicy: Forbid
      9. jobTemplate:
      10. spec:
      11. backoffLimit: 0
      12. template:
      13. spec:
      14. containers:
      15. - name: ldap-group-sync
      16. image: "openshift/origin-cli:latest"
      17. command:
      18. - "/bin/bash"
      19. - oc adm groups sync
      20. - --sync-config=/etc/config/ldap-group-sync.yaml --confirm (3)
      21. volumeMounts:
      22. - mountPath: "/etc/config"
      23. name: "ldap-sync-volume"
      24. - mountPath: "/etc/secrets"
      25. name: "ldap-bind-password"
      26. - mountPath: "/etc/ldap-ca"
      27. name: "ldap-ca"
      28. volumes:
      29. - name: "ldap-sync-volume"
      30. configMap:
      31. name: "ldap-group-syncer"
      32. - name: "ldap-bind-password"
      33. secret:
      34. secretName: "ldap-secret" (4)
      35. - name: "ldap-ca"
      36. configMap:
      37. name: "ca-config-map" (5)
      38. restartPolicy: "Never"
      39. terminationGracePeriodSeconds: 30
      40. activeDeadlineSeconds: 500
      41. dnsPolicy: "ClusterFirst"
      42. serviceAccountName: "ldap-group-syncer"
      1Configure the settings for the cron job. See “Creating cron jobs” for more information on cron job settings.
      2The schedule for the job specified in . This example cron job runs every 30 minutes. Adjust the frequency as necessary, making sure to take into account how long the sync takes to run.
      3The LDAP sync command for the cron job to run. Passes in the sync configuration file that was defined in the config map.
      4This secret was created when the LDAP IDP was configured.
      5This config map was created when the LDAP IDP was configured.
    12. Create the cron job:

      1. $ oc create -f ldap-sync-cron-job.yaml

    Additional resources

    This section contains examples for the RFC 2307, Active Directory, and augmented Active Directory schemas.

    These examples assume that all users are direct members of their respective groups. Specifically, no groups have other groups as members. See the Nested Membership Sync Example for information on how to sync nested groups.

    Syncing groups using the RFC 2307 schema

    For the RFC 2307 schema, the following examples synchronize a group named admins that has two members: Jane and Jim. The examples explain:

    • How the group and users are added to the LDAP server.

    • What the resulting group record in OKD will be after synchronization.

    These examples assume that all users are direct members of their respective groups. Specifically, no groups have other groups as members. See the Nested Membership Sync Example for information on how to sync nested groups.

    LDAP entries that use RFC 2307 schema: rfc2307.ldif

    1. dn: ou=users,dc=example,dc=com
    2. objectClass: organizationalUnit
    3. ou: users
    4. dn: cn=Jane,ou=users,dc=example,dc=com
    5. objectClass: person
    6. objectClass: organizationalPerson
    7. objectClass: inetOrgPerson
    8. cn: Jane
    9. sn: Smith
    10. displayName: Jane Smith
    11. mail: jane.smith@example.com
    12. dn: cn=Jim,ou=users,dc=example,dc=com
    13. objectClass: person
    14. objectClass: organizationalPerson
    15. objectClass: inetOrgPerson
    16. cn: Jim
    17. sn: Adams
    18. displayName: Jim Adams
    19. mail: jim.adams@example.com
    20. dn: ou=groups,dc=example,dc=com
    21. objectClass: organizationalUnit
    22. ou: groups
    23. dn: cn=admins,ou=groups,dc=example,dc=com (1)
    24. objectClass: groupOfNames
    25. cn: admins
    26. owner: cn=admin,dc=example,dc=com
    27. description: System Administrators
    28. member: cn=Jane,ou=users,dc=example,dc=com (2)
    29. member: cn=Jim,ou=users,dc=example,dc=com
    1The group is a first-class entry in the LDAP server.
    2Members of a group are listed with an identifying reference as attributes on the group.

