RE: OpenShift Origin Active Directory Authentication

2017-07-12 Thread Werner, Mark
Hi, I have just gotten past the issue with the master not starting or 
restarting. It starts now. But I am trying to log in with an AD account and 
receive Authentication Error Occurred. Not sure what the syntax should be. I 
try domain\username and username@domain.local, or just username.



Mark Werner | Senior Systems Engineer | Cloud & Infrastructure Services

Unisys | Mobile Phone 586.214.9017 | mark.wer...@unisys.com

11720 Plaza America Drive, Reston, VA 20190






THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is for use only by the intended recipient. If you received this 
in error, please contact the sender and delete the e-mail and its attachments 
from all devices.




From: Rodrigo Bersa [mailto:rbe...@redhat.com]
Sent: Wednesday, July 12, 2017 3:00 PM
To: Javier Palacios <jpalac...@net4things.com>
Cc: Werner, Mark <mark.wer...@unisys.com>; users@lists.openshift.redhat.com
Subject: Re: OpenShift Origin Active Directory Authentication



Hi Mark,

I believe maybe the syntax is not right.

Could you try this?

oauthConfig:
  assetPublicURL: https://master.domain.local:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: Active_Directory
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id:
        - dn
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: "cn=openshift,cn=users,dc=domain,dc=local"
      bindPassword: "password"
      insecure: true
      url: ldap://dc.domain.local:389/cn=users,dc=domain,dc=local?uid
  masterPublicURL: https://master.domain.local:8443
  masterURL: https://master.domain.local:8443



Best regards,




Rodrigo Bersa

Cloud Consultant, RHCVA, RHCE

Red Hat Brasil

rbe...@redhat.com   M: +55 11 99557-5841

TRIED. TESTED. TRUSTED.







On Wed, Jul 12, 2017 at 2:15 PM, Javier Palacios <jpalac...@net4things.com> wrote:


> I did try sAMAccountName at first and was getting the same results. Then I
> had read that variable was for older Windows machines so I tried uid as that
> was the other example I saw.

The relevant part of my master-config.yaml is below, and apart from using 
ldaps, I don't see any other difference. If the uid attribute is valid on your 
schema, yours seems ok.

Javier Palacios

  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: n4tdc1
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - cn
        preferredUsername:
        - sAMAccountName
      bindDN: CN=openshift,OU=N4T-USERS,dc=net4things,dc=local
      bindPassword: 
      ca: ad-ldap-ca.crt
      insecure: false
      kind: LDAPPasswordIdentityProvider
      url: ldaps://n4tdc1.net4things.local/dc=net4things,dc=local?sAMAccountName




___
users mailing list
users@lists.openshift.redhat.com <mailto:users@lists.openshift.redhat.com>
http://lists.openshift.redhat.com/openshiftmm/listinfo/users







Re: OpenShift Origin Active Directory Authentication

2017-07-12 Thread Rodrigo Bersa
Hi Mark,

I believe maybe the syntax is not right.

Could you try this?

oauthConfig:
  assetPublicURL: https://master.domain.local:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: Active_Directory
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id:
        - dn
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: "cn=openshift,cn=users,dc=domain,dc=local"
      bindPassword: "password"
      insecure: true
      url: ldap://dc.domain.local:389/cn=users,dc=domain,dc=local?uid
  masterPublicURL: https://master.domain.local:8443
  masterURL: https://master.domain.local:8443


Best regards,

Rodrigo Bersa

Cloud Consultant, RHCVA, RHCE





On Wed, Jul 12, 2017 at 2:15 PM, Javier Palacios wrote:

>
> > I did try sAMAccountName at first and was getting the same results. Then I
> > had read that variable was for older Windows machines so I tried uid as that
> > was the other example I saw.
>
> The relevant part of my master-config.yaml is below, and apart from using
> ldaps, I don't see any other difference. If the uid attribute is valid on
> your schema, yours seems ok.
>
> Javier Palacios
>
>   identityProviders:
>   - challenge: true
>     login: true
>     mappingMethod: claim
>     name: n4tdc1
>     provider:
>       apiVersion: v1
>       attributes:
>         email:
>         - mail
>         id:
>         - dn
>         name:
>         - cn
>         preferredUsername:
>         - sAMAccountName
>       bindDN: CN=openshift,OU=N4T-USERS,dc=net4things,dc=local
>       bindPassword: 
>       ca: ad-ldap-ca.crt
>       insecure: false
>       kind: LDAPPasswordIdentityProvider
>       url: ldaps://n4tdc1.net4things.local/dc=net4things,dc=local?sAMAccountName
>


RE: OpenShift Origin Active Directory Authentication

2017-07-12 Thread Javier Palacios

> I did try sAMAccountName at first and was getting the same results. Then I
> had read that variable was for older Windows machines so I tried uid as that
> was the other example I saw.

The relevant part of my master-config.yaml is below, and apart from using 
ldaps, I don't see any other difference. If the uid attribute is valid on your 
schema, yours seems ok.

Javier Palacios

  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: n4tdc1
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - cn
        preferredUsername:
        - sAMAccountName
      bindDN: CN=openshift,OU=N4T-USERS,dc=net4things,dc=local
      bindPassword: 
      ca: ad-ldap-ca.crt
      insecure: false
      kind: LDAPPasswordIdentityProvider
      url: ldaps://n4tdc1.net4things.local/dc=net4things,dc=local?sAMAccountName





RE: OpenShift Origin Active Directory Authentication

2017-07-12 Thread Werner, Mark
I did try sAMAccountName at first and was getting the same results. Then I
had read that variable was for older Windows machines so I tried uid as that
was the other example I saw. 

One thing I didn't change was:
  preferredUsername:
  - uid

Would I have to change this to:
  preferredUsername:
  - sAMAccountName

And also use:
  url: ldap://dc.domain.local:389/ou=users,dc=domain,dc=local?sAMAccountName



oauthConfig:
  assetPublicURL: https://master.domain.local:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - name: Active_Directory
    challenge: true
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id:
        - dn
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: "cn=openshift,ou=users,dc=domain,dc=local"
      bindPassword: "password"
      insecure: true
      url: ldap://dc.domain.local:389/ou=users,dc=domain,dc=local?uid


Mark Werner | Senior Systems Engineer | Cloud & Infrastructure Services

-Original Message-
From: Javier Palacios [mailto:jpalac...@net4things.com] 
Sent: Wednesday, July 12, 2017 10:48 AM
To: Werner, Mark <mark.wer...@unisys.com>; users@lists.openshift.redhat.com
Subject: RE: OpenShift Origin Active Directory Authentication


I cannot tell for the oauthConfig, but  for the identity provider you have

> preferredUsername:
> - uid

and I'm not sure that attribute exists. It doesn't in mine at least, and
I'm using sAMAccountName, which is in the default AD schema.
Although I don't see how that could prevent the master service from starting.

Mine works, but it has ldap authentication since the beginning, as I used
the openshift_master_identity_providers ansible variable.

Javier Palacios





RE: OpenShift Origin Active Directory Authentication

2017-07-12 Thread Javier Palacios

I cannot tell for the oauthConfig, but  for the identity provider you have

> preferredUsername:
> - uid

and I'm not sure that attribute exists. It doesn't in mine at least, and I'm 
using sAMAccountName, which is in the default AD schema.
Although I don't see how that could prevent the master service from starting.

Mine works, but it has ldap authentication since the beginning, as I used the 
openshift_master_identity_providers ansible variable.

Javier Palacios


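Mark's question about the login syntax (top of the thread) and Javier's point here about uid versus sAMAccountName both come down to how the LDAP identity provider resolves a login name. The added example below is my own code, not code from the OpenShift project or from any of the posts. It parses the url field in the RFC 2255 shape the thread's configs use, then simulates the provider's search-then-bind against a small constructed directory shaped like an Active Directory Users container. It shows that the login name is compared against the single attribute named after the `?` in the url, so with `?uid` nothing matches an AD account that has no uid attribute, and with `?sAMAccountName` the bare account name matches while `DOMAIN\user` and `user@domain.local` do not. It also shows that moving the search base from cn=users to ou=users finds nothing when the accounts actually live in the built-in CN=Users container. Two side facts about the URLs quoted in the thread: the standard LDAPS port is 636 (one post shows 686), and an ldap:// url with `insecure: true` transmits the bind password in clear text, which is what Javier's ldaps plus `ca` setting avoids. The fallback of `uid` for an empty attribute field follows the OpenShift documentation for this provider as I recall it and is marked as an assumption in the code; the account names, DNs and passwords are constructed.

```python
"""Simulate the login-name lookup done by OpenShift's LDAPPasswordIdentityProvider.

Added example, not code from the OpenShift project or from the posts above.
The provider takes the attribute named in the url, searches the base DN for
exactly one entry whose attribute equals the login name, then binds as that
entry's DN with the supplied password. The in-memory directory is constructed
to look like Active Directory's built-in Users container: entries carry
sAMAccountName, cn and mail, but no uid attribute.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse ldap[s]://host[:port]/basedn?attribute?scope?filter (RFC 2255 shape).

    Omitted parts get the usual client defaults: port 389 or 636 by scheme, scope
    'sub', filter '(objectClass=*)'. 'uid' for an empty attribute field is the
    OpenShift-documented default as I recall it (assumption, not verified here).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("scheme must be ldap or ldaps, got %r" % parts.scheme)
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    return LdapUrl(
        scheme=parts.scheme,
        host=parts.hostname or "",
        port=parts.port or (636 if parts.scheme == "ldaps" else 389),
        base_dn=unquote(parts.path.lstrip("/")),
        attribute=unquote(fields[0]) or "uid",
        scope=fields[1] or "sub",
        filter=unquote(fields[2]) or "(objectClass=*)",
    )


def transport_warnings(url: LdapUrl, insecure: bool, ca: Optional[str]) -> List[str]:
    """Flag the transport settings on which the thread's configs differ."""
    warnings = []
    if url.scheme == "ldap" and insecure:
        warnings.append("ldap:// with insecure: true sends the bind password in clear text")
    if url.scheme == "ldaps" and url.port != 636:
        warnings.append("ldaps on port %d; the standard LDAPS port is 636" % url.port)
    if url.scheme == "ldaps" and not insecure and not ca:
        warnings.append("ldaps without ca: the server certificate must chain to a system root")
    return warnings


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]]  # names kept lower-case; LDAP compares attribute names case-insensitively
    password: str                # toy verifier for the simulated bind; a real directory never stores this


def make_entry(dn: str, password: str, **attrs: List[str]) -> Entry:
    return Entry(dn, {k.lower(): list(v) for k, v in attrs.items()}, password)


# Constructed sample directory (not real accounts); note that no entry has 'uid'.
DIRECTORY = [
    make_entry("CN=openshift,CN=Users,DC=domain,DC=local", "bind-secret",
               cn=["openshift"], sAMAccountName=["openshift"], mail=["openshift@domain.local"]),
    make_entry("CN=Jane Doe,CN=Users,DC=domain,DC=local", "user-secret",
               cn=["Jane Doe"], sAMAccountName=["jdoe"], mail=["jdoe@domain.local"]),
]


def find_user(url: LdapUrl, login: str) -> Optional[Entry]:
    """The provider's search: (attribute=login) below base_dn, exactly one hit required."""
    base, attr = url.base_dn.lower(), url.attribute.lower()
    hits = [e for e in DIRECTORY
            if e.dn.lower().endswith(base)  # simplistic subtree test; enough for these DNs
            and login.lower() in (v.lower() for v in e.attrs.get(attr, []))]
    return hits[0] if len(hits) == 1 else None


def authenticate(url_str: str, login: str, password: str,
                 preferred_username_attr: str = "sAMAccountName") -> Optional[dict]:
    """Search, then bind as the found DN; return the identity the provider would map."""
    url = parse_ldap_url(url_str)
    entry = find_user(url, login)
    # 'no such user' and 'wrong password' are deliberately indistinguishable to the caller.
    if entry is None or not hmac.compare_digest(entry.password.encode(), password.encode()):
        return None
    preferred = entry.attrs.get(preferred_username_attr.lower(), [login])[0]
    return {"id": entry.dn, "preferredUsername": preferred}


URL_UID = "ldap://dc.domain.local:389/cn=users,dc=domain,dc=local?uid"
URL_SAM = "ldap://dc.domain.local:389/cn=users,dc=domain,dc=local?sAMAccountName"
URL_OU = "ldap://dc.domain.local:389/ou=users,dc=domain,dc=local?sAMAccountName"
```

Calling `authenticate(URL_SAM, "jdoe", "user-secret")` returns the mapped identity, while the same call with `URL_UID`, with `URL_OU`, or with the login written as `DOMAIN\jdoe` or `jdoe@domain.local` returns None, which is the "Authentication Error Occurred" path from the user's point of view. `transport_warnings(parse_ldap_url(URL_UID), True, None)` reports the clear-text bind.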


RE: OpenShift Origin Active Directory Authentication

2017-07-12 Thread Werner, Mark
73 reflector.go:188] pkg/kubelet/config/apiserver.go:44: Failed to
Jul 12 10:17:04 master.domain.local origin-node[14773]: E0712 10:17:04.464708   14773 reflector.go:188] github.com/openshift/origin/pkg/sdn/plugin/com
Jul 12 10:17:04 master.domain.local origin-node[14773]: E0712 10:17:04.467208   14773 reflector.go:188] pkg/kubelet/kubelet.go:386: Failed to list *ap
Jul 12 10:17:04 master.domain.local origin-node[14773]: E0712 10:17:04.467307   14773 reflector.go:188] github.com/openshift/origin/pkg/cmd/server/kub
Jul 12 10:17:04 master.domain.local origin-node[14773]: E0712 10:17:04.469897   14773 reflector.go:188] pkg/kubelet/kubelet.go:378: Failed to list *ap
Jul 12 10:17:04 master.domain.local origin-node[14773]: E0712 10:17:04.470005   14773 reflector.go:188] github.com/openshift/origin/pkg/sdn/plugin/com
Jul 12 10:17:05 master.domain.local origin-node[14773]: I0712 10:17:05.285778   14773 conversion.go:134] failed to handle multiple devices for contain
Jul 12 10:17:05 master.domain.local origin-node[14773]: I0712 10:17:05.285815   14773 conversion.go:134] failed to handle multiple devices for contain
Jul 12 10:17:05 master.domain.local origin-node[14773]: E0712 10:17:05.464870   14773 reflector.go:188] github.com/openshift/origin/pkg/cmd/server/kub
Jul 12 10:17:05 master.domain.local origin-node[14773]: E0712 10:17:05.465001   14773 reflector.go:188] pkg/kubelet/config/apiserver.go:44: Failed to
Jul 12 10:17:05 master.domain.local origin-node[14773]: E0712 10:17:05.467033   14773 reflector.go:188] github.com/openshift/origin/pkg/sdn/plugin/com
Jul 12 10:17:05 master.domain.local origin-node[14773]: E0712 10:17:05.469282   14773 reflector.go:188] github.com/openshift/origin/pkg/cmd/server/kub
Jul 12 10:17:05 master.domain.local origin-node[14773]: E0712 10:17:05.469888   14773 reflector.go:188] pkg/kubelet/kubelet.go:386: Failed to list *ap
Jul 12 10:17:05 master.domain.local origin-node[14773]: E0712 10:17:05.471984   14773 reflector.go:188] pkg/kubelet/kubelet.go:378: Failed to list *ap
Jul 12 10:17:05 master.domain.local origin-node[14773]: E0712 10:17:05.472081   14773 reflector.go:188] github.com/openshift/origin/pkg/sdn/plugin/com
Jul 12 10:17:06 master.domain.local origin-node[14773]: E0712 10:17:06.467151   14773 reflector.go:188] pkg/kubelet/config/apiserver.go:44: Failed to
Jul 12 10:17:06 master.domain.local origin-node[14773]: E0712 10:17:06.467177   14773 reflector.go:188] github.com/openshift/origin/pkg/cmd/server/kub
Jul 12 10:17:06 master.domain.local origin-node[14773]: E0712 10:17:06.468688   14773 reflector.go:188] github.com/openshift/origin/pkg/sdn/plugin/com
Jul 12 10:17:06 master.domain.local origin-node[14773]: E0712 10:17:06.470937   14773 reflector.go:188] github.com/openshift/origin/pkg/cmd/server/kub
Jul 12 10:17:06 master.domain.local origin-node[14773]: E0712 10:17:06.472454   14773 reflector.go:188] pkg/kubelet/kubelet.go:386: Failed to list *ap
Jul 12 10:17:06 master.domain.local origin-node[14773]: E0712 10:17:06.473711   14773 reflector.go:188] pkg/kubelet/kubelet.go:378: Failed to list *ap
Jul 12 10:17:06 master.domain.local origin-node[14773]: E0712 10:17:06.473723   14773 reflector.go:188] github.com/openshift/origin/pkg/sdn/plugin/com

Mark Werner | Senior Systems Engineer | Cloud & Infrastructure Services


From: Jon Stanley [mailto:jonstan...@gmail.com] 
Sent: Wednesday, July 12, 2017 10:08 AM
To: Werner, Mark <mark.wer...@unisys.com>
Cc: users@lists.openshift.redhat.com
Subject: Re: OpenShift Origin Active Directory Authentication

  bindDN: "cn=openshift,cn=users,dc=domain,dc=local"
  bindPassword: "password"
  insecure: true
  url: ldap://dc.domain.local:389/cn=users,dc=domain,dc=local?uid

In addition to Clayton's question of the exact messages, this configuration 
looks bad - I'm not sure if it's a problem in your redaction of the 
configuration, or if it's real - 'cn=openshift,cn=users,dc=domain,dc=local' has 
2 CN's in it - should be 'cn=openshift,ou=users,dc=domain,dc=local'





RE: OpenShift Origin Active Directory Authentication

2017-07-12 Thread Werner, Mark
I do believe in one attempt I did change the cn=users to ou=users and had the 
same issue. But I can give it a try just to make certain.



Thanks,



Mark Werner | Senior Systems Engineer | Cloud & Infrastructure Services




From: Jon Stanley [mailto:jonstan...@gmail.com]
Sent: Wednesday, July 12, 2017 10:08 AM
To: Werner, Mark <mark.wer...@unisys.com>
Cc: users@lists.openshift.redhat.com
Subject: Re: OpenShift Origin Active Directory Authentication

  bindDN: "cn=openshift,cn=users,dc=domain,dc=local"
  bindPassword: "password"
  insecure: true
  url: ldap://dc.domain.local:389/cn=users,dc=domain,dc=local?uid

In addition to Clayton's question of the exact messages, this configuration 
looks bad - I'm not sure if it's a problem in your redaction of the 
configuration, or if it's real - 'cn=openshift,cn=users,dc=domain,dc=local' 
has 2 CN's in it - should be 'cn=openshift,ou=users,dc=domain,dc=local'





Re: OpenShift Origin Active Directory Authentication

2017-07-12 Thread Jon Stanley
>   bindDN: "cn=openshift,cn=users,dc=domain,dc=local"
>   bindPassword: "password"
>   insecure: true
>   url: ldap://dc.domain.local:389/cn=users,dc=domain,dc=local?uid

In addition to Clayton's question of the exact messages, this configuration
looks bad - I'm not sure if it's a problem in your redaction of the
configuration, or if it's real - 'cn=openshift,cn=users,dc=domain,dc=local'
has 2 CN's in it - should be 'cn=openshift,ou=users,dc=domain,dc=local'
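Jon's comment is about the shape of the bind DN. A DN parser makes that shape explicit; the one below is an added example of mine, not code from the posts or from OpenShift. It splits a DN into typed RDNs following RFC 4514 (including the `\,` and `\2C` escape forms), reports which container the bind account sits in, and checks whether the search base from the url covers that account. One fact worth having next to the discussion: in Active Directory the built-in Users container is itself an object named CN=Users, so a DN with two CN components is the normal form for an account that was never moved into an organizational unit, while an administrator-created OU gives the `ou=` form. A parser can only tell you which form a DN has; whether that container exists in a given domain is something only the directory can confirm. The DNs used below are the ones quoted in the thread; `check_bind_dn` and `describe_dn` are names I chose.

```python
"""Parse LDAP distinguished names and check a bind DN against a search base.

Added example, not code from the posts or from the OpenShift project. The
grammar is the RFC 4514 string form: RDNs separated by ',', each 'type=value',
with '\\' escaping a special character or introducing a two-digit hex byte.
Multi-valued RDNs ('+') are not split. The helpers answer two questions about a
bindDN: which container the bind account sits in (a built-in CN=Users container
and an administrator-created OU are both legal parents) and whether the search
base in the url covers that account.
"""
from typing import Dict, List, Tuple

RDN = Tuple[str, str]
HEX = "0123456789abcdefABCDEF"


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (type, value) pairs, decoding RFC 4514 escapes in values."""
    if not dn:
        return []  # the empty DN (root DSE) is valid
    rdns: List[RDN] = []
    attr_type = None   # None while the attribute type is being read
    buf = bytearray()  # value bytes; hex escapes are raw UTF-8 bytes
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if attr_type is None:
                raise ValueError("escape inside attribute type at offset %d" % i)
            if i + 2 < len(dn) and dn[i + 1] in HEX and dn[i + 2] in HEX:
                buf += bytes.fromhex(dn[i + 1:i + 3])  # \2C -> ','
                i += 3
            elif i + 1 < len(dn):
                buf += dn[i + 1].encode("utf-8")  # \, \+ \" \\ \< \> \; \= \#
                i += 2
            else:
                raise ValueError("dangling escape at end of DN")
            continue
        if ch == "=" and attr_type is None:
            attr_type = buf.decode("utf-8").strip()
            if not attr_type:
                raise ValueError("empty attribute type at offset %d" % i)
            buf = bytearray()
        elif ch == ",":
            if attr_type is None:
                raise ValueError("RDN without '=' before offset %d" % i)
            rdns.append((attr_type, buf.decode("utf-8")))
            attr_type, buf = None, bytearray()
        else:
            buf += ch.encode("utf-8")
        i += 1
    if attr_type is None:
        raise ValueError("trailing RDN without '='")
    rdns.append((attr_type, buf.decode("utf-8")))
    return rdns


def normalize(rdns: List[RDN]) -> List[RDN]:
    """Fold case for comparison; AD matches DN components case-insensitively."""
    return [(t.lower(), v.lower()) for t, v in rdns]


def is_under(dn: str, base_dn: str) -> bool:
    """True when dn lies in the subtree rooted at base_dn (the base itself included)."""
    dn_rdns, base_rdns = normalize(parse_dn(dn)), normalize(parse_dn(base_dn))
    return len(base_rdns) <= len(dn_rdns) and dn_rdns[len(dn_rdns) - len(base_rdns):] == base_rdns


def describe_dn(dn: str) -> Dict[str, str]:
    """Leaf, parent container, the parent's RDN type, and the domain spelled from the DC parts."""
    rdns = parse_dn(dn)
    if not rdns:
        raise ValueError("cannot describe the empty DN")
    return {
        "leaf": rdns[0][1],
        "parent": ",".join("%s=%s" % rdn for rdn in rdns[1:]),
        "parent_type": rdns[1][0].lower() if len(rdns) > 1 else "",
        "domain": ".".join(v for t, v in rdns if t.lower() == "dc"),
    }


def check_bind_dn(bind_dn: str, base_dn: str) -> List[str]:
    """Informational findings about the bind account relative to the search base."""
    info = describe_dn(bind_dn)
    findings = ["bind account %r sits in the %s container %r"
                % (info["leaf"], info["parent_type"].upper(), info["parent"])]
    if not is_under(bind_dn, base_dn):
        findings.append("bind account lies outside search base %r; allowed, but the users "
                        "to authenticate must be inside it" % base_dn)
    return findings


if __name__ == "__main__":
    for bind, base in [("cn=openshift,cn=users,dc=domain,dc=local", "cn=users,dc=domain,dc=local"),
                       ("cn=openshift,cn=users,dc=domain,dc=local", "ou=users,dc=domain,dc=local"),
                       ("CN=openshift,OU=N4T-USERS,dc=net4things,dc=local", "dc=net4things,dc=local")]:
        print("\n".join(check_bind_dn(bind, base)))
```

The second pair in the demo is the mismatch the thread circles around: a bind account whose DN says CN=Users paired with a search base that says ou=users. The parser reports them as different containers; it cannot say which one the domain actually has.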


Re: OpenShift Origin Active Directory Authentication

2017-07-12 Thread Clayton Coleman
When you restart, what log messages are printed in origin-master?

On Jul 11, 2017, at 10:19 PM, Werner, Mark wrote:

I am really struggling to get Active Directory authentication to work.

The oauthConfig section of the master-config.yaml file starts out like this
and all is fine.

oauthConfig:
  assetPublicURL: https://master.domain.local:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: allow_all
    provider:
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider
  masterCA: ca-bundle.crt
  masterPublicURL: https://master.domain.local:8443
  masterURL: https://master.domain.local:8443

Then I attempt to modify the oauthConfig section of the master-config.yaml
file to look like this.

oauthConfig:
  assetPublicURL: https://master.domain.local:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - name: Active_Directory
    challenge: true
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id:
        - dn
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: "cn=openshift,cn=users,dc=domain,dc=local"
      bindPassword: "password"
      insecure: true
      url: ldap://dc.domain.local:389/cn=users,dc=domain,dc=local?uid
  assetPublicURL: https://master.domain.local:8443/console/
  masterPublicURL: https://master.domain.local:8443
  masterURL: https://master.domain.local:8443

Then I try to restart the origin-master service and it fails to restart,
and won't start again, not even on reboot. If I revert back to the old
master-config.yaml file everything works fine again, and origin-master
service starts with no problem.

The user "openshift" has been created in Active Directory with the correct
password.

I have even tried using url:
ldaps://dc.domain.local:686/cn=users,dc=domain,dc=local?uid

That doesn't work either. I cannot seem to figure out what I am doing wrong
and what the origin-master service does not like about the modified
master-config.yaml file that keeps it from starting.





Mark Werner | Senior Systems Engineer | Cloud & Infrastructure Services

