Red Hat IdM as an LDAP Identity Provider in OpenShift Container Platform 4

For my OpenShift Demo, I want to use a Red Hat IdM server as the identity provider. It took a little trial and error to get the mechanism to work right.

Following the docs didn’t quite work. When I try to log in, I get:

I1114 20:20:28.598896  122974 helpers.go:198] server response object: [{
  "metadata": {},
  "status": "Failure",
  "message": "Internal error occurred: unexpected response: 500",
  "reason": "InternalError",
  "details": {
    "causes": [
      {
        "message": "unexpected response: 500"
      }
    ]
  },
  "code": 500
}]

How do I debug? The basics steps are:

oc project  openshift-authentication
oc get pods
oc log $(podname)

For example:

[ayoung@ayoungP40 ocp4.2]$ oc project openshift-authentication
Already on project "openshift-authentication" on server "https://api.demo.redhatfsi.com:6443".
[ayoung@ayoungP40 ocp4.2]$ oc get pods
NAME                               READY   STATUS    RESTARTS   AGE
oauth-openshift-5bf5fcf955-dl6h8   1/1     Running   0          17m
oauth-openshift-5bf5fcf955-mfcs5   1/1     Running   0          17m
[ayoung@ayoungP40 ocp4.2]$ oc log oauth-openshift-5bf5fcf955-dl6h8
log is DEPRECATED and will be removed in a future version. Use logs instead.
Copying system trust bundle
I1115 23:06:20.525713       1 secure_serving.go:65] Forcing use of http/1.1 only
I1115 23:06:20.526427       1 secure_serving.go:127] Serving securely on 0.0.0.0:6443

I had two different pods, so sometimes I got nothing, and would have to pull the log from the other pod. However I did see the following errors


Error authenticating login “ayoung” with provider “ldapidp”: LDAP Result Code 200 “Network Error”: dial tcp:

This one was tricky. The error was that my IdM server was in the same domain as the OpenShift cluster. I Started with idm.demo.redhatfsi.com as the IdM server. Since the local DNS was trying to resolve that, and failing, I could not connect to it. I ended up creating a new IdM server: idm.infra.redhatfsi.com. With that, I was able to resolve this issue and carry on

Error authenticating “ayoung” with provider “ldapidp”: LDAP Result Code 200 “Network Error”: TLS handshake failed (x509: certificate signed by unknown authority)

This was due to me forgetting to update the config map with the new certificate.

Error authenticating “ayoung” with provider “ldapidp”: multiple entries found matching “ayoung” I

This had to due with the BaseDN I was using to search. There is a “compat” tree in a FreeIPA server. If you search at a top level BaseDN, you get two records per user. One starts like this:

# ayoung, users, compat, infra.redhatfsi.com
dn: uid=ayoung,cn=users,cn=compat,dc=infra,dc=redhatfsi,dc=com

To get the more limited set of users, I change to the equivalent of the following LDAP search:

ldapsearch -x -H ldap://idm.infra.redhatfsi.com -L -b ‘cn=accounts,dc=infra,dc=redhatfsi,dc=com’ ‘uid=ayoung’

Here is the ldap.yaml file I used to finally configure the system. Note that I created a non-admin user named “Open Shift” to do the queries.

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ldapidp 
    mappingMethod: claim 
    type: LDAP
    ldap:
      attributes:
        id: 
        - dn 
        email: 
        - mail
        name: 
        - cn
        preferredUsername: 
        - uid
      bindDN: "uid=openshift,cn=users,cn=accounts,dc=infra,dc=redhatfsi,dc=com" 
      bindPassword: 
        name: ldap-secret
      ca: 
        name: ca-config-map
      insecure: false 
      url: "ldap://idm.infra.redhatfsi.com./cn=accounts,dc=infra,dc=redhatfsi,dc=com?uid"

3 thoughts on “Red Hat IdM as an LDAP Identity Provider in OpenShift Container Platform 4

  1. Hello!
    Really nice post! I’m trying to setup a similar environment and I can’t do TLS.
    Insecure works fine, but when I try TLS I can see an error in logs “http: TLS handshake error from 10.131.0.1:42742: remote error: tls: bad certificate”
    So, I understand there is some issue with a certificate but I don’t understand what exactly is wrong. It’s not clear for me what exactly cert should I use to import as a config map. I tried just ca.crt from Idm server (/etc/ipa/), I tried download it from web UI in pem format, I tried bundle (ca + Idm server cert). Nothing works. May be you can share you experience at this particular point?
    Thanks!

  2. I have to admit I have not worked through it yet. Please expand on what you mean by “Insecure works fine, but when I try TLS I can see an error in logs.” Which service are you talking too?

    BTW my blog is a horrible place to come looking for troubleshooting advice.

  3. I meant that if I configure ldap Identity provider as insecure (set “insecure: true” and specify url as “ldap://…” ) it works fine. I
    Bit, I just did more efforts and I think I’ve made it work with TLS too, though I still have the error about bad certificate, it can be a bug according to the following link: https://bugzilla.redhat.com/show_bug.cgi?id=1702429

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.