OpenShift 4: Automatic LDAP group synchronization

If you need to use LDAP for authentication in OpenShift 4, the documentation is pretty clear and everything works nicely [1].

But if you need to grant privileges based on LDAP groups [2], the situation gets more complicated.
The group synchronization from [2] works fine, but it is a one-shot `oc adm groups sync` that you have to run by hand, so group membership changes in LDAP are not reflected in the cluster until somebody remembers to run it again. I was looking for an automated solution and found a CronJob definition [3] that works for OpenShift 3.x, so I updated it to work with OpenShift 4; the result is in [4].

For this to work properly, you need to configure LDAP authentication first [1]. Once that is done, the authentication operator creates the v4-0-config-user-idp-0-ca ConfigMap and the v4-0-config-user-idp-0-bind-password Secret in the openshift-authentication namespace (copies of the CA ConfigMap and bind-password Secret you created in openshift-config for [1]); the CronJob mounts those two objects so the sync job reuses the same credentials and trust anchor as the identity provider instead of duplicating them.

You also need to edit the fields in the ConfigMap that contain the EDIT_THIS placeholder (LDAP URL, bind DN, base DNs, attribute names), or rewrite the LDAPSyncConfig freely according to [2]. You can also change the schedule of the CronJob (schedule: "*/10 * * * *") to make it run more or less frequently. Note that the sync only writes Group objects when `--confirm` is passed; without it, the command is a dry run.
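The following is an added example of what such a manifest looks like end to end; it is not the gist from [4] and not the redhat-cop job from [3], and it only uses the `oc adm groups sync` flags and the LDAPSyncConfig fields documented in [2]. Everything marked EDIT_THIS, the Secret/ConfigMap key names (bindPassword, ca.crt, assumed to match the originals created in openshift-config for [1]), and the CLI image are assumptions that must be checked against your cluster:

```yaml
# Added example, not the gist from [4]. One file, four objects, apply with `oc apply -f`.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ldap-group-syncer
  namespace: openshift-authentication
---
# Least privilege: the job only ever touches Group objects, so give it nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ldap-group-syncer
rules:
  - apiGroups: ["user.openshift.io"]
    resources: ["groups"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ldap-group-syncer
subjects:
  - kind: ServiceAccount
    name: ldap-group-syncer
    namespace: openshift-authentication
roleRef:
  kind: ClusterRole
  name: ldap-group-syncer
  apiGroup: rbac.authorization.k8s.io
---
# LDAPSyncConfig as documented in [2]. Every EDIT_THIS value is an assumption
# about the directory layout; the password and CA are read from mounted files,
# never embedded in the ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ldap-group-sync
  namespace: openshift-authentication
data:
  sync.yaml: |
    kind: LDAPSyncConfig
    apiVersion: v1
    url: ldaps://ldap.example.com:636                  # EDIT_THIS
    bindDN: cn=openshift,ou=svc,dc=example,dc=com       # EDIT_THIS
    bindPassword:
      file: /etc/ldap-secret/bindPassword               # from the Secret mounted below
    insecure: false
    ca: /etc/ldap-ca/ca.crt                             # from the ConfigMap mounted below
    rfc2307:
      groupsQuery:
        baseDN: ou=groups,dc=example,dc=com             # EDIT_THIS
        scope: sub
        derefAliases: never
        pageSize: 0
      groupUIDAttribute: dn
      groupNameAttributes: [cn]
      groupMembershipAttributes: [member]
      usersQuery:
        baseDN: ou=users,dc=example,dc=com              # EDIT_THIS
        scope: sub
        derefAliases: never
        pageSize: 0
      userUIDAttribute: dn
      userNameAttributes: [uid]                         # EDIT_THIS: must match the IdP's username attribute
      tolerateMemberNotFoundErrors: false
      tolerateMemberOutOfScopeErrors: false
---
apiVersion: batch/v1beta1                               # batch/v1 on Kubernetes 1.21+ clusters
kind: CronJob
metadata:
  name: ldap-group-sync
  namespace: openshift-authentication
spec:
  schedule: "*/10 * * * *"
  concurrencyPolicy: Forbid                             # never let two syncs overlap
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: ldap-group-syncer
          restartPolicy: Never
          containers:
            - name: sync
              # Assumption: the cluster's own `cli` image stream; any image that ships `oc` works.
              image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest
              command: ["oc", "adm", "groups", "sync", "--sync-config=/etc/ldap-sync/sync.yaml", "--confirm"]
              volumeMounts:
                - { name: sync-config, mountPath: /etc/ldap-sync, readOnly: true }
                - { name: ldap-secret, mountPath: /etc/ldap-secret, readOnly: true }
                - { name: ldap-ca, mountPath: /etc/ldap-ca, readOnly: true }
          volumes:
            - name: sync-config
              configMap: { name: ldap-group-sync }
            # Created by the authentication operator once [1] is configured.
            - name: ldap-secret
              secret: { name: v4-0-config-user-idp-0-bind-password }
            - name: ldap-ca
              configMap: { name: v4-0-config-user-idp-0-ca }
```

Two things are worth checking before the first scheduled run: trigger the job once without `--confirm` (or run `oc adm groups sync --sync-config=... ` from a workstation with the same config) and compare the printed groups against what you expect, because with `--confirm` the job will create, update and, if a group disappears from the query, leave stale Group objects that you then prune with `oc adm prune groups`; and confirm that `userNameAttributes` produces the same usernames the identity provider assigns, since a mismatch silently yields Group objects whose members never match any logged-in user.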

Links

  1. https://docs.openshift.com/container-platform/4.3/authentication/identity_providers/configuring-ldap-identity-provider.html
  2. https://docs.openshift.com/container-platform/4.3/authentication/ldap-syncing.html
  3. https://github.com/redhat-cop/openshift-management/blob/master/jobs/cronjob-ldap-group-sync.yml
  4. https://gist.github.com/danielkucera/49dcc1d7b0010f0d4ee4adaeb1e15930

2 thoughts on “OpenShift 4: Automatic LDAP group synchronization”

  1. Nice work. What is the motivation to run in the namespace openshift-authentication instead of in openshift-config? Then the non-version-specific secret ldap-secret and configmap ca-config-map can be used.

    1. Thanks. I just felt it logically belongs together; one can potentially create a new namespace/project and grant the required privileges to external resources. openshift-config doesn’t run any workload, if I remember correctly.
