
Guided Exercise: LDAP Authentication and Group Synchronization

Configure an LDAP identity provider and automate group synchronization between OpenShift OAuth and an LDAP server.

Outcomes

  • Configure an LDAP identity provider (IdP) for RHOCP.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start auth-ldap

Instructions

Your company requires you to configure a Red Hat Directory Services (RHDS) Identity Provider (IdP), which is available on the rhds machine as an LDAP IdP for RHOCP.

Important

LDAP administration is outside the scope of this course. The RHDS server is already correctly configured for this exercise.

  1. As the admin user, locate and then navigate to the Red Hat OpenShift web console.

    1. Use the terminal to log in to the OpenShift cluster as the admin user with the redhatocp password.

      [student@workstation ~]$ oc login -u admin -p redhatocp \
        https://api.ocp4.example.com:6443
      ...output omitted...
    2. Identify the URL for the OpenShift web console.

      [student@workstation ~]$ oc whoami --show-console
      https://console-openshift-console.apps.ocp4.example.com
    3. Open a web browser and navigate to https://console-openshift-console.apps.ocp4.example.com. Either type the URL in a web browser, or right-click and select Open Link from the terminal.

  2. Log in to the OpenShift web console as the admin user.

    1. Click Red Hat Identity Management and log in as the admin user with the redhatocp password.

  3. Navigate to the Configuration page for OAuth in the RHOCP cluster web console.

    1. Click Administration > Cluster Settings from the sidebar.

    2. Click the Configuration tab to browse the list of configurable resources.

    3. Scroll through the alphabetical list of configuration resources and select OAuth.

  4. View the existing YAML configuration for the Red Hat Identity Management IdP.

    1. Click the YAML tab and scroll down to the bottom of the configuration file.

      Note

      You can view the cluster OAuth configuration from the CLI in YAML format, by using the oc get oauth cluster --output yaml command.

      You can also view the cluster OAuth configuration details from the CLI, by using the oc describe oauth command.

    2. The settings for the existing Red Hat Identity Management IdP are shown in the spec keys on lines 57-78.

      spec:
        identityProviders:
          - ldap:
              attributes:
                email:
                  - mail
                id:
                  - dn
                name:
                  - cn
                preferredUsername:
                  - uid
              bindDN: 'uid=admin,cn=users,cn=accounts,dc=ocp4,dc=example,dc=com'
              bindPassword:
                name: ldap-secret
              ca:
                name: ca-config-map
              insecure: false
              url: >-
                ldap://idm.ocp4.example.com/cn=users,cn=accounts,dc=ocp4,dc=example,dc=com?uid
            mappingMethod: claim
            name: Red Hat Identity Management
            type: LDAP
  5. From the CLI, test the RHDS credentials to ensure a valid LDAP connection, before configuring the additional IdP.

    1. Open a terminal on the workstation, and create an ldapsearch query with the information in the following table:

      Query option     Value
      Base DN (-D)     cn=Directory Manager
      URI (-H)         ldaps://rhds.ocp4.example.com
      Password (-w)    redhatocp
    2. From the CLI, test the ldapsearch connection by using the authored query. The -w option, as shown, supplies the password in plain text on the command line.

      [student@workstation ~]$ ldapsearch -D "cn=Directory Manager" \
        -w redhatocp -H ldaps://rhds.ocp4.example.com
      
      # extended LDIF
      #
      # LDAPv3
      # base <> (default) with scope subtree
      # filter: (objectclass=*)
      # requesting: ALL
      #
      
      # example.com
      dn: dc=example,dc=com
      objectClass: top
      objectClass: domain
      dc: example
      description: dc=example,dc=com
      
      # people, example.com
      dn: ou=people,dc=example,dc=com
      objectClass: top
      objectClass: organizationalUnit
      ou: people
      
      # kristendelgado, people, example.com
      dn: uid=kristendelgado,ou=people,dc=example,dc=com
      objectClass: top
      objectClass: account
      objectClass: posixAccount
      objectClass: shadowAccount
      objectClass: nsMemberOf
      cn: Kristen Delgado
      uid: kristendelgado
      uidNumber: 10001
      gidNumber: 101
      homeDirectory: /home/kristendelgado
      loginShell: /bin/bash
      gecos: kristendelgado
      shadowLastChange: 0
      shadowMax: 0
      shadowWarning: 0
      userPassword:: e1NTSEF9Wm1sMWd1WjJLajlRM1dKZGlFVnV6aTNEaCs5NzFPeFg=
      memberOf: cn=administrators,ou=people,dc=example,dc=com
      
      # administrators, people, example.com
      dn: cn=administrators,ou=people,dc=example,dc=com
      objectClass: top
      objectClass: groupOfUniqueNames
      cn: administrators
      uniqueMember: uid=kristendelgado,ou=people,dc=example,dc=com
      
      # search result
      search: 2
      result: 0 Success
      
      # numResponses: 5
      # numEntries: 4
  6. In the web console, add a new IdP for RHDS by using the validated information.

    1. Return to the previous page by clicking the Details tab.

      Note

      The existing Red Hat Identity Management IdP is shown in the list of available IdPs.

    2. In the Identity providers section, select LDAP from the Add dropdown.

    3. Complete the corresponding form fields by using the information in the following table:

      Form field       Value
      Name             Red Hat Directory Server
      URL & BaseDN     ldaps://rhds.ocp4.example.com/dc=example,dc=com?uid
      Bind DN          cn=Directory Manager
      Bind password    redhatocp
      Email            mail

      Note

      Use the default values for all other fields.

    4. In the CA File field, enter the certificate for the RHDS server from the rhds classroom machine, which is provided on the workstation machine in the file /home/student/DO380/labs/auth-ldap/rhds_ca.crt.

      [student@workstation ~]$ cat /home/student/DO380/labs/auth-ldap/rhds_ca.crt
      
      -----BEGIN CERTIFICATE-----
      ...output omitted...
    5. Click Add.

  7. Verify the addition of the new IdP.

    1. View the new entry in the IdP list on the OAuth details page.

    2. Review the configuration additions on the YAML tab on lines 78-98.

      spec:
        identityProviders:
          - ldap:
              attributes:
                email:
                  - mail
                id:
                  - dn
                name:
                  - cn
                preferredUsername:
                  - uid
              bindDN: 'cn=Directory Manager'
              bindPassword:
                name: ldap-bind-password-cjckt
              ca:
                name: ca-config-map
              insecure: false
              url: >-
                ldaps://rhds.ocp4.example.com/dc=example,dc=com?uid
            mappingMethod: claim
            name: Red Hat Directory Server
            type: LDAP
    3. From the upper-right dropdown menu, log out of the web console to return to the authentication page.

    4. The new IdP appears in the list as Red Hat Directory Server.

      Note

      It might take several minutes for the cluster to redeploy the pods and for the new IdP to appear.

  8. Select the Red Hat Directory Server IdP, and verify the authentication function by using the kristendelgado username and the redhat123 password to log in to the cluster.
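The same configuration as steps 5 to 7, driven from the CLI instead of the web console, as an added example that is not part of the course materials. It assumes the admin login from step 1 and the values and file paths from the exercise; the object names rhds-bind-password and rhds-ca, the password file argument, and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the course: CLI equivalent of steps 5-7 (test the bind, then add the RHDS IdP).
# Assumes an admin oc login (step 1). Secret/config map names and the password file are assumptions.
set -eu

LDAP_URL='ldaps://rhds.ocp4.example.com/dc=example,dc=com?uid'
LDAP_URI='ldaps://rhds.ocp4.example.com'
BIND_DN='cn=Directory Manager'   # the LDAP superuser; in production bind with a dedicated read-only account
CA_FILE=/home/student/DO380/labs/auth-ldap/rhds_ca.crt
SECRET_NAME=rhds-bind-password   # assumed name; the console generated ldap-bind-password-cjckt
CA_CONFIGMAP=rhds-ca             # assumed name; the console reused ca-config-map

# Only accept ldaps://. With insecure: false an ldap:// URL is upgraded with StartTLS, but a later
# insecure: true would send the bind password and every user's credentials in cleartext.
require_ldaps() {
  case "$1" in ldaps://*) return 0 ;; *) echo "refusing non-ldaps URL: $1" >&2; return 1 ;; esac
}

# Render the identityProviders entry that the console form produces (compare with the YAML tab in step 7).
# Args: bindDN, bind-password secret name, CA config map name, LDAP URL.
render_ldap_idp() {
  printf '{"name":"Red Hat Directory Server","mappingMethod":"claim","type":"LDAP","ldap":{"attributes":{"id":["dn"],"email":["mail"],"name":["cn"],"preferredUsername":["uid"]},"bindDN":"%s","bindPassword":{"name":"%s"},"ca":{"name":"%s"},"insecure":false,"url":"%s"}}\n' \
    "$1" "$2" "$3" "$4"
}

# Step 5 with the password read from a file (-y) instead of -w, so it stays out of shell history and ps.
# The file must hold the password with no trailing newline (create it with printf '%s').
check_bind() {
  ldapsearch -x -H "$1" -D "$2" -y "$3" -b "$4" -s base '(objectclass=*)' >/dev/null
}

apply_ldap_idp() {
  pwfile=$1
  require_ldaps "$LDAP_URL"
  check_bind "$LDAP_URI" "$BIND_DN" "$pwfile" dc=example,dc=com
  # The OAuth CR references the bind password and CA by name; both must live in openshift-config.
  oc create secret generic "$SECRET_NAME" -n openshift-config \
    --from-literal=bindPassword="$(cat "$pwfile")"
  oc create configmap "$CA_CONFIGMAP" -n openshift-config --from-file=ca.crt="$CA_FILE"
  # A JSON "add" to /spec/identityProviders/- appends, leaving the existing IdM provider in place
  # (a merge patch would replace the whole list).
  oc patch oauth cluster --type=json \
    -p "[{\"op\":\"add\",\"path\":\"/spec/identityProviders/-\",\"value\":$(render_ldap_idp "$BIND_DN" "$SECRET_NAME" "$CA_CONFIGMAP" "$LDAP_URL")}]"
}

if [ "${1:-}" = apply ]; then apply_ldap_idp "$2"; fi
```

Run it as `sh add-rhds-idp.sh apply /path/to/password-file`; afterwards `oc get oauth cluster -o yaml` should show the same entry as the YAML tab in step 7, and the new IdP appears on the login page once the oauth pods redeploy.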

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish auth-ldap

Revision: do380-4.14-397a507