redhat-cop / group-sync-operator

Synchronizes groups from external providers into OpenShift
Apache License 2.0

ldap syncs only group names, not members #305

Closed ikke-t closed 6 months ago

ikke-t commented 6 months ago

Hi,

now that I got group sync going for LDAP, I'm only half there. For some reason it doesn't pull the group members:

oc get groups            
NAME           USERS
aap_admins     
admins         
ai_vol         
arrow          
arrowops       
developers     
devikone       
editors        
enfo           
gitlabusers    
ipausers       
nfs-users      
odh-admins     
odh-users      
partners       
rhops          
trust admins

So each group shows empty. Now compare this to another cluster with LDAP sync setup following the ocp docs against the same IdM LDAP server:

 oc get groups
NAME           USERS
aap_admins     ikke, mbang, jboivie, jwesterl, mglantz, jwennerb, codell, pgustafs, tsohlber, teli, mbengtss, sunathan, cbucur, jstrahle, sara, rschaert
admins         admin, ikke, mbang, jboivie, jwesterl, mglantz, jwennerb, codell, pgustafs, tsohlber, teli, mbengtss, sunathan, cbucur, jstrahle, sara
ai_vol         sara, teli, mmurakam, cbucur
arrow          teli, jlambert, eripley, tkane, adallas, dparker
arrowops       teli
developers     mmurakam, sara, teli, ikke, mikaheim, cbucur, jlambert, tkane, eripley, dparker, adallas, tpalenius, asalonen, jalare
devikone       asalonen, jalare, tpalenius
editors        tsohlber
enfo           mikaheim
gitlabusers    codell, pgustafs, ikke, teli, earvonen, tsohlber
ipausers       ikke, mbang, jboivie, jwesterl, mglantz, jwennerb, earvonen, codell, pgustafs, tsohlber, mmurakam, teli, sara, suvmitra, mbengtss, apelline, luferrar, elajoie, rschaert, sunathan, mikaheim, cbucur, eripley, tkane, adallas, jlambert, dparker, jstrahle, asalonen, tpalenius, jalare, ncarboni
nfs-users      jwesterl
odh-admins     mmurakam, sara, teli, ikke, cbucur
odh-users
partners       sara, teli, jlambert, adallas, eripley, tkane, dparker, mikaheim
rhods-admins
rhops          ikke, mbang, jboivie, jwesterl, mglantz, jwennerb, codell, pgustafs, earvonen, tsohlber, teli, suvmitra, mmurakam, mbengtss, luferrar, elajoie, apelline, rschaert, sunathan, cbucur, jstrahle, sara
trust admins   admin

So some last step to pull the group members is missing from the operator.

ikke-t commented 6 months ago

For comparison, I don't see a difference in the config from my Helm chart:

oc get -o yaml cm ldap-group-syncer
apiVersion: v1
data:
  sync.yaml: |
    kind: LDAPSyncConfig
    apiVersion: v1
    url: 'ldaps://rh-idm-01.cool.lab'
    insecure: false
    bindDN: 'uid=aap_ldap,cn=sysaccounts,cn=etc,dc=cool,dc=lab'
    bindPassword:
      file: "/etc/secrets/bindPassword"
    ca: /etc/ldap-ca/ca.crt
    rfc2307:
        groupsQuery:
            baseDN: 'cn=groups,cn=accounts,dc=cool,dc=lab'
            scope: sub
            derefAliases: never
            pageSize: 0
            filter: (objectClass=ipausergroup)
        groupUIDAttribute: dn
        groupNameAttributes: [ cn ]
        groupMembershipAttributes: [ member ]
        usersQuery:
            baseDN: 'cn=users,cn=accounts,dc=cool,dc=lab'
            # filter: (objectClass=inetOrgPerson)
            scope: sub
            derefAliases: never
            pageSize: 0
        userUIDAttribute: dn
        userNameAttributes: [ uid ]
        tolerateMemberNotFoundErrors: false
        tolerateMemberOutOfScopeErrors: false
kind: ConfigMap

Compared to the one I have in the group sync operator:

- op: add
  path: /spec/providers
  value:
    - ldap:
        credentialsSecret:
          name: ldap-secret
          namespace: openshift-config
        caSecret:
          name: ca-config-map
          namespace: openshift-config
          kind: ConfigMap
          key: ca.crt
        insecure: false
        rfc2307:
          groupMembershipAttributes:
            - member
          groupNameAttributes:
            - cn
          groupUIDAttribute: dn
          groupsQuery:
            baseDN: 'cn=groups,cn=accounts,dc=cool,dc=lab'
            derefAliases: never
            filter: (objectClass=ipausergroup)
            scope: sub
          tolerateMemberNotFoundErrors: true
          tolerateMemberOutOfScopeErrors: true
          userUIDAttribute: dn
          userNameAttributes:
            - uid
          usersQuery:
            baseDN: 'cn=users,cn=accounts,dc=cool,dc=lab'
            derefAliases: never
            scope: sub
        url: ldaps://rh-idm-01.cool.lab
      name: ldap

ikke-t commented 6 months ago

Thanks to Andrew for finding my error. I had forgotten to use the right secret. I created the group-sync secret in the group-sync-operator namespace, but forgot to change the GroupSync object to point to that instead of the ldap-secret in the openshift-config namespace, which has different fields (bindPassword instead of password).
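The two configurations posted above differ in where the bind credentials come from, and the closing comment pins the empty-membership symptom on a Secret with the wrong key layout: the openshift-config ldap-secret used by the OAuth identity provider carries bindPassword, while the operator reads password. As an added example (not code from this thread or from the group-sync-operator), here is a Python check that takes a GroupSync object and the Secrets it references, shaped like `oc get groupsync -o json` / `oc get secret -o json` output, and reports a missing Secret, missing or empty keys, and specifically the bindPassword-only layout. Assumptions: the operator expects `username` and `password` keys in credentialsSecret (the thread confirms `password`; `username` is taken from the operator's README), an omitted credentialsSecret namespace falls back to the GroupSync's own namespace, and all Secret contents below are constructed placeholders.

```python
"""Validate that a GroupSync's LDAP credentialsSecret exists and carries the keys
the group-sync-operator reads. Added example for this thread, not the operator's
own code. Inputs are shaped like `oc get groupsync/secret -o json` output."""
import base64
import json

# Keys the group-sync-operator LDAP provider reads from credentialsSecret.
# 'password' is confirmed by the thread; 'username' is taken from the operator's
# README and treated here as an assumption.
EXPECTED_KEYS = {"username", "password"}
# Key layout of the openshift-config secret used by the OAuth LDAP identity
# provider and by LDAPSyncConfig's bindPassword file: the wrong secret to reference.
OAUTH_STYLE_KEYS = {"bindPassword"}


def b64(s):
    """Encode a string the way Secret.data stores values."""
    return base64.b64encode(s.encode()).decode()


def check_credentials(groupsync, secrets):
    """Return a list of findings for every ldap provider in `groupsync`.

    `secrets` maps (namespace, name) -> Secret object. An empty list means each
    referenced Secret exists and has non-empty values for all EXPECTED_KEYS.
    """
    findings = []
    gs_ns = groupsync.get("metadata", {}).get("namespace")
    for provider in groupsync.get("spec", {}).get("providers", []):
        ldap = provider.get("ldap")
        if ldap is None:
            continue
        pname = provider.get("name", "<unnamed>")
        ref = ldap.get("credentialsSecret", {})
        # Assumption: an omitted namespace means the GroupSync's own namespace.
        ns, name = ref.get("namespace", gs_ns), ref.get("name")
        secret = secrets.get((ns, name))
        if secret is None:
            findings.append(f"{pname}: secret {ns}/{name} not found")
            continue
        data = secret.get("data") or {}
        present = set(data)
        missing = EXPECTED_KEYS - present
        if missing:
            msg = f"{pname}: secret {ns}/{name} is missing key(s) {sorted(missing)}"
            if present & OAUTH_STYLE_KEYS:
                msg += (" (it has bindPassword: an OAuth/LDAPSyncConfig-style "
                        "secret, not a group-sync one)")
            findings.append(msg)
        # An empty value binds as badly as a missing key, so flag it too.
        for key in sorted(EXPECTED_KEYS & present):
            if not base64.b64decode(data[key]):
                findings.append(f"{pname}: key {key} in {ns}/{name} is empty")
    return findings


def groupsync_with_secret(ns, name):
    """Constructed GroupSync mirroring the provider spec posted in the thread,
    parameterised on the credentialsSecret reference."""
    return {
        "apiVersion": "redhatcop.redhat.io/v1alpha1",
        "kind": "GroupSync",
        "metadata": {"name": "ldap", "namespace": "group-sync-operator"},
        "spec": {"providers": [{
            "name": "ldap",
            "ldap": {
                "url": "ldaps://rh-idm-01.cool.lab",
                "insecure": False,
                "credentialsSecret": {"name": name, "namespace": ns},
                "rfc2307": {"groupUIDAttribute": "dn", "userUIDAttribute": "dn"},
            },
        }]},
    }


# Constructed Secrets: the OAuth-style one in openshift-config (wrong keys) and
# the one created for the operator (right keys). Values are placeholders.
SECRETS = {
    ("openshift-config", "ldap-secret"): {
        "kind": "Secret", "data": {"bindPassword": b64("placeholder")}},
    ("group-sync-operator", "group-sync"): {
        "kind": "Secret",
        "data": {"username": b64("uid=aap_ldap,cn=sysaccounts,cn=etc,dc=cool,dc=lab"),
                 "password": b64("placeholder")}},
}

BROKEN = groupsync_with_secret("openshift-config", "ldap-secret")   # as posted
FIXED = groupsync_with_secret("group-sync-operator", "group-sync")  # after the fix

if __name__ == "__main__":
    for label, gs in (("as posted", BROKEN), ("after fix", FIXED)):
        print(label, json.dumps(check_credentials(gs, SECRETS), indent=2))
```

Run against live objects by feeding `oc get groupsync <name> -o json` and `oc get secret -n <ns> <name> -o json` into the same functions; the check deliberately never decodes or prints the credential values, only whether they are present and non-empty.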