4.2. Creating Global Teams and Synchronizing with LDAP Groups

With the release of OpenShift Enterprise 2.1, you can create global teams and synchronize membership from an already existing source, such as an LDAP database. This enables you to have full control over global team membership. For example, if a global team is synchronized to an LDAP database, and a developer leaves your company, the privileges granted through the global team membership will be removed and you will be able to reassign or remove any of the individual's work across the platform.

Create global teams and synchronize membership with LDAP with the folowing procedure. However, a plain sync file can be created from any source to perform the same process if LDAP is not in use.

Note

This is a basic workflow. For more information, consult the oo-admin-ctl-team command man pages for detailed descriptions of each command shown in the following instructions.

Procedure 4.1. To Synchronize a Global Team with LDAP Groups:

Create an LDAP configuration file in the /etc/openshift/ directory. This file specifies how your instance will connect to the LDAP server and query for LDAP groups and group membership.

Create one or more global teams. If you are not using LDAP groups, then the --maps-to option can be specified as anything:

# oo-admin-ctl-team -c create --name Team_Name --maps-to cn=all,ou=Groups,dc=example,dc=com

Alternatively, you can create a global team straight from LDAP groups using the --groups option. In this case, you must indicate your LDAP config file and the LDAP groups to create the global team from:

# oo-admin-ctl-team --config-file /etc/openshift/File_Name.yml -c create --groups Group_Name1,Group_Name2

Example 4.1. Sample LDAP configuration File

Host: server.example.com
Port: 389
Get-Group:
	Base: dc=example,dc=com
	Filter: (cn=<group_cn>)
Get-Group-Users:
	Base: <group_dn>
	Attributes: [member]
Get-User:
	Base: dc=example,dc=com
	Filter: (uid=<user_id>)
	Attributes: [emailAddress]
Openshift-Username: emailAddress

Example 4.2. Sample Active Directory based LDAP configuration File

Host: server.example.com
Port: 389
Username: CN=username.gen,OU=Generics,OU=Company Users,DC=company,DC=com
Password: xxxxxxxxxxxxxx

#get group entry so we can map team to the group distinguished name
Get-Group: 
	Base: dc=example,dc=com
	Filter: (cn=<group_cn>)

#get all the users in the group
Get-Group-Users:
	Base: <group_dn>
	Filter: (memberOf=<group_dn>)
	Attributes: [emailaddress]

Openshift-Username: emailaddress

Next, synchronize global team membership with LDAP:
```
# oo-admin-ctl-team --config-file /etc/openshift/File_Name.yml -c sync --create-new-users --remove-old-users
```
This step can be performed in a cron job in order to regularly synchronize OpenShift Enterprise with LDAP.
Alternatively, use a sync file to synchronize global team membership with LDAP with the following command:
```
# oo-admin-ctl-team --config-file /etc/openshift/File_Name.yml -c sync-to-file --out-file teams.sync --create-new-users --remove-old-users
```
This command creates a file you can modify to suit your requirements. The format is the entity to act upon, an action, then the user names.
The following example sync file adds users to an OpenShift Enterprise instance, then adds them as members to the team named "myteam".
Example 4.3. Synchronizing Global Team Membership with a Sync File
```
USER|ADD|user1
...
USER|ADD|user100
MEMBER|ADD|myteam|user1,...,user100
```
Alternatively, create this file from any source and sync team members from the specified file with the following command:
```
# oo-admin-ctl-team -c sync-from-file --in-file teams.sync
```

4.2.1. Encrypting an LDAP Global Team Connection

When synchronizing a global team with LDAP groups, you can choose to encrypt all communication with the LDAP server by adding a parameter to the LDAP .yml file. This encrypts any communication between the LDAP client and server and is only intended for instances where the LDAP server is a trusted source. simple_tls encryption establishes an SSL/TLS encryption with the LDAP server before any LDAP protocol data is exchanged, meaning that no validation of the LDAP server's SSL certificate is performed. Therefore, no errors are reported if the SSL certificate of the client is not trusted. If you have communication errors, see your LDAP server administrator.

To encrypt an LDAP and global team connection edit the /etc/openshift/File_Name.yml file and replace it with the following:

Host: server.example.com
Port: 636
Encryption: simple_tls
Get-Group:
	Base: dc=example,dc=com
	Filter: (cn=<group_cn>)
Get-Group-Users:
	Base: <group_dn>
	Attributes: [member]
Get-User:
	Base: dc=example,dc=com
	Filter: (uid=<user_id>)
	Attributes: [emailAddress]
Openshift-Username: emailAddress

Note that the port must be changed from the initial example in Section 4.2, “Creating Global Teams and Synchronizing with LDAP Groups” to the above example for encryption to successfully occur. An LDAP server cannot support both plaintext and simple_tls connections on the same port.

Where did the comment section go?

Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

4.2. Creating Global Teams and Synchronizing with LDAP Groups

4.2.1. Encrypting an LDAP Global Team Connection

Where did the comment section go?