    Prerequisites

    • Create the configuration file.

    Procedure

    • Run the sync with the rfc2307_config.yaml file:

      1. $ oc adm groups sync --sync-config=rfc2307_config.yaml --confirm

      OKD creates the following group record as a result of the above sync operation:

      OKD group created by using the rfc2307_config.yaml file

      1. apiVersion: user.openshift.io/v1
      2. kind: Group
      3. metadata:
      4. annotations:
      5. openshift.io/ldap.sync-time: 2015-10-13T10:08:38-0400 (1)
      6. openshift.io/ldap.uid: cn=admins,ou=groups,dc=example,dc=com (2)
      7. openshift.io/ldap.url: LDAP_SERVER_IP:389 (3)
      8. creationTimestamp:
      9. name: admins (4)
      10. users: (5)
      11. - jane.smith@example.com
      12. - jim.adams@example.com
      1The last time this OKD group was synchronized with the LDAP server, in ISO 6801 format.
      2The unique identifier for the group on the LDAP server.
      3The IP address and host of the LDAP server where this group’s record is stored.
      4The name of the group as specified by the sync file.
      5The users that are members of the group, named as specified by the sync file.

    Syncing groups using the RFC2307 schema with user-defined name mappings

    When syncing groups with user-defined name mappings, the configuration file changes to contain these mappings as shown below.

    LDAP sync configuration that uses RFC 2307 schema with user-defined name mappings: rfc2307_config_user_defined.yaml

    1. kind: LDAPSyncConfig
    2. apiVersion: v1
    3. groupUIDNameMapping:
    4. "cn=admins,ou=groups,dc=example,dc=com": Administrators (1)
    5. rfc2307:
    6. groupsQuery:
    7. baseDN: "ou=groups,dc=example,dc=com"
    8. scope: sub
    9. derefAliases: never
    10. pageSize: 0
    11. groupUIDAttribute: dn (2)
    12. groupNameAttributes: [ cn ] (3)
    13. groupMembershipAttributes: [ member ]
    14. usersQuery:
    15. baseDN: "ou=users,dc=example,dc=com"
    16. scope: sub
    17. derefAliases: never
    18. pageSize: 0
    19. userUIDAttribute: dn (4)
    20. userNameAttributes: [ mail ]
    21. tolerateMemberNotFoundErrors: false
    22. tolerateMemberOutOfScopeErrors: false
    1The user-defined name mapping.
    2The unique identifier attribute that is used for the keys in the user-defined name mapping. You cannot specify groupsQuery filters when using DN for groupUIDAttribute. For fine-grained filtering, use the whitelist / blacklist method.
    3The attribute to name OKD groups with if their unique identifier is not in the user-defined name mapping.
    4The attribute that uniquely identifies a user on the LDAP server. You cannot specify usersQuery filters when using DN for userUIDAttribute. For fine-grained filtering, use the whitelist / blacklist method.

    Prerequisites

    • Create the configuration file.

    Procedure

    • Run the sync with the rfc2307_config_user_defined.yaml file:

      1. $ oc adm groups sync --sync-config=rfc2307_config_user_defined.yaml --confirm

      OKD creates the following group record as a result of the above sync operation:

      OKD group created by using the rfc2307_config_user_defined.yaml file

      1The name of the group as specified by the user-defined name mapping.

    Syncing groups using RFC 2307 with user-defined error tolerances

    By default, if the groups being synced contain members whose entries are outside of the scope defined in the member query, the group sync fails with an error:

    1. Error determining LDAP group membership for "<group>": membership lookup for user "<user>" in group "<group>" failed because of "search for entry with dn="<user-dn>" would search outside of the base dn specified (dn="<base-dn>")".

    This often indicates a misconfigured baseDN in the usersQuery field. However, in cases where the baseDN intentionally does not contain some of the members of the group, setting tolerateMemberOutOfScopeErrors: true allows the group sync to continue. Out of scope members will be ignored.

