This documentation is for a release that is no longer maintained
See documentation for the latest supported version 3 or the latest supported version 4.此内容没有您所选择的语言版本。
Chapter 12. Syncing Groups With LDAP
12.1. Overview
As an OpenShift Container Platform administrator, you can use groups to manage users, change their permissions, and enhance collaboration. Your organization may have already created user groups and stored them in an LDAP server. OpenShift Container Platform can sync those LDAP records with internal OpenShift Container Platform records, enabling you to manage your groups in one place. OpenShift Container Platform currently supports group sync with LDAP servers using three common schemas for defining group membership: RFC 2307, Active Directory, and augmented Active Directory.
					You must have cluster-admin privileges to sync groups.
				
12.2. Configuring LDAP Sync
Before you can run LDAP sync, you need a sync configuration file. This file contains LDAP client configuration details:
- Configuration for connecting to your LDAP server.
- Sync configuration options that are dependent on the schema used in your LDAP server.
A sync configuration file can also contain an administrator-defined list of name mappings that maps OpenShift Container Platform Group names to groups in your LDAP server.
12.2.1. LDAP Client Configuration
Example 12.1. LDAP Client Configuration
url: ldap://10.0.0.0:389 bindDN: cn=admin,dc=example,dc=com bindPassword: password insecure: false ca: my-ldap-ca-bundle.crt
url: ldap://10.0.0.0:389 
bindDN: cn=admin,dc=example,dc=com 
bindPassword: password 
insecure: false 
ca: my-ldap-ca-bundle.crt - 1
- The connection protocol, IP address of the LDAP server hosting your database, and the port to connect to, formatted asscheme://host:port.
- 2
- Optional distinguished name (DN) to use as the Bind DN. OpenShift Container Platform uses this if elevated privilege is required to retrieve entries for the sync operation.
- 3
- Optional password to use to bind. OpenShift Container Platform uses this if elevated privilege is necessary to retrieve entries for the sync operation. This value may also be provided in an environment variable, external file, or encrypted file.
- 4
- Whentrue, no TLS connection is made to the server. Whenfalse, secure LDAP (ldaps://) URLs connect using TLS, and insecure LDAP (ldap://) URLs are upgraded to TLS.
- 5
- The certificate bundle to use for validating server certificates for the configured URL. If empty, OpenShift Container Platform uses system-trusted roots. This only applies ifinsecureis set tofalse.
12.2.2. LDAP Query Definition
Sync configurations consist of LDAP query definitions for the entries that are required for synchronization. The specific definition of an LDAP query depends on the schema used to store membership information in the LDAP server.
Example 12.2. LDAP Query Definition
- 1
- The distinguished name (DN) of the branch of the directory where all searches will start from. It is required that you specify the top of your directory tree, but you can also specify a subtree in the directory.
- 2
- The scope of the search. Valid values arebase,one, orsub. If this is left undefined, then a scope ofsubis assumed. Descriptions of the scope options can be found in the table below.
- 3
- The behavior of the search with respect to aliases in the LDAP tree. Valid values arenever,search,base, oralways. If this is left undefined, then the default is toalwaysdereference aliases. Descriptions of the dereferencing behaviors can be found in the table below.
- 4
- The time limit allowed for the search by the client, in seconds. A value of 0 imposes no client-side limit.
- 5
- A valid LDAP search filter. If this is left undefined, then the default is(objectClass=*).
- 6
- The optional maximum size of response pages from the server, measured in LDAP entries. If set to 0, no size restrictions will be made on pages of responses. Setting paging sizes is necessary when queries return more entries than the client or server allow by default.
| LDAP Search Scope | Description | 
|---|---|
| 
									 | Only consider the object specified by the base DN given for the query. | 
| 
									 | Consider all of the objects on the same level in the tree as the base DN for the query. | 
| 
									 | Consider the entire subtree rooted at the base DN given for the query. | 
| Dereferencing Behavior | Description | 
|---|---|
| 
									 | Never dereference any aliases found in the LDAP tree. | 
| 
									 | Only dereference aliases found while searching. | 
| 
									 | Only dereference aliases while finding the base object. | 
| 
									 | Always dereference all aliases found in the LDAP tree. | 
12.2.3. User-Defined Name Mapping
A user-defined name mapping explicitly maps the names of OpenShift Container Platform Groups to unique identifiers that find groups on your LDAP server. The mapping uses normal YAML syntax. A user-defined mapping can contain an entry for every group in your LDAP server or only a subset of those groups. If there are groups on the LDAP server that do not have a user-defined name mapping, the default behavior during sync is to use the attribute specified as the Group’s name.
Example 12.3. User-Defined Name Mapping
groupUIDNameMapping: "cn=group1,ou=groups,dc=example,dc=com": firstgroup "cn=group2,ou=groups,dc=example,dc=com": secondgroup "cn=group3,ou=groups,dc=example,dc=com": thirdgroup
groupUIDNameMapping:
  "cn=group1,ou=groups,dc=example,dc=com": firstgroup
  "cn=group2,ou=groups,dc=example,dc=com": secondgroup
  "cn=group3,ou=groups,dc=example,dc=com": thirdgroup12.3. Running LDAP Sync
Once you have created a sync configuration file, then sync can begin. OpenShift Container Platform allows administrators to perform a number of different sync types with the same server.
					By default, all group synchronization or pruning operations are dry-run, so you must set the --confirm flag on the sync-groups command in order to make changes to OpenShift Container Platform Group records.
				
