ldap-syncing-activedir.adoc
Syncing groups using the Active Directory schema

In the Active Directory schema, both users (Jane and Jim) exist in the LDAP server as first-class entries, and group membership is stored in attributes on the user. The following LDIF snippet defines the users and group for this schema:

LDAP entries that use Active Directory schema: active_directory.ldif
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

dn: cn=Jane,ou=users,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: testPerson
cn: Jane
sn: Smith
displayName: Jane Smith
mail: [email protected]
memberOf: admins (1)

dn: cn=Jim,ou=users,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: testPerson
cn: Jim
sn: Adams
displayName: Jim Adams
mail: [email protected]
memberOf: admins
  1. The user’s group memberships are listed as attributes on the user, and the group does not exist as an entry on the server. The memberOf attribute does not have to be a literal attribute on the user; in some LDAP servers, it is created during search and returned to the client, but not committed to the database.

Prerequisites
  • Create the configuration file.

Procedure
  1. Run the sync with the active_directory_config.yaml file:

    $ oc adm groups sync --sync-config=active_directory_config.yaml --confirm

    {product-title} creates the following group record as a result of the above sync operation:

    {product-title} group created by using the active_directory_config.yaml file
    apiVersion: user.openshift.io/v1
    kind: Group
    metadata:
      annotations:
        openshift.io/ldap.sync-time: 2015-10-13T10:08:38-0400 (1)
        openshift.io/ldap.uid: admins (2)
        openshift.io/ldap.url: LDAP_SERVER_IP:389 (3)
      creationTimestamp:
      name: admins (4)
    users: (5)
    - [email protected]
    - [email protected]
    1. The last time this {product-title} group was synchronized with the LDAP server, in ISO 8601 format.

    2. The unique identifier for the group on the LDAP server.

    3. The IP address and host of the LDAP server where this group’s record is stored.

    4. The name of the group as listed in the LDAP server.

    5. The users that are members of the group, named as specified by the sync file.
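The following Python script is an added illustration of the mechanism described above (the user-side memberOf attribute being inverted into group records) and of the shape of the Group record the sync produces; it is not OpenShift's code and does not reproduce the oc sync logic. The LDIF sample, the user e-mail addresses, the extra "devs" group, the user with no memberOf, and the LDAP_SERVER_IP / SYNC_TIME placeholder values are all constructed for this example.

```python
"""Derive Group-shaped records from Active Directory-schema LDAP entries,
where membership lives in each user's memberOf attribute and no group entry
exists on the server (added example, not OpenShift's implementation)."""

# Constructed sample LDIF (not the page's own file): two users in "admins",
# one of whom is also in "devs", and one user with no memberOf at all.
SAMPLE_LDIF = """\
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

dn: cn=Jane,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: Jane
sn: Smith
mail: jane@example.com
memberOf: admins
memberOf: devs

dn: cn=Jim,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: Jim
sn: Adams
mail: jim@example.com
memberOf: admins

dn: cn=Nora,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: Nora
sn: Lee
mail: nora@example.com
"""


def parse_ldif(text):
    """Parse a minimal LDIF document into a list of entries.

    Each entry maps attribute name -> list of values, so multi-valued
    attributes such as memberOf are preserved. Continuation lines (leading
    single space) are folded; comment lines are skipped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if current is None:
            current = {}
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def groups_from_member_of(entries, name_attr="mail", membership_attr="memberOf"):
    """Invert user-side membership into group name -> [user names].

    Groups are never looked up as entries: every value seen in memberOf
    becomes a group, and each user is named by name_attr (mail here, matching
    the page's example output). Entries without name_attr (e.g. the OU) are
    skipped; a user with no memberOf contributes to no group.
    """
    groups = {}
    for entry in entries:
        if name_attr not in entry:
            continue
        user_name = entry[name_attr][0]
        for group in entry.get(membership_attr, []):
            members = groups.setdefault(group, [])
            if user_name not in members:
                members.append(user_name)
    return groups


def to_group_record(name, users, ldap_url, sync_time):
    """Build a dict shaped like the user.openshift.io/v1 Group shown above;
    ldap_url and sync_time are caller-supplied placeholder values here."""
    return {
        "apiVersion": "user.openshift.io/v1",
        "kind": "Group",
        "metadata": {
            "annotations": {
                "openshift.io/ldap.sync-time": sync_time,
                "openshift.io/ldap.uid": name,
                "openshift.io/ldap.url": ldap_url,
            },
            "name": name,
        },
        "users": list(users),
    }


if __name__ == "__main__":
    for group, members in groups_from_member_of(parse_ldif(SAMPLE_LDIF)).items():
        print(to_group_record(group, members, "LDAP_SERVER_IP:389", "SYNC_TIME"))
```

Running the script prints one record per group name found in any memberOf value; Nora, who carries no memberOf, appears in none of them. Because the script only reads what the directory returns, it also shows why a server that synthesizes memberOf at search time (as the callout above notes) must actually include the attribute in search results for the sync to see the membership at all.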