-
Language:
English
-
Language:
English
4.2. Creating Global Teams and Synchronizing with LDAP Groups
With the release of OpenShift Enterprise 2.1, you can create global teams and synchronize membership from an already existing source, such as an LDAP database. This enables you to have full control over global team membership. For example, if a global team is synchronized to an LDAP database, and a developer leaves your company, the privileges granted through the global team membership will be removed and you will be able to reassign or remove any of the individual's work across the platform.
Create global teams and synchronize membership with LDAP with the folowing procedure. However, a plain sync file can be created from any source to perform the same process if LDAP is not in use.
Note
This is a basic workflow. For more information, consult the
oo-admin-ctl-team
command man pages for detailed descriptions of each command shown in the following instructions.
Procedure 4.1. To Synchronize a Global Team with LDAP Groups:
- Create an LDAP configuration file in the
/etc/openshift/
directory. This file specifies how your instance will connect to the LDAP server and query for LDAP groups and group membership. - Create one or more global teams. If you are not using LDAP groups, then the
--maps-to
option can be specified as anything:#
oo-admin-ctl-team -c create --name Team_Name --maps-to cn=all,ou=Groups,dc=example,dc=com
Alternatively, you can create a global team straight from LDAP groups using the--groups
option. In this case, you must indicate your LDAP config file and the LDAP groups to create the global team from:#
oo-admin-ctl-team --config-file
/etc/openshift/File_Name.yml
-c create --groups Group_Name1,Group_Name2Example 4.1. Sample LDAP configuration File
Host: server.example.com Port: 389 Get-Group: Base: dc=example,dc=com Filter: (cn=<group_cn>) Get-Group-Users: Base: <group_dn> Attributes: [member] Get-User: Base: dc=example,dc=com Filter: (uid=<user_id>) Attributes: [emailAddress] Openshift-Username: emailAddress
Example 4.2. Sample Active Directory based LDAP configuration File
Host: server.example.com Port: 389 Username: CN=username.gen,OU=Generics,OU=Company Users,DC=company,DC=com Password: xxxxxxxxxxxxxx #get group entry so we can map team to the group distinguished name Get-Group: Base: dc=example,dc=com Filter: (cn=<group_cn>) #get all the users in the group Get-Group-Users: Base: <group_dn> Filter: (memberOf=<group_dn>) Attributes: [emailaddress] Openshift-Username: emailaddress
- Next, synchronize global team membership with LDAP:
#
This step can be performed in a cron job in order to regularly synchronize OpenShift Enterprise with LDAP.oo-admin-ctl-team --config-file
/etc/openshift/File_Name.yml
-c sync --create-new-users --remove-old-usersAlternatively, use a sync file to synchronize global team membership with LDAP with the following command:#
This command creates a file you can modify to suit your requirements. The format is the entity to act upon, an action, then the user names.oo-admin-ctl-team --config-file /etc/openshift/File_Name.yml -c sync-to-file --out-file teams.sync --create-new-users --remove-old-users
The following example sync file adds users to an OpenShift Enterprise instance, then adds them as members to the team named "myteam".Example 4.3. Synchronizing Global Team Membership with a Sync File
USER|ADD|user1 ... USER|ADD|user100 MEMBER|ADD|myteam|user1,...,user100
Alternatively, create this file from any source and sync team members from the specified file with the following command:#
oo-admin-ctl-team -c sync-from-file --in-file
teams.sync
4.2.1. Encrypting an LDAP Global Team Connection
When synchronizing a global team with LDAP groups, you can choose to encrypt all communication with the LDAP server by adding a parameter to the LDAP
.yml
file. This encrypts any communication between the LDAP client and server and is only intended for instances where the LDAP server is a trusted source. simple_tls
encryption establishes an SSL/TLS encryption with the LDAP server before any LDAP protocol data is exchanged, meaning that no validation of the LDAP server's SSL certificate is performed. Therefore, no errors are reported if the SSL certificate of the client is not trusted. If you have communication errors, see your LDAP server administrator.
To encrypt an LDAP and global team connection edit the
/etc/openshift/File_Name.yml
file and replace it with the following:
Host: server.example.com Port: 636 Encryption: simple_tls Get-Group: Base: dc=example,dc=com Filter: (cn=<group_cn>) Get-Group-Users: Base: <group_dn> Attributes: [member] Get-User: Base: dc=example,dc=com Filter: (uid=<user_id>) Attributes: [emailAddress] Openshift-Username: emailAddress
Note that the port must be changed from the initial example in Section 4.2, “Creating Global Teams and Synchronizing with LDAP Groups” to the above example for encryption to successfully occur. An LDAP server cannot support both plaintext and
simple_tls
connections on the same port.