[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Limiting which LDAP users can login

On Thu, Jan 4, 2018 at 5:35 AM, Joel Pearson <japearson agiledigital com au> wrote:

I just wanted to check what the proper way is to limit which users are allowed to login to OpenShift via an LDAP group.

There doesn't seem to be a way during authentication, but on the authorisation side of things I found that if I removed "system:authenticated" from the basic-user cluster role binding then that seemed to have the desired effect.  Is this the right way? 

No, removing that role breaks things like `oc whoami`, `oc auth can-i`, and web console login.

You have two options for gating logins during authentication:

1. Specify a filter on the user query to limit to a particular set of users. See the filter documentation at https://docs.openshift.org/latest/install_config/configuring_authentication.html#LDAPPasswordIdentityProvider for more information. For example, to limit to users with an openshiftUser=true attribute:
url: "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid?sub?(openshiftUser=true)"

2. Instead of automatically provisioning User and Identity objects in openshift at login time, require them to be pre-created out of band using `mappingMethod: lookup`. Any attempt to log in as an LDAP user that does not have a configured Identity and User object will fail. See https://docs.openshift.org/latest/install_config/configuring_authentication.html#mapping-identities-to-users for more details.

So I ran these 2 commands:

oc adm policy add-cluster-role-to-group basic-user staff
oc adm policy remove-cluster-role-from-group basic-user system:authenticated

After which only users in the staff group can log in if they don't already have other permissions.

The effect on the console is a little odd.  You can log in OK and it shows an error screen, then you click Continue and you are redirected back to the login screen.



users mailing list
users lists openshift redhat com
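For anyone finding this thread later, here is an added example (not from the thread and not the OpenShift project's own documentation) of what the two authentication-side options from the reply look like as an identityProviders stanza in master-config.yaml. The host and base DN are the ones from the reply; the provider names, bind account, CA path, user DN and group DN are assumed. The two stanzas are alternatives shown side by side for contrast; a real config would use one of them.

```yaml
# Added example, not from the thread or the OpenShift project.
# Host and base DN come from the reply; everything else is assumed.
oauthConfig:
  identityProviders:

  # Option 1: keep automatic provisioning (mappingMethod: claim) but narrow
  # the user search with a filter in the RFC 2255 URL
  # (ldap://host/basedn?attribute?scope?filter). Entries that do not match
  # the filter are never found, so those users cannot log in.
  - name: ldap_filtered              # assumed provider name
    challenge: true
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id: [dn]                     # default: identity is <name>:<dn>
        preferredUsername: [uid]
        name: [cn]
        email: [mail]
      bindDN: "cn=openshift-bind,ou=service,dc=acme,dc=com"   # assumed
      bindPassword: "changeme"                                 # assumed; do not commit
      ca: /etc/origin/master/ldap-ca.crt                       # assumed path
      insecure: false
      # Weak setting: no filter, so every entry under ou=users with a uid
      # can log in:
      #   url: "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid?sub"
      # Corrected: the attribute filter from the reply. For a group-based
      # rule the filter still has to match the user entry, so use an
      # attribute that reflects membership, such as memberOf where the
      # directory maintains it (Active Directory, OpenLDAP memberof overlay):
      #   ?uid?sub?(memberOf=cn=openshift-users,ou=groups,dc=acme,dc=com)
      url: "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid?sub?(openshiftUser=true)"

  # Option 2: stop provisioning at login. With mappingMethod: lookup the
  # OAuth server only accepts an LDAP user whose Identity, User and
  # UserIdentityMapping objects already exist in OpenShift; anyone else
  # authenticates against LDAP successfully and is still refused.
  - name: ldap_lookup                # assumed provider name
    challenge: true
    login: true
    mappingMethod: lookup
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id: [dn]
        preferredUsername: [uid]
        name: [cn]
        email: [mail]
      bindDN: "cn=openshift-bind,ou=service,dc=acme,dc=com"   # assumed
      bindPassword: "changeme"                                 # assumed
      ca: /etc/origin/master/ldap-ca.crt                       # assumed
      insecure: false
      url: "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid?sub"
      # Pre-create the objects out of band for each allowed user. The
      # identity name is <provider name>:<value of the id attribute>, which
      # with id: [dn] is the user's DN (jdoe and the DN are assumed):
      #   oc create user jdoe
      #   oc create identity 'ldap_lookup:uid=jdoe,ou=users,dc=acme,dc=com'
      #   oc create useridentitymapping \
      #       'ldap_lookup:uid=jdoe,ou=users,dc=acme,dc=com' jdoe
```

With option 2 a user that is removed from the directory keeps its User object and any role bindings until someone deletes them, so the out-of-band process that creates the objects also needs to remove them; with option 1 that cleanup happens for free, because a user that no longer matches the filter simply cannot authenticate.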