    Similarly, when the group sync process fails to locate a member for a group, it fails outright with errors:

    1. Error determining LDAP group membership for "<group>": membership lookup for user "<user>" in group "<group>" failed because of "search for entry with base dn="<user-dn>" refers to a non-existent entry".
    2. Error determining LDAP group membership for "<group>": membership lookup for user "<user>" in group "<group>" failed because of "search for entry with base dn="<user-dn>" and filter "<filter>" did not return any results".

    This often indicates a misconfigured usersQuery field. However, in cases where the group contains member entries that are known to be missing, setting tolerateMemberNotFoundErrors: true allows the group sync to continue. Problematic members will be ignored.

    Enabling error tolerances for the LDAP group sync causes the sync process to ignore problematic member entries. If the LDAP group sync is not configured correctly, this could result in synced OKD groups missing members.

    LDAP entries that use RFC 2307 schema with problematic group membership: rfc2307_problematic_users.ldif

    1. dn: ou=users,dc=example,dc=com
    2. objectClass: organizationalUnit
    3. ou: users
    4. dn: cn=Jane,ou=users,dc=example,dc=com
    5. objectClass: person
    6. objectClass: organizationalPerson
    7. objectClass: inetOrgPerson
    8. cn: Jane
    9. sn: Smith
    10. displayName: Jane Smith
    11. mail: jane.smith@example.com
    12. dn: cn=Jim,ou=users,dc=example,dc=com
    13. objectClass: person
    14. objectClass: organizationalPerson
    15. objectClass: inetOrgPerson
    16. cn: Jim
    17. sn: Adams
    18. displayName: Jim Adams
    19. mail: jim.adams@example.com
    20. dn: ou=groups,dc=example,dc=com
    21. objectClass: organizationalUnit
    22. ou: groups
    23. dn: cn=admins,ou=groups,dc=example,dc=com
    24. objectClass: groupOfNames
    25. cn: admins
    26. owner: cn=admin,dc=example,dc=com
    27. description: System Administrators
    28. member: cn=Jane,ou=users,dc=example,dc=com
    29. member: cn=Jim,ou=users,dc=example,dc=com
    30. member: cn=INVALID,ou=users,dc=example,dc=com (1)
    31. member: cn=Jim,ou=OUTOFSCOPE,dc=example,dc=com (2)
    1A member that does not exist on the LDAP server.
    2A member that may exist, but is not under the baseDN in the user query for the sync job.

    To tolerate the errors in the above example, the following additions to your sync configuration file must be made:

    LDAP sync configuration that uses RFC 2307 schema tolerating errors: rfc2307_config_tolerating.yaml

    1. kind: LDAPSyncConfig
    2. apiVersion: v1
    3. url: ldap://LDAP_SERVICE_IP:389
    4. rfc2307:
    5. groupsQuery:
    6. baseDN: "ou=groups,dc=example,dc=com"
    7. scope: sub
    8. derefAliases: never
    9. groupUIDAttribute: dn
    10. groupNameAttributes: [ cn ]
    11. groupMembershipAttributes: [ member ]
    12. usersQuery:
    13. baseDN: "ou=users,dc=example,dc=com"
    14. scope: sub
    15. derefAliases: never
    16. userUIDAttribute: dn (1)
    17. userNameAttributes: [ mail ]
    18. tolerateMemberOutOfScopeErrors: true (3)
    1The attribute that uniquely identifies a user on the LDAP server. You cannot specify usersQuery filters when using DN for userUIDAttribute. For fine-grained filtering, use the whitelist / blacklist method.
    2When true, the sync job tolerates groups for which some members were not found, and members whose LDAP entries are not found are ignored. The default behavior for the sync job is to fail if a member of a group is not found.
    3When true, the sync job tolerates groups for which some members are outside the user scope given in the usersQuery base DN, and members outside the member query scope are ignored. The default behavior for the sync job is to fail if a member of a group is out of scope.

