How to create user, identity and map user and identity in LDAP authentication for 'mappingMethod' as 'lookup' inside the OAuth manifest

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4

Issue

  • LDAP users and identities inside the Red Hat OCP cluster are not created automatically when 'mappingMethod' is set to 'lookup' inside the OAuth manifest
  • How to prevent users that are not part of certain LDAP groups from authenticating and logging in
  • The administrator wants to create the user object and grant permissions to it before the actual LDAP user logs in

Resolution

What is 'mappingMethod' as 'lookup' inside the OAuth manifest?

  • Looks up an existing identity, user identity mapping, and user, but does not automatically provision users or identities
  • This allows cluster administrators to set up identities and users manually, or using an external process
  • Using this method requires you to manually provision users

Create User

  • Creating a user with the username 'myuser'
     $ oc create user myuser

Base64 encode that LDAP user

  • To create the user identity in the next step, we need the base64-encoded LDAP string for the user
  • The following step depends on how you set ldap.attributes.id. If you set ldap.attributes.id to dn, then you need to encode the whole dn like this:
    # Change 'uid', 'cn' and 'dc' values as per your LDAP config
    $ echo -n "uid=myuser,cn=users,cn=department,dc=ocp4,dc=example,dc=com" | base64
  ==> dWlkPW15dXNlcixjbj11c2Vycyxjbj1kZXBhcnRtZW50LGRjPW9jcDQsZGM9ZXhhbXBsZSxkYz1jb20=
  • Remove the last 'K', '=' or '==' if you get it and make sure the string is on one line. This is because the OAuth server code uses base64.RawURLEncoding.EncodeToString to encode the string, and that encoding omits the padding characters. To ensure the encoded string will work, you can use the golang program in Diagnostic Steps.
  • The final string will look something like this 'dWlkPW15dXNlcixjbj11c2Vycyxjbj1kZXBhcnRtZW50LGRjPW9jcDQsZGM9ZXhhbXBsZSxkYz1jb20'
  • If you set ldap.attributes.id to a specific attribute, like sAMAccountName in AD, then you only need to encode the sAMAccountName value
  • To confirm how ldap.attributes.id is set, check the OAuth resource:
    $ oc get oauth cluster -o yaml

Create the Identity

  • Create the identity for the LDAP identity provider, assuming the LDAP identity provider is configured with the name 'ldapauth'. This name can be verified by running oc get oauth cluster -o yaml
  • Replace 'ldapauth' and the base64-encoded value with your provider name and your encoded ldap.attributes.id. In the following example, it is assumed that you set dn as the ldap.attributes.id, and your LDAP provider name is ldapauth.
    $ oc create identity ldapauth:dWlkPW15dXNlcixjbj11c2Vycyxjbj1kZXBhcnRtZW50LGRjPW9jcDQsZGM9ZXhhbXBsZSxkYz1jb20

User and identity Mapping

  • After creating the user and the identity, map them to each other with a user identity mapping.
  • In the following example, it is assumed that you set dn as the ldap.attributes.id, and your LDAP provider name is ldapauth.
    $ oc create useridentitymapping ldapauth:dWlkPW15dXNlcixjbj11c2Vycyxjbj1kZXBhcnRtZW50LGRjPW9jcDQsZGM9ZXhhbXBsZSxkYz1jb20 myuser

Diagnostic Steps

Check the user and identity, then test the login

    $ oc get user
    $ oc get identity
    $ oc login -u myuser -p ldap-password-for-myuser

If the result is unexpected, enable the OAuth debug log and check the pod logs

    $ oc edit authentications.operator
    spec:
      logLevel: Debug # <======

    $ oc get pods -n openshift-authentication
    $ oc logs oauth-openshift-XXXXXX -n openshift-authentication

A sample golang program that encodes the identity

$ cat /tmp/encode.go

package main

import (
    "encoding/base64"
    "fmt"
    "os"
)

// Encodes its single argument the same way the OAuth server encodes
// ldap.attributes.id: raw URL-safe base64, without '=' padding.
func main() {
    if len(os.Args) < 2 {
        fmt.Println("Usage: go run encode.go <string_to_encode>")
        os.Exit(1)
    }

    input := os.Args[1]
    encodedString := base64.RawURLEncoding.EncodeToString([]byte(input))

    fmt.Println("Encoded String:", encodedString)
}

$ go run /tmp/encode.go "uid=myuser,cn=users,cn=department,dc=ocp4,dc=example,dc=com"
Encoded String: dWlkPW15dXNlcixjbj11c2Vycyxjbj1kZXBhcnRtZW50LGRjPW9jcDQsZGM9ZXhhbXBsZSxkYz1jb20
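As an added example (not the Red Hat program above), the following Go program builds the identity name from the provider name and the ldap.attributes.id value, converts the padded output of `echo -n ... | base64` into the raw URL-safe form the OAuth server uses (it drops the '=' padding and also maps '+' and '/' to '-' and '_'), and decodes an existing identity name from `oc get identity` back to its LDAP value so it can be checked against the directory entry. The provider name 'ldapauth' and the DN are the ones used in this article; the function names are mine.

```go
// Added example: helpers for the identity name "<provider>:<raw-url-base64(id)>"
// that OpenShift derives for an LDAP user. Not Red Hat's code.
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// IdentityName returns the name to pass to `oc create identity` and
// `oc create useridentitymapping` for the given provider and id value.
func IdentityName(provider, id string) string {
	return provider + ":" + base64.RawURLEncoding.EncodeToString([]byte(id))
}

// FromStdBase64 converts standard, padded base64 (what `base64` prints) into
// the raw URL-safe alphabet: strip '=' padding, then '+'->'-' and '/'->'_'.
func FromStdBase64(std string) string {
	s := strings.TrimRight(strings.TrimSpace(std), "=")
	return strings.NewReplacer("+", "-", "/", "_").Replace(s)
}

// DecodeIdentityName splits an identity name back into the provider and the
// original ldap.attributes.id value, e.g. to verify an existing identity.
func DecodeIdentityName(name string) (provider, id string, err error) {
	parts := strings.SplitN(name, ":", 2)
	if len(parts) != 2 {
		return "", "", fmt.Errorf("identity name %q has no provider prefix", name)
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", "", fmt.Errorf("identity name %q is not raw URL base64: %w", name, err)
	}
	return parts[0], string(raw), nil
}

func main() {
	// DN from this article, assuming ldap.attributes.id is set to dn.
	dn := "uid=myuser,cn=users,cn=department,dc=ocp4,dc=example,dc=com"
	name := IdentityName("ldapauth", dn)
	fmt.Println("oc create identity", name)
	fmt.Println("oc create useridentitymapping", name, "myuser")
	p, id, _ := DecodeIdentityName(name)
	fmt.Printf("decoded: provider=%s id=%s\n", p, id)
}
```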

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.