# openshift start \ --public-master=https://openshift.example.com:8443 \ --write-config=/etc/origin/
OpenShift Container Platform provides an authentication provider for use with Lightweight Directory Access Protocol (LDAP) setups, but it can only connect to a single LDAP server. This can be problematic if that LDAP server becomes unavailable. System Security Services Daemon (SSSD) can be used to solve the issue.
Originally designed to manage local and remote authentication to the host operating system, SSSD can now be configured to provide identity, authentication, and authorization services to web services like OpenShift Container Platform. SSSD provides advantages over the built-in LDAP provider, including the ability to connect to any number of failover LDAP servers, as well as the ability to cache authentication attempts in case it can no longer reach any of those servers.
The setup for this configuration is advanced and requires a separate authentication server (also called an authenticating proxy) for OpenShift Container Platform to communicate with. This topic describes how to do this setup on a dedicated physical or virtual machine (VM), but the concepts are also applicable to a setup in a container.
Before starting setup, you need to know the following information about your LDAP server.
Whether the directory server is powered by FreeIPA, Active Directory, or another LDAP solution.
The Uniform Resource Identifier (URI) for the LDAP server (for example, ldap.example.com).
The location of the CA certificate for the LDAP server.
Whether the LDAP server corresponds to RFC 2307 or RFC2307bis for user groups.
Prepare the VMs:
proxy.example.com: A VM to use as the authenticating proxy. This machine must have at least SSSD 1.12.0 available, which means a fairly recent operating system. This topic uses a Red Hat Enterprise Linux 7.2 server for its examples.
openshift.example.com: A VM to use to run OpenShift Container Platform.
These VMs can be configured to run on the same system, but for the examples used in this topic they are kept separate. |
This phase generates certificate files that are valid for two years (or five
years for the certification authority (CA) certificate). This can be altered
with the |
Perform this procedure on the first master host listed in the Ansible host inventory file, by default /etc/ansible/hosts.
To ensure that communication between the authenticating proxy and OpenShift Container Platform is trustworthy, create a set of Transport Layer Security (TLS) certificates to use during the other phases of this setup. In the OpenShift Container Platform system, start by using the auto-generated certificates created as part of running:
# openshift start \ --public-master=https://openshift.example.com:8443 \ --write-config=/etc/origin/
Among other things, this generates a /etc/origin/master/ca.{cert|key}. Use this signing certificate to generate keys to use on the authenticating proxy.
# mkdir -p /etc/origin/proxy/ # oc adm ca create-server-cert \ --cert='/etc/origin/proxy/proxy.example.com.crt' \ --key='/etc/origin/proxy/proxy.example.com.key' \ --hostnames=proxy.example.com \ --signer-cert=/etc/origin/master/ca.crt \ --signer-key='/etc/origin/master/ca.key' \ --signer-serial='/etc/origin/master/ca.serial.txt'
Ensure that any host names and interface IP addresses that need to access the proxy are listed. Otherwise, the HTTPS connection will fail. |
Create a new CA to sign this client certificate:
# oc adm ca create-signer-cert \ --cert='/etc/origin/proxy/proxyca.crt' \ --key='/etc/origin/proxy/proxyca.key' \ --name='openshift-proxy-signer@UNIQUESTRING' \ (1) --serial='/etc/origin/proxy/proxyca.serial.txt'
1 | Make UNIQUESTRING something unique. |
Generate the API client certificate that the authenticating proxy will use to prove its identity to OpenShift Container Platform.
# oc adm create-api-client-config \ --certificate-authority='/etc/origin/proxy/proxyca.crt' \ --client-dir='/etc/origin/proxy' \ --signer-cert='/etc/origin/proxy/proxyca.crt' \ --signer-key='/etc/origin/proxy/proxyca.key' \ --signer-serial='/etc/origin/proxy/proxyca.serial.txt' \ --user='system:proxy'
This prevents malicious users from impersonating the proxy and sending fake identities.
Copy the certificate and key information to the appropriate file for future steps:
# cat /etc/origin/proxy/system\:proxy.crt \ /etc/origin/proxy/system\:proxy.key \ > /etc/origin/proxy/authproxy.pem
This section guides you through the steps to authenticate the proxy setup.
From openshift.example.com, securely copy the necessary certificates to the proxy machine:
# scp /etc/origin/master/ca.crt \ root@proxy.example.com:/etc/pki/CA/certs/ # scp /etc/origin/proxy/proxy.example.com.crt \ /etc/origin/proxy/authproxy.pem \ root@proxy.example.com:/etc/pki/tls/certs/ # scp /etc/origin/proxy/proxy.example.com.key \ root@proxy.example.com:/etc/pki/tls/private/
Install a new VM with an operating system that includes 1.12.0 or later so that you can use the mod_identity_lookup module. The examples in this topic use a Red Hat Enterprise Linux 7.2 Server.
Install all of the necessary dependencies:
# yum install -y sssd \ sssd-dbus \ realmd \ httpd \ mod_session \ mod_ssl \ mod_lookup_identity \ mod_authnz_pam
This gives you the needed SSSD and the web server components.
Edit the /etc/httpd/conf.modules.d/55-authnz_pam.conf file and remove the comment from the following:
LoadModule authnz_pam_module modules/mod_authnz_pam.so
Set up SSSD to authenticate this VM against the LDAP server. If the LDAP server is a FreeIPA or Active Directory environment, then realmd can be used to join this machine to the domain.
