14.2. Running LDAP sync

Once you have created a sync configuration file, you can begin to sync. OpenShift Container Platform allows administrators to perform a number of different sync types with the same server.

14.2.1. Syncing the LDAP server with OpenShift Container Platform

You can sync all groups from the LDAP server with OpenShift Container Platform.

Prerequisites

  • Create a sync configuration file.

Procedure

  • To sync all groups from the LDAP server with OpenShift Container Platform: 

    $ oc adm groups sync --sync-config=config.yaml --confirm
    注意

    By default, all group synchronization operations are dry-run, so you must set the --confirm flag on the oc adm groups sync command in order to make changes to OpenShift Container Platform group records.

14.2.2. Syncing OpenShift Container Platform groups with the LDAP server

You can sync all groups already in OpenShift Container Platform that correspond to groups in the LDAP server specified in the configuration file.

Prerequisites

  • Create a sync configuration file.

Procedure

  • To sync OpenShift Container Platform groups with the LDAP server: 

    $ oc adm groups sync --type=openshift --sync-config=config.yaml --confirm
    注意

    By default, all group synchronization operations are dry-run, so you must set the --confirm flag on the oc adm groups sync command in order to make changes to OpenShift Container Platform group records.

14.2.3. Syncing subgroups from the LDAP server with OpenShift Container Platform

You can sync a subset of LDAP groups with OpenShift Container Platform using whitelist files, blacklist files, or both.

注意

You can use any combination of blacklist files, whitelist files, or whitelist literals. Whitelist and blacklist files must contain one unique group identifier per line, and you can include whitelist literals directly in the command itself. These guidelines apply to groups found on LDAP servers as well as groups already present in OpenShift Container Platform.

Prerequisites

  • Create a sync configuration file.

Procedure

  • To sync a subset of LDAP groups with OpenShift Container Platform, use any the following commands: 

    $ oc adm groups sync --whitelist=<whitelist_file> \
                   --sync-config=config.yaml      \
                   --confirm
    $ oc adm groups sync --blacklist=<blacklist_file> \
                   --sync-config=config.yaml      \
                   --confirm
    $ oc adm groups sync <group_unique_identifier>    \
                   --sync-config=config.yaml      \
                   --confirm
    $ oc adm groups sync <group_unique_identifier>  \
                   --whitelist=<whitelist_file> \
                   --blacklist=<blacklist_file> \
                   --sync-config=config.yaml    \
                   --confirm
    $ oc adm groups sync --type=openshift           \
                   --whitelist=<whitelist_file> \
                   --sync-config=config.yaml    \
                   --confirm
    注意

    By default, all group synchronization operations are dry-run, so you must set the --confirm flag on the oc adm groups sync command in order to make changes to OpenShift Container Platform group records.