Bug 1639080 - [DOCS] [Bug] LDAP oauthConfig When insecure=true , ca certificate value should be ignored
Summary: [DOCS] [Bug] LDAP oauthConfig When insecure=true , ca certificate value shou...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.10.0
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Kathryn Alexander
QA Contact: Chuan Yu
Docs Contact: Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-10-15 02:41 UTC by Muhammad Selim Jahangir
Modified: 2021-12-10 17:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-10 21:38:18 UTC
Target Upstream Version:
Embargoed:



Description Muhammad Selim Jahangir 2018-10-15 02:41:56 UTC
Description of problem:
The client is using LDAP as the identity provider without TLS. For an insecure connection the ca certificate declaration should be ignored, but it is taken into effect.

https://docs.openshift.com/container-platform/3.10/install_config/syncing_groups_with_ldap.html#ldap-client-configuration

Here are the details:

master-config.yaml
-------------------
oauthConfig:
  assetPublicURL: https://master.example.comn:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: ldap_provider_name
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: ''
      bindPassword: "********"

      ca: /etc/origin/master/linux_provider_ca.crt <=====
      insecure: true <=====

      kind: LDAPPasswordIdentityProvider
      url: ldap://192.168.100.1/ou=People,o=unixteam?uid

With this configuration the master-api did not start. After changing the value to ca: '' (i.e. empty), the master-api pod started working.

How reproducible:
In the master-config.yaml file, if the following ca value is used, the master-api pod does not start.

~~
ca: /etc/origin/master/linux_provider_ca.crt
~~

Actual results:

If insecure=true is used, then the ca value should be ignored as per the documentation.

Expected results:
With ca='xxxx' (whatever the value), the master-api pod should start.

Additional info:

Comment 2 Erica von Buelow 2018-10-15 21:23:28 UTC
The error is coming from loading the config and not being able to load the ca from that file (likely because it doesn't exist).

The documentation is slightly off from the actual behavior: no matter what is set for `insecure`, if the url scheme is `ldaps` it will attempt to make a TLS connection using the given `ca`. This seems like reasonable behavior, so we should update the docs.

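The behaviour Erica describes above (the ca file is read at config-load time whatever `insecure` says, and an `ldaps://` URL always gets TLS with the given ca) is easy to get wrong when reviewing a master-config.yaml. The following is an added example, not code from this bug, the OpenShift docs or the openshift/origin code base: a small pre-flight checker for the `provider` section of an LDAPPasswordIdentityProvider that reports what the page states will happen. The sample `BUG_PROVIDER` dict is constructed from the configuration in the description; the `file_exists` parameter is a hypothetical injection point so the check can run without touching /etc/origin. The one rule not taken from this page (an `ldap://` URL with `insecure: false` is upgraded with StartTLS) comes from the general OpenShift LDAP identity-provider documentation and is marked as an assumption in the code.

```python
"""Pre-flight checker for an OpenShift LDAP identity-provider block (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlparse
import os

# Constructed from the master-config.yaml in the bug description.
BUG_PROVIDER = {
    "kind": "LDAPPasswordIdentityProvider",
    "url": "ldap://192.168.100.1/ou=People,o=unixteam?uid",
    "bindDN": "",
    "ca": "/etc/origin/master/linux_provider_ca.crt",
    "insecure": True,
}


@dataclass
class LdapProviderReport:
    scheme: str
    tls: bool                # will a TLS connection be attempted?
    config_loads: bool       # can the master config be loaded at all?
    findings: list = field(default_factory=list)


def check_ldap_provider(provider: dict, file_exists=os.path.isfile) -> LdapProviderReport:
    """Apply the rules stated in comment 2 to one identity-provider block."""
    scheme = urlparse(provider.get("url", "")).scheme.lower()
    insecure = bool(provider.get("insecure", False))
    ca = (provider.get("ca") or "").strip()
    report = LdapProviderReport(scheme=scheme, tls=False, config_loads=True)

    # Rule 1 (comment 2): a non-empty `ca` is read from disk when the config is
    # loaded, regardless of `insecure` or URL scheme. A missing file means the
    # config does not load and master-api does not start.
    if ca and not file_exists(ca):
        report.config_loads = False
        report.findings.append(
            f"ca file {ca!r} cannot be read: config load fails, master-api will not start")

    # Rule 2 (comment 2): ldaps:// always attempts TLS with the given ca,
    # no matter what `insecure` is set to.
    if scheme == "ldaps":
        report.tls = True
        if insecure:
            report.findings.append(
                "insecure: true does not disable TLS for an ldaps:// URL; "
                "the given ca is still used for the connection")
    elif scheme == "ldap":
        if insecure:
            # Plaintext LDAP: nothing on the wire is protected.
            report.tls = False
            report.findings.append(
                "plaintext LDAP: bind credentials and user attributes cross the network unencrypted")
            if ca:
                report.findings.append(
                    "ca is not used for the plaintext connection but must still be a loadable file")
        else:
            # Assumption from the general OpenShift LDAP identity-provider docs
            # (not stated on this page): ldap:// with insecure: false uses StartTLS.
            report.tls = True
    else:
        report.findings.append(f"unrecognised url scheme {scheme!r}")
    return report


if __name__ == "__main__":
    # Simulate the reporter's situation: the CA path is configured but the file is absent.
    for line in check_ldap_provider(BUG_PROVIDER, file_exists=lambda p: False).findings:
        print("-", line)
```

Run against the reporter's block with the CA file absent, the first finding is the config-load failure, which matches the symptom in the description (master-api does not start until `ca` is emptied); with the file present the same block loads but produces a plaintext-LDAP finding, which is the trade-off `insecure: true` on an `ldap://` URL actually buys.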
Comment 3 Kathryn Alexander 2018-10-24 18:29:18 UTC
PR's here: https://github.com/openshift/openshift-docs/pull/12631

Jianlin, will you PTAL?

Erica, I'd like your opinion on the new wording, too.

Comment 4 Erica von Buelow 2018-11-13 20:12:11 UTC
I commented on the PR.

Comment 5 openshift-github-bot 2018-11-30 13:17:57 UTC
Commits pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/33a81aeb08b341cd6b70ceafff6fab7593cda19e
bug 1639080 clarifying insecure connection override

https://github.com/openshift/openshift-docs/commit/30c3e2a4bb1c12eb783ee552da037f7570cce996
Merge pull request #12631 from kalexand-rh/BZ1639080

bug 1639080 clarifying insecure connection override

Comment 6 Kathryn Alexander 2018-11-30 13:24:22 UTC
Erica and Chuan Yu agreed to merge the PR. I'm waiting for the change to go live.

