Building an OpenShift LDAP URL from FreeIPA

If you want to use LDAP authentication with OpenShift, you need to build an LDAP URL from the information you do have. Here are the steps.

I’ve installed a Red Hat IdM server. If I ssh in to the server, I can use kinit to authenticate, and use the ipa command line to query. I created a user named openshift that will be used to perform the operations from the OpenShift instance. Let’s use that as a starting point. The user-show command does not show the LDAP info by default, but if you add the –all flag, you do get it:

$ ipa user-show openshift  --all | grep dn:
  dn: uid=openshift,cn=users,cn=accounts,dc=redhatfsi,dc=com

The users are all stored in the same tree. So we can remove the uid entry from the start of that line to get the base DN. We can use curl to test:

curl  ldaps://$HOSTNAME/cn=users,cn=compat,dc=redhatfsi,dc=com

This is the output produced:

DN: cn=users,cn=compat,dc=redhatfsi,dc=com
	objectClass: extensibleObject
	cn: users

Note that this can be done as an anonymous user. I have not had to authenticate to the IdM server. However, it idoes not list the users. To get some values back, we need to tell the query how deep to go in the tree. Use the scope one for idm, as the user tree is flat.

$ curl  ldaps://,cn=compat,dc=redhatfsi,dc=com?uid
DN: cn=users,cn=compat,dc=redhatfsi,dc=com
[ayoung@idm ~]$ curl  ldaps://,cn=compat,dc=redhatfsi,dc=com?uid?one
DN: uid=openshift,cn=users,cn=compat,dc=redhatfsi,dc=com
	uid: openshift
DN: uid=ayoung,cn=users,cn=compat,dc=redhatfsi,dc=com
	uid: ayoung
DN: uid=admin,cn=users,cn=compat,dc=redhatfsi,dc=com
	uid: admin

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.