Bug 1268179 - [DOCS] [3.1] [Feature] Document LDAP Synchronization
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.0.0
Priority: high
Severity: medium
Assigned To: Timothy
QA Contact: weiwei jiang
Docs Contact: Vikram Goyal
Reported: 2015-10-01 22:47 EDT by Vikram Goyal
Modified: 2017-03-08 EST
Last Closed: 2015-11-19 20:13:23 EST
Type: Bug
Doc Type: Bug Fix
Attachments: None
Description Vikram Goyal 2015-10-01 22:47:29 EDT
Document LDAP group synchronization.

Developer Trello Card:

* https://trello.com/c/BHXCoFqG/485-5-build-ldap-sync-for-users-as-first-class-objects

Possible Guide:

* Administration
Comment 2 Alex Dellapenta 2015-10-19 15:45:41 EDT
Initial docs PR from dev here: https://github.com/openshift/openshift-docs/pull/1066
Comment 5 Timothy 2015-11-10 02:00:27 EST
https://github.com/openshift/openshift-docs/pull/1173

^ Submitted docs pull request
Comment 7 weiwei jiang 2015-11-12 02:32:31 EST
Checked, and found:

For rfc2307 scheme:

1. The LDIF file is correct, but since this file does not contain "ou=rfc2307", it will fail to sync with the following LDAPSyncConfig:
groupsQuery:
    baseDN: "ou=groups,dc=example,dc=com"
usersQuery:
    baseDN: "ou=users,dc=example,dc=com"

2. The LDAPSyncConfig had better have LDAP server info, like the Active Directory config:
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://LDAP_SERVICE_IP:389
insecure: true

3. The usersQuery.baseDN should be
usersQuery:
    baseDN: "ou=users,dc=example,dc=com"
    scope: sub
    derefAliases: never
    filter: (objectclass=inetOrgPerson)
since the LDIF has no ou=people.


For Active Directory scheme:

1. The usersQuery.baseDN should be
usersQuery:
    baseDN: "ou=users,dc=example,dc=com"
    scope: sub
    derefAliases: never
    filter: (objectclass=inetOrgPerson)
since the LDIF has no ou=people.


For Augmented Active Directory scheme:

1. The usersQuery.baseDN should be
usersQuery:
    baseDN: "ou=users,dc=example,dc=com"
    scope: sub
    derefAliases: never
    filter: (objectclass=inetOrgPerson)
since the LDIF has no ou=people.
Comment 8 Timothy 2015-11-12 19:22:41 EST
Thank you, Weiwei.

I have updated my pull request with your corrections: https://github.com/openshift/openshift-docs/pull/1173

Moved along to peer review now.
Comment 10 weiwei jiang 2015-11-13 01:25:57 EST
Checked again, and:

For rfc2307 scheme:
1. The rfc2307_config_user_defined.yaml should be: 
kind: LDAPSyncConfig
apiVersion: v1
groupUIDNameMapping:
  "cn=admins,ou=groups,dc=example,dc=com": Administrators 
rfc2307:
    groupsQuery:
        baseDN: "ou=groups,dc=example,dc=com"
        scope: sub
        derefAliases: never
        filter: (objectclass=groupOfNames)
    groupUIDAttribute: dn 
    groupNameAttributes: [ cn ] 
    groupMembershipAttributes: [ member ]
    usersQuery:
        baseDN: "ou=users,dc=example,dc=com"
        scope: sub
        derefAliases: never
        filter: (objectclass=inetOrgPerson)
    userUIDAttribute: dn
    userNameAttributes: [ mail ]


For Active Directory scheme:
1. The active_directory.ldif should be
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

dn: cn=Jane,ou=users,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: testPerson
cn: Jane
sn: Smith
displayName: Jane Smith
mail: jane.smith@example.com
testMemberOf: group1

dn: cn=Jim,ou=users,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: testPerson
cn: Jim
sn: Adams
displayName: Jim Adams
mail: jim.adams@example.com
testMemberOf: group1

2. The active_directory_config.yaml should be:
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://LDAP_SERVICE_IP:389
insecure: true
activeDirectory:
    usersQuery:
        baseDN: "ou=users,dc=example,dc=com"
        scope: sub
        derefAliases: never
        filter: (objectclass=inetOrgPerson)
    userNameAttributes: [ mail ] 
    groupMembershipAttributes: [ testMemberOf ]



For Augmented Active Directory:
1. The augmented_active_directory.ldif should be:
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

dn: cn=Jane,ou=users,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: testPerson
cn: Jane
sn: Smith
displayName: Jane Smith
mail: jane.smith@example.com
testMemberOf: cn=admins,ou=groups,dc=example,dc=com

dn: cn=Jim,ou=users,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: testPerson
cn: Jim
sn: Adams
displayName: Jim Adams
mail: jim.adams@example.com
testMemberOf: cn=admins,ou=groups,dc=example,dc=com

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
owner: cn=admin,dc=example,dc=com
description: System Administrators
member: cn=Jane,ou=users,dc=example,dc=com
member: cn=Jim,ou=users,dc=example,dc=com

2. The augmented_active_directory_config.yaml should be:
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://LDAP_SERVICE_IP:389
insecure: true
augmentedActiveDirectory:
    usersQuery:
        baseDN: "ou=users,dc=example,dc=com"
        scope: sub
        derefAliases: never
        filter: (objectclass=inetOrgPerson)
    groupMembershipAttributes: [ testMemberOf ]
    userNameAttributes: [ mail ]
    groupsQuery:
        baseDN: "ou=groups,dc=example,dc=com"
        scope: sub
        derefAliases: never
        filter: (objectclass=groupOfNames)
    groupUIDAttribute: dn
    groupNameAttributes: [ cn ]



Others look good to me.
Comment 11 Timothy 2015-11-13 02:15:04 EST
Thank you again, Weiwei.

I have updated my pull request with your corrections: https://github.com/openshift/openshift-docs/pull/1173
Comment 13 weiwei jiang 2015-11-13 03:04:31 EST
Checked, and this time:

1. We'd better make active_directory.ldif use admins as the group name, to make it the same as the others:
testMemberOf: admins

2. The note for the testMemberOf attribute should be:
The user's group memberships are listed as attributes on the user, and the group does not exist as an entry on the server. The testMemberOf attribute cannot be a literal attribute on the user; it can be created during search and returned to the client but not committed to the database.

3. The active_directory_config.yaml should be the following if the group name is admins:
apiVersion: v1
kind: Group
metadata:
  annotations:
    openshift.io/ldap.sync-time: 2015-10-13T10:08:38-0400
    openshift.io/ldap.uid: admins
    openshift.io/ldap.url: LDAP_SERVER_IP:389
  creationTimestamp:
  name: admins
users:
- jane.smith@example.com
- jim.adams@example.com
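One block for comments 10 and 13 together: an added, stand-alone Python model (not the OpenShift sync code) of how the augmentedActiveDirectory config from comment 10 turns the LDIF into the Group's users list shown in comment 13. The LDIF is constructed from comment 10's file with a user outside ou=users added, the filter is reduced to a single objectclass name, and groupUIDNameMapping is honoured the way comment 10's rfc2307 config uses it.

```python
LDIF = """dn: cn=Jane,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
mail: jane.smith@example.com
testMemberOf: cn=admins,ou=groups,dc=example,dc=com

dn: cn=Jim,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
mail: jim.adams@example.com
testMemberOf: cn=admins,ou=groups,dc=example,dc=com

dn: cn=svc,ou=services,dc=example,dc=com
objectClass: inetOrgPerson
mail: svc@example.com
testMemberOf: cn=admins,ou=groups,dc=example,dc=com

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
"""  # constructed, trimmed from augmented_active_directory.ldif; svc sits outside ou=users

def parse_ldif(text):
    """{dn: {attr: [values]}} for minimal LDIF (no line folding, base64 or changetypes)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for key, _, val in (l.partition(":") for l in block.splitlines()):
            attrs.setdefault(key, []).append(val.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def sync_augmented_ad(entries, config):
    """{group name: [user names]}: users via usersQuery, group UIDs via the user's membership attribute."""
    uq, gq = config["usersQuery"], config["groupsQuery"]
    under = lambda dn, base: dn.endswith("," + base)  # scope: sub, excluding the base entry itself
    groups = {}
    for dn, attrs in entries.items():
        if not under(dn, uq["baseDN"]) or uq["objectclass"] not in attrs.get("objectClass", []):
            continue  # outside usersQuery: not synced even though it claims membership
        for gid in attrs.get(config["groupMembershipAttributes"][0], []):
            grp = entries.get(gid) if under(gid, gq["baseDN"]) else None
            if not grp or gq["objectclass"] not in grp.get("objectClass", []):
                continue  # group UID must resolve to a matching entry under groupsQuery
            name = config.get("groupUIDNameMapping", {}).get(gid, grp[config["groupNameAttributes"][0]][0])
            groups.setdefault(name, []).append(attrs[config["userNameAttributes"][0]][0])
    return {g: sorted(set(u)) for g, u in groups.items()}

CONFIG = {  # values from augmented_active_directory_config.yaml in comment 10, filter reduced to its objectclass
    "usersQuery": {"baseDN": "ou=users,dc=example,dc=com", "objectclass": "inetOrgPerson"},
    "groupsQuery": {"baseDN": "ou=groups,dc=example,dc=com", "objectclass": "groupOfNames"},
    "groupMembershipAttributes": ["testMemberOf"], "userNameAttributes": ["mail"], "groupNameAttributes": ["cn"]}
```

`sync_augmented_ad(parse_ldif(LDIF), CONFIG)` yields the two mail addresses under "admins" exactly as in comment 13's Group object, and the svc entry is dropped because its DN is not under the usersQuery baseDN.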
Comment 14 Timothy 2015-11-15 19:45:55 EST
Thank you, Weiwei. Updated now as per your comment #13.

PR updated: https://github.com/openshift/openshift-docs/pull/1173
Comment 16 weiwei jiang 2015-11-15 21:07:33 EST
Checked, and looks good to me, thanks!
Comment 17 Timothy 2015-11-15 21:19:05 EST
Thank you, Weiwei!
Comment 18 Timothy 2015-11-16 23:44:07 EST
Docs PR has merged:

https://github.com/openshift/openshift-docs/pull/1173
