Description of problem:
Could not authenticate to my ActiveDirectory.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Deploy fresh 4.3 cluster
2. Follow documentation to bind authentication to Ldap https://docs.openshift.com/container-platform/4.3/authentication/identity_providers/configuring-ldap-identity-provider.html
3. Try to log in

Actual results:

Client side:

```
$ oc login -u test
error: x509: certificate signed by unknown authority
```

Server side:

```
oc logs -f oauth-openshift-xxxxxxxxxxxxx -n openshift-authentication
http: TLS handshake error from <ip>:<port>: remote error: tls: bad certificate
```

Expected results:
Authentication succeeded

Here is my configuration:

```yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ldapidp
    login: true
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id:
        - cn
        name:
        - cn
      bindDN: "mybinddn"
      bindPassword:
        name: ldap-secret
      insecure: true
      url: "ldap://<active_directory>/dc=test,dc=testroot?uid"
```
I redeployed an LDAP configuration and I have this issue only from my CLI client. When I try it from the web console, that is working. But when I set "--insecure-skip-tls-verify=true" I have the certificate error from the CLI:

```
oc login --insecure-skip-tls-verify=true
```

When I use --certificate-authority='' with a custom CA, the authentication succeeds. Could you help me with what I must be missing with the insecure option?

Regards,
Clement.
Moving to correct component, no oauth-apiserver existed in 4.3 (just the oauth-server). The most likely cause would be that your system does not trust the cluster router certificate and you have configured an exception in your browser. Can you share the full logs of `oc login --loglevel 10`?
Hello,

