Red Hat Bugzilla – Bug 1472224
AD LDAP sync only users within group with oadm sync command
Last modified: 2017-10-05 13:53:00 EDT
Description of problem:
Customer configured the AD LDAP and it works correctly. Customer configured the group DEV_USERS. The script was configured similarly to the below.
groupNameAttributes: [ cn ]
groupMembershipAttributes: [ memberOf ]
userNameAttributes: [ sAMAccountName ]
Unfortunately, there are two kinds of users in DEV_USERS, one in ou=local,ou=users,dc=example,dc=com and one in ou=people,ou=users,dc=example,dc=com. The users in "local" are able to log in and see the projects (based on privileges). But users from "people" are not in this group, therefore they can't see the projects like the users in "local".
When editing the usersQuery.baseDN to 'people', OpenShift wants to download all the users in LDAP, more than 1001 (approx. 30000), and it fails with 'Limit Exceeded'.
The question is how to configure to download only the users within the group?
Change the baseDN to "ou=users,dc=example,dc=com" and configure the filter parameter?
We tried to do it as:
But it didn't work: the group sync didn't show any error, but the users are not in the group in OpenShift.
Version-Release number of selected component (if applicable):
OpenShift Container Platform 3.5
The bug is urgent because this is a stopper for the customer. Is there any workaround? Adding the roles to users is not an option as there are a lot of users.
To get around the "limit exceeded" error, set pageSize on the usersQuery to something other than 0 to avoid pulling in the whole set at once.
I would have expected the user filter to work. What do you see when manually running an ldap search with that filter?
What is the full DN of the DEV_USERS group?
How to configure the filter so it will work with LDAP sync? To just take the users from People but only from the group?
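The shape of an augmentedActiveDirectory sync config that applies both suggestions from this thread (a non-zero pageSize on usersQuery so the server's size limit is not hit, and a usersQuery filter restricted to members of the group), added here as an example and not taken from the bug report. The LDAP URL, bind DN, password file path, groups baseDN and the full DN of DEV_USERS are placeholders, since the thread does not give them.

```yaml
kind: LDAPSyncConfig
apiVersion: v1
url: ldap://ldap.example.com:389                  # placeholder; not from the bug report
bindDN: cn=sync-svc,ou=service,dc=example,dc=com  # placeholder service account
bindPassword:
  file: /etc/origin/master/ldap-sync-bindpass     # placeholder path
insecure: false
augmentedActiveDirectory:
  groupsQuery:
    baseDN: "ou=groups,dc=example,dc=com"         # assumed group container
    scope: sub
    derefAliases: never
    pageSize: 0
  groupUIDAttribute: dn
  groupNameAttributes: [ cn ]
  usersQuery:
    # Search the parent OU so both ou=local and ou=people are covered,
    # then narrow the result to DEV_USERS members with the filter.
    baseDN: "ou=users,dc=example,dc=com"
    scope: sub
    derefAliases: never
    # A non-zero pageSize turns on paged results, so the ~30000-entry OU
    # is fetched in pages instead of tripping the server's size limit.
    pageSize: 500
    # The group DN below is a placeholder; use the real DN of DEV_USERS.
    filter: "(&(objectClass=user)(memberOf=cn=DEV_USERS,ou=groups,dc=example,dc=com))"
  userNameAttributes: [ sAMAccountName ]
  groupMembershipAttributes: [ memberOf ]
```

Check the filter first with a manual ldapsearch against the same baseDN, then run `oadm groups sync --sync-config=<file> --confirm` and compare the resulting group membership with the directory.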