To sync all groups from the LDAP server with OpenShift Container Platform:
oc adm groups sync --sync-config=config.yaml --confirm
$ oc adm groups sync --sync-config=config.yaml --confirmTo sync all Groups already in OpenShift Container Platform that correspond to groups in the LDAP server specified in the configuration file:
oc adm groups sync --type=openshift --sync-config=config.yaml --confirm
$ oc adm groups sync --type=openshift --sync-config=config.yaml --confirmTo sync a subset of LDAP groups with OpenShift Container Platform, you can use whitelist files, blacklist files, or both:
Any combination of blacklist files, whitelist files, or whitelist literals will work; whitelist literals can be included directly in the command itself. This applies to groups found on LDAP servers, as well as Groups already present in OpenShift Container Platform. Your files must contain one unique group identifier per line.
12.4. Running a Group Pruning Job
An administrator can also choose to remove groups from OpenShift Container Platform records if the records on the LDAP server that created them are no longer present. The prune job will accept the same sync configuration file and white- or black-lists as used for the sync job.
For example, if groups had previously been synchronized from LDAP using some config.yaml file, and some of those groups no longer existed on the LDAP server, the following command would determine which Groups in OpenShift Container Platform corresponded to the deleted groups in LDAP and then remove them from OpenShift Container Platform:
oc adm groups prune --sync-config=config.yaml --confirm
$ oc adm groups prune --sync-config=config.yaml --confirm12.5. Sync Examples
				This section contains examples for the RFC 2307, Active Directory, and augmented Active Directory schemas. All of the following examples synchronize a group named admins that has two members: Jane and Jim. Each example explains:
			
- How the group and users are added to the LDAP server.
- What the LDAP sync configuration file looks like.
- What the resulting Group record in OpenShift Container Platform will be after synchronization.
These examples assume that all users are direct members of their respective groups. Specifically, no groups have other groups as members. See Nested Membership Sync Example for information on how to sync nested groups.
12.5.1. RFC 2307
					In the RFC 2307 schema, both users (Jane and Jim) and groups exist on the LDAP server as first-class entries, and group membership is stored in attributes on the group. The following snippet of ldif defines the users and group for this schema:
				