    Prerequisites

    • Create the configuration file.

    Procedure

    • Run the sync with the rfc2307_config_tolerating.yaml file:

      1. $ oc adm groups sync --sync-config=rfc2307_config_tolerating.yaml --confirm

      OKD creates the following group record as a result of the above sync operation:

      OKD group created by using the rfc2307_config.yaml file

      1. apiVersion: user.openshift.io/v1
      2. kind: Group
      3. metadata:
      4. annotations:
      5. openshift.io/ldap.sync-time: 2015-10-13T10:08:38-0400
      6. openshift.io/ldap.uid: cn=admins,ou=groups,dc=example,dc=com
      7. openshift.io/ldap.url: LDAP_SERVER_IP:389
      8. creationTimestamp:
      9. name: admins
      10. users: (1)
      11. - jane.smith@example.com
      12. - jim.adams@example.com
      1The users that are members of the group, as specified by the sync file. Members for which lookup encountered tolerated errors are absent.

    Syncing groups using the Active Directory schema

    In the Active Directory schema, both users (Jane and Jim) exist in the LDAP server as first-class entries, and group membership is stored in attributes on the user. The following snippet of ldif defines the users and group for this schema:

    LDAP entries that use Active Directory schema: active_directory.ldif

    1. dn: ou=users,dc=example,dc=com
    2. objectClass: organizationalUnit
    3. ou: users
    4. dn: cn=Jane,ou=users,dc=example,dc=com
    5. objectClass: person
    6. objectClass: organizationalPerson
    7. objectClass: inetOrgPerson
    8. objectClass: testPerson
    9. cn: Jane
    10. sn: Smith
    11. displayName: Jane Smith
    12. mail: jane.smith@example.com
    13. memberOf: admins (1)
    14. dn: cn=Jim,ou=users,dc=example,dc=com
    15. objectClass: person
    16. objectClass: organizationalPerson
    17. objectClass: inetOrgPerson
    18. objectClass: testPerson
    19. cn: Jim
    20. sn: Adams
    21. displayName: Jim Adams
    22. mail: jim.adams@example.com
    23. memberOf: admins
    1The user’s group memberships are listed as attributes on the user, and the group does not exist as an entry on the server. The memberOf attribute does not have to be a literal attribute on the user; in some LDAP servers, it is created during search and returned to the client, but not committed to the database.

    Prerequisites

    • Create the configuration file.

    Procedure

    • Run the sync with the active_directory_config.yaml file:

      1. $ oc adm groups sync --sync-config=active_directory_config.yaml --confirm

      OKD creates the following group record as a result of the above sync operation:

      OKD group created by using the active_directory_config.yaml file

      1. apiVersion: user.openshift.io/v1
      2. kind: Group
      3. metadata:
      4. annotations:
      5. openshift.io/ldap.sync-time: 2015-10-13T10:08:38-0400 (1)
      6. openshift.io/ldap.uid: admins (2)
      7. openshift.io/ldap.url: LDAP_SERVER_IP:389 (3)
      8. creationTimestamp:
      9. name: admins (4)
      10. users: (5)
      11. - jane.smith@example.com
      12. - jim.adams@example.com

    In the augmented Active Directory schema, both users (Jane and Jim) and groups exist in the LDAP server as first-class entries, and group membership is stored in attributes on the user. The following snippet of ldif defines the users and group for this schema:

    LDAP entries that use augmented Active Directory schema: augmented_active_directory.ldif

