
4.2. Creating Global Teams and Synchronizing with LDAP Groups


With the release of OpenShift Enterprise 2.1, you can create global teams and synchronize their membership from an existing source, such as an LDAP database. This gives you full control over global team membership from one place. For example, if a global team is synchronized with an LDAP group and a developer leaves your company, the privileges granted through that team membership are removed the next time the team is synchronized, and you can reassign or remove the individual's work across the platform.
Create global teams and synchronize their membership with LDAP using the following procedure. If LDAP is not in use, a plain sync file can be created from any other source and applied with the same commands.

Note

This is a basic workflow. For more information, consult the oo-admin-ctl-team command man pages for detailed descriptions of each command shown in the following instructions.

Procedure 4.1. To Synchronize a Global Team with LDAP Groups:

  1. Create an LDAP configuration file in the /etc/openshift/ directory. This file specifies how your instance connects to the LDAP server and queries for LDAP groups and group membership. If the file contains bind credentials (as in Example 4.2), make it readable only by root.
  2. Create one or more global teams. If you are not using LDAP groups, the --maps-to value can be any string:
    # oo-admin-ctl-team -c create --name Team_Name --maps-to cn=all,ou=Groups,dc=example,dc=com
    Alternatively, you can create global teams directly from LDAP groups using the --groups option. In this case, you must specify your LDAP configuration file and the LDAP groups to create the global teams from:
    # oo-admin-ctl-team --config-file /etc/openshift/File_Name.yml -c create --groups Group_Name1,Group_Name2

    Example 4.1. Sample LDAP configuration File

    Host: server.example.com
    Port: 389
    Get-Group:
    	Base: dc=example,dc=com
    	Filter: (cn=<group_cn>)
    Get-Group-Users:
    	Base: <group_dn>
    	Attributes: [member]
    Get-User:
    	Base: dc=example,dc=com
    	Filter: (uid=<user_id>)
    	Attributes: [emailAddress]
    Openshift-Username: emailAddress
    

    Example 4.2. Sample Active Directory based LDAP configuration File

    Host: server.example.com
    Port: 389
    Username: CN=username.gen,OU=Generics,OU=Company Users,DC=company,DC=com
    Password: xxxxxxxxxxxxxx
    
    #get group entry so we can map team to the group distinguished name
    Get-Group: 
    	Base: dc=example,dc=com
    	Filter: (cn=<group_cn>)
    
    #get all the users in the group
    Get-Group-Users:
    	Base: <group_dn>
    	Filter: (memberOf=<group_dn>)
    	Attributes: [emailaddress]
    
    Openshift-Username: emailaddress
    
  3. Next, synchronize global team membership with LDAP:
    # oo-admin-ctl-team --config-file /etc/openshift/File_Name.yml -c sync --create-new-users --remove-old-users
    This step can be performed in a cron job in order to regularly synchronize OpenShift Enterprise with LDAP.
    Alternatively, write the synchronization actions to a sync file first, which lets you review and adjust what the synchronization will change before applying it:
    # oo-admin-ctl-team --config-file /etc/openshift/File_Name.yml -c sync-to-file --out-file teams.sync --create-new-users --remove-old-users
    This command creates a file you can modify to suit your requirements. Each line is a pipe-separated record: the entity to act upon, an action, then the name or names it applies to. MEMBER records also carry the team name before the comma-separated list of user names.
    The following example sync file adds users to an OpenShift Enterprise instance, then adds them as members to the team named "myteam".

    Example 4.3. Synchronizing Global Team Membership with a Sync File

    USER|ADD|user1
    ...
    USER|ADD|user100
    MEMBER|ADD|myteam|user1,...,user100
    Alternatively, create this file from any source and synchronize team members from the specified file with the following command:
    # oo-admin-ctl-team -c sync-from-file --in-file teams.sync
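    The sync file is the only input to sync-from-file, so a practitioner will usually generate it from the non-LDAP source with a script and validate it before a privileged command acts on it. The following added example (not part of the OpenShift Enterprise documentation or of the oo-admin-ctl-team tool) builds a sync file in the Example 4.3 format from a constructed CSV export and then validates it. It assumes that a USER|ADD record must precede any MEMBER|ADD record that references the user, as the order in Example 4.3 suggests, and it accepts only the two record types the documentation shows.

```python
"""Build and validate an oo-admin-ctl-team sync file from a non-LDAP source.

Added example, not part of the OpenShift Enterprise documentation or of the
oo-admin-ctl-team tool. The sync file format is the one shown in Example 4.3
(USER|ADD|<user> and MEMBER|ADD|<team>|<user,...>). MEMBERSHIP_CSV is
constructed data standing in for an HR export. Assumption: a USER|ADD record
must appear before any MEMBER|ADD record that names the user.
"""
import csv
import io
import re

# Constructed sample input: one row per (team, user), as an HR system might export it.
MEMBERSHIP_CSV = """team,user
myteam,user1
myteam,user2
myteam,user3
ops,user2
ops,user4
"""

# '|' and ',' are the record separators in the sync format, so identifiers that
# contain them would corrupt the file. This character set is an assumed local policy.
IDENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]*$")


def load_membership(csv_text):
    """Return {team: [user, ...]} from CSV text, preserving first-seen order."""
    teams = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        team, user = row["team"].strip(), row["user"].strip()
        if not IDENT_RE.match(team) or not IDENT_RE.match(user):
            raise ValueError(f"refusing unsafe identifier in row {row!r}")
        teams.setdefault(team, [])
        if user not in teams[team]:
            teams[team].append(user)
    return teams


def build_sync_file(teams):
    """Render a sync file: every distinct user is added once, then each team's members."""
    users = []
    for members in teams.values():
        for u in members:
            if u not in users:
                users.append(u)
    lines = [f"USER|ADD|{u}" for u in users]
    lines += [f"MEMBER|ADD|{team}|{','.join(members)}" for team, members in teams.items()]
    return "\n".join(lines) + "\n"


def validate_sync_file(text):
    """Check a sync file before handing it to 'oo-admin-ctl-team -c sync-from-file'.

    Returns a list of problems (empty means the file is acceptable). Only the
    USER|ADD and MEMBER|ADD records shown in the documentation are accepted;
    anything else is reported rather than silently passed through.
    """
    problems, known_users = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split("|")
        if fields[:2] == ["USER", "ADD"] and len(fields) == 3:
            if not IDENT_RE.match(fields[2]):
                problems.append(f"line {n}: bad login {fields[2]!r}")
            known_users.add(fields[2])
        elif fields[:2] == ["MEMBER", "ADD"] and len(fields) == 4:
            if not IDENT_RE.match(fields[2]):
                problems.append(f"line {n}: bad team name {fields[2]!r}")
            for u in fields[3].split(","):
                if u not in known_users:
                    problems.append(f"line {n}: member {u!r} has no earlier USER|ADD record")
        else:
            problems.append(f"line {n}: unrecognised record {line!r}")
    return problems


if __name__ == "__main__":
    sync_text = build_sync_file(load_membership(MEMBERSHIP_CSV))
    print(sync_text, end="")
    errors = validate_sync_file(sync_text)
    print("OK" if not errors else "\n".join(errors))
```

    Run the validator over any hand-edited teams.sync as well; a MEMBER record that names a login with no USER record, or a record type the tool does not document, is caught before the file is applied.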

4.2.1. Encrypting an LDAP Global Team Connection

When synchronizing a global team with LDAP groups, you can encrypt all communication with the LDAP server by adding an Encryption parameter to the LDAP .yml file. simple_tls encryption establishes an SSL/TLS session with the LDAP server before any LDAP protocol data is exchanged, but it performs no validation of the LDAP server's SSL certificate: no error is reported if the server's certificate is untrusted, expired, or issued for a different host name. This protects the bind credentials and directory data against passive eavesdropping only; a host that can intercept the connection could impersonate the LDAP server, so use simple_tls only where the LDAP server and the network path to it are trusted. If you have communication errors, see your LDAP server administrator.
To encrypt the LDAP connection used for global team synchronization, edit the /etc/openshift/File_Name.yml file and replace its contents with the following:
Host: server.example.com
Port: 636
Encryption: simple_tls
Get-Group:
	Base: dc=example,dc=com
	Filter: (cn=<group_cn>)
Get-Group-Users:
	Base: <group_dn>
	Attributes: [member]
Get-User:
	Base: dc=example,dc=com
	Filter: (uid=<user_id>)
	Attributes: [emailAddress]
Openshift-Username: emailAddress
Note that the port must be changed from 389 in the initial example in Section 4.2, “Creating Global Teams and Synchronizing with LDAP Groups” to 636 in the example above for encryption to succeed. An LDAP server cannot support both plaintext and simple_tls connections on the same port.
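The port and Encryption settings have to agree, and a configuration in the style of Example 4.2 (bind Username and Password on port 389 with no Encryption key) sends the bind password across the network in cleartext. The following added example (not part of the OpenShift Enterprise documentation or of the oo-admin-ctl-team tool) lints the top-level keys of such a configuration file for exactly those transport mistakes. The two sample configurations are constructed for the example; the linter reads only the Host, Port, Encryption, Username and Password keys the documentation shows and skips the nested query definitions.

```python
"""Lint an oo-admin-ctl-team LDAP configuration file for transport-security mistakes.

Added example; not part of the OpenShift Enterprise documentation or of the
oo-admin-ctl-team tool. Rules applied are the ones the documentation states:
simple_tls needs the LDAPS port (636) rather than the plaintext port (389),
an LDAP server cannot serve plaintext and simple_tls on one port, and a bind
password on an unencrypted connection crosses the network in cleartext.
WEAK_CONFIG and FIXED_CONFIG are constructed sample files.
"""
import re

LDAP_PORT, LDAPS_PORT = 389, 636
TOP_LEVEL = re.compile(r"^([A-Za-z-]+):\s*(.*?)\s*$")  # unindented "Key: value" lines only

# Example 4.2 style: bind credentials, no Encryption key, plaintext port.
WEAK_CONFIG = """\
Host: server.example.com
Port: 389
Username: CN=username.gen,OU=Generics,OU=Company Users,DC=company,DC=com
Password: xxxxxxxxxxxxxx
Get-Group:
\tBase: dc=example,dc=com
\tFilter: (cn=<group_cn>)
Openshift-Username: emailaddress
"""

# Same bind, moved onto simple_tls and port 636 as Section 4.2.1 describes.
FIXED_CONFIG = WEAK_CONFIG.replace("Port: 389", "Port: 636\nEncryption: simple_tls")


def top_level_keys(text):
    """Return the unindented key/value pairs of the config; nested blocks are skipped."""
    keys = {}
    for line in text.splitlines():
        if line[:1].isspace() or line.lstrip().startswith("#"):
            continue  # nested query definitions and comments are not needed here
        m = TOP_LEVEL.match(line)
        if m:
            keys[m.group(1)] = m.group(2)
    return keys


def lint_ldap_config(text):
    """Return a list of findings; an empty list means no transport issue was detected."""
    cfg = top_level_keys(text)
    findings = []
    port = int(cfg.get("Port", LDAP_PORT))
    encryption = cfg.get("Encryption", "").lower()

    if encryption == "simple_tls" and port != LDAPS_PORT:
        findings.append(f"Encryption: simple_tls with Port: {port}; simple_tls needs the LDAPS "
                        "port (636), and a server cannot serve plaintext and simple_tls on one port")
    if encryption == "" and port == LDAPS_PORT:
        findings.append("Port: 636 without an Encryption key; the client would speak plaintext "
                        "LDAP to an LDAPS port")
    if encryption == "" and "Password" in cfg:
        findings.append("Password present but no Encryption key; the bind password is sent in cleartext")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_ldap_config(text) or "ok")
```

A clean result from the linter only means the file is internally consistent. Because simple_tls skips certificate validation, check the server's certificate chain separately (for example with openssl s_client -connect server.example.com:636 -CAfile your-ca.pem) and keep the file readable only by root when it carries a bind password.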
© 2025 Red Hat