OpenShift Origin Active Directory Integration

This post covers integrating OpenShift v3 with Microsoft Active Directory for user authentication. An Active Directory domain can be configured as an identity provider in OpenShift to provide centralized authentication. OpenShift can also utilize Active Directory groups for RBAC (Role Based Access Control).

An “openshift” user account was created in the Active Directory domain to support the bind operation.

Modify the OpenShift master configuration file (/etc/origin/master/master-config.yaml)

  - name: "Active_Directory"
    challenge: true
    login: true
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
        - dn
        - mail
        - cn
        - uid
      bindDN: "cn=openshift,cn=users,dc=grt,dc=local"
      bindPassword: "[email protected]$$w0rd"
      insecure: true
      url: "ldap://grt.local:389/cn=users,dc=grt,dc=local?sAMAccountName"

bindDN: “cn=openshift,cn=users,dc=grt,dc=local”

The common name of the openshift user account followed by the OU of the account and the domain name.

bindPassword: “[email protected]$w0rd”

The password of the openshift user account.

insecure: true
The setting for whether an insecure or secure communication should be used between the OpenShift master and the Domain Controller. The secure method requires the Domain Controller to utilize a SSL certificate for LDAPS.

url: “ldap://grt.local:389/cn=users,dc=grt,dc=local?sAMAccountName”
The base search path for user accounts.

Restart the OpenShift master service

systemctl restart origin-master


OpenShift Documentation