8.2.2. Authenticating Using LDAP

Edit the /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf file on the broker host to authenticate OpenShift Enterprise users against an LDAP directory. The following procedure assumes that an Active Directory server already exists.
OpenShift Enterprise uses the Apache module mod_authnz_ldap to authenticate against directory servers, so any directory server that mod_authnz_ldap can query (Active Directory, OpenLDAP, Red Hat Directory Server and so on) can be used. Configure openshift-origin-auth-remote-user.conf on the broker host so that users of the broker API are checked against the directory while requests from node hosts, which authenticate to the broker by a separate mechanism, are still allowed through.
Alternatively, use the example configuration provided, specifying your existing LDAP service parameters. Use the following commands to locate the example configuration:
# cd /var/www/openshift/broker/httpd/conf.d/
# cp openshift-origin-auth-remote-user-ldap.conf.sample openshift-origin-auth-remote-user.conf
# vim openshift-origin-auth-remote-user.conf

Important

If you have installed the OpenShift Enterprise Management Console, or plan to install it, you must also make the same changes to the /var/www/openshift/console/httpd/conf.d/openshift-origin-auth-remote-user.conf file and restart the console application afterwards, just as the broker is restarted below.
The sample file contains a placeholder server and query that must be changed to match your LDAP service. The most important setting is AuthLDAPURL, which names the directory server, the search base, the attribute that holds the login name and the search filter. Use an ldaps:// URL (or the STARTTLS option of AuthLDAPURL) and configure mod_ldap to verify the server certificate, so that the Basic-auth passwords the broker receives are not relayed to the directory in cleartext; if the directory does not permit anonymous searches, bind with a dedicated low-privilege account rather than an administrative one. Ensure the LDAP server's firewall allows connections from the broker hosts. See the mod_authnz_ldap documentation at http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html for more information.
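The following is an added example of a completed openshift-origin-auth-remote-user.conf for an Active Directory domain; it is not the sample file shipped with OpenShift Enterprise, and the domain example.com, the domain controller dc01.example.com, the CA bundle path, the bind account svc-openshift and the group OpenShift Users are all assumed values that you must replace. The RewriteRule and passthrough lines for node hosts mirror what the shipped sample provides; compare them against the sample on your own broker host.

```apache
# Added example for openshift-origin-auth-remote-user.conf on the broker host.
# Not the shipped sample file. Assumed values: domain example.com,
# domain controller dc01.example.com, bind account svc-openshift,
# group "OpenShift Users" and the CA bundle /etc/openshift/ldap-ca.crt.
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Verify the directory server's certificate instead of trusting any
# ldaps:// peer that answers (mod_ldap directives, server-wide scope).
LDAPTrustedGlobalCert CA_BASE64 /etc/openshift/ldap-ca.crt
LDAPVerifyServerCert On

# Expose the authenticated user name as an environment variable
# for the broker, as the shipped sample does.
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]

<Location /broker>
    AuthName "OpenShift broker API"
    AuthType Basic
    AuthBasicProvider ldap

    # Active Directory: users log in with their sAMAccountName. Search the
    # whole domain subtree for user objects. ldaps:// keeps the Basic-auth
    # password encrypted between the broker and the directory.
    AuthLDAPURL "ldaps://dc01.example.com:636/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"

    # AD refuses anonymous searches; bind with a low-privilege service
    # account that can only read user and group objects. Because the
    # password sits in this file, keep the file readable by root and
    # the Apache user only.
    AuthLDAPBindDN "cn=svc-openshift,ou=Service Accounts,dc=example,dc=com"
    AuthLDAPBindPassword "change-me"

    # Restrict the broker to members of one AD group instead of every
    # directory account ("require valid-user" would admit all of them).
    # AD stores member DNs in the "member" attribute, which is one of
    # mod_authnz_ldap's defaults for AuthLDAPGroupAttribute.
    Require ldap-group cn=OpenShift Users,ou=Groups,dc=example,dc=com

    # Node hosts and Bearer-token clients authenticate to the broker in
    # its own code, not through LDAP; let those requests through here.
    SetEnvIfNoCase Authorization Bearer passthrough
    BrowserMatch Openshift passthrough
    Allow from env=passthrough

    Order Deny,Allow
    Deny from all
    Satisfy any
</Location>
```

After editing, run httpd -t against the broker's configuration to catch syntax errors before restarting, and test with one directory account that is in the group and one that is not: the first should reach the broker API and the second should receive a 401 response.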
Restart the broker application for the changes to take effect:
# service openshift-broker restart

Note

With this method, user accounts and passwords are administered in your LDAP service. The broker does not store credentials for these users, so adding, disabling or removing a user, or changing a password, is done in the directory, not on the broker host.