1472224 – AD LDAP sync only users within group with oadm sync command

Bug 1472224 - AD LDAP sync only users within group with oadm sync command

Summary: AD LDAP sync only users within group with oadm sync command

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	apiserver-auth
Sub Component:
Version:	3.5.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	3.7.0
Assignee:	Mo
QA Contact:	Vladislav Walek
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-07-18 09:32 UTC by Vladislav Walek
Modified:	2020-12-14 09:08 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:	undefined
Clone Of:
Environment:
Last Closed:	2017-11-08 06:40:16 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3188	0	normal	SHIPPED_LIVE	Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update	2017-11-29 02:34:54 UTC

Description Vladislav Walek 2017-07-18 09:32:58 UTC

Description of problem:

Customer configured the AD ldap and it works correctly. Customer configured the group DEV_USERS. The script was configured similar to below.

groupsQuery:
        baseDN: "ou=groups,dc=example,dc=com"
        scope: sub
        derefAliases: never
        pageSize: 0
    groupUIDAttribute: dn 
    groupNameAttributes: [ cn ] 
    groupMembershipAttributes: [ memberOf ] 
    usersQuery:
        baseDN: "ou=local,ou=users,dc=example,dc=com"
        scope: sub
        derefAliases: never
        filter: (objectClass=*)
        pageSize: 0
    userNameAttributes: [ sAMAccountName ]

Unfortunately, there are two kinds of users in DEV_USERS, one in ou=local,ou=users,dc=example,dc=com and one in ou=people,ou=users,dc=example,dc=com. The users in "local" are able to login and see the projects (based on privileges). But users from "people" are not in this group, therefore can't see the projects as users in "local".
When edit the usersQuery.baseDN to the 'people', then the openshift wants to download all the users in ldap, more than 1001+ (approx 30000), and it will fail 'Limit Exceeded'.

The question is how to configure to download only the users within the group? 
Change the baseDN to "ou=users,dc=example,dc=com" and configure the filter parameter?

We tried to do it as:
filter: (&(objectClass=user)(memberOf=cn=DEV_USERS,ou=groups,dc=example,dc=com))

But it didn't work, the sync group didn't show any error, but the users are not in the group in openshift.

Version-Release number of selected component (if applicable):
OpenShift Container Platform 3.5


Additional info:
The bug is urgent due this is a stopper for customer. Is there any workaround? Adding the roles to users is not an option as there is a lot of users.

Comment 2 Jordan Liggitt 2017-07-18 14:11:36 UTC

To get around the "limit exceeded" error, set pageSize on the usersQuery to something other than 0 to avoid pulling in the whole set at once

I would have expected the user filter to work. What do you see when manually running an ldap search with that filter?

Comment 3 Jordan Liggitt 2017-07-18 15:22:30 UTC

what is the full DN of the DEV_USERS group?

Comment 5 Vladislav Walek 2017-08-08 06:44:28 UTC

Hello,

how to configure the filter so it will work with ldap sync? To just take the users from People but only from the group?
Thank you

Comment 17 Chuan Yu 2017-11-08 06:40:16 UTC

Since there is no change, just update the used testing file, close it as NOTABUG.

Note You need to log in before you can comment on or make changes to this bug.