Bug 1279756 - Write wrong master configuration when installing with LDAP auth
Status: CLOSED NOTABUG
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.1.0
Priority: unspecified
Severity: medium
Assigned To: Andrew Butcher
Keywords: UpcomingRelease
Reported: 2015-11-10 03:44 EST by Ma xiaoqiang
Modified: 2016-07-03 20:46 EDT
Last Closed: 2015-11-10 13:45:56 EST
Type: Bug
Doc Type: Bug Fix

Description Ma xiaoqiang 2015-11-10 03:44:54 EST
Description of problem:
Write wrong master configuration when installing with LDAP auth

Version-Release number of selected component (if applicable):
https://github.com/openshift/openshift-ansible master

How reproducible:
Always


Steps to Reproduce:

1. Install env with LDAP auth
openshift_master_identity_providers=[{"name": "LDAPauth", "login": "true", "challenge": "true", "kind": "LDAPPasswordIdentityProvider", "attributes": {"id": "dn", "email": "mail", "name": "uid", "preferredUsername:": "uid"}, "bindDN": "", "bindPassword": "", "ca": "", "insecure":"true", "url": "ldap://10.66.79.109:389/ou=People,dc=my-domain,dc=com?uid"}]

Actual results:
The openshift master service fails to start

#vim /etc/origin/master/master-config.yaml
  identityProviders:
  - name: LDAPauth
    challenge: true
    login: true
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        preferredUsername::
        - u
        - i
        - d
        email:
        - m
        - a
        - i
        - l
        id:
        - d
        - n
        name:
        - u
        - i
        - d
      bindDN: ""
      bindPassword: ""
      ca: ""
      insecure: true
      url: ldap://10.66.79.109:389/ou=People,dc=my-domain,dc=com?uid

Expected results:
Should write the correct configuration

Additional info:
Workaround in 'roles/openshift_master/templates/v1_partials/oauthConfig.j2':
{% for attribute_key in identity_provider.attributes %}
        {{ attribute_key }}:
        - {{ identity_provider.attributes[attribute_key] }}
{% endfor %}
Comment 1 Andrew Butcher 2015-11-10 13:43:25 EST
From the documentation, a list of attributes can be provided for identity, email, name and preferred username and the first non-empty attribute will be chosen.

https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html#LDAPPasswordIdentityProvider

The inventory variable should be as follows, per the example in the byo host inventory in openshift-ansible, where these values for id, name, email and preferredUsername have been wrapped in square brackets.

There is also an extra ':' after preferredUsername in the description.

openshift_master_identity_providers=[{"name": "LDAPauth", "login": "true", "challenge": "true", "kind": "LDAPPasswordIdentityProvider", "attributes": {"id": ["dn"], "email": ["mail"], "name": ["uid"], "preferredUsername": ["uid"]}, "bindDN": "", "bindPassword": "", "ca": "", "insecure":"true", "url": "ldap://10.66.79.109:389/ou=People,dc=my-domain,dc=com?uid"}]

https://github.com/openshift/openshift-ansible/blob/master/inventory/byo/hosts.example

Using the example in openshift-ansible I have a config that appears like so and the master starts without issue.

  identityProviders:
  - name: my_ldap_provider
    challenge: true
    login: true
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        email:
        - mail
        preferredUsername:
        - uid
        id:
        - dn
        name:
        - cn
      bindDN: ""
      bindPassword: ""
      ca: ""
      insecure: false
      url: ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid
Comment 2 Ma xiaoqiang 2015-11-12 20:21:02 EST
Do you mean we can configure the hosts as follows:
openshift_master_identity_providers=[{"name": "LDAPauth", "login": "true", "challenge": "true", "kind": "LDAPPasswordIdentityProvider", "attributes": {"id": ["dn","uid"], "email": ["mail"], "name": ["uid","dn"], "preferredUsername:" ["uid","mail"]}, "bindDN": "", "bindPassword": "", "ca": "", "insecure":"true", "url": "ldap://10.66.79.109:389/ou=People,dc=my-domain,dc=com?uid"}
Comment 3 Andrew Butcher 2015-11-13 15:39:20 EST
Yes. There are a few typos in that provider string; here is a corrected one. Master will start with this configuration.

openshift_master_identity_providers=[{"name": "LDAPauth", "login": "true", "challenge": "true", "kind": "LDAPPasswordIdentityProvider", "attributes": {"id": ["dn","uid"], "email": ["mail"], "name": ["uid","dn"], "preferredUsername": ["uid","mail"]}, "bindDN": "", "bindPassword": "", "ca": "", "insecure":"true", "url": "ldap://10.66.79.109:389/ou=People,dc=my-domain,dc=com?uid"}]

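As an added example (not code from openshift-ansible and not posted by anyone in this thread), the following Python script reproduces why the string-valued attributes in the description come out one character per list item, and lints an openshift_master_identity_providers value before it reaches the installer. It assumes that the unpatched oauthConfig.j2 loops over each attribute's value (an inference from the per-character output quoted in the description, not a verified copy of the template); the two inventory strings embedded in it are copied from the description and from comment 3. The `insecure` warning is an addition of this example: both inventory strings on this page set it, which sends LDAP bind passwords in cleartext.

```python
"""Added example: reproduce the attribute-splitting bug and lint the inventory value.

Not code from openshift-ansible or from this thread. render_attributes() assumes
the unpatched oauthConfig.j2 loops over each attribute's value (inferred from the
per-character output in the description); the two inventory strings below are
copied from the bug description and from comment 3.
"""
import json

# Attribute keys that LDAPPasswordIdentityProvider expects under `attributes`.
ATTRIBUTE_KEYS = ("id", "email", "name", "preferredUsername")

# Copied from the bug description: string values plus a stray ':' in one key.
BROKEN_INVENTORY = ('[{"name": "LDAPauth", "login": "true", "challenge": "true", '
                    '"kind": "LDAPPasswordIdentityProvider", "attributes": {"id": "dn", '
                    '"email": "mail", "name": "uid", "preferredUsername:": "uid"}, '
                    '"bindDN": "", "bindPassword": "", "ca": "", "insecure":"true", '
                    '"url": "ldap://10.66.79.109:389/ou=People,dc=my-domain,dc=com?uid"}]')

# Copied from comment 3: every attribute is a list and the key typo is gone.
FIXED_INVENTORY = ('[{"name": "LDAPauth", "login": "true", "challenge": "true", '
                   '"kind": "LDAPPasswordIdentityProvider", "attributes": {"id": ["dn","uid"], '
                   '"email": ["mail"], "name": ["uid","dn"], "preferredUsername": ["uid","mail"]}, '
                   '"bindDN": "", "bindPassword": "", "ca": "", "insecure":"true", '
                   '"url": "ldap://10.66.79.109:389/ou=People,dc=my-domain,dc=com?uid"}]')


def render_attributes(attributes, indent=8):
    """Emit the `attributes:` block the way a per-value Jinja loop does.

    Iterating a str yields its characters, so "mail" renders as
    `- m`, `- a`, `- i`, `- l`; a list renders one item per element.
    """
    pad = " " * indent
    lines = []
    for key, value in attributes.items():
        lines.append(f"{pad}{key}:")
        for item in value:  # characters for a str, elements for a list
            lines.append(f"{pad}- {item}")
    return "\n".join(lines)


def validate_attributes(attributes):
    """Return the list of errors that would make the rendered config unusable."""
    errors = []
    for key, value in attributes.items():
        if key not in ATTRIBUTE_KEYS:
            hint = " (stray ':' in key?)" if key.rstrip(":") in ATTRIBUTE_KEYS else ""
            errors.append(f"unknown attribute key {key!r}{hint}")
        if isinstance(value, str):
            errors.append(f"{key!r} must be a list of attribute names, not the string {value!r}")
        elif not (isinstance(value, list) and value
                  and all(isinstance(v, str) and v for v in value)):
            errors.append(f"{key!r} must be a non-empty list of non-empty strings")
    for key in ATTRIBUTE_KEYS:
        if key not in attributes:
            errors.append(f"missing attribute key {key!r}")
    return errors


def check_inventory_value(raw):
    """Parse an openshift_master_identity_providers JSON value and report, per
    LDAPPasswordIdentityProvider entry, the errors and security warnings found."""
    report = {}
    for provider in json.loads(raw):
        if provider.get("kind") != "LDAPPasswordIdentityProvider":
            continue
        warnings = []
        # Both strings on this page set insecure "true": bind DN and user
        # passwords then travel to the LDAP server without TLS.
        if str(provider.get("insecure", "false")).lower() == "true":
            warnings.append("insecure is true: LDAP bind credentials are sent in cleartext")
        report[provider["name"]] = {
            "errors": validate_attributes(provider.get("attributes", {})),
            "warnings": warnings,
        }
    return report


if __name__ == "__main__":
    for label, raw in (("description", BROKEN_INVENTORY), ("comment 3", FIXED_INVENTORY)):
        provider = json.loads(raw)[0]
        print(f"--- {label} ---")
        print(render_attributes(provider["attributes"]))
        print(check_inventory_value(raw)[provider["name"]])
```

Running it prints the description's per-character `attributes:` block for the first string and a clean one for the second; the lint for the first string reports the four string values, the `preferredUsername:` key and the missing `preferredUsername` key, while the second string passes with only the `insecure` warning.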