Can I configure my OpenShift Enterprise nodes for LDAP or NIS based user authentication?

Solution Unverified - Updated -

Environment

  • OpenShift Enterprise (OSE) 2.x
  • Centralized user management (LDAP, NIS, etc)

Issue

The corporate policy mandates that all server systems must get user authentication/authorization information from our corporate directory system.

OpenShift Enterprise nodes must comply with the policy, so they are expected to have user information from the corporate directory.

Resolution

You must configure your OpenShift nodes to use a UID/GID range that does not conflict with the values used in the user database. See the article about Avoiding UID/GID Conflicts in OpenShift Enterprise for background about this.

The range of UIDs is specified in the broker configuration as DISTRICTS_FIRST_UID and DISTRICTS_MAX_CAPACITY in /etc/openshift/plugins.d/openshift-origin-msg-broker-mcollective.conf.
For backward compatibility the range should also be specified in the nodes via the GEAR_MIN_UID / GEAR_MAX_UID values in /etc/openshift/node.conf.

The correspondence of these values is:

DISTRICTS_FIRST_UID = GEAR_MIN_UID
DISTRICTS_MAX_CAPACITY = GEAR_MAX_UID - GEAR_MIN_UID

As an example, if your user database uses UIDs and GIDs below 4000, you could set:

Broker: /etc/openshift/plugins.d/openshift-origin-msg-broker-mcollective.conf:
  DISTRICTS_FIRST_UID=4000
  DISTRICTS_MAX_CAPACITY=6000

Nodes: /etc/openshift/node.conf:
  GEAR_MIN_UID=4000
  GEAR_MAX_UID=10000

Important Notes

  • Please review How do I plan or layout my OpenShift Nodes into districts for additional guidance in selecting a range/capacity for your districts.

  • OSE 2.0 has an upper limit of 65535 for OpenShift uids/gids, as per Bug 1064631. This means that the whole range of uids must be below 65535 in OSE 2.0, i.e. GEAR_MAX_UID must be lower than 65535. OSE 2.1 removes this restriction; the upper limit in 2.1 is RHEL's default (2^32).

  • Setting all these values is an initial configuration task. If you change these values on an environment that already has content (districts, apps, gears) you might need to recreate them.

Related bugs

At the time of this writing there are some bugs that affect this type of customization. Please keep the following in mind:

  • OSE 2.0 has Bug 1053485 that causes problems if your GID_MIN has been altered. To avoid this problem UID_* / GID_* in /etc/login.defs should be set to match the gear UID range too so that GID_MIN=GEAR_MIN_UID and GID_MAX=GEAR_MAX_UID. This bug was fixed in OSE 2.1.

  • To avoid Bug 1051015 for the time being please specify both GEAR_MIN_UID and UID_BEGIN in node.conf, both with the same value.
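The following script is an added example, not part of this solution or of OpenShift itself. It checks the relationships described in the Resolution section (DISTRICTS_FIRST_UID = GEAR_MIN_UID, DISTRICTS_MAX_CAPACITY = GEAR_MAX_UID - GEAR_MIN_UID), the OSE 2.0 limit of 65535, the /etc/login.defs and UID_BEGIN workarounds from the Related bugs section, and whether any account or group from the directory falls inside the gear range. All file paths are passed as arguments; the inputs below are constructed sample files, and the function names are this example's own. The gear range is treated as inclusive on both ends in the overlap check, which is an assumption made to stay on the safe side.

```shell
#!/bin/sh
# Added example (not Red Hat's code): sanity-check the gear UID/GID range against
# the broker config, /etc/login.defs and a passwd/group-format listing. Paths are
# arguments so the checks run on constructed samples here; on a real node pass the
# real files and a saved `getent passwd` / `getent group` dump.

# Print the last KEY=VALUE in a shell-style conf file (quotes stripped), or nothing.
conf_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Print the last "KEY VALUE" in a login.defs-style file, or nothing.
defs_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Broker district range must match the node gear range.
check_ranges() {        # $1 broker plugin conf, $2 node.conf
    first=$(conf_value "$1" DISTRICTS_FIRST_UID); cap=$(conf_value "$1" DISTRICTS_MAX_CAPACITY)
    min=$(conf_value "$2" GEAR_MIN_UID);          max=$(conf_value "$2" GEAR_MAX_UID)
    [ -n "$first" ] && [ -n "$cap" ] && [ -n "$min" ] && [ -n "$max" ] || { echo "missing value" >&2; return 1; }
    [ "$first" -eq "$min" ] || { echo "DISTRICTS_FIRST_UID $first != GEAR_MIN_UID $min" >&2; return 1; }
    [ "$cap" -eq $((max - min)) ] || { echo "DISTRICTS_MAX_CAPACITY $cap != $max - $min" >&2; return 1; }
}

# OSE 2.0 only: the whole range must stay below 65535 (Bug 1064631).
check_ose20_limit() {   # $1 node.conf
    max=$(conf_value "$1" GEAR_MAX_UID)
    [ -n "$max" ] && [ "$max" -lt 65535 ]
}

# Bug 1053485 / Bug 1051015 workarounds: login.defs UID_*/GID_* must match the gear
# range, and node.conf must carry UID_BEGIN equal to GEAR_MIN_UID.
check_login_defs() {    # $1 node.conf, $2 login.defs
    min=$(conf_value "$1" GEAR_MIN_UID); max=$(conf_value "$1" GEAR_MAX_UID)
    begin=$(conf_value "$1" UID_BEGIN)
    [ "$begin" = "$min" ] || { echo "UID_BEGIN ($begin) != GEAR_MIN_UID ($min)" >&2; return 1; }
    for k in UID_MIN GID_MIN; do
        v=$(defs_value "$2" "$k")
        [ "$v" = "$min" ] || { echo "$k ($v) != GEAR_MIN_UID ($min)" >&2; return 1; }
    done
    for k in UID_MAX GID_MAX; do
        v=$(defs_value "$2" "$k")
        [ "$v" = "$max" ] || { echo "$k ($v) != GEAR_MAX_UID ($max)" >&2; return 1; }
    done
}

# Report any directory entry (name:x:id:...) whose numeric id lies in the gear
# range. Treated as inclusive on both ends (assumption, conservative side).
check_overlap() {       # $1 node.conf, $2 passwd- or group-format listing
    min=$(conf_value "$1" GEAR_MIN_UID); max=$(conf_value "$1" GEAR_MAX_UID)
    awk -F: -v lo="$min" -v hi="$max" '
        $3 + 0 >= lo && $3 + 0 <= hi { printf "overlap: %s has id %s\n", $1, $3; bad = 1 }
        END { exit bad + 0 }' "$2"
}

# --- constructed sample inputs (not real files) ---
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
BROKER_CONF="$TMP/openshift-origin-msg-broker-mcollective.conf"
NODE_CONF="$TMP/node.conf"; LOGIN_DEFS="$TMP/login.defs"; DIR_PASSWD="$TMP/directory-passwd"
printf 'DISTRICTS_FIRST_UID=4000\nDISTRICTS_MAX_CAPACITY=6000\n' > "$BROKER_CONF"
printf 'GEAR_MIN_UID=4000\nGEAR_MAX_UID=10000\nUID_BEGIN=4000\n' > "$NODE_CONF"
printf 'UID_MIN 4000\nUID_MAX 10000\nGID_MIN 4000\nGID_MAX 10000\n' > "$LOGIN_DEFS"
# Two accounts below 4000 (fine) and one at 4200 that would clash with a gear.
cat > "$DIR_PASSWD" <<'EOF'
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:3999:3999:Bob:/home/bob:/bin/bash
svc-build:x:4200:4200:Build service:/srv/build:/sbin/nologin
EOF

run() { if "$@" 2>&1; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
run check_ranges "$BROKER_CONF" "$NODE_CONF"
run check_ose20_limit "$NODE_CONF"
run check_login_defs "$NODE_CONF" "$LOGIN_DEFS"
run check_overlap "$NODE_CONF" "$DIR_PASSWD"   # reports svc-build and fails
```

On a real node the overlap check is most useful against the complete directory view the node sees, i.e. `getent passwd` and `getent group` saved to files, since those include NIS/LDAP entries as well as local ones; run it against both, because gears consume gids as well as uids.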

Root Cause

OpenShift gears use local users and groups. The node code works with local user/group information only.

If your environment has a centralized user management system, that system is already managing users and groups centrally, and OpenShift is not supposed to interfere with it.

OpenShift checks uid/gid uniqueness only against the local node when assigning users/groups to gears. If the configured range of uids/gids overlaps with the range used by the centralized user management system, ids will clash, which causes operational problems for OpenShift.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.