How to resolve the Openshift WebConsole Login Issue with AD Credentials.

By | May 6, 2020

If you are facing LDAP authentication issue in existing openshift cluster anytime or probably after deploying Self Signed/SSL certificate or after performing any of the major activity on the cluster, then you might need to check this article. 

If you face intermittent login issue using your LDAP credentials like for every 3 requests (Incase of 3 master), you are able to login to the cluster just once. 

This shows that out of 3 master only 1 master has proper LDAP configuration setup and there is something wrong with the other master resulting which request going to those 2 masters were not served properly. 

To resolve this issue, follow the below steps,

Login to all three masters and check the master-config.yaml file and Identity which node has an issue with LDAP Configurations

$ sudo su -
# vim /etc/origin/master/master-config.yaml

You may probably see that the LDAP Sections are missing in the master config. Add LDAP Configs to the YAML file as shown below.

oauthConfig:
   assetPublicURL: https://master.demodevopsage.com/console/
   grantConfig:
     method: auto
 ##Add LDAP Configs from here
 identityProviders:
 challenge: true
 login: true
 mappingMethod: claim
 name: htpasswd_auth
 provider:
   apiVersion: v1
   file: /etc/origin/master/htpasswd
   kind: HTPasswdPasswordIdentityProvider
 challenge: true
 login: true
 mappingMethod: claim
 name: AD
 provider:
   apiVersion: v1
   attributes:
     email:
     - mail
     id:
     - sAMAccountName
     name:
     - cn
     preferredUsername:
     - sAMAccountName
   bindDN: cn=XXXX AD,ou=XXX,dc=demodevops,dc=com
   bindPassword: XXXXXX
   ca: ''
   insecure: false
   kind: LDAPPasswordIdentityProvider
   url: ldap://ldapserver.demodevops.com:389/ou=XX,dc=demodevops,dc=com?sAMAccountName?sub?(objectClass=user) 

Once you updated the master-config.yaml file, you need to restart the master API and controller service, you can do so using the command below.

// For v3.6
 # systemctl restart atomic-openshift-master-api
 # systemctl restart atomic-openshift-master-controllers

// For v3.11
 $ sudo /usr/local/bin/master-restart api api
 $ sudo /usr/local/bin/master-restart controllers controllers

Now try connecting using your AD credentials and check whether It is working or not.

Leave a Reply

Your email address will not be published. Required fields are marked *