Introduction
In OpenShift 4.10, a new capability was added to import groups from an identity provider (IDP). With LDAP, for example, you can import the groups a user is a member of, which lets you define RBAC on the managed cluster in terms of your IDP groups instead of binding roles to individual users.
LDAP Configuration
In the AuthRealm, you can add a section that tells the identity provider how to query the groups a user belongs to.
Say, for example, that your LDAP directory contains these two entries (shown in LDIF):
# testuser, example.com
dn: cn=testuser,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
sn: user
cn: test
cn: testuser
mail: testuser@example.com
userPassword:: Zm9vYmFy

# mygroup, example.com
dn: cn=mygroup,dc=example,dc=com
objectClass: groupOfNames
cn: mygroup
member: cn=testuser,dc=example,dc=com
To import the groups, add an ldapExtraConfigs section to your AuthRealm, keyed by the name of the LDAP identity provider it applies to:
ldapExtraConfigs:
  <your_idp_name>:
    baseDN: dc=example,dc=com
    filter: (objectClass=person)
    groupSearch:
      baseDN: dc=example,dc=com
      filter: (objectClass=groupOfNames)
      nameAttr: cn
      userMatchers:
      - groupAttr: member
        userAttr: DN
The baseDN and filter select the user entries; groupSearch selects the candidate group entries. The userMatchers entry means a user belongs to a group when the group's member attribute contains the user's DN, and nameAttr picks the attribute (here cn) that becomes the OpenShift group name. Keep the groupSearch baseDN and filter as narrow as possible: any entry that matches them and lists the user's DN grants that user the group's RBAC.
Now when the user testuser@example.com logs in, the group mygroup is created automatically on the managed cluster. You can verify this by logging in to the managed cluster with the admin role and running:
oc get groups
or, if you have cm-cli installed, from the hub:
cm with cc <your_clusterclaim_name> -- oc get groups
Result:
NAME      USERS
mygroup   testuser@example.com
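To see what the groupSearch settings above actually do before you wire them into an AuthRealm, here is an added example (not code from this page, the AuthRealm operator, or OpenShift) that replays the lookup offline in Python. It parses the two LDIF entries from the page (embedded as constructed sample data), applies the ldapExtraConfigs settings, and returns the group names a login would create. Assumptions: the login name is taken from the mail attribute (the username attribute is configured on the identity provider itself, not in ldapExtraConfigs), only the simple (attr=value) filter form used on this page is supported, and matching is done locally, whereas the real connector hands the group search to the LDAP server.

```python
# Added example: resolve LDAP group membership the way the AuthRealm groupSearch
# settings describe it. Not code from the page or the project; the "mail" login
# attribute and the local filter evaluation are assumptions (see lead-in).
import base64
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample: the two entries shown on the page, as LDIF.
SAMPLE_LDIF = """\
# testuser, example.com
dn: cn=testuser,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
sn: user
cn: test
cn: testuser
mail: testuser@example.com
userPassword:: Zm9vYmFy

# mygroup, example.com
dn: cn=mygroup,dc=example,dc=com
objectClass: groupOfNames
cn: mygroup
member: cn=testuser,dc=example,dc=com
"""

# The ldapExtraConfigs block from the page (for one IDP), as a dict.
EXTRA_CONFIG = {
    "baseDN": "dc=example,dc=com",
    "filter": "(objectClass=person)",
    "groupSearch": {
        "baseDN": "dc=example,dc=com",
        "filter": "(objectClass=groupOfNames)",
        "nameAttr": "cn",
        "userMatchers": [{"groupAttr": "member", "userAttr": "DN"}],
    },
}


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: a blank line separates entries, '::' marks a base64 value."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines() + [""]:  # the trailing "" flushes the last entry
        line = line.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        if ":: " in line:
            attr, value = line.split(":: ", 1)
            value = base64.b64decode(value).decode()
        else:
            attr, value = line.split(": ", 1)
        current.setdefault(attr.lower(), []).append(value)  # attribute names are case-insensitive
    return entries


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: DN matching ignores case and spacing around RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_base(dn: str, base_dn: str) -> bool:
    """True if dn is the base itself or lies below it (subtree scope)."""
    n, b = norm_dn(dn), norm_dn(base_dn)
    return n == b or n.endswith("," + b)


def matches(entry: Entry, ldap_filter: str) -> bool:
    """Evaluate the simple equality filter form used on the page: (attr=value)."""
    body = ldap_filter.strip()
    if not (body.startswith("(") and body.endswith(")") and "=" in body) or body[1] in "&|!":
        raise ValueError(f"only (attr=value) filters are handled here: {ldap_filter}")
    attr, value = body[1:-1].split("=", 1)
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))


def find_user_dn(entries, cfg, username, username_attr="mail") -> Optional[str]:
    """Locate the user entry under baseDN/filter whose login attribute equals username."""
    for e in entries:
        if (in_base(e["dn"][0], cfg["baseDN"]) and matches(e, cfg["filter"])
                and username.lower() in (v.lower() for v in e.get(username_attr, []))):
            return e["dn"][0]
    return None


def resolve_groups(entries, user_dn, group_search) -> List[str]:
    """Names (nameAttr) of groups whose groupAttr holds the user's userAttr value.

    Approximates the per-matcher search the connector sends to the server:
    (&(<groupSearch.filter>)(<groupAttr>=<user value>)) scoped to groupSearch.baseDN.
    """
    user = next((e for e in entries if norm_dn(e["dn"][0]) == norm_dn(user_dn)), None)
    if user is None:
        return []
    groups: List[str] = []
    for entry in entries:
        if not in_base(entry["dn"][0], group_search["baseDN"]):
            continue
        if not matches(entry, group_search["filter"]):
            continue
        for m in group_search["userMatchers"]:
            # userAttr "DN" is special: it means the user's DN, not an attribute value.
            if m["userAttr"].upper() == "DN":
                user_values = [user["dn"][0]]
            else:
                user_values = user.get(m["userAttr"].lower(), [])
            group_values = entry.get(m["groupAttr"].lower(), [])
            if any(norm_dn(u) == norm_dn(g) for u in user_values for g in group_values):
                groups.extend(entry.get(group_search["nameAttr"].lower(), []))
                break  # one matcher hit is enough for this group
    return groups


def groups_for_login(entries, cfg, username) -> List[str]:
    """End-to-end: login name -> user DN -> OpenShift group names that would be created."""
    user_dn = find_user_dn(entries, cfg, username)
    return resolve_groups(entries, user_dn, cfg["groupSearch"]) if user_dn else []


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print(groups_for_login(directory, EXTRA_CONFIG, "testuser@example.com"))  # ['mygroup']
```

Against a live directory the same check is an ldapsearch with the group filter and the matcher combined, for example `(&(objectClass=groupOfNames)(member=cn=testuser,dc=example,dc=com))` under the groupSearch baseDN, requesting the cn attribute; if that search returns nothing, the login will not create any group either. Note that the bind account used for these searches only needs read access, and that whoever can write the member attribute of a groupOfNames under the groupSearch baseDN can hand out the cluster RBAC tied to that group.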