openshift 4.3 using ldap

演示场景如下

  • 部署 openldap(容器方式),并部署 phpLDAPadmin web 前端
  • 在 openldap 上配置 2 个 group,一个是 admins,一个是 normals(下文 LDIF 中的名字),并给每个 group 配置一个 user(ocpadm 属于 admins,wzh 属于 normals)
  • ocp 上配置 ldap 方式的用户认证(演示为了简单使用明文 ldap:// 并设置 insecure: true,生产环境应改用 ldaps:// 并配置 CA 证书)
  • 在 ocp 上使用命令行,同步 ldap 的 group,查看已经生成了 group 及其成员 user
  • 用这个用户登录ocp,发现什么都干不了
  • 在 ocp 上使用命令行,给 admins group(同步后名为 Administrators)授予 cluster-reader 集群角色,给 normals group(同步后名为 NormalUsers)授予 demo project 的 view 角色。
  • 重新登录/刷新页面,可以看到 admins 组的用户可以只读查看整个集群的内容,normals 组的用户有了 demo project 的只读权限。

video

  • https://youtu.be/Sg3euS3ip4k
  • https://www.bilibili.com/video/BV1XA411b7N6/

参考资料:

  • https://docs.openshift.com/container-platform/4.3/authentication/identity_providers/configuring-ldap-identity-provider.html
  • https://docs.openshift.com/container-platform/4.3/authentication/ldap-syncing.html
  • https://www.cnblogs.com/ericnie/p/10063816.html
  • https://access.redhat.com/solutions/2484371
  • https://access.redhat.com/solutions/3419841

openldap

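# ---------------------------------------------------------------------------
# OpenLDAP test directory (demo only).
#
# NOTE(review): this section speaks cleartext LDAP on 389 and serves the
# phpLDAPadmin UI over plain HTTP (PHPLDAPADMIN_HTTPS=false), so the directory
# manager password crosses the network unencrypted. Acceptable on an isolated
# lab host only; anywhere else enable TLS on the container and use ldaps://.
# ---------------------------------------------------------------------------

# Mirror the upstream images into the local registry.
skopeo copy docker://docker.io/osixia/openldap:latest \
  docker://registry.redhat.ren:5443/docker.io/osixia/openldap:latest
skopeo copy docker://docker.io/osixia/phpldapadmin:latest \
  docker://registry.redhat.ren:5443/docker.io/osixia/phpldapadmin:latest

# Demo credentials and addresses, defined once so nothing below repeats them.
# The container derives the manager DN from LDAP_DOMAIN, hence cn=admin,dc=redhat,dc=ren.
LDAP_ADMIN_DN="cn=admin,dc=redhat,dc=ren"
LDAP_ADMIN_PW="ldap123"
LDAP_HOST="117.177.241.16"   # address of the host running the openldap container
USER_PW="redhat"             # password shared by both test users

# Hand passwords to the ldap* tools through root-only files rather than -w/-s,
# so they do not appear in `ps` output or shell history. The tools use the file
# contents verbatim, so write them without a trailing newline.
LDAP_PW_FILE="$(mktemp)"
USER_PW_FILE="$(mktemp)"
chmod 600 "$LDAP_PW_FILE" "$USER_PW_FILE"
printf '%s' "$LDAP_ADMIN_PW" > "$LDAP_PW_FILE"
printf '%s' "$USER_PW" > "$USER_PW_FILE"

# Start the openldap server.
podman run -p 389:389 --name openldap --hostname ldap.redhat.ren \
  --env LDAP_ORGANISATION="redhat" \
  --env LDAP_DOMAIN="redhat.ren" \
  --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PW" \
  --detach registry.redhat.ren:5443/docker.io/osixia/openldap:latest

# Web front end: http://helper.hsc.redhat.ren:5080
# Login DN: cn=admin,dc=redhat,dc=ren  Password: the value of LDAP_ADMIN_PW
podman run -p 5080:80 --name phpldapadmin \
  --env PHPLDAPADMIN_HTTPS=false \
  --env PHPLDAPADMIN_LDAP_HOSTS="$LDAP_HOST" \
  --detach registry.redhat.ren:5443/docker.io/osixia/phpldapadmin:latest

# Client tools: ldapadd/ldapsearch come from openldap-clients, slappasswd from
# openldap-servers. The data below is loaded into the container (the DNs match
# its LDAP_DOMAIN), not into the host slapd; the status call is informational.
yum install -y openldap openldap-clients openldap-servers
systemctl status slapd

# Base tree: one OU for people, one for groups.
cat << EOF > base.ldif
dn: ou=users,dc=redhat,dc=ren
objectClass: organizationalUnit
objectClass: top
ou: users

dn: ou=groups,dc=redhat,dc=ren
objectClass: organizationalUnit
objectClass: top
ou: groups
EOF
ldapadd -x -D "$LDAP_ADMIN_DN" -y "$LDAP_PW_FILE" -f base.ldif

# Hash the test users' password at run time instead of pasting a fixed
# {SSHA} literal (the old literal was the hash of "redhat").
USER_PW_HASH="$(slappasswd -T "$USER_PW_FILE")"

# Two users and two groups. ocpadm belongs to "admins", wzh to "normals";
# the OpenShift sync config later maps these group DNs onto the cluster
# groups Administrators and NormalUsers.
cat << EOF > users.ldif
dn: cn=ocpadm,ou=users,dc=redhat,dc=ren
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: ocpadm
sn: ocpadm
uid: ocpadm
displayName: ocpadm
mail: ocpadm@redhat.ren
userPassword: ${USER_PW_HASH}

dn: cn=wzh,ou=users,dc=redhat,dc=ren
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: wzh
sn: wzh
uid: wzh
displayName: wzh
mail: wzh@redhat.ren
userPassword: ${USER_PW_HASH}

dn: cn=admins,ou=groups,dc=redhat,dc=ren
objectClass: groupOfNames
cn: admins
owner: cn=admin,dc=redhat,dc=ren
member: cn=ocpadm,ou=users,dc=redhat,dc=ren

dn: cn=normals,ou=groups,dc=redhat,dc=ren
objectClass: groupOfNames
cn: normals
owner: cn=admin,dc=redhat,dc=ren
member: cn=wzh,ou=users,dc=redhat,dc=ren
EOF
ldapadd -x -D "$LDAP_ADMIN_DN" -y "$LDAP_PW_FILE" -f users.ldif

# Verify what was loaded.
ldapsearch -x -D "$LDAP_ADMIN_DN" -y "$LDAP_PW_FILE" -b dc=redhat,dc=ren

# Tear-down (run when the demo is finished): drop the temporary password
# files first, then the containers. The original placed the container removal
# before the data load, which would have torn the server down too early.
rm -f "$LDAP_PW_FILE" "$USER_PW_FILE"
podman rm -fv phpldapadmin
podman rm -fv openldap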

ocp operation

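# ---------------------------------------------------------------------------
# OpenShift side: LDAP identity provider, group sync, RBAC, and tear-down.
#
# NOTE(review): the demo binds with the directory manager (cn=admin,...) over
# cleartext ldap:// with insecure: true. The bind account only needs read
# access to ou=users and ou=groups, so production should use a dedicated
# read-only bind DN, ldaps:// on 636, and a CA config map in place of
# insecure: true.
# ---------------------------------------------------------------------------

LDAP_BIND_DN="cn=admin,dc=redhat,dc=ren"
LDAP_BIND_PW="ldap123"
LDAP_URL="ldap://registry.redhat.ren:389"

# Current state of users / identities / groups.
oc get user
oc get group
oc get identity

# Remove LDAP-backed users and identities left over from earlier runs.
# Matching on "ldapidp:" (the provider name configured below) instead of the
# bare word "ldap" avoids deleting unrelated users that merely contain it;
# xargs -r skips the delete when there is nothing to remove.
oc get user | grep 'ldapidp:' | awk '{print $1}' | xargs -r -I DEMO oc delete user DEMO
oc get identity | grep 'ldapidp:' | awk '{print $1}' | xargs -r -I DEMO oc delete identity DEMO

# Bind password for the identity provider, stored as a Secret in
# openshift-config. --from-file keeps the value out of shell history; the file
# contents are used verbatim, so write it without a trailing newline.
BIND_PW_FILE="$(mktemp)"
chmod 600 "$BIND_PW_FILE"
printf '%s' "$LDAP_BIND_PW" > "$BIND_PW_FILE"
oc create secret generic ldap-secret --from-file=bindPassword="$BIND_PW_FILE" -n openshift-config
rm -f "$BIND_PW_FILE"

# Identity providers. The whole identityProviders list is written here, so the
# existing htpasswd provider is restated to keep the local admin login working.
cat << EOF > ldap.yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - name: "Local Password"
      mappingMethod: claim
      type: HTPasswd
      htpasswd:
        fileData:
          name: htpasswd
    - name: ldapidp
      mappingMethod: claim
      type: LDAP
      ldap:
        attributes:
          id:
            - dn
          email:
            - mail
          name:
            - cn
          preferredUsername:
            - uid
        # Demo uses the directory manager; prefer a read-only bind account.
        bindDN: "${LDAP_BIND_DN}"
        bindPassword:
          name: ldap-secret
        # Demo only: no TLS and no certificate verification. For production
        # use ldaps://host:636 and reference a CA config map via "ca:".
        insecure: true
        url: "${LDAP_URL}/ou=users,dc=redhat,dc=ren?uid"
EOF
oc apply -f ldap.yaml

# Group sync config. The bind password must sit in this file in clear text,
# so the file is created root-only and removed again during tear-down.
( umask 077
cat << EOF > ldapsync.yaml
kind: LDAPSyncConfig
apiVersion: v1
url: "${LDAP_URL}"
insecure: true
bindDN: "${LDAP_BIND_DN}"
bindPassword: "${LDAP_BIND_PW}"
groupUIDNameMapping:
  "cn=admins,ou=groups,dc=redhat,dc=ren": Administrators
  "cn=normals,ou=groups,dc=redhat,dc=ren": NormalUsers
rfc2307:
  groupsQuery:
    baseDN: "ou=groups,dc=redhat,dc=ren"
    scope: sub
    derefAliases: never
    pageSize: 0
    filter: (objectclass=groupOfNames)
  groupUIDAttribute: dn
  groupNameAttributes: [ cn ]
  groupMembershipAttributes: [ member ]
  usersQuery:
    baseDN: "ou=users,dc=redhat,dc=ren"
    scope: sub
    derefAliases: never
    pageSize: 0
  userUIDAttribute: dn
  userNameAttributes: [ cn ]
  tolerateMemberNotFoundErrors: false
  tolerateMemberOutOfScopeErrors: false
EOF
)
oc adm groups sync --sync-config=ldapsync.yaml --confirm

# To drop cluster groups whose LDAP counterpart no longer exists:
# oc adm prune groups --sync-config=ldapsync.yaml --confirm

# At this point wzh / ocpadm can log in but have no project permissions.
oc get clusterrole
oc get role

# Least-privilege grants: cluster-reader is read-only across the cluster,
# view is read-only inside the demo project.
oc adm policy add-cluster-role-to-group cluster-reader Administrators
oc policy add-role-to-group view NormalUsers -n demo

# Log in again: the users now see what their group allows.

# Revoke the grants.
oc adm policy remove-cluster-role-from-group cluster-reader Administrators
oc policy remove-role-from-group view NormalUsers -n demo

# Remove the LDAP integration: synced groups, users, identities, the provider,
# the bind secret, and the local sync config (which holds the password).
oc delete group Administrators NormalUsers --ignore-not-found
oc get user | grep 'ldapidp:' | awk '{print $1}' | xargs -r -I DEMO oc delete user DEMO
oc get identity | grep 'ldapidp:' | awk '{print $1}' | xargs -r -I DEMO oc delete identity DEMO
rm -f ldapsync.yaml
cat << EOF > ldap.yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - name: "Local Password"
      mappingMethod: claim
      type: HTPasswd
      htpasswd:
        fileData:
          name: htpasswd
EOF
oc apply -f ldap.yaml
# The secret is no longer referenced by the OAuth config, so drop it too.
oc delete secret ldap-secret -n openshift-config --ignore-not-found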

free ipa

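# ---------------------------------------------------------------------------
# FreeIPA alternative (not used by the OpenLDAP demo above).
# ---------------------------------------------------------------------------
skopeo copy docker://docker.io/freeipa/freeipa-server:latest \
  docker://registry.redhat.ren:5443/docker.io/freeipa/freeipa-server:latest

IPA_DATA_DIR="/data/freeipa"
IPA_SERVER_IP="10.66.208.240"
IPA_IMAGE="docker.io/freeipa/freeipa-server"   # the mirrored copy above can be used instead
mkdir -p "$IPA_DATA_DIR"

# ipa-server-install reads its answers from this file. It holds the Directory
# Server and admin passwords in clear text, so it is created root-only.
# NOTE(review): Kerberos realms are conventionally upper-case (REDHAT.REN);
# confirm the installer accepts the lower-case value before relying on it.
( umask 077
cat << EOF > "$IPA_DATA_DIR/ipa-server-install-options"
--realm=redhat.ren
--ds-password=The-directory-server-password
--admin-password=The-admin-password
EOF
)

# Left commented out in the original; may be needed on SELinux hosts:
# setsebool -P container_manage_cgroup 1

# First run: interactive install. --privileged gives the container full access
# to the host, so a compromise of the IPA container is a compromise of the
# host; keep this on a dedicated machine.
docker run --name freeipa-server-container -ti --privileged \
  -e IPA_SERVER_IP="$IPA_SERVER_IP" \
  -p 3080:80 -p 3443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 \
  -p 88:88/udp -p 464:464/udp -p 123:123/udp \
  -h ipa.redhat.ren \
  -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
  --tmpfs /run --tmpfs /tmp \
  -v "$IPA_DATA_DIR":/data:Z \
  "$IPA_IMAGE" ipa-server-install

# Subsequent starts.
docker start -ai freeipa-server-container

# Tear-down: remove only this container. The original used
# `docker rm -fv $(docker ps -qa)`, which deletes every container on the host.
docker rm -fv freeipa-server-container

# Expose the web UI (mapped to 3443 above).
firewall-cmd --zone=public --add-port=3443/tcp --permanent
firewall-cmd --reload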