If you are facing an LDAP authentication issue in an existing OpenShift cluster, for example after deploying a self-signed/SSL certificate or after performing any major activity on the cluster, this article may help.
A typical symptom is an intermittent login issue with your LDAP credentials: in a cluster with three masters, only one out of every three login requests succeeds.
This shows that only one of the three masters has the proper LDAP configuration and that something is wrong on the other two, so the requests routed to those two masters are not served properly.
To resolve this issue, follow the steps below.
Log in to all three masters, open the master-config.yaml file on each one, and identify which master has an issue with its LDAP configuration:
$ sudo su -
# vim /etc/origin/master/master-config.yaml
You will probably find that the LDAP section is missing from the master config on the affected masters. Add the LDAP configuration to the YAML file as shown below (the bindDN, bindPassword and URL values are masked here; use your own). Note that with insecure: false and an ldap:// URL the master upgrades the connection to TLS (StartTLS), so the directory server's certificate must be trusted: leave ca empty to use the system trust roots, or point it at the CA bundle file that signed the server certificate.
oauthConfig:
  assetPublicURL: https://master.demodevopsage.com/console/
  grantConfig:
    method: auto
  ##Add LDAP Configs from here
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: htpasswd_auth
    provider:
      apiVersion: v1
      file: /etc/origin/master/htpasswd
      kind: HTPasswdPasswordIdentityProvider
  - challenge: true
    login: true
    mappingMethod: claim
    name: AD
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - sAMAccountName
        name:
        - cn
        preferredUsername:
        - sAMAccountName
      bindDN: cn=XXXX AD,ou=XXX,dc=demodevops,dc=com
      bindPassword: XXXXXX
      ca: ''
      insecure: false
      kind: LDAPPasswordIdentityProvider
      url: ldap://ldapserver.demodevops.com:389/ou=XX,dc=demodevops,dc=com?sAMAccountName?sub?(objectClass=user)
Once you have updated the master-config.yaml file on each affected master, restart the master API and controller services. The commands differ between versions:
// For v3.6
# systemctl restart atomic-openshift-master-api
# systemctl restart atomic-openshift-master-controllers
// For v3.11
$ sudo /usr/local/bin/master-restart api api
$ sudo /usr/local/bin/master-restart controllers controllers
Now try logging in with your AD credentials again, repeating the login a few times so that the requests reach each master, and check that every attempt works.
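The following shell script is an added example and is not part of the original article or of the OpenShift project. It automates the first step above, classifying each master's master-config.yaml as ok, missing the LDAP identity provider, or configured with insecure: true (which turns off verification of the directory server's certificate). The master hostnames, the ssh fetch helper and the three sample configuration files are constructed for illustration; in a real cluster you would fetch the real file from each master and pass the local copies to check_all_masters.

```shell
#!/bin/sh
# Added example, not from the original article: compare the oauthConfig of each
# master's master-config.yaml and report which masters lack the LDAP identity
# provider or have TLS verification switched off. Hostnames and the sample
# configs below are constructed for illustration.

# Copy /etc/origin/master/master-config.yaml from one master over ssh into a
# local file (assumes passwordless sudo on the hypothetical master hosts).
# Not called by the offline sample run below.
fetch_master_config() {
    ssh "$1" sudo cat /etc/origin/master/master-config.yaml > "$2"
}

# Returns 0 when the config defines an LDAPPasswordIdentityProvider, 1 otherwise.
has_ldap_idp() {
    grep -q 'kind: LDAPPasswordIdentityProvider' "$1"
}

# Returns 0 when no identity provider in the file sets "insecure: true",
# i.e. the master will verify the directory server's certificate.
# (Line-level check: a file with several providers is judged as a whole.)
idp_verifies_tls() {
    ! grep -q 'insecure: true' "$1"
}

# Classify one master: prints "<master> ok", "<master> missing-ldap" or
# "<master> insecure-tls", and returns 0 only for "ok".
report_master() {
    master="$1"; cfg="$2"
    if ! has_ldap_idp "$cfg"; then
        echo "$master missing-ldap"; return 1
    elif ! idp_verifies_tls "$cfg"; then
        echo "$master insecure-tls"; return 1
    fi
    echo "$master ok"
}

# Run report_master over "<master> <file>" pairs given as arguments; the exit
# status is the number of masters that are not ok.
check_all_masters() {
    bad=0
    while [ $# -ge 2 ]; do
        report_master "$1" "$2" || bad=$((bad + 1))
        shift 2
    done
    return $bad
}

# --- constructed sample configs standing in for the three masters ---
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
SAMPLE_OK="$WORKDIR/master1.yaml"        # LDAP provider present, TLS verified
SAMPLE_MISSING="$WORKDIR/master2.yaml"   # only htpasswd, LDAP section missing
SAMPLE_INSECURE="$WORKDIR/master3.yaml"  # LDAP present but insecure: true

cat > "$SAMPLE_OK" <<'EOF'
oauthConfig:
  identityProviders:
  - name: AD
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      insecure: false
      ca: ''
      url: ldap://ldap.example.invalid:389/ou=XX,dc=example,dc=invalid?sAMAccountName?sub?(objectClass=user)
EOF

cat > "$SAMPLE_MISSING" <<'EOF'
oauthConfig:
  identityProviders:
  - name: htpasswd_auth
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: HTPasswdPasswordIdentityProvider
      file: /etc/origin/master/htpasswd
EOF

cat > "$SAMPLE_INSECURE" <<'EOF'
oauthConfig:
  identityProviders:
  - name: AD
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      insecure: true
      url: ldap://ldap.example.invalid:389/ou=XX,dc=example,dc=invalid?sAMAccountName?sub?(objectClass=user)
EOF

# Sample run: one line per master. In this constructed setup two of three
# masters need attention, which matches the "one login in three" symptom.
if check_all_masters master1 "$SAMPLE_OK" master2 "$SAMPLE_MISSING" master3 "$SAMPLE_INSECURE"; then
    echo "all masters ok"
else
    echo "masters needing attention: $?"
fi
```

A grep-based check is deliberately simple: it works on any master without extra tooling and is enough to spot a missing provider block or a stray insecure: true, which are the two configuration differences that produce the every-third-login symptom described above.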