Example 12.4. LDAP Entries Using RFC 2307 Schema: rfc2307.ldif
To sync this group, you must first create the configuration file. The RFC 2307 schema requires you to provide an LDAP query definition for both user and group entries, as well as the attributes with which to represent them in the internal OpenShift Container Platform records.
For clarity, the Group you create in OpenShift Container Platform should use attributes other than the distinguished name whenever possible for user- or administrator-facing fields. For example, identify the users of a Group by their e-mail, and use the name of the group as the common name. The following configuration file creates these relationships:
If using user-defined name mappings, your configuration file will differ.
Example 12.5. LDAP Sync Configuration Using RFC 2307 Schema: rfc2307_config.yaml
- 1
- The IP address and host of the LDAP server where this group’s record is stored.
- 2
- Whentrue, no TLS connection is made to the server. Whenfalse, secure LDAP (ldaps://) URLs connect using TLS, and insecure LDAP (ldap://) URLs are upgraded to TLS.
- 3
- The attribute that uniquely identifies a group on the LDAP server. You cannot specifygroupsQueryfilters when using DN for groupUIDAttribute. For fine-grained filtering, use the whitelist / blacklist method.
- 4
- The attribute to use as the name of the Group.
- 5
- The attribute on the group that stores the membership information.
- 6
- The attribute that uniquely identifies a user on the LDAP server. You cannot specifyusersQueryfilters when using DN for userUIDAttribute. For fine-grained filtering, use the whitelist / blacklist method.
- 7
- The attribute to use as the name of the user in the OpenShift Container Platform Group record.
To run sync with the rfc2307_config.yaml file:
oc adm groups sync --sync-config=rfc2307_config.yaml --confirm
$ oc adm groups sync --sync-config=rfc2307_config.yaml --confirmOpenShift Container Platform creates the following Group record as a result of the above sync operation:
Example 12.6. OpenShift Container Platform Group Created Using rfc2307_config.yaml
- 1
- The last time this Group was synchronized with the LDAP server, in ISO 6801 format.
- 2
- The unique identifier for the group on the LDAP server.
- 3
- The IP address and host of the LDAP server where this Group’s record is stored.
- 4
- The name of the Group as specified by the sync file.
- 5
- The users that are members of the Group, named as specified by the sync file.
12.5.1.1. RFC2307 with User-Defined Name Mappings
When syncing groups with user-defined name mappings, the configuration file changes to contain these mappings as shown below.
Example 12.7. LDAP Sync Configuration Using RFC 2307 Schema With User-Defined Name Mappings: rfc2307_config_user_defined.yaml
- 1
- The user-defined name mapping.
- 2
- The unique identifier attribute that is used for the keys in the user-defined name mapping. You cannot specifygroupsQueryfilters when using DN for groupUIDAttribute. For fine-grained filtering, use the whitelist / blacklist method.
- 3
- The attribute to name OpenShift Container Platform Groups with if their unique identifier is not in the user-defined name mapping.
- 4
- The attribute that uniquely identifies a user on the LDAP server. You cannot specifyusersQueryfilters when using DN for userUIDAttribute. For fine-grained filtering, use the whitelist / blacklist method.
To run sync with the rfc2307_config_user_defined.yaml file:
oc adm groups sync --sync-config=rfc2307_config_user_defined.yaml --confirm
$ oc adm groups sync --sync-config=rfc2307_config_user_defined.yaml --confirmOpenShift Container Platform creates the following Group record as a result of the above sync operation:
Example 12.8. OpenShift Container Platform Group Created Using rfc2307_config_user_defined.yaml
- 1
- The name of the Group as specified by the user-defined name mapping.
12.5.2. RFC 2307 with User-Defined Error Tolerances
By default, if the groups being synced contain members whose entries are outside of the scope defined in the member query, the group sync fails with an error:
Error determining LDAP group membership for "<group>": membership lookup for user "<user>" in group "<group>" failed because of "search for entry with dn="<user-dn>" would search outside of the base dn specified (dn="<base-dn>")".
Error determining LDAP group membership for "<group>": membership lookup for user "<user>" in group "<group>" failed because of "search for entry with dn="<user-dn>" would search outside of the base dn specified (dn="<base-dn>")".
					This often indicates a mis-configured baseDN in the usersQuery field. However, in cases where the baseDN intentionally does not contain some of the members of the group, setting tolerateMemberOutOfScopeErrors: true allows the group sync to continue. Out of scope members will be ignored.
				
Similarly, when the group sync process fails to locate a member for a group, it fails outright with errors:
Error determining LDAP group membership for "<group>": membership lookup for user "<user>" in group "<group>" failed because of "search for entry with base dn="<user-dn>" refers to a non-existent entry". Error determining LDAP group membership for "<group>": membership lookup for user "<user>" in group "<group>" failed because of "search for entry with base dn="<user-dn>" and filter "<filter>" did not return any results".
Error determining LDAP group membership for "<group>": membership lookup for user "<user>" in group "<group>" failed because of "search for entry with base dn="<user-dn>" refers to a non-existent entry".
Error determining LDAP group membership for "<group>": membership lookup for user "<user>" in group "<group>" failed because of "search for entry with base dn="<user-dn>" and filter "<filter>" did not return any results".
					This often indicates a mis-configured usersQuery field. However, in cases where the group contains member entries that are known to be missing, setting tolerateMemberNotFoundErrors: true allows the group sync to continue. Problematic members will be ignored.
				
