# general
Be careful with auth provider docs, I've already experienced that they can be out of date.
h
Thanks @powerful-librarian-10572. Can you clarify this: "Rancher needs a service account that has read-only access to all of the domains that will be able to login, so that we can determine what groups a user is a member of when they make a request with an API key."
What do they mean by a service account for all domains? How do I do that?
p
By default, IIRC, OpenLDAP doesn't restrict the read scope of a user, but I could be wrong.
h
If you don't mind, can you look at this @powerful-librarian-10572? In the LDAP auth provider: hostname --> ************, port ***** --> given based on my LDAP setup. Service account distinguished name --> I created dn: uid=rancher-service-account,ou=rancher,dc=tech*******,dc=com via LDAP, which I entered. Service account password: *****. User search base: ou=rancher,dc=tech*******,dc=com. Under "Test and enable authentication", which username and password do I need to give?
I created a local principal name the same as the SA distinguished name, and I gave the same password in both places too. Actually, I am not aware whether it's necessary or not, but I gave this in the "Test and enable authentication" place and got an authentication failed issue.
p
I'm sorry, I'm struggling to follow you.
For the test and enable auth, you need to give your LDAP user that will be linked to the local Rancher admin (which is a rather unusual way of working).
h
"Rancher needs a service account that has read-only access to all of the domains that will be able to login, so that we can determine what groups a user is a member of when they make a request with an API key." Can you clarify the above statement @powerful-librarian-10572?
p
You need a permanent service account (with minimal privileges) to access the OpenLDAP data.
h
[root@db2-primary sa]# cat sa-full-role.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: fluentd-service-account
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rancher-service-account
subjects:
  - kind: ServiceAccount
    name: rancher-service-account
    namespace: rancher
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rancher-service-account
  # ClusterRole is cluster-scoped, so the namespace field from the original paste is dropped
rules:
  - apiGroups: ["*"]
    resources:
      - clusters
      - namespaces
    verbs:
      - get
      - watch
      - list
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rancher-service-account
  namespace: rancher
secrets:
  - name: rancher-sa-secret
```
p
No no, a service account in the LDAP.
Not a kubes account.
h
A service account in LDAP means dn: uid=rancher-service-account,ou=rancher,dc=te******,dc=in?
p
Yes sir
h
Okay bro, thanks for clearing my confusion.
Hi @powerful-librarian-10572, I connected LDAP with Rancher and am able to log in through the LDAP provider service account user. But using that, how can I allow other LDAP users?
p
By default, now anyone can log in with LDAP (try in a private window).
h
But I can't log in via other LDAP users.
p
Do you have a log?
h
In the Rancher pod there are no relevant logs.