Openshift LDAP authentication

Configure Openshift Cluster to use LDAP as a user backend for login with Ansible-openshift

In the last post I used the basic htpasswd authentication method for the installation. But I can also use Ansible-openshift to configure an LDAP backend for authentication at install time.

Environment

192.168.1.40    deployer
192.168.1.41    openshift01 # master node
192.168.1.42    openshift02 # infra node
192.168.1.43    openshift03 # worker node

With Ansible-openshift you cannot change the authentication method after the install! If you installed the cluster with htpasswd and then switch to LDAP, the playbook tries to add a second authentication method to the config. Adding a second type of identity provider is forbidden in version 3.11 of Ansible-openshift, so choose wisely.

Configure the Installer

# deployer
nano /etc/ansible/ansible.cfg
# use HTPasswd for authentication
#openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}]

# LDAP
openshift_master_identity_providers=[{'name': 'email_jira_ldap', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['mail'], 'email': ['mail'], 'name': ['displayName'], 'preferredUsername': ['mail']}, 'bindDN': 'CN=ldapbrowser,DC=mydomain,DC=myintra', 'bindPassword': '*******', 'insecure': 'true', 'url': 'ldap://ldap01.mydomain.myintra/dc=mydomain,dc=myintra?mail?sub?(objectClass=*)'}]
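Before running the installer it is worth linting that line, because the identity provider above talks plain ldap:// with 'insecure': 'true', so the bind password and every user login cross the network unencrypted, and the (objectClass=*) filter lets any entry under the base DN with a mail attribute log in. The following is an added example, not code from this post or from openshift-ansible: it parses the inventory value with ast.literal_eval and flags more than one provider (the 3.11 limit mentioned above), insecure=true, a missing 'ca', and a catch-all filter, then shows a hardened ldaps:// variant of the same line. The 'ca' file path and the (objectClass=person) filter in the hardened sample are assumptions to adjust for your directory.

```python
import ast
from urllib.parse import urlparse

# Constructed sample lines (passwords are placeholders). WEAK mirrors the post: ldap:// + insecure=true.
WEAK_LINE = (
    "openshift_master_identity_providers=[{'name': 'email_jira_ldap', 'challenge': 'true', "
    "'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['mail'], "
    "'email': ['mail'], 'name': ['displayName'], 'preferredUsername': ['mail']}, "
    "'bindDN': 'CN=ldapbrowser,DC=mydomain,DC=myintra', 'bindPassword': 'PLACEHOLDER', "
    "'insecure': 'true', 'url': 'ldap://ldap01.mydomain.myintra/dc=mydomain,dc=myintra?mail?sub?(objectClass=*)'}]"
)
# HARDENED: ldaps:// with certificate verification and a user-only filter ('ca' path is an assumed location).
HARDENED_LINE = (
    "openshift_master_identity_providers=[{'name': 'email_jira_ldap', 'challenge': 'true', "
    "'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['mail'], "
    "'email': ['mail'], 'name': ['displayName'], 'preferredUsername': ['mail']}, "
    "'bindDN': 'CN=ldapbrowser,DC=mydomain,DC=myintra', 'bindPassword': 'PLACEHOLDER', "
    "'insecure': 'false', 'ca': '/etc/origin/master/ldap-ca.crt', "
    "'url': 'ldaps://ldap01.mydomain.myintra/dc=mydomain,dc=myintra?mail?sub?(objectClass=person)'}]"
)

def parse_identity_providers(line):
    """Parse an openshift_master_identity_providers line; the value is a Python literal, so literal_eval is safe."""
    key, sep, value = line.partition("=")
    if not sep or key.strip() != "openshift_master_identity_providers":
        raise ValueError("not an openshift_master_identity_providers line")
    providers = ast.literal_eval(value.strip())
    if not isinstance(providers, list) or not all(isinstance(p, dict) for p in providers):
        raise ValueError("value must be a list of provider dicts")
    return providers

def lint_identity_providers(providers):
    """Return a list of findings for the LDAP providers; an empty list means nothing was flagged."""
    findings = []
    if len(providers) != 1:  # the 3.11 installer used in this post accepts only one provider
        findings.append("expected exactly one identity provider, found %d" % len(providers))
    for p in providers:
        if p.get("kind") != "LDAPPasswordIdentityProvider":
            continue
        name, url = p.get("name", "<unnamed>"), urlparse(p.get("url", ""))
        if str(p.get("insecure", "false")).lower() == "true":
            findings.append("%s: insecure=true disables TLS, so the bind password and every user "
                            "login cross the network in cleartext" % name)
        elif not p.get("ca"):
            findings.append("%s: TLS is on but no 'ca' is set, so the server certificate is not verified" % name)
        # URL form is ldap[s]://host/basedn?attribute?scope?filter; the filter is the last '?' field.
        filt = url.query.split("?")[-1] if url.query else ""
        if filt in ("", "(objectClass=*)"):
            findings.append("%s: filter matches every entry under the base DN; restrict it to user objects" % name)
    return findings
```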

Run the Installer

# deployer
cd /usr/share/ansible/openshift-ansible/
sudo ansible-playbook -i inventory/hosts.localhost playbooks/prerequisites.yml
sudo ansible-playbook -i inventory/hosts.localhost playbooks/deploy_cluster.yml