Skip to content

Instantly share code, notes, and snippets.

@canit00

canit00/ldap-groups-sync.yaml

Forked from danielkucera/ldap-groups-sync.yaml
Created July 13, 2020 13:48
Show Gist options
  • Save canit00/0a77224a0bd750d3535cc59b751b83e6 to your computer and use it in GitHub Desktop.
Save canit00/0a77224a0bd750d3535cc59b751b83e6 to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. @danielkucera danielkucera revised this gist Feb 20, 2020. No changes.
  2. @danielkucera danielkucera revised this gist Feb 20, 2020. No changes.
  3. @danielkucera danielkucera created this gist Feb 20, 2020.
    131 changes: 131 additions & 0 deletions ldap-groups-sync.yaml
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,131 @@
    kind: ServiceAccount
    apiVersion: v1
    metadata:
    name: ldap-group-syncer
    namespace: openshift-authentication
    labels:
    app: cronjob-ldap-group-sync
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    name: ldap-group-syncer
    labels:
    app: cronjob-ldap-group-sync
    rules:
    - apiGroups:
    - ''
    - user.openshift.io
    resources:
    - groups
    verbs:
    - get
    - list
    - create
    - update
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
    name: ldap-group-syncer
    labels:
    app: cronjob-ldap-group-sync
    subjects:
    - kind: ServiceAccount
    name: ldap-group-syncer
    namespace: openshift-authentication
    roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ldap-group-syncer
    ---
    kind: ConfigMap
    apiVersion: v1
    metadata:
    name: ldap-group-syncer
    namespace: openshift-authentication
    labels:
    app: cronjob-ldap-group-sync
    data:
    ldap-group-sync.yaml: |
    kind: LDAPSyncConfig
    apiVersion: v1
    url: ldaps://<YOUR_LDAP_SERVER>/
    insecure: false
    bindDN: cn=<EDIT_THIS_DN>,dc=example,dc=com
    bindPassword:
    file: "/etc/secrets/bindPassword"
    ca: /etc/ldap-ca/ca.crt
    rfc2307:
    groupsQuery:
    baseDN: "ou=<EDIT_THIS_DN>,dc=example,dc=com"
    scope: sub
    filter: "(objectClass=groupOfMembers)"
    derefAliases: never
    pageSize: 0
    groupUIDAttribute: dn
    groupNameAttributes: [ cn ]
    groupMembershipAttributes: [ member ]
    usersQuery:
    baseDN: "ou=<EDIT_THIS_DN>,dc=example,dc=com"
    scope: sub
    derefAliases: never
    pageSize: 0
    userUIDAttribute: dn
    userNameAttributes: [ uid ]
    tolerateMemberNotFoundErrors: false
    tolerateMemberOutOfScopeErrors: false
    ---
    kind: CronJob
    apiVersion: batch/v1beta1
    metadata:
    name: ldap-group-syncer
    namespace: openshift-authentication
    labels:
    app: cronjob-ldap-group-sync
    spec:
    schedule: "*/10 * * * *"
    concurrencyPolicy: Forbid
    successfulJobsHistoryLimit: 5
    failedJobsHistoryLimit: 5
    jobTemplate:
    metadata:
    labels:
    app: cronjob-ldap-group-sync
    spec:
    backoffLimit: 0
    template:
    metadata:
    labels:
    app: cronjob-ldap-group-sync
    spec:
    containers:
    - name: ldap-group-sync
    image: "openshift/origin-cli:latest"
    command:
    - "/bin/bash"
    - "-c"
    - oc adm groups sync --sync-config=/etc/config/ldap-group-sync.yaml --confirm
    volumeMounts:
    - mountPath: "/etc/config"
    name: "ldap-sync-volume"
    - mountPath: "/etc/secrets"
    name: "ldap-bind-password"
    - mountPath: "/etc/ldap-ca"
    name: "ldap-ca"
    volumes:
    - name: "ldap-sync-volume"
    configMap:
    name: "ldap-group-syncer"
    - name: "ldap-bind-password"
    secret:
    secretName: "v4-0-config-user-idp-0-bind-password"
    - name: "ldap-ca"
    configMap:
    name: "v4-0-config-user-idp-0-ca"
    restartPolicy: "Never"
    terminationGracePeriodSeconds: 30
    activeDeadlineSeconds: 500
    dnsPolicy: "ClusterFirst"
    serviceAccountName: "ldap-group-syncer"
    serviceAccount: "ldap-group-syncer"