Retrieve the IP address to set up LDAP:
$ ip address
From the output take the server's IP address.
Let's install LDAP. As an example we use Ubuntu 18.04.
Update the package index:
$ sudo apt update
Install LDAP:
$ sudo apt install slapd ldap-utils
During installation slapd asks for the admin password. For test purposes we set it to 'admin'.
Reconfigure the admin server to use the test admin DN, a valid IP in the LDAP server URL, and port 389. The LDAP port should also be publicly exposed. We use the nano editor to edit the configuration file:
$ sudo nano /etc/ldap/ldap.conf
Notice: for test purposes we use an LDAP server without certificates (the ldap:// protocol). In production you have to use the protected ldaps:// protocol with configured certificates.
Reconfigure slapd to apply our changes:
$ sudo dpkg-reconfigure slapd
In the console UI application let's select the following options:
- Omit OpenLDAP server configuration: No
- DNS domain name: example.com
- Organization name: che
- Administrator password: admin
- Confirm password: admin
- Database backend to use: MDB
- Do you want the database to be removed when slapd is purged: No
Now let's enable the memberOf LDAP module, because we want to limit user access by group for CRW.
Load the module from the file update-module.ldif:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f update-module.ldif
Let's check that the module was really loaded:
$ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | grep -i module
The command output should contain:
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}memberof.la
Let's add the memberOf overlay using the file add-memberof-overlay.ldif:
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfDangling: ignore
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f add-memberof-overlay.ldif
Don't forget to restart the LDAP service, otherwise the memberOf overlay may not work:
$ sudo systemctl restart slapd
Apply the test LDAP entities. There are two groups and one user per group in 'ldap-entities.ldif' (entries are separated by blank lines):
dn: ou=group,dc=example,dc=com
objectClass: organizationalUnit
ou: group

dn: ou=user,dc=example,dc=com
objectClass: organizationalUnit
ou: user

dn: uid=testuser,ou=user,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: testuser
sn: Test user
uid: testuser
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/testuser
loginShell: /bin/sh
gecos: Test User
mail: test@test
userPassword:: e1NTSEF9VG10VHZuNWVYZGZIWFBxWVZpbzVTdW1ZaDVDZDk5d24=

dn: uid=dev,ou=user,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: dev
sn: CRW dev
uid: dev
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/testuser
loginShell: /bin/sh
gecos: CRW dev
mail: [email protected]
userPassword:: e1NTSEF9R3hBdTd1THlZUG1HR2tKMGNQM0E5OXJKbHlVNHRpWGo=

dn: cn=crw,ou=group,dc=example,dc=com
objectClass: groupOfNames
cn: crw
member: uid=testuser,ou=user,dc=example,dc=com

dn: cn=crw-dev,ou=group,dc=example,dc=com
objectClass: groupOfNames
cn: crw-dev
member: uid=dev,ou=user,dc=example,dc=com
Apply the entities:
$ ldapadd -x -D cn=admin,dc=example,dc=com -W -f ldap-entities.ldif
Check the entities:
$ sudo ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=example,dc=com"
For Keycloak we will use a filter that allows access only to users from the crw group. First, check it using the CLI tools:
$ sudo ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=example,dc=com" memberof=cn=crw,ou=group,dc=example,dc=com
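As an added example that is not part of the original guide, the following Python emulates what the memberOf overlay derives from the groupOfNames entries above, so the expected result of the memberof= filter can be checked offline before pointing Keycloak at the server. The LDIF is a constructed subset of the entities file; the uid=ghost member is invented here to show a dangling member DN.

```python
# Added example, not from the guide: emulate the memberOf overlay's derivation.
from collections import defaultdict

# Constructed subset of the guide's ldap-entities.ldif; uid=ghost is invented
# here to show a dangling member DN (it has no entry of its own).
SAMPLE_LDIF = """\
dn: uid=testuser,ou=user,dc=example,dc=com
uid: testuser

dn: uid=dev,ou=user,dc=example,dc=com
uid: dev

dn: cn=crw,ou=group,dc=example,dc=com
objectClass: groupOfNames
member: uid=testuser,ou=user,dc=example,dc=com

dn: cn=crw-dev,ou=group,dc=example,dc=com
objectClass: groupOfNames
member: uid=dev,ou=user,dc=example,dc=com
member: uid=ghost,ou=user,dc=example,dc=com
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; entries are separated by blank lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip()].append(value.strip())
        entries[attrs["dn"][0]] = dict(attrs)
    return entries

def derive_memberof(entries):
    """Map user DN -> group DNs, i.e. the memberOf values the overlay adds."""
    memberof, dangling = defaultdict(list), []
    for dn, attrs in entries.items():
        if "groupOfNames" not in attrs.get("objectClass", []):
            continue
        for member in attrs.get("member", []):
            if member in entries:
                memberof[member].append(dn)
            else:  # skipped on the server with olcMemberOfDangling: ignore
                dangling.append((dn, member))
    return dict(memberof), dangling

def users_in_group(entries, group_dn):
    """Same uids the filter memberof=<group_dn> returns from the live server."""
    memberof, _ = derive_memberof(entries)
    return sorted(entries[dn]["uid"][0] for dn, g in memberof.items() if group_dn in g)
```

A non-empty dangling list is worth checking, since with olcMemberOfDangling: ignore the server drops such members silently and the user simply never matches the group filter.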
Install CRW. Disable OpenShift OAuth; this can be done through the OpenShift UI or from the terminal:
$ oc patch checluster/codeready-workspaces -n openshift-workspaces --type=merge -p '{"spec":{"auth":{"openShiftoAuth": false}}}'
Create an LDAP User Federation provider in CRW Keycloak.