Some more relevant information might be in this card: https://trello.com/c/lZQSxUxn/215-2-design-ldap-sync-manage-team (which seems to be the tracking card for all LDAP related stuff).

*** Bug 1275687 has been marked as a duplicate of this bug. ***

Ran into more confusion with the LDAP sync docs. In the RFC2307 specification, it states:

 	The attribute that uniquely identifies a user on the LDAP server. You cannot specify usersQuery filters when using DN for userUIDAttribute. For fine-grained filtering, use the whitelist / blacklist method.

I understand how to do this via whitelist for *groups*, and created a KCS on this at https://access.redhat.com/solutions/2399131 after this bug was originally filed. However what does it mean to require a whitelist for users?

- Do you have to specify every single user? Does this not defeat the purpose of an LDAP sync which is supposed to minimize effort?
- What would the format of a whitelist file for users look like?

the closest thing to whitelisting users for an LDAP integration in openshift would be to use the `lookup` mappingMethod. That would require a cluster admin to create an Identity and User object before a login from LDAP would be allowed.

Work in progress: https://github.com/openshift/openshift-docs/pull/4828

The doc change lgtm, thx

Commits pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/247cadea56418b4ff3394b683bc7df38fdce9b38
Bug 1254061, added note on whitelisting users

https://github.com/openshift/openshift-docs/commit/024a9ad9352c72feb30512c71c5aadc04684ac7b
Merge pull request #4828 from ahardin-rh/ldap-whitelisting

Bug 1254061, added note on whitelisting users

Content is now published:
https://access.redhat.com/documentation/en-us/openshift_container_platform/3.5/html-single/installation_and_configuration/#ldap-example-config