Question

ldap authentication problem


Hello,


I couldn't find documentation on configuring LDAP authentication via the OpenShift Operator for Kasten K10 instead of the Helm chart. I need to include a certificate to authenticate to LDAP.


I have the certificate stored in a config map.


Best regards, Mike


6 comments


@gavezm Thanks for creating this post.

You will have to add a configMap in the K10 namespace with the filename custom-ca-bundle.pem. Please refer to this documentation (https://docs.kasten.io/latest/install/advanced.html#install-root-ca-in-k10-s-namespace) for creating this configmap.

The K10 operand resource schema is very similar to the Helm values, except it has spec as a top-level field.

Please take a look at this KB article https://kb.kasten.io/knowledge/updating-k10-configuration-in-k10-operator for more details.

Let us know if you need any clarification.


Regards,

Jaiganesh

I already did this.

This is my current YAML file:

Yaml:

spec:
  auth:
    basicAuth:
      enabled: false
      htpasswd: ''
      secretName: ''
    ldap:
      enabled: true
      bindPW:
        name: ldap-secret-k10
      usernameClaim: email
      groupSearch:
        baseDN: 'ou=Fim-Managed Groups,dc=qw,dc=qwe,dc=si'
        filter: (objectClass=group)
        nameAttr: cn
        userMatchers:
          - groupAttr: member
            userAttr: distinguishedName
      bindDN: okdldap
      host: qwe01.qw.qwe.si
      usernamePrefix: '-'
      insecureNoSSL: true
      groupnameClaim: groups
      userSearch:
        baseDN: 'ou=Fim-Managed Groups,dc=qw,dc=qwe,dc=si'
        emailAttr: userPrincipalName
        filter: null
        idAttr: sAMAccountName
        nameAttr: givenName
        username: sAMAccountName
      restartPod: false
      insecureSkipVerifySSL: false
      startTLS: true
      usernamePrompt: Email Address
      secretName: ''
      dashboardURL: 'https://k10-route-kasten-io.apps.okd-dev.qw.qwe.si/k10/'
      groupnamePrefix: '-'
    tokenAuth:
      enabled: false
  cacertconfigmap:
    name: custom-ca-bundle-store
  global:


Thanks for sharing this.
Everything looks good. Would you be able to change distinguishedName to DN under userAttr in groupSearch?

      groupSearch:
        baseDN: 'ou=Fim-Managed Groups,dc=qw,dc=qwe,dc=si'
        filter: (objectClass=group)
        nameAttr: cn
        userMatchers:
          - groupAttr: member
            userAttr: DN

The LDAP connector that K10 uses expects this value in upper case (https://github.com/dexidp/dex/issues/1190).

I have changed the CR a little bit.

In the auth logs I can find this:

time="2024-05-09T07:50:38Z" level=info msg="performing ldap search ou=Fim-Managed Groups,dc=qw,dc=qwe,dc=si sub (&(objectClass=user)(sAMAccountName=adminqwe))"

time="2024-05-09T07:50:38Z" level=error msg="ldap: no results returned for filter: \"(&(objectClass=user)(sAMAccountName=adminqwe))\""


Based on the log, I believe I have successfully connected to LDAP.


    ldap:
      enabled: true
      k10AdminUsers: []
      bindPW:
        name: ldap-secret-k10
      groupSearch:
        baseDN: 'ou=Fim-Managed Groups,dc=qw,dc=qwe,dc=si'
        filter: (objectClass=group)
        nameAttr: cn
        userMatchers:
          - groupAttr: member
            userAttr: DN
      bindDN: okdldap
      host: 'qwe01.qw.qwe.si:636'
      insecureNoSSL: false
      userSearch:
        baseDN: 'ou=Fim-Managed Groups,dc=qw,dc=qwe,dc=si'
        emailAttr: sAMAccountName
        filter: >-
          (&(objectClass=user)(memberOf=CN=openshift-admin,OU=FIM-Managed
          Groups,DC=qw,DC=qwe,DC=si))
        idAttr: sAMAccountName
        nameAttr: sAMAccountName
        preferredUsernameAttr: sAMAccountName
        username: sAMAccountName
      insecureSkipVerifySSL: false
      startTLS: false
      k10AdminGroups:
        - openshift-admin
      dashboardURL: 'https://k10-route-kasten-io.apps.okd-dev.qw.qwe.si/k10/'
    tokenAuth:
      enabled: false
  cacertconfigmap:
    name: custom-ca-bundle-store


Br, Mike

This is the filter I want to configure:


(&(objectCategory=user)(memberOf=CN=openshift-admin,OU=FIM-Managed Groups,DC=qw,DC=qwe,DC=si))


Br, Mike

Based on the log output, I need to adjust the filter to include: (&(objectCategory=user)(memberOf=CN=openshift-admin,OU=FIM-Managed Groups,DC=qw,DC=qwe,DC=si)). I'm wondering how I can do this in a YAML file?


Br, Mike
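As an added illustration (not code from this thread, from K10 or from the dex connector), the script below shows what the configured userSearch.filter becomes at login time and why the login name must be RFC 4515-escaped before it is combined with it. compose_login_filter is an assumption modelled on the connector pattern visible in the log above, where the configured filter is wrapped as (&<filter>(<attr>=<user>)); the filter string itself is the one-line form of the thread's filter, which is what a single-quoted scalar or a folded `>-` scalar in the CR both yield, since YAML folds the line break in `>-` into one space.

```python
# Added example: builds and checks a connector-style LDAP login filter.
# Nothing here is K10 or dex code; compose_login_filter models the observed
# (&<configured filter>(<username attr>=<login name>)) shape as an assumption.

# The filter from the thread on one line. A single-quoted YAML scalar gives
# exactly this string; a folded '>-' scalar does too, because YAML turns the
# line break inside it into a single space ("OU=FIM-Managed Groups" stays whole).
USER_FILTER = ("(&(objectCategory=user)"
               "(memberOf=CN=openshift-admin,OU=FIM-Managed Groups,DC=qw,DC=qwe,DC=si))")

# RFC 4515 escapes for characters that would otherwise change filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally, never parsed."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_balanced(filter_str: str) -> bool:
    """Structural sanity check: every '(' is closed and nothing closes early.
    Escaped parentheses are hex sequences by now, so they do not count."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def compose_login_filter(user_filter: str, username_attr: str, username: str) -> str:
    """Combine the configured filter with the login-name match (assumed shape).
    An empty configured filter yields just the attribute match, as in the log."""
    if user_filter and not is_balanced(user_filter):
        raise ValueError("configured userSearch.filter has unbalanced parentheses")
    match = f"({username_attr}={escape_filter_value(username)})"
    return f"(&{user_filter}{match})" if user_filter else match


if __name__ == "__main__":
    print(compose_login_filter(USER_FILTER, "sAMAccountName", "adminqwe"))
    # A wildcard in the login name is neutralised instead of widening the search.
    print(compose_login_filter(USER_FILTER, "sAMAccountName", "adm*"))
```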