    1. dn: ou=users,dc=example,dc=com
    2. objectClass: organizationalUnit
    3. ou: users
    4. dn: cn=Jane,ou=users,dc=example,dc=com
    5. objectClass: person
    6. objectClass: organizationalPerson
    7. objectClass: testPerson
    8. cn: Jane
    9. sn: Smith
    10. displayName: Jane Smith
    11. mail: jane.smith@example.com
    12. memberOf: cn=admins,ou=groups,dc=example,dc=com (1)
    13. dn: cn=Jim,ou=users,dc=example,dc=com
    14. objectClass: person
    15. objectClass: organizationalPerson
    16. objectClass: inetOrgPerson
    17. objectClass: testPerson
    18. cn: Jim
    19. sn: Adams
    20. displayName: Jim Adams
    21. mail: jim.adams@example.com
    22. memberOf: cn=admins,ou=groups,dc=example,dc=com
    23. dn: ou=groups,dc=example,dc=com
    24. objectClass: organizationalUnit
    25. ou: groups
    26. dn: cn=admins,ou=groups,dc=example,dc=com (2)
    27. objectClass: groupOfNames
    28. cn: admins
    29. owner: cn=admin,dc=example,dc=com
    30. description: System Administrators
    31. member: cn=Jane,ou=users,dc=example,dc=com
    32. member: cn=Jim,ou=users,dc=example,dc=com
    1The user’s group memberships are listed as attributes on the user.
    2The group is a first-class entry on the LDAP server.

    Prerequisites

    • Create the configuration file.

    Procedure

    • Run the sync with the augmented_active_directory_config.yaml file:

      1. $ oc adm groups sync --sync-config=augmented_active_directory_config.yaml --confirm

      OKD creates the following group record as a result of the above sync operation:

      OKD group created by using the augmented_active_directory_config.yaml file

      1. apiVersion: user.openshift.io/v1
      2. kind: Group
      3. metadata:
      4. annotations:
      5. openshift.io/ldap.sync-time: 2015-10-13T10:08:38-0400 (1)
      6. openshift.io/ldap.uid: cn=admins,ou=groups,dc=example,dc=com (2)
      7. openshift.io/ldap.url: LDAP_SERVER_IP:389 (3)
      8. creationTimestamp:
      9. name: admins (4)
      10. users: (5)
      11. - jane.smith@example.com
      12. - jim.adams@example.com
      1The last time this OKD group was synchronized with the LDAP server, in ISO 6801 format.
      2The unique identifier for the group on the LDAP server.
      3The IP address and host of the LDAP server where this group’s record is stored.
      4The name of the group as specified by the sync file.
      5The users that are members of the group, named as specified by the sync file.

    LDAP nested membership sync example

    Groups in OKD do not nest. The LDAP server must flatten group membership before the data can be consumed. Microsoft’s Active Directory Server supports this feature via the .aspx) rule, which has the OID 1.2.840.113556.1.4.1941. Furthermore, only explicitly whitelisted groups can be synced when using this matching rule.

    This section has an example for the augmented Active Directory schema, which synchronizes a group named admins that has one user Jane and one group otheradmins as members. The otheradmins group has one user member: Jim. This example explains:

    • How the group and users are added to the LDAP server.

    • What the LDAP sync configuration file looks like.

    • What the resulting group record in OKD will be after synchronization.

    In the augmented Active Directory schema, both users (Jane and Jim) and groups exist in the LDAP server as first-class entries, and group membership is stored in attributes on the user or the group. The following snippet of ldif defines the users and groups for this schema:

    LDAP entries that use augmented Active Directory schema with nested members: augmented_active_directory_nested.ldif

