LDAP Sync TODO list

[stevekuznetsov]

Dev-cut:

• create LDAPInterface for Active Directory schema (@deads2k) ldap sync active directory #4972
• install OpenLDAP client on Jenkins so that our sync jobs can mutate LDAP at will with bash calls (@deads2k) add openldap-clients and jq vagrant-openshift#336
• create LDAPInterface for enhanced AD schema (FTF) Augmented AD ldap sync #5086
• union name mapper (some defined by users, others by rule) (FTF) @deads2k Union group mapper #5100
• extended test for: union name mapper (FTF) @deads2k Union group mapper #5100
• extended test for: pin OpenShift Group name for LDAP sync - sync OpenShift group to same UID (don't change LDAPUID annotation if LDAP group changes) (@deads2k) pin openshift group name mappings when referencing from openshift groups #5108
• blacklist {OpenShift,LDAP} groups from sync (@deads2k) pin openshift group name mappings when referencing from openshift groups #5108

---

• add ldap entries for other schema to image (@stevekuznetsov) added LDAP entries for other schemas #4923
• add memberof overlay to openldap image (@stevekuznetsov) add memberof and refint overlays openldap#10
• add test schema to openldap image (@stevekuznetsov) added test schema openldap#11
• extended test for: whitelist defined in {file,paramters} from {OpenShift,LDAP} (@stevekuznetsov) add extended tests for LDAP sync #5047
• extended test for: user-defined mapping from LDAP UID to OpenShift UID (@stevekuznetsov) add extended tests for LDAP sync #5047
• documentation for {rfc2307,ad,augmented-ad} exposed config (@stevekuznetsov) added LDAP sync doc openshift-docs#1066
• add a label to the sync job for the host (@stevekuznetsov) add an LDAP host label #5101

---

Post dev-cut:

• remove Ginkgo tests, clean up authentication.sh (@stevekuznetsov) removed useless ginkgo test for LDAP #5110
• add sane readiness check to LDAP server pod added readiness check to LDAP server pod #5064
• clean up help text (@stevekuznetsov) fix group-sync help text #5099
• delete orphaned groups from OpenShift records (--prune) (@stevekuznetsov /FTF) implemented LDAP group pruning and added unit testing for LDAP group parts #5145
• extended test for: delete orphaned groups (determine orphanage from OpenShift records) (@stevekuznetsov /FTF) implemented LDAP group pruning and added unit testing for LDAP group parts #5145
• bash autocompletion for sync-groups (@stevekuznetsov) added bash autocompletion for ldap sync config #5174
• use internal git server to push current branch so that we can use updated files on extended tests (@stevekuznetsov)
• change valid*.txt --> valid*.yaml (@stevekuznetsov)
• allow OpenLDAP image to support upgrate to TLS (@stevekuznetsov)
• extended test for: secured LDAP (@stevekuznetsov)
• pretty-print sync config validation results (@stevekuznetsov)
• handle nested groups by flattening (@stevekuznetsov) documenting (@enj)
• Better LDAP failover handling RFE per LDAP Sync TODO list #4851 (comment) denied per https://bugzilla.redhat.com/show_bug.cgi?id=1459046

[deads2k]

@stevekuznetsov Schema1 works with an exposed config. Once you get enough tests done for it, we can claim the trello card.

[deads2k]

"install openldap client" - openshift/vagrant-openshift#336

[deads2k]

Need union group name mappings to allow user-defined if present and attributes otherwise.

Also, we need to make a label of the hostname on groups we sync. Its not perfect, but its better than nothing.

We also need to add a custom --label flag to add custom labels.

[stevekuznetsov]

We need to find a way to mutate the host to be a label, previously there was the issue of formatting (labels can't have colons? I can't remember).

[deads2k]

We need to find a way to mutate the host to be a label, previously there was the issue of formatting (labels can't have colons? I can't remember).

Yeah, we couldn't do host:port, but we need some kind of selector. We'll do host by default (which should work) and we'll leave custom labels for people doing crazy things.

[lypht]

Happy New Year, all! Is there a branch that is in sync with the Openshift Origin documentation? Running oadm groups sync --type=openshift --sync-config=foo.yml as per these instructions throws unknown command: sync and unknown flag: --type errors respectively. We have validated that the command fails on both a libvirt bin/cluster development build and a GCE BYO stack, both built from openshift/openshift-ansible.

[stevekuznetsov]

@lypht Current Origin HEAD is in sync with the documentation, and the last changes for this command were made in commit stevekuznetsov@6eb1b36, merged fifteen days ago. Perhaps the build is picking up an older version? Does openshift ex sync-groups work in place of oadm groups sync?

[lypht]

Thanks, Steve. It looks like what is being deployed through Ansible is from December 2nd. Should I build from origin source to get these commits?

[stevekuznetsov]

The version from December 2nd should have LDAP group sync, but oadm groups sync is invoked with openshift ex sync-groups, but unless you upgrade to at least December 9th (d2c5199), you won't have oadm groups prune. I'd suggest you use the latest version you can.

[lypht]

Thanks again. If I run the upgrade playbook from BYO, will it pull the latest stable, or is this only for versioning if not on 1.1?

[stevekuznetsov]

I'm not certain about that, @sdodson could you please chime in?

[sdodson]

Thanks again. If I run the upgrade playbook from BYO, will it pull the latest stable, or is this only for versioning if not on 1.1?

The playbooks, unless you specify that you want a containerized install, rely on RPMs for installation and those are only built for tagged releases. If you like you can add containerized=true and give that a shot but it's definitely a less tested path at this point.

https://github.com/openshift/openshift-ansible/blob/master/README_CONTAINERIZED_INSTALLATION.md documents containerized installation.

[lypht]

openshift ex sync-groups works. Thanks again!

[stevekuznetsov]

@lypht glad to hear! Feel free to send other feedback or thoughts to me on GitHub or to our mailing list.

[pweil-]

nested groups doc https://docs.openshift.org/latest/install_config/syncing_groups_with_ldap.html#sync-ldap-nested-example

@stevekuznetsov close or send this @enj's way?

[stevekuznetsov]

@enj you are very welcome

[aneagoe]

I'm not really sure where a RFE would fit, but it's highly related to this topic.
There doesn't seem to be a way to define multiple ldap URLs and the proposed way to handle redundancy is far from ideal (https://docs.openshift.com/container-platform/3.6/install_config/advanced_ldap_configuration/sssd_for_ldap_failover.html) since it requires configuration of additional infrastructure (two additional servers, httpd as proxy, integration of said servers with ldap and clustering to move a virtual IP between). Ideally, one should just be able to specify the additional URLs in the config and have openshift failover if the first one fails. Can this be integrated into this TODO list or where should I submit such request?

[enj]

@aneagoe I added it as a TODO item at the top, but you are welcome to submit an RFE to https://bugzilla.redhat.com. Any changes to LDAP are low priority and are unlikely to be addressed at this time.

[rjhowe]

@aneagoe This was already proposed and denied keeping with the proposed way outlined in the doc link you provided. Bug/RFE 1459046

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[stevekuznetsov]

RIP 🌹

[enj]

/unassign

@stlaz @sttts @mfojtik