Enabling error tolerances for the LDAP group sync causes the sync process to ignore problematic member entries. If the LDAP group sync is not configured correctly, this could result in synced OpenShift Container Platform groups missing members.
Example 12.9. LDAP Entries Using RFC 2307 Schema With Problematic Group Membership: rfc2307_problematic_users.ldif
In order to tolerate the errors in the above example, the following additions to your sync configuration file must be made:
Example 12.10. LDAP Sync Configuration Using RFC 2307 Schema Tolerating Errors: rfc2307_config_tolerating.yaml
- 2
- Whentrue, the sync job tolerates groups for which some members were not found, and members whose LDAP entries are not found are ignored. The default behavior for the sync job is to fail if a member of a group is not found.
- 3
- Whentrue, the sync job tolerates groups for which some members are outside the user scope given in theusersQuerybase DN, and members outside the member query scope are ignored. The default behavior for the sync job is to fail if a member of a group is out of scope.
- 1
- The attribute that uniquely identifies a user on the LDAP server. You cannot specifyusersQueryfilters when using DN for userUIDAttribute. For fine-grained filtering, use the whitelist / blacklist method.
To run sync with the rfc2307_config_tolerating.yaml file:
oc adm groups sync --sync-config=rfc2307_config_tolerating.yaml --confirm
$ oc adm groups sync --sync-config=rfc2307_config_tolerating.yaml --confirmOpenShift Container Platform creates the following group record as a result of the above sync operation:
Example 12.11. OpenShift Container Platform Group Created Using rfc2307_config.yaml
- 1
- The users that are members of the group, as specified by the sync file. Members for which lookup encountered tolerated errors are absent.
12.5.3. Active Directory
					In the Active Directory schema, both users (Jane and Jim) exist in the LDAP server as first-class entries, and group membership is stored in attributes on the user. The following snippet of ldif defines the users and group for this schema:
				
Example 12.12. LDAP Entries Using Active Directory Schema: active_directory.ldif
- 1
- The user’s group memberships are listed as attributes on the user, and the group does not exist as an entry on the server. ThememberOfattribute does not have to be a literal attribute on the user; in some LDAP servers, it is created during search and returned to the client, but not committed to the database.
To sync this group, you must first create the configuration file. The Active Directory schema requires you to provide an LDAP query definition for user entries, as well as the attributes to represent them with in the internal OpenShift Container Platform Group records.
For clarity, the Group you create in OpenShift Container Platform should use attributes other than the distinguished name whenever possible for user- or administrator-facing fields. For example, identify the users of a Group by their e-mail, but define the name of the Group by the name of the group on the LDAP server. The following configuration file creates these relationships:
Example 12.13. LDAP Sync Configuration Using Active Directory Schema: active_directory_config.yaml
To run sync with the active_directory_config.yaml file:
oc adm groups sync --sync-config=active_directory_config.yaml --confirm
$ oc adm groups sync --sync-config=active_directory_config.yaml --confirmOpenShift Container Platform creates the following Group record as a result of the above sync operation:
Example 12.14. OpenShift Container Platform Group Created Using active_directory_config.yaml
- 1
- The last time this Group was synchronized with the LDAP server, in ISO 6801 format.
- 2
- The unique identifier for the group on the LDAP server.
- 3
- The IP address and host of the LDAP server where this Group’s record is stored.
- 4
- The name of the group as listed in the LDAP server.
- 5
- The users that are members of the Group, named as specified by the sync file.
12.5.4. Augmented Active Directory
					In the augmented Active Directory schema, both users (Jane and Jim) and groups exist in the LDAP server as first-class entries, and group membership is stored in attributes on the user. The following snippet of ldif defines the users and group for this schema:
				
