Bug 1472224

Summary: AD LDAP sync only users within group with oadm sync command
Product: OpenShift Container Platform Reporter: Vladislav Walek <vwalek>
Component: apiserver-auth Assignee: Mo <mkhan>
Status: CLOSED NOTABUG QA Contact: Vladislav Walek <vwalek>
Severity: high Docs Contact:
Priority: high    
Version: 3.5.0 CC: akestert, aos-bugs, chuyu, jliggitt, mkhan, pweil, skuznets, vwalek
Target Milestone: ---   
Target Release: 3.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-08 06:40:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vladislav Walek 2017-07-18 09:32:58 UTC
Description of problem:

Customer configured the AD ldap and it works correctly. Customer configured the group DEV_USERS. The script was configured similar to below.

    groupsQuery:
        baseDN: "ou=groups,dc=example,dc=com"
        scope: sub
        derefAliases: never
        pageSize: 0
    groupUIDAttribute: dn
    groupNameAttributes: [ cn ]
    groupMembershipAttributes: [ memberOf ]
    usersQuery:
        baseDN: "ou=local,ou=users,dc=example,dc=com"
        scope: sub
        derefAliases: never
        filter: (objectClass=*)
        pageSize: 0
    userNameAttributes: [ sAMAccountName ]

Unfortunately, there are two kinds of users in DEV_USERS, one in ou=local,ou=users,dc=example,dc=com and one in ou=people,ou=users,dc=example,dc=com. The users in "local" are able to log in and see the projects (based on privileges). But users from "people" are not in this group, and therefore can't see the projects as the users in "local" can.
When editing usersQuery.baseDN to 'people', OpenShift wants to download all the users in LDAP, more than 1001 (approx. 30000), and it fails with 'Limit Exceeded'.

The question is how to configure to download only the users within the group? 
Change the baseDN to "ou=users,dc=example,dc=com" and configure the filter parameter?

We tried to do it as:
filter: (&(objectClass=user)(memberOf=cn=DEV_USERS,ou=groups,dc=example,dc=com))

But it didn't work: the group sync didn't show any error, but the users are not in the group in OpenShift.

Version-Release number of selected component (if applicable):
OpenShift Container Platform 3.5


Additional info:
The bug is urgent because this is a stopper for the customer. Is there any workaround? Adding the roles to users is not an option as there are a lot of users.

Comment 2 Jordan Liggitt 2017-07-18 14:11:36 UTC
To get around the "limit exceeded" error, set pageSize on the usersQuery to something other than 0 to avoid pulling in the whole set at once.

I would have expected the user filter to work. What do you see when manually running an ldap search with that filter?
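Putting the two points from this thread together (widen usersQuery.baseDN to the parent OU and restrict it with the memberOf filter, and set a non-zero pageSize so the sync pages through the directory instead of asking for all ~30000 entries at once), the usersQuery stanza would look like the following. This is an added illustration, not the customer's configuration; the page size of 1000 is an assumed value chosen to stay under the 1001-entry limit mentioned in the report.

```yaml
    # usersQuery widened from ou=local to ou=users so that members in
    # ou=people are reachable, then narrowed again by the memberOf filter
    usersQuery:
        baseDN: "ou=users,dc=example,dc=com"
        scope: sub
        derefAliases: never
        # only user objects that are direct members of DEV_USERS
        filter: (&(objectClass=user)(memberOf=cn=DEV_USERS,ou=groups,dc=example,dc=com))
        # non-zero pageSize: request results in pages (assumed value,
        # below the 1001 result limit the report ran into)
        pageSize: 1000
    userNameAttributes: [ sAMAccountName ]
```

The same filter can be checked outside the sync with a manual LDAP search against the same base DN, as Comment 2 suggests; if it returns the expected entries there, the remaining difference is in how the sync config is read.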

Comment 3 Jordan Liggitt 2017-07-18 15:22:30 UTC
What is the full DN of the DEV_USERS group?

Comment 5 Vladislav Walek 2017-08-08 06:44:28 UTC
Hello,

How do I configure the filter so it will work with LDAP sync, to take only the users from People that are in the group?
Thank you

Comment 17 Chuan Yu 2017-11-08 06:40:16 UTC
Since there is no change, only an update to the testing file used, closing it as NOTABUG.