    1. dn: ou=users,dc=example,dc=com
    2. objectClass: organizationalUnit
    3. ou: users
    4. dn: cn=Jane,ou=users,dc=example,dc=com
    5. objectClass: person
    6. objectClass: organizationalPerson
    7. objectClass: inetOrgPerson
    8. objectClass: testPerson
    9. cn: Jane
    10. sn: Smith
    11. displayName: Jane Smith
    12. mail: jane.smith@example.com
    13. memberOf: cn=admins,ou=groups,dc=example,dc=com (1)
    14. dn: cn=Jim,ou=users,dc=example,dc=com
    15. objectClass: person
    16. objectClass: organizationalPerson
    17. objectClass: inetOrgPerson
    18. objectClass: testPerson
    19. cn: Jim
    20. sn: Adams
    21. displayName: Jim Adams
    22. mail: jim.adams@example.com
    23. memberOf: cn=otheradmins,ou=groups,dc=example,dc=com (1)
    24. dn: ou=groups,dc=example,dc=com
    25. objectClass: organizationalUnit
    26. ou: groups
    27. dn: cn=admins,ou=groups,dc=example,dc=com (2)
    28. objectClass: group
    29. cn: admins
    30. owner: cn=admin,dc=example,dc=com
    31. description: System Administrators
    32. member: cn=Jane,ou=users,dc=example,dc=com
    33. member: cn=otheradmins,ou=groups,dc=example,dc=com
    34. dn: cn=otheradmins,ou=groups,dc=example,dc=com (2)
    35. objectClass: group
    36. cn: otheradmins
    37. owner: cn=admin,dc=example,dc=com
    38. description: Other System Administrators
    39. memberOf: cn=admins,ou=groups,dc=example,dc=com (1) (3)
    40. member: cn=Jim,ou=users,dc=example,dc=com
    1The user’s and group’s memberships are listed as attributes on the object.
    2The groups are first-class entries on the LDAP server.
    3The otheradmins group is a member of the admins group.

    When syncing nested groups with Active Directory, you must provide an LDAP query definition for both user entries and group entries, as well as the attributes with which to represent them in the internal OKD group records. Furthermore, certain changes are required in this configuration:

    • The oc adm groups sync command must explicitly whitelist groups.

    • The user’s groupMembershipAttributes must include "memberOf:1.2.840.113556.1.4.1941:" to comply with the LDAP_MATCHING_RULE_IN_CHAIN.aspx) rule.

    • The groupUIDAttribute must be set to dn.

    • The groupsQuery:

      • Must not set filter.

      • Must set a valid derefAliases.

      • Should not set baseDN as that value is ignored.

      • Should not set scope as that value is ignored.

    For clarity, the group you create in OKD should use attributes other than the distinguished name whenever possible for user- or administrator-facing fields. For example, identify the users of an OKD group by their e-mail, and use the name of the group as the common name. The following configuration file creates these relationships:

    LDAP sync configuration that uses augmented Active Directory schema with nested members: augmented_active_directory_config_nested.yaml

    1. kind: LDAPSyncConfig
    2. apiVersion: v1
    3. url: ldap://LDAP_SERVICE_IP:389
    4. augmentedActiveDirectory:
    5. groupsQuery: (1)
    6. derefAliases: never
    7. pageSize: 0
    8. groupUIDAttribute: dn (2)
    9. groupNameAttributes: [ cn ] (3)
    10. usersQuery:
    11. baseDN: "ou=users,dc=example,dc=com"
    12. scope: sub
    13. derefAliases: never
    14. filter: (objectclass=person)
    15. pageSize: 0
    16. userNameAttributes: [ mail ] (4)
    17. groupMembershipAttributes: [ "memberOf:1.2.840.113556.1.4.1941:" ] (5)
    1groupsQuery filters cannot be specified. The groupsQuery base DN and scope values are ignored. groupsQuery must set a valid derefAliases.
    2The attribute that uniquely identifies a group on the LDAP server. It must be set to dn.
    3The attribute to use as the name of the group.
    4The attribute to use as the name of the user in the OKD group record. mail or sAMAccountName are preferred choices in most installations.
    5The attribute on the user that stores the membership information. Note the use of .

    Prerequisites

    • Create the configuration file.

    Procedure

    • Run the sync with the augmented_active_directory_config_nested.yaml file:

      1. $ oc adm groups sync \
      2. 'cn=admins,ou=groups,dc=example,dc=com' \
      3. --confirm

      You must explicitly whitelist the cn=admins,ou=groups,dc=example,dc=com group.

