
Re: Limiting which LDAP users can login





On Thu, Jan 4, 2018 at 5:35 AM, Joel Pearson <japearson agiledigital com au> wrote:
Hi,

I just wanted to check what the proper way is to limit which users are allowed to login to OpenShift via an LDAP group.

There doesn't seem to be a way during authentication, but on the authorisation side of things I found that if I removed "system:authenticated" from the basic-user cluster role binding then that seemed to have the desired effect.  Is this the right way? 


No, removing that role breaks things like `oc whoami`, `oc auth can-i`, and web console login.

You have two options for gating logins during authentication:

1. Specify a filter on the user query to limit to a particular set of users. See the filter documentation at https://docs.openshift.org/latest/install_config/configuring_authentication.html#LDAPPasswordIdentityProvider for more information. For example, to limit to users with an openshiftUser=true attribute:
url: "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid?sub?(openshiftUser=true)"

2. Instead of automatically provisioning User and Identity objects in openshift at login time, require them to be pre-created out of band using `mappingMethod: lookup`. Any attempt to log in as an LDAP user that does not have a configured Identity and User object will fail. See https://docs.openshift.org/latest/install_config/configuring_authentication.html#mapping-identities-to-users for more details.
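As an added illustration (not part of the original thread), here is what the two options above look like in the `identityProviders` section of an OpenShift 3.x master-config.yaml: the filtered URL from option 1 and `mappingMethod: lookup` from option 2 are both shown, though either one on its own gates logins. The host, base DN and `openshiftUser` attribute are the placeholders from the message above; the CA file path is assumed.

```yaml
# master-config.yaml (OpenShift 3.x), identity provider section.
# Added example; host, base DN, attribute and file path are placeholders.
oauthConfig:
  identityProviders:
  - name: ldap                    # Identity objects are named "<name>:<id attribute value>"
    challenge: true
    login: true
    # Option 2: "lookup" never auto-provisions Identity/User objects, so an LDAP
    # user whose password is accepted but who has no pre-created mapping is
    # refused at login. The default, "claim", creates both objects on first login.
    # Pre-create a permitted user with (assumed DN):
    #   oc create user alice
    #   oc create identity ldap:uid=alice,ou=users,dc=acme,dc=com
    #   oc create useridentitymapping ldap:uid=alice,ou=users,dc=acme,dc=com alice
    mappingMethod: lookup
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id: ["dn"]                # value used as the Identity's provider user name
        email: ["mail"]
        name: ["cn"]
        preferredUsername: ["uid"]
      bindDN: ""                  # anonymous search bind; set a service account if the directory requires it
      bindPassword: ""
      insecure: false             # with ldap:// this means StartTLS is required
      ca: /etc/origin/master/ldap-ca.crt   # assumed path
      # Option 1: the RFC 2255 URL is host/baseDN?attribute?scope?filter.
      # The user search only matches entries satisfying the filter, so an
      # account without openshiftUser=true is never found and cannot log in,
      # whatever password it presents.
      url: "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid?sub?(openshiftUser=true)"
```

Because the `id` attribute is the DN, the identity you pre-create under option 2 must use the user's full DN, as in the comment above.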



So I ran these 2 commands:

oc adm policy add-cluster-role-to-group basic-user staff
oc adm policy remove-cluster-role-from-group basic-user system:authenticated

After which only users in the staff group can login if they don't already have other permissions.

The effect on the console is a little odd.  You can log in OK and it shows an error screen, then you click continue and then you are redirected back to the login screen.

Thanks,

Joel

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