# realm join ldap.example.com
For more advanced case, see the System-Level Authentication Guide
If you want to use SSSD to manage failover situations for LDAP, this can be configured by adding additional entries in /etc/sssd/sssd.conf on the ldap_uri line. Systems enrolled with FreeIPA can automatically handle failover using DNS SRV records.
Restart SSSD to ensure that all of the changes are applied properly:
$ systemctl restart sssd.service
Test that the user information can be retrieved properly:
$ getent passwd <username> username:*:12345:12345:Example User:/home/username:/usr/bin/bash
Attempt to log into the VM as an LDAP user and confirm that the authentication is properly set up. This can be done via the local console or a remote service such as SSH.
If you do not want LDAP users to be able to log into this machine, it is recommended to modify /etc/pam.d/system-auth and /etc/pam.d/password-auth to remove the lines containing pam_sss.so. |
You need to set up Apache to communicate with SSSD. Create a PAM stack file for use with Apache. To do so:
Create the /etc/pam.d/openshift file and add the following contents:
auth required pam_sss.so account required pam_sss.so
This configuration enables PAM (the pluggable authentication module) to use pam_sss.so to determine authentication and access control when an authentication request is issued for the openshift stack.
Configure the Apache httpd.conf. The steps in this section focus on
setting up the challenge authentication, which is useful for logging in with oc
login
and similar automated tools.
Configuring Form-Based Authentication explains how to set up a graphical login using SSSD as well, but it requires the rest of this setup as a prerequisite. |
Create the new file openshift-proxy.conf in /etc/httpd/conf.d (substituting the correct host names where indicated):
LoadModule request_module modules/mod_request.so LoadModule lookup_identity_module modules/mod_lookup_identity.so # Nothing needs to be served over HTTP. This virtual host simply redirects to # HTTPS. <VirtualHost *:80> DocumentRoot /var/www/html RewriteEngine On RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L] </VirtualHost> <VirtualHost *:443> # This needs to match the certificates you generated. See the CN and X509v3 # Subject Alternative Name in the output of: # openssl x509 -text -in /etc/pki/tls/certs/proxy.example.com.crt ServerName proxy.example.com DocumentRoot /var/www/html SSLEngine on SSLCertificateFile /etc/pki/tls/certs/proxy.example.com.crt SSLCertificateKeyFile /etc/pki/tls/private/proxy.example.com.key SSLCACertificateFile /etc/pki/CA/certs/ca.crt # Send logs to a specific location to make them easier to find ErrorLog logs/proxy_error_log TransferLog logs/proxy_access_log LogLevel warn SSLProxyEngine on SSLProxyCACertificateFile /etc/pki/CA/certs/ca.crt # It's critical to enforce client certificates on the Master. Otherwise # requests could spoof the X-Remote-User header by accessing the Master's # /oauth/authorize endpoint directly. SSLProxyMachineCertificateFile /etc/pki/tls/certs/authproxy.pem # Send all requests to the console RewriteEngine On RewriteRule ^/console(.*)$ https://%{HTTP_HOST}:8443/console$1 [R,L] # In order to using the challenging-proxy an X-Csrf-Token must be present. RewriteCond %{REQUEST_URI} ^/challenging-proxy RewriteCond %{HTTP:X-Csrf-Token} ^$ [NC] RewriteRule ^.* - [F,L] <Location /challenging-proxy/oauth/authorize> # Insert your backend server name/ip here. ProxyPass https://openshift.example.com:8443/oauth/authorize AuthType Basic AuthBasicProvider PAM AuthPAMService openshift Require valid-user </Location> <ProxyMatch /oauth/authorize> AuthName openshift RequestHeader set X-Remote-User %{REMOTE_USER}s env=REMOTE_USER </ProxyMatch> </VirtualHost> RequestHeader unset X-Remote-User
Configuring Form-Based Authentication explains how to add the login-proxy block to support form authentication. |
Set a boolean to tell SELinux that it is acceptable for Apache to contact the PAM subsystem:
# setsebool -P allow_httpd_mod_auth_pam on
Start up Apache:
# systemctl start httpd.service
This section describes how to set up an OpenShift Container Platform server from scratch in an "all in one" configuration. Master and Node Configuration provides more information on alternate configurations.
Modify the default configuration to use the new identity provider just created. To do so:
Modify the /etc/origin/master/master-config.yaml file.
Scan through it and locate the identityProviders section and replace it with:
identityProviders: - name: any_provider_name challenge: true login: false mappingMethod: claim provider: apiVersion: v1 kind: RequestHeaderIdentityProvider challengeURL: "https://proxy.example.com/challenging-proxy/oauth/authorize?${query}" clientCA: /etc/origin/proxy/proxyca.crt headers: - X-Remote-User
Configuring Form-Based Authentication explains how to add the login URL to support web logins. Configuring Extended LDAP Attributes explains how to add the email and full-name attributes. Note that the full-name attributes are only stored to the database on the first login. |
Start OpenShift Container Platform with the updated configuration:
# openshift start \ --public-master=https://openshift.example.com:8443 \ --master-config=/etc/origin/master/master-config.yaml \ --node-config=/etc/origin/node-node1.example.com/node-config.yaml
Test logins:
oc login https://openshift.example.com:8443
It should now be possible to log in with only valid LDAP credentials.