
Re: syncing ldap groups with openshift 1.4



Hi Joseph,

Yes, it's not possible to do a sync without an objectClass, but it is possible to use DN as objectClass. I had some problems syncing the LDAPGroups at a client before, and after changing the scopes and attributes a lot of times, I got to this LDAPSyncConfig, which works correctly. I think that you just need to find the right parameters =).

kind: LDAPSyncConfig
apiVersion: v1
url: "ldap://ldapserver.client.com.br"
insecure: true
bindDN: "uid=openShiftAdm,ou=openShift,ou=accounts,O=CLIENT.COM"
bindPassword: "password"
rfc2307:
    groupsQuery:
        baseDN: "ou=openShift,ou=accounts,o=client.com"
        scope: sub
        derefAliases: never
        filter: (objectClass=groupOfNames)
    groupUIDAttribute: dn
    groupNameAttributes: [ ou ]
    groupMembershipAttributes: [ member ]
    usersQuery:
        baseDN: "O=CLIENT.COM"
        scope: sub
        derefAliases: never
    userUIDAttribute: dn
    userNameAttributes: [ uid ]
    tolerateMemberNotFoundErrors: false
    tolerateMemberOutOfScopeErrors: false

Hope this can help!!

Regards,


Rodrigo Bersa
Cloud Consultant | Red Hat Brasil
rbersa@redhat.com | M: +55 11 9 9557-5841
Av. Brigadeiro Faria Lima 3900, 8th floor. São Paulo, Brazil.
RED HAT | TRIED. TESTED. TRUSTED. Find out why at redhat.com

On Tue, Mar 21, 2017 at 10:02 AM, Joseph Lorenzini <jaloren gmail com> wrote:
Hi all,

I am following the documentation here:


I used a yaml config here:


Which failed with:

error: validation of LDAP sync config failed: usersQuery.filter: Invalid value: "(objectclass=inetOrgPerson)": cannot specify a filter when using "dn" as the UID attribute

Seems like the bug here in the docs has not actually been fixed.

But okay, so you can't use DN with an object class filter, that's fine. So then I tried it without an object class but left everything else the same, and now I see this:

error: validation of LDAP sync config failed: groupsQuery.filter: Invalid value: "": invalid query filter: LDAP Result Code 201 "": ldap: filter does not start with an '('

So if I can't use an object class with a DN as the UID attribute and I can't do a sync without an object class, my questions are: how does one get this to work where the DN is the UID attribute and if DN is not acceptable for the UID attribute, then what is?

Thanks,

Joe


_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
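The two validation errors in the thread follow one rule: groups are found by searching with groupsQuery.filter, while members are resolved from the DNs stored in the group's member attribute, so when userUIDAttribute is dn a usersQuery.filter has nothing to apply to and is rejected, whereas groupsQuery.filter is always parsed and an empty one fails. The linter below is an added example, not OpenShift's own validator and not Rodrigo's or Joe's code; it re-implements that reading of the rules in simplified form (the dn-only check applying to usersQuery alone is inferred from the two quoted errors, and the filter parser only checks the leading '(' and balanced parentheses), adds two hardening warnings of my own about insecure: true and an inline bindPassword, and uses sample configs constructed from the thread so it runs offline without a YAML parser. Joe's two failing attempts are reconstructed by editing Rodrigo's working config, since his original file is not on the page.

```python
"""Pre-flight linter for an OpenShift LDAPSyncConfig (rfc2307 schema).

Added example: a simplified model of the validation rules implied by the
thread, plus hardening warnings. Not OpenShift's own validator.
"""
import copy

VALID_SCOPES = {"base", "one", "sub"}
VALID_DEREF = {"never", "search", "base", "always"}


def filter_is_wellformed(filter_str):
    """True if an RFC 4515 filter starts with '(' and its parentheses balance."""
    if not filter_str.startswith("("):
        return False
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def check_query(name, query, dn_only, errors):
    """Validate groupsQuery or usersQuery.

    dn_only models userUIDAttribute: dn, where members are resolved by the DN
    stored in the group entry, so a search filter cannot apply (assumption
    drawn from the error message quoted in the thread).
    """
    if not query.get("baseDN"):
        errors.append(f"{name}.baseDN: Required value")
    scope = query.get("scope", "sub")
    if scope not in VALID_SCOPES:
        errors.append(f"{name}.scope: Invalid value: {scope!r}")
    deref = query.get("derefAliases", "never")
    if deref not in VALID_DEREF:
        errors.append(f"{name}.derefAliases: Invalid value: {deref!r}")
    filt = query.get("filter") or ""
    if dn_only:
        if filt:
            errors.append(f'{name}.filter: Invalid value: "{filt}": '
                          'cannot specify a filter when using "dn" as the UID attribute')
    elif not filt.startswith("("):
        # Mirrors the second error in the thread: an empty filter is not parseable.
        errors.append(f'{name}.filter: Invalid value: "{filt}": '
                      "invalid query filter: filter does not start with an '('")
    elif not filter_is_wellformed(filt):
        errors.append(f'{name}.filter: Invalid value: "{filt}": unbalanced parentheses')


def validate(config):
    """Return (errors, warnings) for an LDAPSyncConfig given as a parsed dict."""
    errors, warnings = [], []
    if config.get("kind") != "LDAPSyncConfig":
        errors.append("kind: must be LDAPSyncConfig")
    # Hardening warnings (my own checks, not part of OpenShift validation).
    if config.get("insecure") is True:
        warnings.append("insecure: true: bind password and group data travel in "
                        "cleartext; prefer ldaps:// with a CA bundle")
    if config.get("bindPassword"):
        warnings.append("bindPassword: literal password in the config file; restrict "
                        "file permissions and keep it out of version control")
    rfc = config.get("rfc2307")
    if rfc is None:
        errors.append("rfc2307: Required value (the only schema this linter handles)")
        return errors, warnings
    for key in ("groupUIDAttribute", "groupNameAttributes", "groupMembershipAttributes",
                "userUIDAttribute", "userNameAttributes"):
        if not rfc.get(key):
            errors.append(f"rfc2307.{key}: Required value")
    user_dn_only = str(rfc.get("userUIDAttribute", "")).lower() == "dn"
    check_query("groupsQuery", rfc.get("groupsQuery") or {}, False, errors)
    check_query("usersQuery", rfc.get("usersQuery") or {}, user_dn_only, errors)
    return errors, warnings


# Constructed sample: Rodrigo's posted configuration as a dict (no YAML parser needed).
WORKING = {
    "kind": "LDAPSyncConfig", "apiVersion": "v1",
    "url": "ldap://ldapserver.client.com.br", "insecure": True,
    "bindDN": "uid=openShiftAdm,ou=openShift,ou=accounts,O=CLIENT.COM",
    "bindPassword": "password",
    "rfc2307": {
        "groupsQuery": {"baseDN": "ou=openShift,ou=accounts,o=client.com", "scope": "sub",
                        "derefAliases": "never", "filter": "(objectClass=groupOfNames)"},
        "groupUIDAttribute": "dn", "groupNameAttributes": ["ou"],
        "groupMembershipAttributes": ["member"],
        "usersQuery": {"baseDN": "O=CLIENT.COM", "scope": "sub", "derefAliases": "never"},
        "userUIDAttribute": "dn", "userNameAttributes": ["uid"],
        "tolerateMemberNotFoundErrors": False, "tolerateMemberOutOfScopeErrors": False,
    },
}

# Constructed reconstruction of Joe's first attempt: usersQuery filter with userUIDAttribute: dn.
FILTER_WITH_DN = copy.deepcopy(WORKING)
FILTER_WITH_DN["rfc2307"]["usersQuery"]["filter"] = "(objectclass=inetOrgPerson)"

# Constructed reconstruction of the second attempt: the groupsQuery filter emptied out.
EMPTY_GROUP_FILTER = copy.deepcopy(WORKING)
EMPTY_GROUP_FILTER["rfc2307"]["groupsQuery"]["filter"] = ""

if __name__ == "__main__":
    for label, cfg in (("working", WORKING), ("filter with dn", FILTER_WITH_DN),
                       ("empty group filter", EMPTY_GROUP_FILTER)):
        errs, warns = validate(cfg)
        print(f"{label}: {'OK' if not errs else 'FAIL'}")
        for line in errs + warns:
            print("  ", line)
```

Because member DNs are taken straight from the group entry, the only things limiting which accounts a sync can pull in are usersQuery.baseDN and tolerateMemberOutOfScopeErrors: false, which is why the working config keeps both tight even though it has no user filter.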


