Description of problem:
It seems that OpenShift tries to find the group by name instead of searching by openshift.io/ldap.uid when pruning.

Version-Release number of selected component (if applicable):
3.4.0

How reproducible:
I'm using the following scenario to reproduce it: http://tcms-openshift.rhcloud.com/case/4060/

aad_config.yaml

kind: LDAPSyncConfig
apiVersion: v1
url: ldap://192.168.1.111:389
insecure: true
groupUIDNameMapping:
  cn=group1,ou=groups,ou=adextended,dc=example,dc=com: tc509127group1
  cn=group2,ou=groups,ou=adextended,dc=example,dc=com: tc509127group2
  cn=group3,ou=groups,ou=adextended,dc=example,dc=com: tc509127group3
augmentedActiveDirectory:
  usersQuery:
    baseDN: "ou=people,ou=adextended,dc=example,dc=com"
    scope: sub
    derefAliases: never
    filter: (objectclass=inetOrgPerson)
  groupMembershipAttributes: [ testMemberOf ]
  userNameAttributes: [ mail ]
  groupsQuery:
    baseDN: "ou=groups,ou=adextended,dc=example,dc=com"
    scope: sub
    derefAliases: never
  groupUIDAttribute: dn
  groupNameAttributes: [ cn ]

whitelist

cn=group1,ou=groups,ou=adextended,dc=example,dc=com

$ oadm groups sync --sync-config=aad_config.yaml --whitelist=whitelist --confirm
group/tc509127group1

$ oc describe group/tc509127group1
Name:        tc509127group1
Namespace:   <none>
Created:     4 minutes ago
Labels:      openshift.io/ldap.host=192.168.1.111
Annotations: openshift.io/ldap.sync-time=2017-08-23T18:24:48-0400
             openshift.io/ldap.uid=cn=group1,ou=groups,ou=adextended,dc=example,dc=com
             openshift.io/ldap.url=192.168.1.111:389
Users:       person1smith
             person2smith
             person3smith
             person4smith
             person5smith

$ oadm groups prune --sync-config=aad_config.yaml --whitelist=whitelist
groups "cn=group1,ou=groups,ou=adextended,dc=example,dc=com" not found

It seems that OpenShift tries to find the group by name instead of searching by openshift.io/ldap.uid. Therefore the command runs successfully without the whitelist param:

$ oadm groups prune --sync-config=aad_config.yaml --loglevel=4
I0823 18:28:13.891783   44961 grouppruner.go:45] LDAPGroupPruner listing groups to prune with &{map[] 0xc4202c4090 192.168.1.111:389 map[]}
I0823 18:28:13.893489   44961 grouppruner.go:51] LDAPGroupPruner will attempt to prune ldapGroupUIDs [cn=group1,ou=groups,ou=adextended,dc=example,dc=com]
I0823 18:28:13.893510   44961 grouppruner.go:54] Checking LDAP group cn=group1,ou=groups,ou=adextended,dc=example,dc=com
I0823 18:28:13.894145   44961 query.go:228] searching LDAP server with config {Scheme: ldap Host: 192.168.1.111:389 BindDN:  len(BbindPassword): 0 Insecure: true} with dn="cn=group1,ou=groups,ou=adextended,dc=example,dc=com" and scope 0 for (objectClass=*) requesting [cn dn]
I0823 18:28:13.894904   44961 query.go:245] found dn="cn=group1,ou=groups,ou=adextended,dc=example,dc=com"
I0823 18:28:13.894937   44961 query.go:198] found dn="cn=group1,ou=groups,ou=adextended,dc=example,dc=com" for (objectClass=*)
I0823 18:28:13.895574   44961 query.go:228] searching LDAP server with config {Scheme: ldap Host: 192.168.1.111:389 BindDN:  len(BbindPassword): 0 Insecure: true} with dn="ou=people,ou=adextended,dc=example,dc=com" and scope 2 for (&((objectclass=inetOrgPerson))(testMemberOf=cn=group1,ou=groups,ou=adextended,dc=example,dc=com)) requesting [mail testMemberOf]
I0823 18:28:13.897036   44961 query.go:245] found dn="cn=Person1,ou=people,ou=adextended,dc=example,dc=com"
I0823 18:28:13.897063   44961 query.go:245] found dn="cn=Person2,ou=people,ou=adextended,dc=example,dc=com"
I0823 18:28:13.897072   44961 query.go:245] found dn="cn=Person3,ou=people,ou=adextended,dc=example,dc=com"
I0823 18:28:13.897079   44961 query.go:245] found dn="cn=Person4,ou=people,ou=adextended,dc=example,dc=com"
I0823 18:28:13.897087   44961 query.go:245] found dn="cn=Person5,ou=people,ou=adextended,dc=example,dc=com"

In order to confirm that the prune is trying to search the group by name, I did the following:

$ oc delete groups --all
group "tc509127group1" deleted

aad_config.yaml - commented groupUIDNameMapping group1 and changed groupNameAttributes to "dn"

kind: LDAPSyncConfig
apiVersion: v1
url: ldap://192.168.1.111:389
insecure: true
groupUIDNameMapping:
  # cn=group1,ou=groups,ou=adextended,dc=example,dc=com: tc509127group1
  cn=group2,ou=groups,ou=adextended,dc=example,dc=com: tc509127group2
  cn=group3,ou=groups,ou=adextended,dc=example,dc=com: tc509127group3
augmentedActiveDirectory:
  usersQuery:
    baseDN: "ou=people,ou=adextended,dc=example,dc=com"
    scope: sub
    derefAliases: never
    filter: (objectclass=inetOrgPerson)
  groupMembershipAttributes: [ testMemberOf ]
  userNameAttributes: [ mail ]
  groupsQuery:
    baseDN: "ou=groups,ou=adextended,dc=example,dc=com"
    scope: sub
    derefAliases: never
  groupUIDAttribute: dn
  groupNameAttributes: [ dn ]

$ oadm groups sync --sync-config=aad_config.yaml --whitelist=whitelist --confirm
group/cn=group1,ou=groups,ou=adextended,dc=example,dc=com

Then the prune runs without problems:

$ oadm groups prune --sync-config=aad_config.yaml --whitelist=whitelist --confirm --loglevel=4
I0823 18:45:34.902337   46543 grouppruner.go:45] LDAPGroupPruner listing groups to prune with &{[cn=group1,ou=groups,ou=adextended,dc=example,dc=com] map[] 0xc42069c0a0 192.168.1.111:389 map[]}
I0823 18:45:34.903940   46543 grouppruner.go:51] LDAPGroupPruner will attempt to prune ldapGroupUIDs [cn=group1,ou=groups,ou=adextended,dc=example,dc=com]
I0823 18:45:34.903960   46543 grouppruner.go:54] Checking LDAP group cn=group1,ou=groups,ou=adextended,dc=example,dc=com
I0823 18:45:34.904671   46543 query.go:228] searching LDAP server with config {Scheme: ldap Host: 192.168.1.111:389 BindDN:  len(BbindPassword): 0 Insecure: true} with dn="cn=group1,ou=groups,ou=adextended,dc=example,dc=com" and scope 0 for (objectClass=*) requesting [dn]
I0823 18:45:34.905556   46543 query.go:245] found dn="cn=group1,ou=groups,ou=adextended,dc=example,dc=com"
I0823 18:45:34.905593   46543 query.go:198] found dn="cn=group1,ou=groups,ou=adextended,dc=example,dc=com" for (objectClass=*)
I0823 18:45:34.906253   46543 query.go:228] searching LDAP server with config {Scheme: ldap Host: 192.168.1.111:389 BindDN:  len(BbindPassword): 0 Insecure: true} with dn="ou=people,ou=adextended,dc=example,dc=com" and scope 2 for (&((objectclass=inetOrgPerson))(testMemberOf=cn=group1,ou=groups,ou=adextended,dc=example,dc=com)) requesting [mail testMemberOf]
I0823 18:45:34.907548   46543 query.go:245] found dn="cn=Person1,ou=people,ou=adextended,dc=example,dc=com"
I0823 18:45:34.907570   46543 query.go:245] found dn="cn=Person2,ou=people,ou=adextended,dc=example,dc=com"
I0823 18:45:34.907576   46543 query.go:245] found dn="cn=Person3,ou=people,ou=adextended,dc=example,dc=com"
I0823 18:45:34.907580   46543 query.go:245] found dn="cn=Person4,ou=people,ou=adextended,dc=example,dc=com"
I0823 18:45:34.907585   46543 query.go:245] found dn="cn=Person5,ou=people,ou=adextended,dc=example,dc=com"

Actual results:
groups "cn=group1,ou=groups,ou=adextended,dc=example,dc=com" not found

Expected results:
Search the group correctly and run the prune command without problems
looks like the whitelist needs to run through the mapping transformation if present
As a temporary workaround, the customer could create a second whitelist with the mapped values:

tc509127group1
tc509127group2
tc509127group3

This would allow for normal use of the prune command.
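The two comments above (the whitelist needing to go through the mapping, and the workaround of a hand-mapped whitelist) can be shown in a few lines of Go. This is an added example written for this page, not code from openshift/origin or from PR 16071: the Group type, the Sample* data, and every function name are hypothetical stand-ins that mirror only what the report's own output shows (the groupUIDNameMapping from aad_config.yaml, the one-line whitelist, and the openshift.io/ldap.uid annotation on the synced group). It contrasts the lookup that fails (whitelist DN used as an OpenShift group name) with two lookups that succeed (resolving the DN through the mapping first, or matching on the ldap.uid annotation), and renders the workaround whitelist file.

```go
package main

import (
	"fmt"
	"strings"
)

// LDAPUIDAnnotation is the annotation the syncer stamps on every synced group
// (visible in the `oc describe group/tc509127group1` output in the report).
const LDAPUIDAnnotation = "openshift.io/ldap.uid"

// Group is a minimal stand-in for an OpenShift Group object, holding only the
// fields the lookups below need. Hypothetical type, not the origin API type.
type Group struct {
	Name        string
	Annotations map[string]string
}

// SampleMapping is the groupUIDNameMapping block from aad_config.yaml.
var SampleMapping = map[string]string{
	"cn=group1,ou=groups,ou=adextended,dc=example,dc=com": "tc509127group1",
	"cn=group2,ou=groups,ou=adextended,dc=example,dc=com": "tc509127group2",
	"cn=group3,ou=groups,ou=adextended,dc=example,dc=com": "tc509127group3",
}

// SampleWhitelist is the contents of the whitelist file from the report.
var SampleWhitelist = []string{
	"cn=group1,ou=groups,ou=adextended,dc=example,dc=com",
}

// SampleGroups is constructed data mirroring the cluster state after the sync:
// one group named through the mapping and annotated with its LDAP UID.
var SampleGroups = []Group{
	{
		Name: "tc509127group1",
		Annotations: map[string]string{
			LDAPUIDAnnotation:       "cn=group1,ou=groups,ou=adextended,dc=example,dc=com",
			"openshift.io/ldap.url": "192.168.1.111:389",
		},
	},
}

// MapWhitelist runs every LDAP group UID in the whitelist through
// groupUIDNameMapping and returns the OpenShift group names the syncer created.
// An unmapped UID is passed through unchanged, which is only correct when
// groupNameAttributes is [ dn ] (the report's second reproduction); for any
// other name attribute the real syncer would need an LDAP lookup (assumption).
func MapWhitelist(whitelist []string, uidToName map[string]string) []string {
	names := make([]string, 0, len(whitelist))
	for _, uid := range whitelist {
		if name, ok := uidToName[uid]; ok {
			names = append(names, name)
		} else {
			names = append(names, uid)
		}
	}
	return names
}

// FindByName is the lookup the report blames: a whitelist entry is treated as an
// OpenShift group name, so a DN never matches a group renamed by the mapping.
func FindByName(groups []Group, name string) (Group, bool) {
	for _, g := range groups {
		if g.Name == name {
			return g, true
		}
	}
	return Group{}, false
}

// FindByLDAPUID resolves a whitelist entry through the openshift.io/ldap.uid
// annotation instead, which works however the group was named.
func FindByLDAPUID(groups []Group, uid string) (Group, bool) {
	for _, g := range groups {
		if g.Annotations[LDAPUIDAnnotation] == uid {
			return g, true
		}
	}
	return Group{}, false
}

// MappedWhitelistFile renders the workaround from the thread: a second
// whitelist file holding the mapped group names, one per line.
func MappedWhitelistFile(whitelist []string, uidToName map[string]string) string {
	return strings.Join(MapWhitelist(whitelist, uidToName), "\n") + "\n"
}

func main() {
	for _, uid := range SampleWhitelist {
		if _, ok := FindByName(SampleGroups, uid); !ok {
			fmt.Printf("by name:     groups %q not found\n", uid)
		}
		if g, ok := FindByLDAPUID(SampleGroups, uid); ok {
			fmt.Printf("by ldap.uid: %s -> group/%s\n", uid, g.Name)
		}
	}
	fmt.Print("workaround whitelist file:\n", MappedWhitelistFile(SampleWhitelist, SampleMapping))
}
```

Running it prints the same "not found" the report shows for the name-based lookup, then the successful annotation-based resolution, then the three-line file the workaround comment describes. The pass-through for unmapped UIDs is what makes the [ dn ] reproduction succeed: with that naming attribute the group name and the ldap.uid are the same string, so both lookups coincide.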
moving to Mo, only because he has a PR almost ready to go, can be moved to others as necessary
https://github.com/openshift/origin/pull/16071
The PR is merged into 3.7 master.
Verified with latest 3.7 build: it searches the group correctly and runs the prune command without problems.

# openshift version
openshift v3.7.0-0.126.4
kubernetes v1.7.0+80709908fd
etcd 3.2.1
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188