      OKD creates the following group record as a result of the above sync operation:

      OKD group created by using the augmented_active_directory_config_nested.yaml file

      1The last time this OKD group was synchronized with the LDAP server, in ISO 6801 format.
      2The unique identifier for the group on the LDAP server.
      3The IP address and host of the LDAP server where this group’s record is stored.
      4The name of the group as specified by the sync file.
      5The users that are members of the group, named as specified by the sync file. Note that members of nested groups are included since the group membership was flattened by the Microsoft Active Directory Server.

    LDAP sync configuration specification

    The object specification for the configuration file is below. Note that the different schema objects have different fields. For example, v1.ActiveDirectoryConfig has no groupsQuery field whereas v1.RFC2307Config and v1.AugmentedActiveDirectoryConfig both do.

    There is no support for binary attributes. All attribute data coming from the LDAP server must be in the format of a UTF-8 encoded string. For example, never use a binary attribute, such as objectGUID, as an ID attribute. You must use string attributes, such as sAMAccountName or userPrincipalName, instead.

    v1.LDAPSyncConfig

    LDAPSyncConfig holds the necessary configuration options to define an LDAP group sync.

    NameDescriptionSchema

    kind

    String value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds

    string

    apiVersion

    Defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info:

    string

    url

    Host is the scheme, host and port of the LDAP server to connect to: scheme://host:port

    string

    bindDN

    Optional DN to bind to the LDAP server with.

    string

    bindPassword

    Optional password to bind with during the search phase.

    v1.StringSource

    insecure

    If true, indicates the connection should not use TLS. If false, ldaps:// URLs connect using TLS, and ldap:// URLs are upgraded to a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. If you set insecure to true, you cannot use ldaps:// URL schemes.

    boolean

    ca

    Optional trusted certificate authority bundle to use when making requests to the server. If empty, the default system roots are used.

    string

    groupUIDNameMapping

    Optional direct mapping of LDAP group UIDs to OKD group names.

    object

    rfc2307

    Holds the configuration for extracting data from an LDAP server set up in a fashion similar to RFC2307: first-class group and user entries, with group membership determined by a multi-valued attribute on the group entry listing its members.

    activeDirectory

    Holds the configuration for extracting data from an LDAP server set up in a fashion similar to that used in Active Directory: first-class user entries, with group membership determined by a multi-valued attribute on members listing groups they are a member of.

    v1.ActiveDirectoryConfig

    augmentedActiveDirectory

    Holds the configuration for extracting data from an LDAP server set up in a fashion similar to that used in Active Directory as described above, with one addition: first-class group entries exist and are used to hold metadata but not group membership.

    v1.AugmentedActiveDirectoryConfig

    v1.StringSource

    StringSource allows specifying a string inline, or externally via environment variable or file. When it contains only a string value, it marshals to a simple JSON string.

    NameDescriptionSchema

    value

    Specifies the cleartext value, or an encrypted value if keyFile is specified.

    string

    env

    Specifies an environment variable containing the cleartext value, or an encrypted value if the keyFile is specified.

    string

    file

    References a file containing the cleartext value, or an encrypted value if a keyFile is specified.

    string

    keyFile

    References a file containing the key to use to decrypt the value.

    string

    v1.LDAPQuery

    LDAPQuery holds the options necessary to build an LDAP query.

    NameDescriptionSchema

    baseDN

    DN of the branch of the directory where all searches should start from.

    string

    scope

    The optional scope of the search. Can be base: only the base object, one: all objects on the base level, sub: the entire subtree. Defaults to sub if not set.

    string

    derefAliases

    The optional behavior of the search with regards to alisases. Can be never: never dereference aliases, search: only dereference in searching, base: only dereference in finding the base object, always: always dereference. Defaults to always if not set.

    string

    timeout

    Holds the limit of time in seconds that any request to the server can remain outstanding before the wait for a response is given up. If this is 0, no client-side limit is imposed.

    integer

    filter

    A valid LDAP search filter that retrieves all relevant entries from the LDAP server with the base DN.

    string

    pageSize

    Maximum preferred page size, measured in LDAP entries. A page size of 0 means no paging will be done.

    integer

    v1.RFC2307Config

    RFC2307Config holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the RFC2307 schema.

