Your Browser is Out of Date

Nytro.ai uses technology that works best in other browsers.
For a full experience use one of the browsers below
Deployment Guide—Red Hat OpenShift Container Platform 4.2
Introduction Configuring switches Setting up the CSAH Node Deploying OpenShift 4.2
Introduction
Creating a bootstrap node
Creating master (etcd-*) nodes
Bootstrap steps
Validating and approving Certificate Signing Requests
Validating the cluster operators
OpenShift web console
Creating worker nodes
Authenticating platform users
Assigning a cluster admin role to the AD user
Image registry storage recommendations
Configuring Unity NFS volume for the image registry
Adding Worker Nodes Deploying Applications Provisioning Storage Monitoring References

Authenticating platform users

Authenticating platform users

  • OpenShift supports different authentication methods based on the authentication provider. For more information, see the Red Hat document Understanding authentication.

    Note: This deployment guide explains how to configure identity providers for htpasswd and Active Directory, but only one method is needed.

    Htpasswd authentication

    Unless otherwise directed, run the following commands in CSAH node as user core.

    To set up the prerequisites for user authentication using OpenShift cluster:

    1. Create a htpasswd file on the CSAH node by running the following command:

    cd /home/core/<install directory>/

    htpasswd -c -B -b htpasswd dellemc1 Password1

    htpasswd -b htpasswd mike Password2

    htpasswd -b htpasswd umesh Password3

    htpasswd -b htpasswd john Password4

    htpasswd -b htpasswd user1 Password5

    1. Create a secret (containing a username and passwords) for htpasswd using the htpasswd file you created in the preceding step:

    oc create secret generic htpass-secret --from-file=htpasswd=/home/core/openshift/htpasswd -n openshift-config

    1. Create a custom resource (CR). Save the following contents in a file:

    apiVersion: config.openshift.io/v1

    kind: OAuth

    metadata:

      name: cluster

    spec:

      identityProviders:

      - name: htpasswd

        mappingMethod: claim

        type: HTPasswd

        htpasswd:

          fileData:

            name: htpass-secret

    1. Apply the CR by running the following command:

    oc apply -f <file name>

    1. Log in as a user created with htpasswd:

    oc login -u <username>

    Authentication required for https://api.ocp.example.com:6443 (openshift)

    Username: <username>

    Password: <password>

    Login successful.

    You don't have any projects. You can try to create a new project, by running    oc new-project <projectname>

    Windows Active Directory authentication

    The prerequisites for user authentication using Windows Active Directory (AD) are:

    • OpenShift Cluster
    • AD
    • Sample users created in AD

    Note: Unless otherwise directed, run the commands in the CSAH node as user core.

    Perform the following steps to integrate OpenShift and AD for user authentication:

    1. Create a secret containing a password that can connect to AD—typically, an admin password—and search the tree by running the following command:
    1. oc create secret generic <secret-name> –from-literal=bindPassword=<password> -n openshift-config                 secret/<secret-name> created

    If you are not using certificates for authentication, skip to Step 5.

    1. Obtain the certificate used by AD. The certificate is displayed at the end of the output from:

         --BEGIN CERTIFICATE---- to ---------END CERTIFICATE--

    1. Copy the lines from BEGIN CERTIFICATE to END CERTIFICATE to a new file:

    openssl s_client -connect <AD ip>:<SSL Port> 2>/dev/null | openssl x509 -text

    For reference, ad.cert is provided as the name of the new file.

    1. Create a ConfigMap referencing the AD certificate file path by running the following command:
    2. oc create configmap <config-map-name> --from-file=ca.crt=<path to file ad.cert> -n openshift-config

    For reference, ca-config-map is provided as the name of the configmap.

    1. To create a CR for that AD identity provider, use the following sample CR and replace all the values that are specified in <>:

    apiVersion: config.openshift.io/v1

    kind: OAuth

    metadata:

        name: cluster

    spec:

       identityProviders:

       - name: <ip address of active directory>

         mappingMethod: claim

         type: LDAP

    ldap:

      attributes:

         id:

          - dn

        email:

          - mail

        name:

        - cn

        preferredUsername:

        - sAMAccountName

      bindDN: <provide the bindDN of the user who can query root dn referenced in url>

      bindPassword:

         name: <provide the secret name for the user specified in bindDN>

      ca:

        name: <provide the name of the configmap created>

      insecure: false

      url: "ldap://<AD FQDN>/<root dn>?sAMAccountName"

    If you are skipping Steps 2 to 4, delete ca, name and set insecure to true. Ensure that the AD FQDN entry is added to the DNS config in the CSAH node, and then save the file.

    1. Apply the CR by running the following command:

    oc apply -f <CR file name>

    1. Log in to the cluster as a user from AD. Enter the user password when prompted:

    oc login -u <username>

    Authentication required for https://api.ocp.example.com:6443 (openshift)

    Username: <username>

    Password: <password>

    Login successful.

    You don't have any projects. You can try to create a new project, by running

           oc new-project <projectname>