Description of problem:
Wrong master configuration is written when installing with LDAP auth.

Version-Release number of selected component (if applicable):
https://github.com/openshift/openshift-ansible master

How reproducible:
Always

Steps to Reproduce:
1. Install env with LDAP auth:

   openshift_master_identity_providers=[{"name": "LDAPauth", "login": "true", "challenge": "true", "kind": "LDAPPasswordIdentityProvider", "attributes": {"id": "dn", "email": "mail", "name": "uid", "preferredUsername:": "uid"}, "bindDN": "", "bindPassword": "", "ca": "", "insecure":"true", "url": "ldap://10.66.79.109:389/ou=People,dc=my-domain,dc=com?uid"}]

Actual results:
Fail to start the openshift master service.

# vim /etc/origin/master/master-config.yaml
identityProviders:
- name: LDAPauth
  challenge: true
  login: true
  provider:
    apiVersion: v1
    kind: LDAPPasswordIdentityProvider
    attributes:
      preferredUsername::
      - u
      - i
      - d
      email:
      - m
      - a
      - i
      - l
      id:
      - d
      - n
      name:
      - u
      - i
      - d
    bindDN: ""
    bindPassword: ""
    ca: ""
    insecure: true
    url: ldap://10.66.79.109:389/ou=People,dc=my-domain,dc=com?uid

Expected results:
Should write the correct configuration.

Additional info:
Workaround in 'roles/openshift_master/templates/v1_partials/oauthConfig.j2':

{% for attribute_key in identity_provider.attributes %}
{{ attribute_key }}:
- {{ identity_provider.attributes[attribute_key] }}
{% endfor %}
From the documentation, a list of attributes can be provided for identity, email, name and preferred username, and the first non-empty attribute will be chosen.
https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html#LDAPPasswordIdentityProvider

The inventory variable should be as follows, per the example in the byo host inventory in openshift-ansible, where the values for id, name, email and preferredUsername have been wrapped in square brackets. There is also an extra ':' after preferredUsername in the description.

openshift_master_identity_providers=[{"name": "LDAPauth", "login": "true", "challenge": "true", "kind": "LDAPPasswordIdentityProvider", "attributes": {"id": ["dn"], "email": ["mail"], "name": ["uid"], "preferredUsername:" ["uid"]}, "bindDN": "", "bindPassword": "", "ca": "", "insecure":"true", "url": "ldap://10.66.79.109:389/ou=People,dc=my-domain,dc=com?uid"}]

https://github.com/openshift/openshift-ansible/blob/master/inventory/byo/hosts.example

Using the example in openshift-ansible I have a config that appears like so, and the master starts without issue.

identityProviders:
- name: my_ldap_provider
  challenge: true
  login: true
  provider:
    apiVersion: v1
    kind: LDAPPasswordIdentityProvider
    attributes:
      email:
      - mail
      preferredUsername:
      - uid
      id:
      - dn
      name:
      - cn
    bindDN: ""
    bindPassword: ""
    ca: ""
    insecure: false
    url: ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid
Do you mean we can configure the hosts as follows:

openshift_master_identity_providers=[{"name": "LDAPauth", "login": "true", "challenge": "true", "kind": "LDAPPasswordIdentityProvider", "attributes": {"id": ["dn","uid"], "email": ["mail"], "name": ["uid","dn"], "preferredUsername:" ["uid","mail"]}, "bindDN": "", "bindPassword": "", "ca": "", "insecure":"true", "url": "ldap://10.66.79.109:389/ou=People,dc=my-domain,dc=com?uid"}
Yes, there are a few typos in that provider string; here is a corrected one. Master will start with this configuration.

openshift_master_identity_providers=[{"name": "LDAPauth", "login": "true", "challenge": "true", "kind": "LDAPPasswordIdentityProvider", "attributes": {"id": ["dn","uid"], "email": ["mail"], "name": ["uid","dn"], "preferredUsername": ["uid","mail"]}, "bindDN": "", "bindPassword": "", "ca": "", "insecure":"true", "url": "ldap://10.66.79.109:389/ou=People,dc=my-domain,dc=com?uid"}]
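To make the failure mode in the original report concrete, here is an added Python illustration (not openshift-ansible code): a plain-Python stand-in for the template loop that shows why a bare string value renders one character per YAML list item, plus a validator that normalises string values to the documented list form and rejects the stray ':' in the key before anything is written to master-config.yaml. The function names, the LDAP_ATTRIBUTE_KEYS tuple and the sample maps are assumptions of this example.

```python
"""Reproduce and guard against the character-split seen in master-config.yaml.

Added illustration, not openshift-ansible code. render_attributes() is a
plain-Python stand-in for a Jinja ``{% for v in value %}`` loop; the key
names follow the LDAPPasswordIdentityProvider docs quoted in the bug.
"""

LDAP_ATTRIBUTE_KEYS = ("id", "email", "name", "preferredUsername")


def render_attributes(attributes):
    """Emit the YAML block the way a per-value template loop does.

    A Python str is iterable, so a bare "dn" is walked character by
    character, which is exactly what produced ``- d`` / ``- n`` above.
    """
    lines = []
    for key, value in attributes.items():
        lines.append(f"{key}:")
        for item in value:  # iterates characters when value is a str
            lines.append(f"- {item}")
    return "\n".join(lines)


def validate_attributes(attributes):
    """Return a template-safe copy, or raise ValueError on bad input.

    - string values are wrapped in a one-element list (the documented form)
    - keys with a trailing ':' are reported instead of rendering as ``key::``
    - unknown keys are rejected so typos never reach the master config
    """
    fixed = {}
    for key, value in attributes.items():
        if key.endswith(":"):
            raise ValueError(f"attribute key {key!r} has a trailing ':'")
        if key not in LDAP_ATTRIBUTE_KEYS:
            raise ValueError(f"unknown LDAP attribute key {key!r}")
        if isinstance(value, str):
            value = [value]
        if not isinstance(value, list) or not all(
                isinstance(v, str) and v for v in value):
            raise ValueError(f"{key!r} must be a list of non-empty strings")
        fixed[key] = list(value)
    return fixed


# Constructed sample: the attributes map exactly as given in the report.
REPORTED = {"id": "dn", "email": "mail", "name": "uid", "preferredUsername:": "uid"}
```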