Bug 1254061 - [DOCS] Document LDAP Support in OSE
[DOCS] Document LDAP Support in OSE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation (Show other bugs)
Unspecified Unspecified
high Severity medium
: ---
: ---
Assigned To: Ashley Hardin
Chuan Yu
Vikram Goyal
: 1275687 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2015-08-17 01:08 EDT by Vikram Goyal
Modified: 2017-08-04 13:36 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-08-04 13:36:10 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vikram Goyal 2015-08-17 01:08:15 EDT
Based on the trello card: https://trello.com/c/UC2rGgJ2/442-3-enable-ldap-auth-integration-security and the upstream docs: https://github.com/openshift/openshift-docs/pull/741.

This should be documented from the view of a OSE user. Goes into admin guide.
Comment 2 Vikram Goyal 2015-08-21 07:11:15 EDT
Some more relevant information might be in this card: https://trello.com/c/lZQSxUxn/215-2-design-ldap-sync-manage-team (which seems to be the tracking card for all LDAP related stuff).
Comment 3 Vikram Goyal 2015-10-27 16:43:27 EDT
*** Bug 1275687 has been marked as a duplicate of this bug. ***
Comment 6 Steven Walter 2017-03-30 15:01:14 EDT
Ran into more confusion with the LDAP sync docs. In the RFC2307 specification, it states:

 	The attribute that uniquely identifies a user on the LDAP server. You cannot specify usersQuery filters when using DN for userUIDAttribute. For fine-grained filtering, use the whitelist / blacklist method.

I understand how to do this via whitelist for *groups*, and created a KCS on this at https://access.redhat.com/solutions/2399131 after this bug was originally filed. However what does it mean to require a whitelist for users?

- Do you have to specify every single user? Does this not defeat the purpose of an LDAP sync which is supposed to minimize effort?
- What would the format of a whitelist file for users look like?
Comment 10 Jordan Liggitt 2017-07-17 14:38:52 EDT
the closest thing to whitelisting users for an LDAP integration in openshift would be to use the `lookup` mappingMethod. That would require a cluster admin to create an Identity and User object before a login from LDAP would be allowed.
Comment 11 Ashley Hardin 2017-07-20 13:15:09 EDT
Work in progress: https://github.com/openshift/openshift-docs/pull/4828
Comment 12 Chuan Yu 2017-07-25 20:54:03 EDT
The doc change lgtm, thx
Comment 13 openshift-github-bot 2017-07-26 09:42:49 EDT
Commits pushed to master at https://github.com/openshift/openshift-docs

Bug 1254061, added note on whitelisting users

Merge pull request #4828 from ahardin-rh/ldap-whitelisting

Bug 1254061, added note on whitelisting users

Note You need to log in before you can comment on or make changes to this bug.