    NameDescriptionSchema

    groupsQuery

    Holds the template for an LDAP query that returns group entries.

    v1.LDAPQuery

    groupUIDAttribute

    Defines which attribute on an LDAP group entry will be interpreted as its unique identifier. (ldapGroupUID)

    string

    groupNameAttributes

    Defines which attributes on an LDAP group entry will be interpreted as its name to use for an OKD group.

    string array

    groupMembershipAttributes

    Defines which attributes on an LDAP group entry will be interpreted as its members. The values contained in those attributes must be queryable by your UserUIDAttribute.

    string array

    usersQuery

    Holds the template for an LDAP query that returns user entries.

    v1.LDAPQuery

    userUIDAttribute

    Defines which attribute on an LDAP user entry will be interpreted as its unique identifier. It must correspond to values that will be found from the GroupMembershipAttributes.

    string

    userNameAttributes

    Defines which attributes on an LDAP user entry will be used, in order, as its OKD user name. The first attribute with a non-empty value is used. This should match your PreferredUsername setting for your LDAPPasswordIdentityProvider. The attribute to use as the name of the user in the OKD group record. mail or sAMAccountName are preferred choices in most installations.

    string array

    tolerateMemberNotFoundErrors

    Determines the behavior of the LDAP sync job when missing user entries are encountered. If true, an LDAP query for users that does not find any will be tolerated and an only and error will be logged. If false, the LDAP sync job will fail if a query for users doesn’t find any. The default value is false. Misconfigured LDAP sync jobs with this flag set to true can cause group membership to be removed, so it is recommended to use this flag with caution.

    boolean

    tolerateMemberOutOfScopeErrors

    Determines the behavior of the LDAP sync job when out-of-scope user entries are encountered. If true, an LDAP query for a user that falls outside of the base DN given for the all user query will be tolerated and only an error will be logged. If false, the LDAP sync job will fail if a user query would search outside of the base DN specified by the all user query. Misconfigured LDAP sync jobs with this flag set to true can result in groups missing users, so it is recommended to use this flag with caution.

    boolean

    ActiveDirectoryConfig holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the Active Directory schema.

    NameDescriptionSchema

    usersQuery

    Holds the template for an LDAP query that returns user entries.

    v1.LDAPQuery

    userNameAttributes

    Defines which attributes on an LDAP user entry will be interpreted as its OKD user name. The attribute to use as the name of the user in the OKD group record. mail or sAMAccountName are preferred choices in most installations.

    string array

    groupMembershipAttributes

    Defines which attributes on an LDAP user entry will be interpreted as the groups it is a member of.

    string array

    v1.AugmentedActiveDirectoryConfig

    AugmentedActiveDirectoryConfig holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the augmented Active Directory schema.

    NameDescriptionSchema

    usersQuery

    Holds the template for an LDAP query that returns user entries.

    v1.LDAPQuery

    userNameAttributes

    Defines which attributes on an LDAP user entry will be interpreted as its OKD user name. The attribute to use as the name of the user in the OKD group record. mail or sAMAccountName are preferred choices in most installations.

    string array

    groupMembershipAttributes

    Defines which attributes on an LDAP user entry will be interpreted as the groups it is a member of.

    string array

    groupsQuery

    Holds the template for an LDAP query that returns group entries.

    v1.LDAPQuery

    groupUIDAttribute

    Defines which attribute on an LDAP group entry will be interpreted as its unique identifier. (ldapGroupUID)

    string

    string array