If you need to use LDAP for authentication in OpenShift 4, the documentation is pretty clear and everything works nicely.
But if you need to grant privileges based on LDAP groups, the situation gets complicated: OpenShift does not keep its Group objects in sync with the directory on its own, so the roles you bind to those groups only stay accurate as long as the groups do.
The synchronization from  works fine, but you have to run it manually. I was looking for an automated solution and found a definition  that works for OpenShift 3.x, so I updated it to work with OpenShift 4. Here it is:
For this to work properly, you need to configure LDAP authentication first, so that the
v4-0-config-user-idp-0-bind-password secret exists (the authentication operator creates it in the openshift-authentication namespace from the identity provider configuration; the CronJob mounts it instead of carrying its own copy of the bind password).
You also need to edit the fields in the ConfigMap that contain the
EDIT_THIS string, or freely modify it according to . You can also change the schedule of the CronJob (
schedule: "*/10 * * * *") to make it run more or less frequently. Note that without --confirm, oc adm group sync only reports what it would change, so the job must pass that flag.
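For reference, here is a complete manifest of the kind described above. It is an added example written for this page, not the definition from the original post, and it assumes a few things that the post does not state: that the secret created by the authentication operator stores the password under the key bindPassword, that a matching CA ConfigMap named v4-0-config-user-idp-0-ca with key ca.crt exists in the same namespace, and that the registry.redhat.io/openshift4/ose-cli image is available to the cluster. The ServiceAccount is bound to a ClusterRole that can only touch Group objects, the bind password and CA are mounted read-only from the operator-managed objects, and concurrencyPolicy: Forbid prevents two syncs from overlapping. Every EDIT_THIS value must be replaced before applying it.

```yaml
# Added example, not the original post's manifest. Assumptions: secret key
# "bindPassword", CA ConfigMap "v4-0-config-user-idp-0-ca" with key "ca.crt",
# image registry.redhat.io/openshift4/ose-cli. batch/v1 CronJob needs 4.8+;
# use batch/v1beta1 on older 4.x.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ldap-group-syncer
  namespace: openshift-authentication
---
# Least privilege: the job only needs to read and write Group objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ldap-group-syncer
rules:
- apiGroups: ["user.openshift.io"]
  resources: ["groups"]
  verbs: ["get", "list", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ldap-group-syncer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ldap-group-syncer
subjects:
- kind: ServiceAccount
  name: ldap-group-syncer
  namespace: openshift-authentication
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ldap-group-syncer
  namespace: openshift-authentication
data:
  sync.yaml: |
    kind: LDAPSyncConfig
    apiVersion: v1
    url: ldaps://EDIT_THIS.example.com:636
    bindDN: "cn=EDIT_THIS,dc=example,dc=com"
    bindPassword:
      file: /etc/secrets/bindPassword   # read from the mounted secret, never inlined
    insecure: false
    ca: /etc/ldap-ca/ca.crt
    rfc2307:
      groupsQuery:
        baseDN: "ou=groups,dc=EDIT_THIS,dc=com"
        scope: sub
        derefAliases: never
        filter: "(objectClass=groupOfNames)"
      groupUIDAttribute: dn
      groupNameAttributes: [cn]
      groupMembershipAttributes: [member]
      usersQuery:
        baseDN: "ou=users,dc=EDIT_THIS,dc=com"
        scope: sub
        derefAliases: never
      userUIDAttribute: dn
      userNameAttributes: [uid]   # must match the attribute the LDAP IdP uses as username
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ldap-group-syncer
  namespace: openshift-authentication
spec:
  schedule: "*/10 * * * *"
  concurrencyPolicy: Forbid   # never run two syncs at once
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 0
      template:
        spec:
          serviceAccountName: ldap-group-syncer   # oc picks up this SA's token in-cluster
          restartPolicy: Never
          containers:
          - name: sync
            image: registry.redhat.io/openshift4/ose-cli:latest
            command: ["oc", "adm", "group", "sync", "--sync-config=/etc/config/sync.yaml", "--confirm"]
            volumeMounts:
            - {name: config, mountPath: /etc/config, readOnly: true}
            - {name: bind-password, mountPath: /etc/secrets, readOnly: true}
            - {name: ldap-ca, mountPath: /etc/ldap-ca, readOnly: true}
          volumes:
          - name: config
            configMap: {name: ldap-group-syncer}
          - name: bind-password
            secret: {secretName: v4-0-config-user-idp-0-bind-password}
          - name: ldap-ca
            configMap: {name: v4-0-config-user-idp-0-ca}
```

Apply it with oc apply -f, then trigger one run by hand (oc create job --from=cronjob/ldap-group-syncer test-sync -n openshift-authentication) and check the job log before trusting the schedule. The ClusterRole deliberately omits delete: this job only adds and updates groups, so a misconfigured filter cannot wipe group memberships; pruning is a separate, explicit operation.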
2 thoughts on “OpenShift 4: Automatic LDAP group synchronization”
Nice work. What is the motivation to run it in the namespace openshift-authentication instead of in openshift-config? Then the non-version-specific secret ldap-secret and configmap ca-config-map can be used.
Thanks. I just felt it logically belongs together; one can potentially create a new namespace/project and grant the required privileges to external resources. openshift-config doesn't run any workload, if I remember correctly.