LDAP Flashcards
Steps to configure LDAP as IdP
1) Create a secret with the IdM admin user password
2) Create a ConfigMap (cm) containing the IdM CA's root certificate
3) Extract oauth cluster and add identity provider
Create a secret with LDAP admin user password
oc create secret generic ldap-secret \
--from-literal=bindPassword=${LDAP_ADMIN_PASSWORD} \
-n openshift-config
Create a ConfigMap (cm) containing the IdM CA's root certificate
oc create configmap ca-config-map \
--from-file=ca.crt=<(curl http://idm.ocp-${GUID}.example.com/ipa/config/ca.crt) \
-n openshift-config
OAuth cluster CR for LDAP
Add cluster admin role to admin user
oc adm policy add-cluster-role-to-user cluster-admin admin
Steps to check when troubleshooting LDAP
1) Authentication Operator Logs.
2) OAuth pod status.
3) LDAP server logs.
OCP CA crt URL
http://idm.ocp4.example.com/ipa/config/ca.crt
How do you sync LDAP groups with OCP?
1) Create LDAPSyncConfig CR and run it manually or using a CronJob.
2) Assign cluster admin role to admin group
Example LDAPSyncConfig
How do you validate an LDAPSyncConfig?
oc adm groups sync --sync-config tmp/ldap-sync.yml
(without --confirm this is a dry run: it prints the groups that would be created or updated without changing the cluster)
Steps to create a CronJob that performs a periodic LDAP group sync
1) Store LDAP bind password in an OCP Secret so the CronJob can access the password in a secure way.
2) Store LDAPSyncConfig and the IdM cert in a ConfigMap so the CronJob can use them.
3) Create the CronJob
Store LDAP bind password in an OCP Secret so the CronJob can access the password in a secure way
oc create secret generic ldap-secret \
--from-literal bindPassword=r3dh4t
Store LDAPSyncConfig and the IdM cert in a ConfigMap so the CronJob can use them.
oc create configmap ldap-config --from-file \
ldap-group-sync.yaml=tmp/ldap-sync-config-cronjob.yml,ca.crt=tmp/ca.crt
CronJob for LDAP sync
Inspect the CronJob execution
watch oc get cronjobs,jobs,pods