Bug 1472224 - AD LDAP sync only users within group with oadm sync command
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Priority: high
Severity: high
: 3.7.0
Assigned To: Mo
Vladislav Walek
Reported: 2017-07-18 05:32 EDT by Vladislav Walek
Modified: 2017-11-28 03:28 EST
Doc Type: No Doc Update
Last Closed: 2017-11-08 01:40:16 EST
Type: Bug

Description Vladislav Walek 2017-07-18 05:32:58 EDT
Description of problem:

Customer configured the AD LDAP and it works correctly. Customer configured the group DEV_USERS. The script was configured similar to below.

augmentedActiveDirectory:
    groupsQuery:
        baseDN: "ou=groups,dc=example,dc=com"
        scope: sub
        derefAliases: never
        pageSize: 0          # 0 = no paging, whole result in one response
    groupUIDAttribute: dn
    groupNameAttributes: [ cn ]
    groupMembershipAttributes: [ memberOf ]
    usersQuery:
        baseDN: "ou=local,ou=users,dc=example,dc=com"
        scope: sub
        derefAliases: never
        filter: (objectClass=*)
        pageSize: 0          # 0 = no paging, whole result in one response
    userNameAttributes: [ sAMAccountName ]

Unfortunately, there are two kinds of users in DEV_USERS, one in ou=local,ou=users,dc=example,dc=com and one in ou=people,ou=users,dc=example,dc=com. The users in "local" are able to log in and see the projects (based on privileges). But users from "people" are not in this group, and therefore can't see the projects like the users in "local".
When editing the usersQuery.baseDN to the 'people' OU, OpenShift wants to download all the users in LDAP, more than 1001 (approx. 30000), and it fails with 'Limit Exceeded'.

The question is how to configure to download only the users within the group? 
Change the baseDN to "ou=users,dc=example,dc=com" and configure the filter parameter?

We tried to do it as:
filter: (&(objectClass=user)(memberOf=cn=DEV_USERS,ou=groups,dc=example,dc=com))

But it didn't work: the group sync didn't show any error, but the users are not in the group in OpenShift.

Version-Release number of selected component (if applicable):
OpenShift Container Platform 3.5

Additional info:
The bug is urgent because this is a stopper for the customer. Is there any workaround? Adding the roles to users is not an option as there are a lot of users.
Comment 2 Jordan Liggitt 2017-07-18 10:11:36 EDT
To get around the "limit exceeded" error, set pageSize on the usersQuery to something other than 0 to avoid pulling in the whole set at once.

I would have expected the user filter to work. What do you see when manually running an ldap search with that filter?
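The following is an added example for this report; it is not OpenShift code and not the customer's configuration. It is an offline Python model of the usersQuery described in the report and of the pageSize advice in Comment 2: a small constructed AD subtree with members of DEV_USERS under both ou=local and ou=people, a subset RFC 4515 filter evaluator, LDAP search scopes, and a server size limit that refuses unpaged results above 1000 entries (Active Directory's default MaxPageSize). The DNs, users and the 1200 extra accounts are constructed sample data; the filter is the one quoted in the report.

```python
"""Offline model of an OpenShift LDAP sync usersQuery (added example, not
OpenShift code). Shows why the original ou=local base never sees ou=people
users, that a memberOf filter over ou=users picks members from both OUs, and
how pageSize 0 runs into the server size limit while paging does not."""

# Constructed sample directory: DN -> {attribute: [values]}.
DIRECTORY = {
    "cn=DEV_USERS,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"], "cn": ["DEV_USERS"]},
    "cn=alice,ou=local,ou=users,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["alice"],
        "memberOf": ["cn=DEV_USERS,ou=groups,dc=example,dc=com"]},
    "cn=bob,ou=people,ou=users,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["bob"],
        "memberOf": ["cn=DEV_USERS,ou=groups,dc=example,dc=com"]},
    "cn=carol,ou=people,ou=users,dc=example,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["carol"], "memberOf": []},
}

# Active Directory's default MaxPageSize: an unpaged search returning more
# entries than this fails with sizeLimitExceeded (the report's "1001+").
AD_SIZE_LIMIT = 1000

# The filter quoted in the report.
MEMBER_FILTER = "(&(objectClass=user)(memberOf=cn=DEV_USERS,ou=groups,dc=example,dc=com))"


class LimitExceeded(Exception):
    """Models LDAP result code 4 (sizeLimitExceeded) from the server."""


def _norm(s):
    return s.strip().lower()


def parse_filter(text):
    """Parse (&..), (|..), (!..), (attr=value) and (attr=*) into a tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")  # split on the first '='
        pos = end + 1
        return ("=", _norm(attr), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, attrs):
    """Evaluate a parsed filter against one entry (attribute names are case-insensitive)."""
    op = tree[0]
    if op == "&":
        return all(matches(c, attrs) for c in tree[1])
    if op == "|":
        return any(matches(c, attrs) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    _, attr, value = tree
    values = next((v for k, v in attrs.items() if _norm(k) == attr), [])
    if value == "*":                      # presence filter, e.g. (objectClass=*)
        return bool(values)
    return any(_norm(v) == _norm(value) for v in values)


def in_scope(dn, base_dn, scope):
    """LDAP search scope: base, one (direct children only) or sub (whole subtree)."""
    dn, base = _norm(dn), _norm(base_dn)
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    rdns_below_base = dn[: -len(base) - 1]
    return scope == "sub" or (scope == "one" and "," not in rdns_below_base)


def search(base_dn, scope, filter_text, page_size=0,
           directory=DIRECTORY, size_limit=AD_SIZE_LIMIT):
    """Sorted DNs the usersQuery would receive. page_size=0 asks for everything in
    one response, which the server refuses above size_limit; page_size>0 models
    the paged-results control, so the full set is delivered page by page."""
    tree = parse_filter(filter_text)
    hits = sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, base_dn, scope) and matches(tree, attrs))
    if page_size == 0 and len(hits) > size_limit:
        raise LimitExceeded(f"{len(hits)} entries exceed the server limit of {size_limit}")
    return hits


def large_directory(extra_users=1200):
    """Constructed copy of DIRECTORY with many non-member users under ou=people."""
    big = dict(DIRECTORY)
    for i in range(extra_users):
        big[f"cn=u{i},ou=people,ou=users,dc=example,dc=com"] = {
            "objectClass": ["user"], "sAMAccountName": [f"u{i}"], "memberOf": []}
    return big


def unpaged_outcome(directory):
    """Hit count, or 'Limit Exceeded', for the widened and unfiltered usersQuery."""
    try:
        return len(search("ou=users,dc=example,dc=com", "sub", "(objectClass=*)",
                          page_size=0, directory=directory))
    except LimitExceeded:
        return "Limit Exceeded"


if __name__ == "__main__":
    print("ou=local only:", search("ou=local,ou=users,dc=example,dc=com", "sub", "(objectClass=*)"))
    print("ou=users + memberOf filter:", search("ou=users,dc=example,dc=com", "sub", MEMBER_FILTER))
    big = large_directory()
    print("pageSize 0 over ~1200 users:", unpaged_outcome(big))
    print("pageSize 500 over ~1200 users:", len(search(
        "ou=users,dc=example,dc=com", "sub", "(objectClass=*)", page_size=500, directory=big)))
```

Run as a script it prints the four cases side by side: the original base DN returns only alice, the widened base with the memberOf filter returns alice and bob but not carol, the unpaged unfiltered query over the large subtree fails with the size limit, and the same query with a non-zero page size delivers all entries. The evaluator is a deliberate subset of RFC 4515 (no substring, approximate or extensible matching) and does not model AD's objectCategory shorthand.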
Comment 3 Jordan Liggitt 2017-07-18 11:22:30 EDT
What is the full DN of the DEV_USERS group?
Comment 5 Vladislav Walek 2017-08-08 02:44:28 EDT

How to configure the filter so it will work with LDAP sync? To just take the users from People, but only from the group?
Thank you
Comment 17 Chuan Yu 2017-11-08 01:40:16 EST
Since there is no change (just an update of the testing file used), closing it as NOTABUG.
