Overview

This topic builds upon Setting up SSSD for LDAP Failover and describes how to set up form-based authentication for signing into the OpenShift Container Platform web console.

Prepare a Login Page

The OpenShift Container Platform upstream repositories have a template for forms. Copy that to your authenticating proxy on proxy.example.com:

# curl -o /var/www/html/login.html \
    https://raw.githubusercontent.com/openshift/openshift-extras/master/misc/form_auth/login.html

Modify this .html file to change the logo icon and "Welcome" content for your environment.

Install Another Apache Module

To intercept form-based authentication, install an Apache module:

# yum -y install mod_intercept_form_submit

Apache Configuration

  1. Modify /etc/httpd/conf.modules.d/55-intercept_form_submit.conf and uncomment the LoadModule line.

  2. Add a new section to your openshift-proxy.conf file inside the <VirtualHost *:443> block.

     <Location /login-proxy/oauth/authorize>
      # Insert your backend server name/ip here.
      ProxyPass https://openshift.example.com:8443/oauth/authorize
    
      InterceptFormPAMService openshift
      InterceptFormLogin httpd_username
      InterceptFormPassword httpd_password
    
      RewriteCond %{REQUEST_METHOD} GET
      RewriteRule ^.*$ /login.html [L]
    </Location>

    This tells Apache to serve /login.html for GET requests to /login-proxy/oauth/authorize, and for POST requests to that path to take the submitted user name and password from the httpd_username and httpd_password form fields and pass them to the openshift PAM service before proxying the request to the master.

  3. Restart the service and move back over to the OpenShift Container Platform configuration.

OpenShift Container Platform Configuration

  1. In the master-config.yaml file, update the identityProviders section:

    identityProviders:
    - name: any_provider_name
      challenge: true
      login: true (1)
      mappingMethod: claim
      provider:
        apiVersion: v1
        kind: RequestHeaderIdentityProvider
        challengeURL: "https://proxy.example.com/challenging-proxy/oauth/authorize?${query}"
        loginURL: "https://proxy.example.com/login-proxy/oauth/authorize?${query}" (2)
        clientCA: /etc/origin/master/proxy/proxyca.crt
        headers:
        - X-Remote-User
    1 Note that login is set to true, not false.
    2 Newly added line.
  2. Restart OpenShift Container Platform with the updated configuration.

    You should be able to browse to https://openshift.example.com:8443 and use your LDAP credentials to sign in via the login form.
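The following is an added model of the two halves of this flow (the Apache login-proxy block in the previous section and the RequestHeaderIdentityProvider above); it is example code, not part of this guide, Apache, mod_intercept_form_submit or OpenShift. The "openshift" PAM service is replaced by a constructed in-memory credential table, and the proxy is assumed to drop any X-Remote-User header a browser sends so that the proxy itself is the only source of that header. The path, form field names, header name and clientCA path are the ones used in the configuration above.

```python
"""Model of form-based login through the authenticating proxy.

Stage 1, the Apache <Location /login-proxy/oauth/authorize> block:
  GET  -> rewritten to /login.html
  POST -> httpd_username/httpd_password checked against the PAM service,
          then proxied to the master with X-Remote-User set.
Stage 2, the master's RequestHeaderIdentityProvider with clientCA set:
  X-Remote-User is trusted only on a connection whose TLS client
  certificate chains to /etc/origin/master/proxy/proxyca.crt.

Nothing here talks to a real Apache, PAM or OpenShift master.
"""

# Constructed stand-in for the "openshift" PAM service; the real service
# checks LDAP through SSSD as configured in the previous topic.
FAKE_PAM_USERS = {"alice": "correct horse battery staple"}

LOGIN_PATH = "/login-proxy/oauth/authorize"
IDENTITY_HEADER = "X-Remote-User"


def pam_authenticate(service, username, password):
    """Stand-in for InterceptFormPAMService <service>; True on success."""
    if service != "openshift":
        return False
    return FAKE_PAM_USERS.get(username) == password


def login_proxy(method, path, headers, form):
    """Decide what the login-proxy Location block does with one request.

    Returns one of:
      ("serve", "login.html")       GET rewritten to the login form
      ("deny", <http status>)       wrong path/method or failed login
      ("forward", upstream_headers) POST accepted; proxied to the master
    """
    if not path.startswith(LOGIN_PATH):
        return ("deny", 404)
    if method == "GET":
        # RewriteCond %{REQUEST_METHOD} GET / RewriteRule ^.*$ /login.html [L]
        return ("serve", "login.html")
    if method != "POST":
        return ("deny", 405)

    # InterceptFormLogin httpd_username / InterceptFormPassword httpd_password
    username = form.get("httpd_username", "")
    password = form.get("httpd_password", "")
    if not username or not pam_authenticate("openshift", username, password):
        return ("deny", 401)

    # Headers sent upstream: any identity header supplied by the browser is
    # dropped, because the master trusts this header from the proxy and the
    # proxy must therefore be its only source. Form credentials stay here.
    upstream = {k: v for k, v in headers.items()
                if k.lower() != IDENTITY_HEADER.lower()}
    upstream[IDENTITY_HEADER] = username
    return ("forward", upstream)


def master_identity(client_cert_verified, headers):
    """Model of RequestHeaderIdentityProvider with clientCA configured.

    client_cert_verified: whether the connection's TLS client certificate
    chains to clientCA. Returns the user name to map (mappingMethod: claim)
    or None when no trusted identity is present.
    """
    if not client_cert_verified:
        # Without the clientCA check anyone who can reach :8443 could assert
        # an arbitrary user name by setting the header themselves.
        return None
    for name, value in headers.items():
        if name.lower() == IDENTITY_HEADER.lower() and value:
            return value
    return None


def end_to_end(method, headers, form, client_cert_verified=True):
    """Run one request through proxy then master; returns the identity or None."""
    action, payload = login_proxy(method, LOGIN_PATH, headers, form)
    if action != "forward":
        return None
    return master_identity(client_cert_verified, payload)


if __name__ == "__main__":
    print(login_proxy("GET", LOGIN_PATH, {}, {}))
    print(end_to_end("POST", {"X-Remote-User": "admin"},
                     {"httpd_username": "alice",
                      "httpd_password": "correct horse battery staple"}))
```

The two checks worth carrying over to a real deployment are the ones the model makes explicit: the proxy overwrites rather than forwards the browser's X-Remote-User, and the master accepts the header only from a connection authenticated with a certificate issued by the proxy CA.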