This post covers integrating OpenShift v3 with Microsoft Active Directory for user authentication. An Active Directory domain can be configured as an identity provider in OpenShift to provide centralized authentication. OpenShift can also utilize Active Directory groups for RBAC (Role Based Access Control).
An “openshift” user account was created in the Active Directory domain to support the bind operation.
Modify the OpenShift master configuration file (/etc/origin/master/master-config.yaml) and add the following identity provider entry:

```yaml
- name: "Active_Directory"
  challenge: true
  login: true
  provider:
    apiVersion: v1
    kind: LDAPPasswordIdentityProvider
    attributes:
      id:
      - dn
      email:
      - mail
      name:
      - cn
      preferredUsername:
      - uid
    bindDN: "cn=openshift,cn=users,dc=grt,dc=local"
    bindPassword: "[email protected]$$w0rd"
    insecure: true
    url: "ldap://grt.local:389/cn=users,dc=grt,dc=local?sAMAccountName"
```
bindDN: "cn=openshift,cn=users,dc=grt,dc=local"
The distinguished name of the openshift user account: its common name, followed by the OU of the account and the domain name.

bindPassword: "[email protected]$$w0rd"
The password of the openshift user account.

insecure: true
Whether the OpenShift master talks to the Domain Controller over an insecure (plaintext) or a secure connection. The secure method requires the Domain Controller to have an SSL certificate for LDAPS.

url: "ldap://grt.local:389/cn=users,dc=grt,dc=local?sAMAccountName"
The base search path for user accounts. The attribute after the ? (sAMAccountName) is the one matched against the login name a user types.
Restart the OpenShift master service
systemctl restart origin-master
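Before restarting the master it is worth checking the provider block for the two things that usually go wrong: the transport settings (insecure vs. ldap/ldaps) and the attribute mapping. The following pre-flight check is an added example, not code from the post or from OpenShift; it reads the block as a plain dict (the bind password is a constructed placeholder) and splits the LDAP URL the way OpenShift interprets it.

```python
from urllib.parse import urlparse

# Provider block from master-config.yaml as a dict; the password is a constructed placeholder.
PROVIDER = {
    "kind": "LDAPPasswordIdentityProvider",
    "attributes": {"id": ["dn"], "email": ["mail"], "name": ["cn"], "preferredUsername": ["uid"]},
    "bindDN": "cn=openshift,cn=users,dc=grt,dc=local",
    "bindPassword": "<bind password>",
    "insecure": True,
    "url": "ldap://grt.local:389/cn=users,dc=grt,dc=local?sAMAccountName",
}


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into the fields OpenShift reads: scheme, host, port, base DN, attribute, scope, filter."""
    u = urlparse(url)
    query = u.query.split("?")  # attribute?scope?filter, every part optional
    return {
        "scheme": u.scheme,
        "host": u.hostname,
        "port": u.port or (636 if u.scheme == "ldaps" else 389),
        "base_dn": u.path.lstrip("/"),
        "attribute": query[0] or "uid",
        "scope": query[1] if len(query) > 1 and query[1] else "sub",
        "filter": query[2] if len(query) > 2 and query[2] else "(objectClass=*)",
    }


def check_provider(p):
    """Return (level, message) findings for the transport and attribute settings of one provider block."""
    findings = []
    url = parse_ldap_url(p["url"])
    if url["scheme"] not in ("ldap", "ldaps"):
        findings.append(("ERROR", "url scheme must be ldap:// or ldaps://"))
    if url["scheme"] == "ldaps" and p.get("insecure"):
        findings.append(("ERROR", "insecure: true is not allowed with an ldaps:// url"))
    if url["scheme"] == "ldap" and p.get("insecure"):
        findings.append(("WARN", "insecure: true sends the bind password and every user's password in cleartext"))
    if not p.get("insecure") and not p.get("ca"):
        findings.append(("INFO", "TLS certificate is validated against the system trust store; set ca: for an internal CA"))
    if "uid" in p["attributes"].get("preferredUsername", []):
        findings.append(("WARN", "Active Directory accounts carry no uid attribute by default; sAMAccountName is the usual choice"))
    return findings


if __name__ == "__main__":
    print(parse_ldap_url(PROVIDER["url"]))
    for level, message in check_provider(PROVIDER):
        print(f"{level}: {message}")
```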
OpenShift Documentation https://docs.openshift.org/latest/installconfig/configuringauthentication.html