Description of problem:
The same ldap config from 3.9 no longer works correctly in 3.10 without adding ca: instead of using openshift_master_ldap_ca_file.

openshift_master_identity_providers=[{'name':'my_ldap_provider','challenge':'true','login':'true','kind':'LDAPPasswordIdentityProvider','attributes':{'id':['dn'],'email':['mail'],'name':['displayName'],'preferredUsername':['sAMAccountName']},'insecure':'false','bindDN':'CN=my_auth,OU=MyAccounts,OU=Generic,OU=My_Integration,DC=my,DC=com','bindPassword':'password','url':'ldaps://myldap.my.com:636/DC=my,DC=com?sAMAccountName?sub?(&(objectClass=person)(objectClass=user))'}]
# Configuring the ldap ca certificate
openshift_master_ldap_ca_file=/etc/pki/ca-trust/source/anchors/my-ca.pem

This results in an LDAP config like:

oauthConfig:
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: my_ldap_provider
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - displayName
        preferredUsername:
        - sAMAccountName
      bindDN: CN=my_auth,OU=MyAccounts,OU=Generic,OU=My_Integration,DC=my,DC=com
      bindPassword: password
      insecure: false
      kind: LDAPPasswordIdentityProvider
      url: ldaps://myldap.my.com:636/DC=my,DC=com?sAMAccountName?sub?(&(objectClass=person)(objectClass=user))
      ca:

Which results in:

E0809 13:00:57.977574       1 login.go:187] Error authenticating "user" with provider "my_ldap_provider": LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority
E0809 13:00:59.750261       1 login.go:187] Error authenticating "user" with provider "my_ldap_provider": LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority
E0809 13:01:01.384381       1 login.go:187] Error authenticating "user" with provider "my_ldap_provider": LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority
E0809 13:01:03.144610       1 login.go:187] Error authenticating "user" with provider "my_ldap_provider": LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority

Needed to manually edit the config to add, if you do not use it during the install:

      ca: ldap_ca.crt

Version-Release number of the following components:
3.10

How reproducible:
Always

Steps to Reproduce:
1. Use above ldap config

Actual results:
LDAP does not work with the same config as 3.9

Expected results:
Should still work correctly
Reported here as well: https://github.com/openshift/openshift-ansible/issues/9397
I think this is happening because ldap_ca gets set via openshift_master_facts by a file lookup on openshift_master_ldap_ca_file but I don't think that openshift_master_facts role has been called.
> The same ldap config from 3.9 no longer works correctly in 3.10 without adding ca: instead of using openshift_master_ldap_ca_file.

This is expected - previously the API server ran as a systemd service, thus it was sharing the CA store with the host. Setting 'openshift_master_ldap_ca_file=/etc/pki/ca-trust/..' copied the file to the host and added this CA to the store automatically. As a result there was no need to set 'ca:' there.

In 3.10 several changes were introduced:
* API servers now run in static pods, so they don't share the CA store with the host anymore
* Mounts to the API server container are limited to /etc/origin/master

So in 3.10 the user can't replace the container CA store entirely. openshift_master_ldap_ca_file would be copied to the host and mounted in /etc/origin/master/<basename>. As a result 'ca:' is required to be set if openshift_master_ldap_ca_file is used.

Matthew, could you verify openshift_master_ldap_ca_file is being copied correctly on the host and works with 'ca:' set?
Thanks for the info. I guess we should document it because it's a change in behaviour customers may not expect. I confirmed that when setting openshift_master_ldap_ca_file it is correctly copied into the master directory and all that was necessary was to set the ca: value.
Will doing so put us into a situation where we hit https://bugzilla.redhat.com/show_bug.cgi?id=1614425 ?
If I'm not wrong, the 'ca' value has to be exactly this, right? 'ca': '/etc/origin/master/ldap_ca.crt'. This is the path where openshift-ansible copies the file set in the var "openshift_master_ldap_ca_file", otherwise it won't work. At least this is how I made it work, here: https://access.redhat.com/support/cases/#/case/02166420
PR to ignore `ca:` field in 3.10.z - https://github.com/openshift/openshift-ansible/pull/9803
Fix is available in openshift-ansible-3.10.43-1
Verified this bug with openshift-ansible-3.10.44-1.git.0.8c64e8d.el7.noarch

Specify LDAP CA certificate in openshift_master_ldap_ca_file:

openshift_master_identity_providers=[{'name': 'testldap', 'login': 'true', 'challenge': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'insecure': 'false', 'url': 'ldaps://x.x.x.x/ou=users,dc=redhat,dc=com?uid'}]
openshift_master_ldap_ca_file=/root/ldap.ca.crt

After installation, LDAP CA certificate was copied to master as /etc/origin/master/testldap_ldap_ca.crt, master config was like:

oauthConfig:
  assetPublicURL: https://xxx.xxx.xxx:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: testldap
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: ''
      bindPassword: ''
      ca: /etc/origin/master/testldap_ldap_ca.crt
      insecure: false
      kind: LDAPPasswordIdentityProvider
      url: ldaps://x.x.x.x/ou=users,dc=redhat,dc=com?uid
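An audit check for the failure mode this bug describes (an ldaps provider whose 'ca:' is empty or points outside the /etc/origin/master mount that the 3.10 static-pod API server can see), written here as an added example; it is not part of the bug report or of openshift-ansible. It takes the parsed master-config.yaml as a dict (from yaml.safe_load, for instance); the file path /etc/origin/master/ldap_ca.crt and the sample configs are constructed from the values quoted in this thread.

```python
"""Audit LDAP identity providers in a parsed OpenShift 3.10 master-config.yaml."""
import os
from urllib.parse import urlsplit

# In 3.10 the API server is a static pod whose only host mount is this
# directory, so any CA file the LDAP provider references must live under it.
MASTER_MOUNT = "/etc/origin/master"


def check_ldap_providers(config, file_exists=os.path.isfile):
    """Return findings for LDAP providers whose TLS trust cannot work.

    `file_exists` is injectable so the check can run against a copied config
    off the master (the default checks the local filesystem).
    """
    findings = []
    for idp in config.get("oauthConfig", {}).get("identityProviders", []) or []:
        prov = idp.get("provider", {}) or {}
        if prov.get("kind") != "LDAPPasswordIdentityProvider":
            continue
        name = idp.get("name", "<unnamed>")
        scheme = urlsplit(prov.get("url", "")).scheme.lower()
        insecure = str(prov.get("insecure", "false")).lower() == "true"
        ca = (prov.get("ca") or "").strip()  # a bare 'ca:' line parses as None
        if scheme != "ldaps" or insecure:
            continue  # no server certificate verification in play
        if not ca:
            findings.append(f"{name}: ldaps with insecure=false but 'ca' is empty; "
                            f"the API server pod does not see the host CA store, "
                            f"so 'ca' must name a file under {MASTER_MOUNT}")
        elif not ca.startswith(MASTER_MOUNT + "/"):
            findings.append(f"{name}: 'ca' {ca} is outside {MASTER_MOUNT}, the only "
                            f"host path mounted into the API server pod")
        elif not file_exists(ca):
            findings.append(f"{name}: 'ca' {ca} does not exist on the master")
    return findings


def _ldap_config(ca):
    """Constructed sample in the shape of the configs quoted in this bug."""
    return {"oauthConfig": {"identityProviders": [{
        "name": "my_ldap_provider", "challenge": True, "login": True,
        "provider": {"kind": "LDAPPasswordIdentityProvider", "insecure": False,
                     "url": "ldaps://myldap.my.com:636/DC=my,DC=com?sAMAccountName"
                            "?sub?(&(objectClass=person)(objectClass=user))",
                     "ca": ca}}]}}


BROKEN = _ldap_config(None)                          # the 3.9-style generated config
FIXED = _ldap_config("/etc/origin/master/ldap_ca.crt")  # constructed path

if __name__ == "__main__":
    on_master = lambda p: p == "/etc/origin/master/ldap_ca.crt"  # simulated host
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_ldap_providers(cfg, file_exists=on_master) or "OK")
```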