Thank you for your help and your time. Here are the full logs of the requested command; I also attach more commands in case you need them. I didn't specify it, but I ran those commands on a Red Hat Enterprise Linux CoreOS release 4.3 (from the bootstrap instance in an OpenStack).

```
[core@rhoc-4-3-rlf2c-bootstrap ~]$ oc login --loglevel 10
I0323 09:26:07.403542 26556 loader.go:375] Config loaded from file: kubeconfig
I0323 09:26:07.403886 26556 round_trippers.go:423] curl -k -v -XHEAD 'https://api.XXXXXXXXXXXXXXXXXX:6443/'
I0323 09:26:07.410282 26556 round_trippers.go:443] HEAD https://api.XXXXXXXXXXXXXXXXXX:6443/ 403 Forbidden in 6 milliseconds
I0323 09:26:07.410292 26556 round_trippers.go:449] Response Headers:
I0323 09:26:07.410299 26556 round_trippers.go:452] X-Content-Type-Options: nosniff
I0323 09:26:07.410303 26556 round_trippers.go:452] Content-Length: 186
I0323 09:26:07.410306 26556 round_trippers.go:452] Date: Mon, 23 Mar 2020 09:26:15 GMT
I0323 09:26:07.410309 26556 round_trippers.go:452] Audit-Id: f051d7f3-61d5-4b5f-8b96-ee136a512653
I0323 09:26:07.410313 26556 round_trippers.go:452] Cache-Control: no-cache, private
I0323 09:26:07.410316 26556 round_trippers.go:452] Content-Type: application/json
I0323 09:26:07.410323 26556 request_token.go:86] GSSAPI Enabled
I0323 09:26:07.410344 26556 round_trippers.go:423] curl -k -v -XGET -H "X-Csrf-Token: 1" 'https://api.XXXXXXXXXXXXXXXXXX:6443/.well-known/oauth-authorization-server'
I0323 09:26:07.411129 26556 round_trippers.go:443] GET https://api.XXXXXXXXXXXXXXXXXX:6443/.well-known/oauth-authorization-server 200 OK in 0 milliseconds
I0323 09:26:07.411140 26556 round_trippers.go:449] Response Headers:
I0323 09:26:07.411143 26556 round_trippers.go:452] Audit-Id: d6f0ee3d-46b5-44b4-91ca-96df42acbd27
I0323 09:26:07.411149 26556 round_trippers.go:452] Cache-Control: no-cache, private
I0323 09:26:07.411154 26556 round_trippers.go:452] Content-Type: application/json
I0323 09:26:07.411158 26556 round_trippers.go:452] Content-Length: 603
I0323 09:26:07.411163 26556 round_trippers.go:452] Date: Mon, 23 Mar 2020 09:26:15 GMT
I0323 09:26:07.411222 26556 round_trippers.go:423] curl -k -v -XHEAD 'https://oauth-openshift.apps.XXXXXXXXXXXXXXXXXX'
I0323 09:26:07.437370 26556 round_trippers.go:443] HEAD https://oauth-openshift.apps.XXXXXXXXXXXXXXXXXX in 26 milliseconds
I0323 09:26:07.437391 26556 round_trippers.go:449] Response Headers:
I0323 09:26:07.437396 26556 request_token.go:438] falling back to kubeconfig CA due to possible x509 error: x509: certificate signed by unknown authority
I0323 09:26:07.437432 26556 round_trippers.go:423] curl -k -v -XGET -H "X-Csrf-Token: 1" 'https://oauth-openshift.apps.XXXXXXXXXXXXXXXXXX/oauth/authorize?client_id=openshift-challenging-client&code_challenge=5N97hQ3rV9M0r4OwuoN-1r4jTVT1BmWdwu4q5vmvZWE&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.XXXXXXXXXXXXXXXXXX%2Foauth%2Ftoken%2Fimplicit&response_type=code'
I0323 09:26:07.442572 26556 round_trippers.go:443] GET https://oauth-openshift.apps.XXXXXXXXXXXXXXXXXX/oauth/authorize?client_id=openshift-challenging-client&code_challenge=5N97hQ3rV9M0r4OwuoN-1r4jTVT1BmWdwu4q5vmvZWE&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.XXXXXXXXXXXXXXXXXX%2Foauth%2Ftoken%2Fimplicit&response_type=code in 5 milliseconds
I0323 09:26:07.442587 26556 round_trippers.go:449] Response Headers:
I0323 09:26:07.442866 26556 round_trippers.go:423] curl -k -v -XGET -H "Accept: application/json, */*" -H "User-Agent: oc/v0.0.0 (linux/amd64) kubernetes/$Format" 'https://api.XXXXXXXXXXXXXXXXXX:6443/api/v1/namespaces/openshift/configmaps/motd'
I0323 09:26:07.444246 26556 round_trippers.go:443] GET https://api.XXXXXXXXXXXXXXXXXX:6443/api/v1/namespaces/openshift/configmaps/motd 403 Forbidden in 1 milliseconds
I0323 09:26:07.444258 26556 round_trippers.go:449] Response Headers:
I0323 09:26:07.444266 26556 round_trippers.go:452] Audit-Id: c618b654-309e-4dfb-add1-b7d4a579c5e1
I0323 09:26:07.444273 26556 round_trippers.go:452] Cache-Control: no-cache, private
I0323 09:26:07.444278 26556 round_trippers.go:452] Content-Type: application/json
I0323 09:26:07.444284 26556 round_trippers.go:452] X-Content-Type-Options: nosniff
I0323 09:26:07.444289 26556 round_trippers.go:452] Content-Length: 303
I0323 09:26:07.444292 26556 round_trippers.go:452] Date: Mon, 23 Mar 2020 09:26:15 GMT
I0323 09:26:07.444309 26556 request.go:968] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"configmaps \"motd\" is forbidden: User \"system:anonymous\" cannot get resource \"configmaps\" in API group \"\" in the namespace \"openshift\"","reason":"Forbidden","details":{"name":"motd","kind":"configmaps"},"code":403}
F0323 09:26:07.444689 26556 helpers.go:114] error: x509: certificate signed by unknown authority
```
Created attachment 1672591: oc_login_logs_commands
More logs that might be needed.
I don't think the bootstrap instance really trusts the routes. Please, if you want to log in to your cluster as a user of the configured identity providers, do not do that from the nodes, but instead either use the kubeconfig provided by the installer, or log in from a system that is configured to trust the certificates issued by the cluster's router CA.
Ok thank you for your help, I will close this case.