How to re-sync LDAP groups with a different LDAP server?

Solution Verified - Updated -

Environment

  • OpenShift Container Platform 4
  • OpenShift Container Platform 3.5 ~ 3.11

Issue

  • When the LDAP server has to be replaced by a new LDAP server whose hostname differs from the previous one, OpenShift needs to re-sync its groups with the new server. However, the sync fails with the following message:
openshift.io/ldap.host label did not match sync host: wanted old-ldap.example.com, got new-ldap.example.com.
  • How to re-sync LDAP groups with the new LDAP server?

Resolution

  • For RHOCP 4, follow steps 0 to 4 below. For RHOCP 3.5 ~ 3.11, follow steps 5 and 6 as well (they update the LDAP identity provider in master-config.yaml; in RHOCP 4 the identity provider is configured in the OAuth cluster resource instead, and the group sync does not depend on it).

  • Synchronizing LDAP groups only creates Group objects on the OpenShift side. Each synced group records where it came from: the LDAP host in the openshift.io/ldap.host label and host:port in the openshift.io/ldap.url annotation. The sync refuses to update a group whose label does not match the host in the sync config, which is the error above. Either delete the Group objects and sync from scratch against the new server, or, as below, rewrite the label and annotation on the existing groups and re-sync. The second option assumes the same groups exist under the same DNs on the new server; if the directory layout changed, delete and re-create the groups instead.

NOTE: Try these commands on a sandbox first before applying them to production.

0. Back up data

oc get groups -o yaml > group_list.yaml
oc get identity -o yaml > identity_list.yaml
oc get users -o yaml > user_list.yaml

1. Update group information:

export ORIGINAL_SERVER_URL=ldap2.example.com:389     # Old ldap information (host:port, exactly as stored in the openshift.io/ldap.url annotation)
export NEW_SERVER_URL=ldap.example.com:389           # New ldap information

for group in $( oc get groups -o name ); do
    # Groups created by hand have no ldap.url annotation; they are skipped because the value does not match.
    ldap_url=$( oc get "${group}" -o go-template=$'{{index .metadata.annotations "openshift.io/ldap.url"}}' )

    if [[ "${ldap_url}" == "${ORIGINAL_SERVER_URL}" ]]; then
        echo ""
        echo "*** ${ldap_url} of ${group} is changed to ${NEW_SERVER_URL} ***"
        echo ""
        # The annotation holds host:port; the label holds only the host, and the
        # sync refuses to update a group whose label differs from the new sync host.
        oc annotate "${group}" "openshift.io/ldap.url=${NEW_SERVER_URL}" --overwrite
        oc label "${group}" "openshift.io/ldap.host=${NEW_SERVER_URL%%:*}" --overwrite
    fi
done

2. Update sync-config.yaml so that its url points at the new server. The host (and port) here must match the value written to the groups in step 1, because the sync compares its host with the openshift.io/ldap.host label:

kind: LDAPSyncConfig
....
url: ldap://ldap.example.com:389        <=== New ldap information
...
..

3. Sync groups (dry-run). Without --confirm the command only prints the groups it would create or update, so check that the expected groups and members show up (the command is `oc adm groups sync` on RHOCP 4; on RHOCP 3.x the deprecated `oadm` alias also works):

oc adm groups sync --sync-config=/usr/local/src/sync-config.yaml

4. Sync groups (confirm) if there are no issues and the data is correct:

oc adm groups sync --sync-config=/usr/local/src/sync-config.yaml --confirm
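The loop in step 1 applies its changes while it runs. As an added example, not part of the original article, the script below separates planning from execution: it reads a plain "NAME URL" listing of the groups, prints the `oc annotate` / `oc label` pairs that would re-point the groups still annotated with the old server, and touches nothing, so the list can be reviewed (and compared with group_list.yaml from step 0) before it is piped to `sh`. The listing command in the header comment, the host/port values and the sample groups are assumptions made for the example; it also covers a port change (ldap 389 to ldaps 636) and bracketed IPv6 hosts, which `cut -d: -f1` would mishandle.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: a dry-run planner for step 1.
# Assumed way to produce the "NAME URL" listing on a real cluster:
#   oc get groups --no-headers \
#     -o custom-columns='NAME:.metadata.name,URL:.metadata.annotations.openshift\.io/ldap\.url'
set -eu

# Host part of the host:port value stored in the openshift.io/ldap.url annotation.
# Unlike `cut -d: -f1`, this also handles bracketed IPv6 literals such as [2001:db8::1]:636.
ldap_host_of() {
    hostport=$1
    case "$hostport" in
        \[*\]:*) hostport=${hostport%%]*}; printf '%s\n' "${hostport#[}" ;;
        *)       printf '%s\n' "${hostport%%:*}" ;;
    esac
}

# plan_group_updates OLD NEW < listing
# Prints one `oc annotate` + `oc label` pair per group whose URL equals OLD.
# Groups with another URL, or with no annotation (custom-columns prints <none>),
# are left alone. Nothing is executed here; pipe the output to `sh` once reviewed.
plan_group_updates() {
    old=$1
    new=$2
    newhost=$(ldap_host_of "$new")
    while read -r group url; do
        [ -n "$group" ] || continue
        if [ "$url" = "$old" ]; then
            printf 'oc annotate group/%s openshift.io/ldap.url=%s --overwrite\n' "$group" "$new"
            printf 'oc label group/%s openshift.io/ldap.host=%s --overwrite\n' "$group" "$newhost"
        fi
    done
}

# Constructed sample listing (not real cluster output): two groups synced from the
# old server, one locally created group without the annotation, one from a third server.
SAMPLE_GROUPS='developers    old-ldap.example.com:389
admins        old-ldap.example.com:389
local-admins  <none>
qa            other-ldap.example.com:389'

# Move the old-server groups to new-ldap.example.com and switch to port 636 (ldaps)
# at the same time, which is why the annotation, not only the label, has to change.
demo_plan() {
    printf '%s\n' "$SAMPLE_GROUPS" | plan_group_updates old-ldap.example.com:389 new-ldap.example.com:636
}

demo_plan
```

Running it prints four commands, two for developers and two for admins; local-admins (no annotation) and qa (a different server) are not touched. Replace `demo_plan` with the real listing piped into `plan_group_updates OLD NEW`, review the output, then run it with `sh` and continue with step 2.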

5. Update master-config.yaml on all master servers.

  - challenge: true
    login: true
    name: ldap
    .....
     url: ldap://ldap.example.com:389/dc=example,dc=com?uid     <== New ldap information (only change hostname)

6. Restart the API server on all master servers. On RHOCP 3.5 ~ 3.9 it is a systemd unit (atomic-openshift-master on a single-master install of 3.6 or earlier):

systemctl restart atomic-openshift-master-api

On RHOCP 3.10 and 3.11 the API server runs as a static pod and is restarted with:

master-restart api

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
