
Re: syncing ldap groups with openshift 1.4

Hi Joseph,

Yes, it's not possible to do a sync without an objectClass, but it is possible to use DN as objectClass. I had some problems syncing the LDAP groups at a client before, and after changing the scopes and attributes a lot of times, I got to this LDAPSyncConfig, which works correctly. I think that you just need to find the right parameters =).

kind: LDAPSyncConfig
apiVersion: v1
url: "ldap://ldapserver.client.com.br"
insecure: true
bindDN: "uid=openShiftAdm,ou=openShift,ou=accounts,O=CLIENT.COM"
bindPassword: "password"
rfc2307:
    groupsQuery:
        baseDN: "ou=openShift,ou=accounts,o=client.com"
        scope: sub
        derefAliases: never
        filter: (objectClass=groupOfNames)
    groupUIDAttribute: dn
    groupNameAttributes: [ ou ]
    groupMembershipAttributes: [ member ]
    usersQuery:
        baseDN: "O=CLIENT.COM"
        scope: sub
        derefAliases: never
    userUIDAttribute: dn
    userNameAttributes: [ uid ]
    tolerateMemberNotFoundErrors: false
    tolerateMemberOutOfScopeErrors: false

Hope this can help!!


Rodrigo Bersa
Cloud Consultant | Red Hat Brasil
rbersa@redhat.com | M: +55 11 9 9557-5841
Av. Brigadeiro Faria Lima 3900, 8° Andar. São Paulo, Brasil.
RED HAT | TRIED. TESTED. TRUSTED. Find out why at redhat.com

On Tue, Mar 21, 2017 at 10:02 AM, Joseph Lorenzini <jaloren gmail com> wrote:
Hi all,

I am following the documentation here:

I used a yaml config here:

Which failed with:

error: validation of LDAP sync config failed: usersQuery.filter: Invalid value: "(objectclass=inetOrgPerson)": cannot specify a filter when using "dn" as the UID attribute

Seems like the bug here in the docs has not actually been fixed.

But okay, so you can't use DN with an object class filter, that's fine. So then I tried it without an object class but left everything else the same, and now I see this:

error: validation of LDAP sync config failed: groupsQuery.filter: Invalid value: "": invalid query filter: LDAP Result Code 201 "": ldap: filter does not start with an '('

So if I can't use an object class with a DN as the UID attribute and I can't do a sync without an object class, my questions are: how does one get this to work where the DN is the UID attribute and if DN is not acceptable for the UID attribute, then what is?



users mailing list
users lists openshift redhat com
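Added example, not from either message and not OpenShift's own validator: a small Python re-implementation of the filter rule that the two error messages in Joseph's mail imply, and that Rodrigo's config satisfies. The asymmetry is my assumption drawn from those messages: the groups query is always a search and so needs a well-formed filter, while the users query must carry no filter when userUIDAttribute is dn, because users are then fetched by DN. The config builder is constructed to match the shape of Rodrigo's config.

```python
from typing import Dict, List, Optional

def filter_error(flt: str) -> Optional[str]:
    """Minimal LDAP filter syntax check: parenthesised and balanced."""
    if not flt.startswith("("):
        return "filter does not start with an '('"
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return "unexpected ')'"
    return None if depth == 0 else "unbalanced parentheses"

def validate_query(query: Dict, path: str, dn_only: bool) -> List[str]:
    """dn_only: the query never runs a search, so a filter is an error."""
    flt = query.get("filter", "")
    if dn_only:
        if flt:
            return [f'{path}.filter: cannot specify a filter when using "dn" as the UID attribute']
        return []
    err = filter_error(flt)
    return [f"{path}.filter: invalid query filter: {err}"] if err else []

def validate_rfc2307(cfg: Dict) -> List[str]:
    """Assumed rule: groups are always enumerated by search (filter required);
    users are looked up by DN when userUIDAttribute is dn (filter forbidden)."""
    r = cfg["rfc2307"]
    errors = validate_query(r["groupsQuery"], "groupsQuery", dn_only=False)
    user_dn = r.get("userUIDAttribute", "").strip().lower() == "dn"
    return errors + validate_query(r["usersQuery"], "usersQuery", user_dn)

def make_config(groups_filter: str, users_filter: str) -> Dict:
    """Constructed config shaped like the one in the thread, dn UIDs on both sides."""
    return {"rfc2307": {
        "groupsQuery": {"baseDN": "ou=openShift,ou=accounts,o=client.com",
                        "scope": "sub", "filter": groups_filter},
        "groupUIDAttribute": "dn",
        "usersQuery": {"baseDN": "O=CLIENT.COM", "scope": "sub", "filter": users_filter},
        "userUIDAttribute": "dn",
    }}

if __name__ == "__main__":
    # First attempt in the thread: filter on both queries -> usersQuery rejected.
    print(validate_rfc2307(make_config("(objectClass=groupOfNames)", "(objectclass=inetOrgPerson)")))
    # Second attempt: no filter anywhere -> groupsQuery rejected.
    print(validate_rfc2307(make_config("", "")))
    # Working shape: groups filtered, users query without a filter -> no errors.
    print(validate_rfc2307(make_config("(objectClass=groupOfNames)", "")))
```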
