[caasp-beta] Dex AD group membership not showing

JenTing Hsiao jenting.hsiao at suse.com
Wed Aug 7 23:46:50 MDT 2019


Hi Ian,
  Both image versions are correct!
  The gangway manifest is generated when `skuba cluster init` executes. I am not sure: when you upgraded from Beta4 to Beta5, did you redeploy the whole cluster?

JenTing

Donaldson, Ian <Ian.Donaldson at ngic.com> wrote on Thursday, August 8, 2019 at 1:23 PM:
I have installed Beta 5, but perhaps it didn’t install correctly over Beta 4. What version of caasp-dex and gangway images should there be?

I show:
image: registry.suse.com/caasp/v4/caasp-dex:2.16.0
image: registry.suse.com/caasp/v4/gangway:3.1.0


Ian Donaldson
Unix Systems Administrator
Office: 336-435-3983
ian.donaldson at NGIC.com



From: JenTing Hsiao <jenting.hsiao at suse.com>
Sent: Thursday, August 8, 2019 1:09 AM
To: Donaldson, Ian <Ian.Donaldson at NGIC.COM>
Cc: caasp-beta at lists.suse.com
Subject: Re: [caasp-beta] Dex AD group membership not showing

Hi Ian,
    Thanks for your report. The group scope was added at Beta 5.

JenTing

Donaldson, Ian <Ian.Donaldson at ngic.com> wrote on Thursday, August 8, 2019 at 2:13 AM:
The issue was not with Dex. The issue is that gangway by default doesn’t have the group scope included! This should really be added to the default yaml shipped by SUSE. I can imagine most companies being required to leverage existing ldap groups for RBAC rules in K8s.

I found that this is missing from gangway, and it prevents groups from even being searched.

Gangway yaml requires:
    scopes: ["openid", "profile", "email", "offline_access", "groups"]

Once I added the scope line (it wasn’t there by default) with groups, the group search was executed. I was then able to modify dex for our correct search filter.

        usernamePrompt: User Name
        userSearch:
          baseDN: OU=NGIC,DC=NGIC,DC=COM
          filter: "(objectClass=person)"
          username: sAMAccountName
          idAttr: sAMAccountName
          emailAttr: mail
          nameAttr: DN
        groupSearch:
          baseDN: OU=NGIC,DC=NGIC,DC=COM
          filter: "(objectCategory=group)"
          userAttr: DN
          groupAttr: member
          nameAttr: sAMAccountName
Ian Donaldson
Unix Systems Administrator
Office: 336-435-3983
ian.donaldson at NGIC.com


From: Donaldson, Ian
Sent: Tuesday, August 6, 2019 11:58 AM
To: caasp-beta at lists.suse.com
Subject: Dex AD group membership not showing

How do I get dex to pull down groups for a user? Our company uses Active Directory for ldap, which I am able to authenticate a user against ok, but I never see any group info in the logs, which we need for tying RBAC to...

2019-08-01T16:41:02.971260002-04:00 stderr F time="2019-08-01T20:41:02Z" level=info msg="performing ldap search OU=NGIC,DC=NGIC,DC=COM sub (&(objectClass=person)(sAMAccountName=i807154))"
2019-08-01T16:41:02.991102943-04:00 stderr F time="2019-08-01T20:41:02Z" level=info msg="username \"i807154\" mapped to entry CN=Donaldson\, Ian,OU=Permanent,OU=Users,OU=Winston-Salem,OU=Sites,OU=NGIC,DC=NGIC,DC=COM"
2019-08-01T16:41:03.026028235-04:00 stderr F time="2019-08-01T20:41:03Z" level=info msg="login successful: connector \"AD\", username=\"Donaldson, Ian\", email=\"Ian.Donaldson at NGIC.COM\", groups=[]"
[CL test] root at plctapconwc001:/var/log/containers #

Here is my config:
# This is a sample with LDAP as connector.
# Requires an update to fulfill your environment.
connectors:
- type: ldap
  id: AD
  name: AD
  config:
    host: adldap.ngic.com:389
    insecureNoSSL: true
    insecureSkipVerify: true
    startTLS: true
    bindDN: "CN=my bind account"
    bindPW: 'password'
    usernamePrompt: User Name
    userSearch:
      baseDN: OU=NGIC,DC=NGIC,DC=COM
      filter: "(objectClass=person)"
      username: sAMAccountName
      #idAttr: DN
      #emailAttr: sAMAccountName
      #nameAttr: cn
      idAttr: DN
      emailAttr: mail
      nameAttr: cn
    groupSearch:
      baseDN: OU=NGIC,DC=NGIC,DC=COM
      filter: "(objectClass=group)"
      #userAttr: distinguishedName
      #groupAttr: member
      #nameAttr: sAMAccountName
      #      username: userPrincipalName
      userAttr: DN
      groupAttr: member
      nameAttr: cn

----------------------------------------------------------------------
Note:  Please be aware that unencrypted electronic mail is not secure. For this reason, please do not send any sensitive personal information such
as your address, driver license, policy number, Social Security Number, or claims information by unencrypted electronic mail. The information
contained in this message may be privileged and confidential and protected from disclosure.  If the reader of this message is not the intended recipient,
or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution
or copying of this communication is strictly prohibited.  If you have received this communication in error, please notify us immediately by replying
to the message and deleting it from your computer.  Thank you.
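Added example, not code from the thread and not Dex's or gangway's own code: a Python walk-through of the two-step userSearch / groupSearch resolution that Ian's connector config drives, run against a constructed directory, plus a small lint of the settings posted above. It shows why the posted log line ends in groups=[] until gangway requests the `groups` scope, and how `userAttr: DN` on the user entry is matched against `groupAttr: member` on group entries. Everything here is assumed or constructed: the DIRECTORY entries and sample DNs, the CONNECTOR layout (mirroring the posted YAML, with the working userAttr/groupAttr mapping but the `(objectClass=group)` filter so the toy matcher can evaluate it), the helper names (login, lint, resolve_user, resolve_groups), the filter evaluator (which handles only `(attr=value)` and `(&...)` and does no RFC 4515 escaping, unlike real Dex), and the lint finding that startTLS is inert when insecureNoSSL is set, which is my reading of the connector's dial order rather than something the thread states.

```python
"""Simulate Dex-style LDAP user/group resolution and lint the posted settings.
Added example; not Dex/gangway code. Constructed sample data throughout."""

# Constructed AD-style entries (sample data, not a real directory dump).
IAN_DN = "CN=Donaldson\\, Ian,OU=Users,OU=NGIC,DC=NGIC,DC=COM"
SVC_DN = "CN=svc-bind,OU=Users,OU=NGIC,DC=NGIC,DC=COM"
DIRECTORY = [
    {"dn": IAN_DN, "objectClass": ["top", "person", "user"], "cn": "Donaldson, Ian",
     "sAMAccountName": "i807154", "mail": "ian.donaldson@example.test"},
    {"dn": SVC_DN, "objectClass": ["top", "person", "user"], "cn": "svc-bind",
     "sAMAccountName": "svc-bind", "mail": ""},
    {"dn": "CN=k8s-admins,OU=Groups,OU=NGIC,DC=NGIC,DC=COM", "cn": "k8s-admins",
     "objectClass": ["top", "group"], "sAMAccountName": "k8s-admins", "member": [IAN_DN]},
    {"dn": "CN=finance,OU=Groups,OU=NGIC,DC=NGIC,DC=COM", "cn": "finance",
     "objectClass": ["top", "group"], "sAMAccountName": "finance", "member": [SVC_DN]},
]

# Connector shaped like the posted YAML (assumed layout; values from the thread).
CONNECTOR = {"config": {
    "host": "adldap.ngic.com:389", "insecureNoSSL": True,
    "insecureSkipVerify": True, "startTLS": True,
    "userSearch": {"baseDN": "OU=NGIC,DC=NGIC,DC=COM", "filter": "(objectClass=person)",
                   "username": "sAMAccountName", "idAttr": "DN",
                   "emailAttr": "mail", "nameAttr": "cn"},
    "groupSearch": {"baseDN": "OU=NGIC,DC=NGIC,DC=COM", "filter": "(objectClass=group)",
                    "userAttr": "DN", "groupAttr": "member", "nameAttr": "sAMAccountName"},
}}


def parse_filter(text):
    """Parse a tiny RFC 4515 subset: (attr=value) and (&(f1)(f2)...). No escaping."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters in filter: %r" % text[end:])
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if s[i + 1] == "&":
        i, subs = i + 2, []
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("unterminated AND at offset %d" % i)
        return ("and", subs), i + 1
    j = s.index(")", i)
    attr, _, value = s[i + 1:j].partition("=")   # first '=' splits attr from value
    return ("eq", attr, value), j + 1


def get_attr(entry, name):
    """Case-insensitive attribute lookup; 'DN' resolves to the entry's own DN."""
    if name.lower() in ("dn", "distinguishedname"):
        return [entry["dn"]]
    for key, val in entry.items():
        if key.lower() == name.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(entry, node):
    if node[0] == "and":
        return all(matches(entry, sub) for sub in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in get_attr(entry, attr))


def search(directory, base_dn, flt):
    """Subtree search: entries under base_dn that satisfy the filter."""
    node = parse_filter(flt)
    suffix = "," + base_dn.lower()
    return [e for e in directory if ("," + e["dn"].lower()).endswith(suffix) and matches(e, node)]


def resolve_user(directory, connector, username):
    """Step 1: the posted 'performing ldap search' line; exactly one hit required."""
    us = connector["config"]["userSearch"]
    hits = search(directory, us["baseDN"], "(&%s(%s=%s))" % (us["filter"], us["username"], username))
    return hits[0] if len(hits) == 1 else None


def resolve_groups(directory, connector, user_entry):
    """Step 2: userAttr of the user entry matched against groupAttr of group entries."""
    gs = connector["config"]["groupSearch"]
    groups = []
    for val in get_attr(user_entry, gs["userAttr"]):
        for g in search(directory, gs["baseDN"], "(&%s(%s=%s))" % (gs["filter"], gs["groupAttr"], val)):
            groups.extend(get_attr(g, gs["nameAttr"]))
    return groups


def login(directory, connector, username, scopes):
    """Mimic the 'login successful' line: groupSearch runs only with the groups scope."""
    user = resolve_user(directory, connector, username)
    if user is None:
        return None
    us = connector["config"]["userSearch"]
    return {"username": get_attr(user, us["nameAttr"])[0], "email": get_attr(user, us["emailAttr"])[0],
            "groups": resolve_groups(directory, connector, user) if "groups" in scopes else []}


def lint(connector, gangway_scopes):
    """Findings a reviewer would raise on the settings posted in the thread."""
    cfg, findings = connector["config"], []
    if "groups" not in gangway_scopes:
        findings.append("gangway scopes lack 'groups': Dex skips groupSearch, id_token carries groups=[]")
    if cfg.get("insecureNoSSL"):
        findings.append("insecureNoSSL: bind password and user passwords cross the wire in cleartext")
    if cfg.get("insecureSkipVerify"):
        findings.append("insecureSkipVerify: the LDAP server certificate is never verified")
    if cfg.get("insecureNoSSL") and cfg.get("startTLS"):
        findings.append("startTLS has no effect while insecureNoSSL is set (assumed dial order)")
    return findings


if __name__ == "__main__":
    for scopes in (["openid", "profile", "email"], ["openid", "profile", "email", "offline_access", "groups"]):
        print(scopes, "->", login(DIRECTORY, CONNECTOR, "i807154", scopes))
    for finding in lint(CONNECTOR, ["openid", "profile", "email", "offline_access"]):
        print("finding:", finding)
```

Running it prints one login result with groups=[] and one with ['k8s-admins'] for the same user, which is the difference the thread turned on; the lint output is what to look for when reviewing the connector before it reaches a cluster whose RBAC bindings will trust these group names.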

_______________________________________________
caasp-beta mailing list
caasp-beta at lists.suse.com
Check the mailing list archives or Unsubscribe at http://lists.suse.com/mailman/listinfo/caasp-beta