Guided Exercise: Automate LDAP Group Synchronization

Automate group synchronization between OpenShift OAuth and an LDAP server.

Outcomes

  • Configure an automated group synchronization for the Red Hat Directory Services (RHDS) LDAP identity provider (IdP).

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start auth-sync

Instructions

Note

This exercise requires the completion of the previous Guided Exercise to configure the IdP. Ensure that you completed the previous section before proceeding.

Configure an automated group synchronization for the secondary RHDS IdP to maintain updated user and group information.

The implementation grants the cluster administrator privilege to the administrators group, which includes the kristendelgado user.

The RHDS LDAP IdP information is in the following table:

ldapsearch option    Value
Bind DN (-D)         cn=Directory Manager,dc=example,dc=com
URI (-H)             ldaps://rhds.ocp4.example.com
Password (-w)        redhatocp
  1. From the CLI, test the RHDS connection by using the ldapsearch command with the information in the table.

    [student@workstation ~]$ ldapsearch -D "cn=Directory Manager" \
      -w redhatocp -H ldaps://rhds.ocp4.example.com
    # extended LDIF
    #
    # LDAPv3
    # base <> (default) with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    
    # example.com
    dn: dc=example,dc=com
    objectClass: top
    objectClass: domain
    dc: example
    description: dc=example,dc=com
    
    # people, example.com
    dn: ou=people,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: people
    
    # kristendelgado, people, example.com
    dn: uid=kristendelgado,ou=people,dc=example,dc=com
    objectClass: top
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: nsMemberOf
    cn: Kristen Delgado
    uid: kristendelgado
    uidNumber: 10001
    gidNumber: 101
    homeDirectory: /home/kristendelgado
    loginShell: /bin/bash
    gecos: kristendelgado
    shadowLastChange: 0
    shadowMax: 0
    shadowWarning: 0
    userPassword:: e1NTSEF9Wm1sMWd1WjJLajlRM1dKZGlFVnV6aTNEaCs5NzFPeFg=
    memberOf: cn=administrators,ou=people,dc=example,dc=com
    
    # administrators, people, example.com
    dn: cn=administrators,ou=people,dc=example,dc=com
    objectClass: top
    objectClass: groupOfUniqueNames
    cn: administrators
    uniqueMember: uid=kristendelgado,ou=people,dc=example,dc=com
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 5
    # numEntries: 4
  2. Verify that you can log in to the cluster as the kristendelgado user with redhat123 as the password, to ensure that the user from the RHDS IdP is available.

    [student@workstation ~]$ oc login -u kristendelgado -p redhat123 \
      https://api.ocp4.example.com:6443
    Login successful.
    ...output omitted...
  3. Change to the ~/DO380/labs/auth-sync/sync directory and switch back to using the admin user and the redhatocp password.

    1. Change to the ~/DO380/labs/auth-sync/sync directory.

      [student@workstation ~]$ cd ~/DO380/labs/auth-sync/sync
      [student@workstation sync]$
    2. Connect to the OpenShift cluster as the admin user with redhatocp as the password.

      [student@workstation sync]$ oc login -u admin -p redhatocp \
        https://api.ocp4.example.com:6443
      Login successful.
      ...output omitted...
  4. Create the auth-rhds-sync project.

    [student@workstation sync]$ oc new-project auth-rhds-sync
    Now using project "auth-rhds-sync" on server "https://api.ocp4.example.com:6443".
    ...output omitted...
  5. Create a service account with permissions to synchronize groups from the RHDS server.

    1. Create a service account called rhds-group-syncer.

      [student@workstation sync]$ oc create sa rhds-group-syncer
      serviceaccount/rhds-group-syncer created
    2. Create the rhds-group-syncer cluster role with the get,list,create,update verbs.

      [student@workstation sync]$ oc create clusterrole rhds-group-syncer \
        --verb get,list,create,update --resource groups
      clusterrole.rbac.authorization.k8s.io/rhds-group-syncer created
    3. Create the cluster role binding for the rhds-group-syncer service account and cluster role.

      [student@workstation sync]$ oc adm policy add-cluster-role-to-user \
        rhds-group-syncer -z rhds-group-syncer
      clusterrole.rbac.authorization.k8s.io/rhds-group-syncer added: "rhds-group-syncer"
  6. Create a secret that contains the provided RHDS bind password.

    [student@workstation sync]$ oc create secret generic rhds-secret \
      --from-literal bindPassword='redhatocp'
    secret/rhds-secret created
  7. Create the configuration files for the RHDS automated group synchronization.

    1. Create the RHDS synchronization configuration from the example that is provided in the rhds-sync.yaml file in the working directory to supply the bind DN and password.

      kind: LDAPSyncConfig
      apiVersion: v1
      url: ldaps://rhds.ocp4.example.com:636
      bindDN: 'cn=Directory Manager'
      bindPassword:
        file: /etc/secrets/bindPassword
      ca: /etc/config/ca.crt
      augmentedActiveDirectory:
          groupsQuery:
              baseDN: "ou=people,dc=example,dc=com"
              scope: sub
              derefAliases: never
              pageSize: 0
          groupUIDAttribute: dn
          groupNameAttributes: [ cn ]
          usersQuery:
              baseDN: "ou=people,dc=example,dc=com"
              scope: sub
              derefAliases: never
              filter: (objectclass=account)
              pageSize: 0
          userNameAttributes: [ uid ]
          groupMembershipAttributes: [ memberOf ]
    2. Create a configuration map that contains the LDAPSyncConfig file and the trusted certificate.

      [student@workstation sync]$ oc create configmap rhds-config \
        --from-file rhds-sync.yaml=rhds-sync.yaml,ca.crt=rhds_ca.crt
      configmap/rhds-config created
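    To see what the augmentedActiveDirectory settings in rhds-sync.yaml actually do before the cron job runs them, the following added example (not part of the course material or of OpenShift) replays the mapping over the ldapsearch output from step 1. It applies the usersQuery filter, reads each user's memberOf values, resolves those DNs to group entries under the groupsQuery baseDN, and names the resulting OpenShift group from the group's cn and its member from the user's uid. The LDIF is a trimmed copy of the step 1 output embedded inline so the script runs offline; the filter parser handles only the single equality filter the exercise uses.

```python
"""Replay the LDAPSyncConfig mapping from rhds-sync.yaml over sample LDIF.

Added example, not course or OpenShift code. LDIF below is a trimmed copy of
the step 1 ldapsearch output; SYNC mirrors the relevant keys of rhds-sync.yaml.
"""
import re

# Trimmed copy of the ldapsearch output shown in step 1 (attributes that do
# not affect group synchronization were dropped).
LDIF = """\
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: uid=kristendelgado,ou=people,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: nsMemberOf
cn: Kristen Delgado
uid: kristendelgado
memberOf: cn=administrators,ou=people,dc=example,dc=com

dn: cn=administrators,ou=people,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: administrators
uniqueMember: uid=kristendelgado,ou=people,dc=example,dc=com
"""

# The keys of rhds-sync.yaml that drive the augmentedActiveDirectory schema.
SYNC = {
    "usersQuery": {"baseDN": "ou=people,dc=example,dc=com",
                   "filter": "(objectclass=account)"},
    "groupsQuery": {"baseDN": "ou=people,dc=example,dc=com"},
    "groupUIDAttribute": "dn",
    "groupNameAttributes": ["cn"],
    "userNameAttributes": ["uid"],
    "groupMembershipAttributes": ["memberOf"],
}


def parse_ldif(text):
    """Return a list of entries, each mapping attribute -> list of values.

    Comment lines are skipped; a blank line ends an entry. Base64 ('::')
    values are kept as opaque strings, which is enough for this replay.
    """
    entries, cur = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr, []).append(value.lstrip(": ").strip())
    if cur:
        entries.append(cur)
    return entries


def in_subtree(dn, base_dn):
    """scope: sub means the base DN itself and everything below it."""
    return dn.lower().endswith(base_dn.lower())


def matches_filter(entry, ldap_filter):
    """Support only the simple equality filter '(attr=value)' used here."""
    m = re.fullmatch(r"\((\w+)=([^)]+)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, value = m.group(1).lower(), m.group(2).lower()
    return any(k.lower() == attr and any(v.lower() == value for v in vals)
               for k, vals in entry.items())


def sync_groups(entries, cfg):
    """Map LDAP entries to {openshift group name: [user names]}.

    Augmented AD schema: membership comes from the user's memberOf values,
    each of which must resolve to a group entry under groupsQuery.baseDN;
    the group name is taken from that entry's cn.
    """
    groups_by_dn = {e["dn"][0].lower(): e for e in entries
                    if in_subtree(e["dn"][0], cfg["groupsQuery"]["baseDN"])}
    result = {}
    for e in entries:
        dn = e["dn"][0]
        if not in_subtree(dn, cfg["usersQuery"]["baseDN"]):
            continue
        if not matches_filter(e, cfg["usersQuery"]["filter"]):
            continue  # e.g. the ou and the group entry are not accounts
        user = e[cfg["userNameAttributes"][0]][0]
        for attr in cfg["groupMembershipAttributes"]:
            for gdn in e.get(attr, []):
                group = groups_by_dn.get(gdn.lower())
                if group is None:
                    continue  # memberOf points outside groupsQuery.baseDN
                name = group[cfg["groupNameAttributes"][0]][0]
                result.setdefault(name, []).append(user)
    return result


if __name__ == "__main__":
    for group, users in sync_groups(parse_ldif(LDIF), SYNC).items():
        print(f"{group}: {', '.join(users)}")
```

    The output matches what `oc get groups` shows in step 8: one administrators group whose only member is kristendelgado. Changing `usersQuery.filter` or `groupsQuery.baseDN` in SYNC and rerunning is a quick way to check how a configuration edit would change the groups the cron job creates before the change reaches the cluster.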
  8. Create the cron job for the automated schedule to synchronize groups every minute.

    1. Update the cron job configuration for the group synchronization example that is provided in the rhds-groups-cronjob.yaml file in the working directory to supply the secret and service account information.

      apiVersion: batch/v1
      kind: CronJob
      metadata:
        name: rhds-group-sync
        namespace: auth-rhds-sync
      spec:
        schedule: "*/1 * * * *"
        jobTemplate:
          spec:
            template:
              spec:
                restartPolicy: Never
                containers:
                  - name: ldap-group-sync
                    image: "registry.ocp4.example.com:8443/openshift4/ose-cli:v4.12"
                    command:
                      - "/bin/sh"
                      - "-c"
                      - "oc adm groups sync --sync-config=/etc/config/rhds-sync.yaml --confirm"
                    volumeMounts:
                      - mountPath: "/etc/config"
                        name: "ldap-sync-volume"
                      - mountPath: "/etc/secrets"
                        name: "ldap-bind-password"
                volumes:
                  - name: "ldap-sync-volume"
                    configMap:
                      name: "rhds-config"
                  - name: "ldap-bind-password"
                    secret:
                      secretName: "rhds-secret"
                serviceAccountName: rhds-group-syncer
                serviceAccount: rhds-group-syncer
    2. Create the cron job from the rhds-groups-cronjob.yaml file.

      [student@workstation sync]$ oc create -f rhds-groups-cronjob.yaml
      ...output omitted...
      cronjob.batch/rhds-group-sync created
    3. Wait for one minute for the cron job to trigger, and verify the synchronization of the administrators group from RHDS.

      [student@workstation sync]$ oc get groups
      NAME                USERS
      Default SMB Group
      administrators      kristendelgado
      ...output omitted...
  9. Apply the cluster-admin role to the administrators group.

    [student@workstation sync]$ oc adm policy add-cluster-role-to-group \
      cluster-admin administrators
    clusterrole.rbac.authorization.k8s.io/cluster-admin added: "administrators"
  10. Log in to the cluster as the kristendelgado user and verify that the user has cluster administrator privileges from the administrators group membership.

    1. Log into the cluster.

      [student@workstation sync]$ oc login -u kristendelgado -p redhat123
      Login successful.
      ...output omitted...
    2. Verify that you can perform an administrative task.

      [student@workstation sync]$ oc auth can-i create users -A
      yes
  11. Change to the /home/student directory.

    [student@workstation sync]$ cd

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish auth-sync

Revision: do380-4.14-397a507