Document URL: https://access.redhat.com/documentation/en/openshift-container-platform/3.3/single/installation-and-configuration/#running-ldap-sync
Section Number and Name: 13.5. SYNC EXAMPLES
Describe the issue: A change went into 3.3 which prevents filters being used when UserUIDAttribute = dn
https://github.com/openshift/ose/commit/9351adc9cb35ee67ab82659c165dcb4f3799e33d
Suggestions for improvement: All of our docs currently specify a filter with UserUIDAttribute dn
Additional information: The above commit removes all of the filters in question from the test YAML files.

    usersQuery:
      baseDN: "ou=users,dc=example,dc=com"
      scope: sub
      derefAliases: never
      filter: (objectclass=inetOrgPerson)
      pageSize: 0
    userUIDAttribute: dn

filter: (objectclass=inetOrgPerson) is no longer valid. You would get an error during sync:

    error: validation of LDAP sync config failed: usersQuery.filter: Invalid value: "(\u0026(objectclass=user)(memberof=cn=Super_Admins,dc=company,dc=com))": cannot specify a filter when using "dn" as the UID attribute
Matthew: Your suggestion for improvement is "All of our doc currently specify a filter with UserUIDAttribute dn". Are you suggesting that mentions of using this filter with the UserUIDAttribute DN simply need to be removed? Or will the impact on OpenShift users be more significant than that? Is there a new DN that they must specify instead, one that allows them to use filters? Are there other manual changes that must now take place? Any additional information you can point me to would be very helpful, thank you.
Correct, they need to be removed. If you look at the above commit, you can see all of the 'filters' were removed as part of this change. There are no filters allowed when using DN for UserUIDAttribute. The recommendation for finer grained filtering is to use the already documented whitelist / blacklist approach.
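The rule discussed in this bug can be checked before running a sync. The Python below is an added example, not OpenShift code: it mirrors the validation described above (a usersQuery.filter is rejected when userUIDAttribute is dn), strips the now-invalid filter from a config, and renders the group-DN whitelist file that the comment recommends as the replacement for filtering. The config dict is constructed from the YAML quoted in the bug description; the group DNs in the whitelist are placeholders.

```python
import copy

# Constructed from the YAML quoted in the bug description, rendered as a
# dict so the example runs without a YAML library. This is an added
# example, not OpenShift code; the validator below only mirrors the rule
# the bug describes (no usersQuery.filter when userUIDAttribute is "dn").
BROKEN_RFC2307 = {
    "rfc2307": {
        "usersQuery": {
            "baseDN": "ou=users,dc=example,dc=com",
            "scope": "sub",
            "derefAliases": "never",
            "filter": "(objectclass=inetOrgPerson)",
            "pageSize": 0,
        },
        "userUIDAttribute": "dn",
    }
}


def validate_sync_config(config):
    """Return a list of validation errors; an empty list means the
    config passes the dn/filter rule from this bug."""
    errors = []
    rfc = config.get("rfc2307", {})
    query = rfc.get("usersQuery", {})
    if rfc.get("userUIDAttribute") == "dn" and query.get("filter"):
        # Same wording as the sync error quoted in the bug description.
        errors.append(
            'usersQuery.filter: Invalid value: "%s": cannot specify a '
            'filter when using "dn" as the UID attribute' % query["filter"]
        )
    return errors


def fix_for_dn_uid(config):
    """Return a copy of the config with the usersQuery.filter removed
    when userUIDAttribute is "dn"; the original is left untouched."""
    fixed = copy.deepcopy(config)
    rfc = fixed.get("rfc2307", {})
    if rfc.get("userUIDAttribute") == "dn":
        rfc.get("usersQuery", {}).pop("filter", None)
    return fixed


def whitelist_file(group_dns):
    """Render the one-DN-per-line whitelist that replaces the filter:
    only the listed groups (and their members) are synced."""
    return "".join(dn + "\n" for dn in group_dns)


if __name__ == "__main__":
    for err in validate_sync_config(BROKEN_RFC2307):
        print("error: validation of LDAP sync config failed: " + err)
    fixed = fix_for_dn_uid(BROKEN_RFC2307)
    print("after fix, errors:", validate_sync_config(fixed))
    # Placeholder group DNs for the whitelist; substitute your own.
    print(whitelist_file(["cn=Super_Admins,ou=groups,dc=example,dc=com"]))
```

The whitelist output is what you would save to a file and pass to the sync command (oadm groups sync --sync-config=config.yaml --whitelist=whitelist.txt --confirm), which gives the same group-level narrowing the removed filter used to provide.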
Thank you, Matthew. I've updated everything now. :) Ready for docs QA review. Docs update PR: https://github.com/openshift/openshift-docs/pull/3077 Nicely-rendered docs for easy reading, updated in 3 spots: 1. Here, Example 5: http://file.bne.redhat.com/~tpoitras/2016/ldapfilter/openshift-enterprise/ldapfilter-BZ1381674/install_config/syncing_groups_with_ldap.html#sync-ldap-rfc-2307 2. Here, Example 7: http://file.bne.redhat.com/~tpoitras/2016/ldapfilter/openshift-enterprise/ldapfilter-BZ1381674/install_config/syncing_groups_with_ldap.html#rfc2307-with-user-defined-name-mappings 3. And Here, Example 10: http://file.bne.redhat.com/~tpoitras/2016/ldapfilter/openshift-enterprise/ldapfilter-BZ1381674/install_config/syncing_groups_with_ldap.html#rfc2307-with-error-tolerances
Tim's PR has merged: https://github.com/openshift/openshift-docs/pull/3077 Plus, I created a follow-up PR to address the one he missed: https://github.com/openshift/openshift-docs/pull/3132 Moving this BZ to release pending.
Link to released docs: https://docs.openshift.com/container-platform/3.3/install_config/syncing_groups_with_ldap.html#sync-ldap-augmented-active-directory