For my OpenShift Demo, I want to use a Red Hat IdM server as the identity provider. It took a little trial and error to get the mechanism to work right.
Following the docs didn’t quite work. When I try to log in, I get:
I1114 20:20:28.598896 122974 helpers.go:198] server response object: [{ "metadata": {}, "status": "Failure", "message": "Internal error occurred: unexpected response: 500", "reason": "InternalError", "details": { "causes": [ { "message": "unexpected response: 500" } ] }, "code": 500 }]
How do I debug? The basic steps are to switch to the authentication project, list its pods, and pull the log of the oauth pod:
oc project openshift-authentication
oc get pods
oc logs <pod-name>
For example:
[ayoung@ayoungP40 ocp4.2]$ oc project openshift-authentication
Already on project "openshift-authentication" on server "https://api.demo.redhatfsi.com:6443".
[ayoung@ayoungP40 ocp4.2]$ oc get pods
NAME                               READY   STATUS    RESTARTS   AGE
oauth-openshift-5bf5fcf955-dl6h8   1/1     Running   0          17m
oauth-openshift-5bf5fcf955-mfcs5   1/1     Running   0          17m
[ayoung@ayoungP40 ocp4.2]$ oc log oauth-openshift-5bf5fcf955-dl6h8
log is DEPRECATED and will be removed in a future version. Use logs instead.
Copying system trust bundle
I1115 23:06:20.525713       1 secure_serving.go:65] Forcing use of http/1.1 only
I1115 23:06:20.526427       1 secure_serving.go:127] Serving securely on 0.0.0.0:6443
I had two different pods, so sometimes I got nothing and had to pull the log from the other pod. However, I did see the following errors:
Error authenticating login "ayoung" with provider "ldapidp": LDAP Result Code 200 "Network Error": dial tcp:
This one was tricky. The problem was that my IdM server was in the same DNS domain as the OpenShift cluster. I started with idm.demo.redhatfsi.com as the IdM server. Since the cluster's local DNS was trying to resolve that name itself, and failing, the oauth pod could not connect to it. I ended up creating a new IdM server in a separate domain, idm.infra.redhatfsi.com. With that, I was able to resolve this issue and carry on.
Error authenticating "ayoung" with provider "ldapidp": LDAP Result Code 200 "Network Error": TLS handshake failed (x509: certificate signed by unknown authority)
This was due to me forgetting to update the config map with the new certificate.
Error authenticating "ayoung" with provider "ldapidp": multiple entries found matching "ayoung"
This had to do with the BaseDN I was using to search. There is a "compat" tree in a FreeIPA server. If you search at a top-level BaseDN, you get two records per user. One starts like this:
# ayoung, users, compat, infra.redhatfsi.com
dn: uid=ayoung,cn=users,cn=compat,dc=infra,dc=redhatfsi,dc=com
To get the more limited set of users, I changed the BaseDN to cn=accounts, which is the equivalent of the following LDAP search:
ldapsearch -x -H ldap://idm.infra.redhatfsi.com -L -b 'cn=accounts,dc=infra,dc=redhatfsi,dc=com' 'uid=ayoung'
Here is the ldap.yaml file I used to finally configure the system. Note that I created a non-admin user named “Open Shift” to do the queries.
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ldapidp
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id:
        - dn
        email:
        - mail
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: "uid=openshift,cn=users,cn=accounts,dc=infra,dc=redhatfsi,dc=com"
      bindPassword:
        name: ldap-secret
      ca:
        name: ca-config-map
      insecure: false
      url: "ldap://idm.infra.redhatfsi.com./cn=accounts,dc=infra,dc=redhatfsi,dc=com?uid"
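The "multiple entries found" error and the url line above come down to the same thing: the OpenShift LDAP provider parses the base DN and attribute out of the url, runs a subtree search for attribute=login, and refuses to log you in unless exactly one entry comes back. The following is an added example, not code from the post or from OpenShift, that emulates that lookup against a small constructed directory holding the accounts and compat entries for ayoung; the helper names (parse_ldap_url, lookup_user) and the entries are assumptions made for the demonstration.

```python
# Added example (not from the original post): emulate the subtree-scoped
# search the OpenShift LDAP identity provider performs, to show why a base DN
# of dc=infra,dc=redhatfsi,dc=com matches a user twice (accounts tree plus
# compat tree) while cn=accounts,... matches once. Entries are constructed.
from urllib.parse import urlsplit, unquote

# Constructed stand-in for what a FreeIPA server returns for these users.
DIRECTORY = [
    {"dn": "uid=ayoung,cn=users,cn=accounts,dc=infra,dc=redhatfsi,dc=com",
     "uid": "ayoung", "mail": "ayoung@infra.redhatfsi.com"},
    {"dn": "uid=ayoung,cn=users,cn=compat,dc=infra,dc=redhatfsi,dc=com",
     "uid": "ayoung", "mail": "ayoung@infra.redhatfsi.com"},
    {"dn": "uid=openshift,cn=users,cn=accounts,dc=infra,dc=redhatfsi,dc=com",
     "uid": "openshift", "mail": "openshift@infra.redhatfsi.com"},
]

def dn_components(dn):
    """Split a DN into normalised (type, value) RDN pairs, most specific first."""
    return [tuple(p.strip().lower() for p in rdn.split("=", 1))
            for rdn in dn.split(",")]

def is_under(entry_dn, base_dn):
    """Subtree scope: the entry DN must end with the base DN's RDN sequence
    (compared component-wise, so a plain string suffix match is not enough)."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base

def parse_ldap_url(url):
    """Return (host, base_dn, attr) from the ldap://host/baseDN?attr URL form."""
    parts = urlsplit(url)
    base_dn = unquote(parts.path.lstrip("/"))
    attr = parts.query.split("?")[0] or "uid"
    return parts.hostname, base_dn, attr

def lookup_user(url, login):
    """Scoped search for attr=login; succeed only on exactly one hit."""
    _, base_dn, attr = parse_ldap_url(url)
    hits = [e for e in DIRECTORY
            if is_under(e["dn"], base_dn) and e.get(attr) == login]
    if len(hits) > 1:
        return None, f'multiple entries found matching "{login}"'
    if not hits:
        return None, f'no entry found matching "{login}"'
    return hits[0]["dn"], None

if __name__ == "__main__":
    for base in ("dc=infra,dc=redhatfsi,dc=com",
                 "cn=accounts,dc=infra,dc=redhatfsi,dc=com"):
        url = f"ldap://idm.infra.redhatfsi.com./{base}?uid"
        print(base, "->", lookup_user(url, "ayoung"))
```

Run as-is it prints the duplicate-entry failure for the top-level base and the single accounts-tree DN for cn=accounts, which is the difference the ldapsearch above makes visible.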
Hello!
Really nice post! I'm trying to set up a similar environment and I can't get TLS to work.
Insecure works fine, but when I try TLS I can see an error in the logs: "http: TLS handshake error from 10.131.0.1:42742: remote error: tls: bad certificate"
So, I understand there is some issue with a certificate, but I don't understand what exactly is wrong. It's not clear to me exactly which cert I should import as a config map. I tried just ca.crt from the IdM server (/etc/ipa/), I tried downloading it from the web UI in PEM format, I tried a bundle (CA + IdM server cert). Nothing works. Maybe you can share your experience at this particular point?
Thanks!
I have to admit I have not worked through it yet. Please expand on what you mean by "Insecure works fine, but when I try TLS I can see an error in logs." Which service are you talking to?
BTW my blog is a horrible place to come looking for troubleshooting advice.
I meant that if I configure the LDAP identity provider as insecure (set "insecure: true" and specify the url as "ldap://...") it works fine.
But I just put in more effort and I think I've made it work with TLS too, though I still have the error about the bad certificate; it can be a bug according to the following link: https://bugzilla.redhat.com/show_bug.cgi?id=1702429