openshift / origin

Conformance test suite for OpenShift
http://www.openshift.org
Apache License 2.0

LDAP Sync TODO list #4851

Open stevekuznetsov opened 9 years ago

stevekuznetsov commented 9 years ago

Dev-cut:



Post dev-cut:

deads2k commented 9 years ago

@stevekuznetsov Schema1 works with an exposed config. Once you get enough tests done for it, we can claim the trello card.

deads2k commented 9 years ago

"install openldap client" - https://github.com/openshift/vagrant-openshift/pull/336

deads2k commented 9 years ago

Need union group name mappings to allow user-defined if present and attributes otherwise.

Also, we need to make a label of the hostname on groups we sync. It's not perfect, but it's better than nothing.

We also need to add a custom --label flag to add custom labels.

stevekuznetsov commented 9 years ago

We need to find a way to mutate the host to be a label, previously there was the issue of formatting (labels can't have colons? I can't remember).

deads2k commented 9 years ago

> We need to find a way to mutate the host to be a label, previously there was the issue of formatting (labels can't have colons? I can't remember).

Yeah, we couldn't do host:port, but we need some kind of selector. We'll do host by default (which should work) and we'll leave custom labels for people doing crazy things.
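The colon problem is a consequence of the Kubernetes label-value rules (at most 63 characters; if non-empty, must start and end with an alphanumeric and may only contain `-`, `_` and `.` in between). The following is an added illustration, not Origin's own sync code: it checks a candidate value against that rule and derives a label value from an LDAP server address by dropping the port, which is the "host by default" behaviour discussed above. The function names are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// Kubernetes label values: at most 63 characters; empty is allowed, otherwise the
// value must begin and end with an alphanumeric and may contain '-', '_' and '.'
// in between. A colon is never permitted, so "host:port" can never be a label.
var labelValueRE = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)

// IsValidLabelValue reports whether v may be stored as a label value.
func IsValidLabelValue(v string) bool {
	return len(v) <= 63 && labelValueRE.MatchString(v)
}

// HostLabelValue derives a label value from an LDAP server address.
// If the address carries a port ("host:port"), only the host part is used;
// a bare hostname is used as-is. An error is returned when the result still
// is not a valid label value (for example a bracketed IPv6 literal).
func HostLabelValue(addr string) (string, error) {
	host := addr
	if h, _, err := net.SplitHostPort(addr); err == nil {
		host = h
	}
	if !IsValidLabelValue(host) {
		return "", fmt.Errorf("%q is not a valid label value", host)
	}
	return host, nil
}

func main() {
	// Constructed sample addresses, not values from a real deployment.
	for _, addr := range []string{"ldap.example.com:389", "ldap.example.com", "[2001:db8::1]:636"} {
		v, err := HostLabelValue(addr)
		fmt.Printf("%-22s -> label=%q err=%v\n", addr, v, err)
	}
}
```

An address that cannot be reduced to a valid label value is the case the thread leaves to a user-supplied custom label.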

lypht commented 8 years ago

Happy New Year, all! Is there a branch that is in sync with the Openshift Origin documentation? Running oadm groups sync --type=openshift --sync-config=foo.yml as per these instructions throws unknown command: sync and unknown flag: --type errors respectively. We have validated that the command fails on both a libvirt bin/cluster development build and a GCE BYO stack, both built from openshift/openshift-ansible.

stevekuznetsov commented 8 years ago

@lypht Current Origin HEAD is in sync with the documentation, and the last changes for this command were made in commit https://github.com/stevekuznetsov/origin/commit/6eb1b3652c461588c9eed5ea3e9d74e994d722a7, merged fifteen days ago. Perhaps the build is picking up an older version? Does openshift ex sync-groups work in place of oadm groups sync?

lypht commented 8 years ago

Thanks, Steve. It looks like what is being deployed through Ansible is from December 2nd. Should I build from origin source to get these commits?

stevekuznetsov commented 8 years ago

The version from December 2nd should have LDAP group sync, but oadm groups sync is invoked with openshift ex sync-groups, but unless you upgrade to at least December 9th (https://github.com/openshift/origin/commit/d2c519988d829b2df749d9a4b022d0e0dd01326c), you won't have oadm groups prune. I'd suggest you use the latest version you can.

lypht commented 8 years ago

Thanks again. If I run the upgrade playbook from BYO, will it pull the latest stable, or is this only for versioning if not on 1.1?

stevekuznetsov commented 8 years ago

I'm not certain about that, @sdodson could you please chime in?

sdodson commented 8 years ago

> Thanks again. If I run the upgrade playbook from BYO, will it pull the latest stable, or is this only for versioning if not on 1.1?

The playbooks, unless you specify that you want a containerized install, rely on RPMs for installation and those are only built for tagged releases. If you like you can add containerized=true and give that a shot but it's definitely a less tested path at this point.

https://github.com/openshift/openshift-ansible/blob/master/README_CONTAINERIZED_INSTALLATION.md documents containerized installation.

lypht commented 8 years ago

openshift ex sync-groups works. Thanks again!

stevekuznetsov commented 8 years ago

@lypht glad to hear! Feel free to send other feedback or thoughts to me on GitHub or to our mailing list.

pweil- commented 7 years ago

nested groups doc https://docs.openshift.org/latest/install_config/syncing_groups_with_ldap.html#sync-ldap-nested-example

@stevekuznetsov close or send this @enj's way?

stevekuznetsov commented 7 years ago

@enj you are very welcome

aneagoe commented 7 years ago

I'm not really sure where an RFE would fit, but it's highly related to this topic. There doesn't seem to be a way to define multiple ldap URLs and the proposed way to handle redundancy is far from ideal (https://docs.openshift.com/container-platform/3.6/install_config/advanced_ldap_configuration/sssd_for_ldap_failover.html) since it requires configuration of additional infrastructure (two additional servers, httpd as proxy, integration of said servers with ldap and clustering to move a virtual IP between). Ideally, one should just be able to specify the additional URLs in the config and have openshift fail over if the first one fails. Can this be integrated into this TODO list or where should I submit such a request?

enj commented 7 years ago

@aneagoe I added it as a TODO item at the top, but you are welcome to submit an RFE to https://bugzilla.redhat.com. Any changes to LDAP are low priority and are unlikely to be addressed at this time.

rjhowe commented 7 years ago

@aneagoe This was already proposed and denied keeping with the proposed way outlined in the doc link you provided. Bug/RFE 1459046

openshift-bot commented 6 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot commented 6 years ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

stevekuznetsov commented 6 years ago

RIP :rose:

enj commented 5 years ago

/unassign

@stlaz @sttts @mfojtik