// Module included in the following assemblies:
//
// * authentication/ldap-syncing.adoc
:_mod-docs-content-type: CONCEPT
[id="ldap-syncing-config-rfc2307_{context}"]
= About the RFC 2307 configuration file
The RFC 2307 schema requires you to provide an LDAP query definition for both user
and group entries, as well as the attributes used to represent them in the
internal {product-title} records.
For clarity, the group you create in {product-title} should use attributes other
than the distinguished name whenever possible for user- or administrator-facing
fields. For example, identify the users of an {product-title} group by their email
address, and use the group's common name (`cn`) as the group name. The following
configuration file creates these relationships:
[NOTE]
====
If you use user-defined name mappings, your configuration file differs from this example.
====
.LDAP sync configuration that uses RFC 2307 schema: `rfc2307_config.yaml`
[source,yaml]
----
kind: LDAPSyncConfig
apiVersion: v1
# Host (or IP) and port of the LDAP server. The URL scheme decides how TLS is
# negotiated together with `insecure` below (see callout 2).
# NOTE(review): prefer an ldaps:// URL so the TLS requirement is explicit in
# the config itself rather than implied by the upgrade behaviour.
url: ldap://LDAP_SERVICE_IP:389 <1>
# false: ldaps:// connects with TLS and ldap:// is upgraded to TLS.
# true:  no TLS at all, so the bind DN/password below and every directory
#        record would cross the network unencrypted. Keep this false.
insecure: false <2>
# Account the sync tool binds as to read groups and users. Presumably only
# read access to the two base DNs below is needed -- verify against the
# directory's ACLs rather than reusing a directory admin account.
bindDN: cn=admin,dc=example,dc=com
# The password is read from a file at sync time, so it never has to live in
# this config file or be committed to version control alongside it.
bindPassword:
  file: "/etc/secrets/bindPassword"
rfc2307:
  groupsQuery:
    baseDN: "ou=groups,dc=example,dc=com"
    scope: sub
    derefAliases: never
    # NOTE(review): 0 presumably disables paged results -- confirm, and use a
    # non-zero value if the server enforces a result size limit.
    pageSize: 0
  # The DN uniquely identifies a group, but no groupsQuery filter can be
  # combined with it; narrow the sync with the whitelist / blacklist method.
  groupUIDAttribute: dn <3>
  groupNameAttributes: [ cn ] <4>
  groupMembershipAttributes: [ member ] <5>
  usersQuery:
    baseDN: "ou=users,dc=example,dc=com"
    scope: sub
    derefAliases: never
    pageSize: 0
  # Same DN-versus-filter restriction as groupUIDAttribute above.
  userUIDAttribute: dn <6>
  # Users are listed in the {product-title} group record by mail address,
  # not by DN.
  userNameAttributes: [ mail ] <7>
  # NOTE(review): with both set to false, a member entry that is missing or
  # lies outside usersQuery.baseDN presumably fails the sync instead of being
  # silently dropped -- confirm; the strict setting is the safer default.
  tolerateMemberNotFoundErrors: false
  tolerateMemberOutOfScopeErrors: false
----
<1> The host name or IP address, and port, of the LDAP server that stores the
group records. The URL scheme (`ldap://` or `ldaps://`) determines how TLS is
negotiated; see the next callout.
<2> When `false`, secure
LDAP (`ldaps://`) URLs connect using TLS, and insecure LDAP (`ldap://`) URLs are
upgraded to TLS. When `true`, no TLS connection is made to the server, so the bind
credentials and the directory data are sent unencrypted, and you cannot use
`ldaps://` URL schemes. Leave this set to `false`.
<3> The attribute that uniquely identifies a group on the LDAP server.
You cannot specify `groupsQuery` filters when using DN for `groupUIDAttribute`.
For fine-grained filtering, use the whitelist / blacklist method instead.
<4> The attribute to use as the name of the group.
<5> The attribute on the group that stores the membership information.
<6> The attribute that uniquely identifies a user on the LDAP server. You
cannot specify `usersQuery` filters when using DN for `userUIDAttribute`. For
fine-grained filtering, use the whitelist / blacklist method instead.
<7> The attribute to use as the name of the user in the {product-title} group record.