Example 12.15. LDAP Entries Using Augmented Active Directory Schema: augmented_active_directory.ldif
To sync this group, you must first create the configuration file. The augmented Active Directory schema requires you to provide an LDAP query definition for both user entries and group entries, as well as the attributes with which to represent them in the internal OpenShift Container Platform Group records.
For clarity, the Group you create in OpenShift Container Platform should use attributes other than the distinguished name whenever possible for user- or administrator-facing fields. For example, identify the users of a Group by their e-mail, and use the name of the Group as the common name. The following configuration file creates these relationships.
Example 12.16. LDAP Sync Configuration Using Augmented Active Directory Schema: augmented_active_directory_config.yaml
- 1
- The attribute that uniquely identifies a group on the LDAP server. You cannot specifygroupsQueryfilters when using DN for groupUIDAttribute. For fine-grained filtering, use the whitelist / blacklist method.
- 2
- The attribute to use as the name of the Group.
- 3
- The attribute to use as the name of the user in the OpenShift Container Platform Group record.
- 4
- The attribute on the user that stores the membership information.
To run sync with the augmented_active_directory_config.yaml file:
oc adm groups sync --sync-config=augmented_active_directory_config.yaml --confirm
$ oc adm groups sync --sync-config=augmented_active_directory_config.yaml --confirmOpenShift Container Platform creates the following Group record as a result of the above sync operation:
Example 12.17. OpenShift Group Created Using augmented_active_directory_config.yaml
- 1
- The last time this Group was synchronized with the LDAP server, in ISO 6801 format.
- 2
- The unique identifier for the group on the LDAP server.
- 3
- The IP address and host of the LDAP server where this Group’s record is stored.
- 4
- The name of the Group as specified by the sync file.
- 5
- The users that are members of the Group, named as specified by the sync file.
12.6. Nested Membership Sync Example
				Groups in OpenShift Container Platform do not nest. The LDAP server must flatten group membership before the data can be consumed. Microsoft’s Active Directory Server supports this feature via the LDAP_MATCHING_RULE_IN_CHAIN rule, which has the OID 1.2.840.113556.1.4.1941. Furthermore, only explicitly whitelisted groups can be synced when using this matching rule.
			
				This section has an example for the augmented Active Directory schema, which synchronizes a group named admins that has one user Jane and one group otheradmins as members. The otheradmins group has one user member: Jim. This example explains:
			
- How the group and users are added to the LDAP server.
- What the LDAP sync configuration file looks like.
- What the resulting Group record in OpenShift Container Platform will be after synchronization.
				In the augmented Active Directory schema, both users (Jane and Jim) and groups exist in the LDAP server as first-class entries, and group membership is stored in attributes on the user or the group. The following snippet of ldif defines the users and groups for this schema:
			
LDAP Entries Using Augmented Active Directory Schema With Nested Members: augmented_active_directory_nested.ldif
To sync nested groups with Active Directory, you must provide an LDAP query definition for both user entries and group entries, as well as the attributes with which to represent them in the internal OpenShift Container Platform Group records. Furthermore, certain changes are required in this configuration:
- 
						The oc adm groups synccommand must explicitly whitelist groups.
- 
						The user’s groupMembershipAttributesmust include"memberOf:1.2.840.113556.1.4.1941:"to comply with theLDAP_MATCHING_RULE_IN_CHAINrule.
- 
						The groupUIDAttributemust be set todn.
- The - groupsQuery:- 
								Must not set filter.
- 
								Must set a valid derefAliases.
- 
								Should not set baseDNas that value is ignored.
- 
								Should not set scopeas that value is ignored.
 
- 
								Must not set 
For clarity, the Group you create in OpenShift Container Platform should use attributes other than the distinguished name whenever possible for user- or administrator-facing fields. For example, identify the users of a Group by their e-mail, and use the name of the Group as the common name. The following configuration file creates these relationships:
LDAP Sync Configuration Using Augmented Active Directory Schema With Nested Members: augmented_active_directory_config_nested.yaml
- 1
- groupsQueryfilters cannot be specified. The- groupsQuerybase DN and scope values are ignored.- groupsQuerymust set a valid- derefAliases.
- 2
- The attribute that uniquely identifies a group on the LDAP server. It must be set todn.
- 3
- The attribute to use as the name of the Group.
- 4
- The attribute to use as the name of the user in the OpenShift Container Platform Group record.mailorsAMAccountNameare preferred choices in most installations.
- 5
- The attribute on the user that stores the membership information. Note the use ofLDAP_MATCHING_RULE_IN_CHAIN.
To run sync with the augmented_active_directory_config_nested.yaml file:
oc adm groups sync \
    'cn=admins,ou=groups,dc=example,dc=com' \
    --sync-config=augmented_active_directory_config_nested.yaml \
    --confirm
$ oc adm groups sync \
    'cn=admins,ou=groups,dc=example,dc=com' \
    --sync-config=augmented_active_directory_config_nested.yaml \
    --confirm
					You must explicitly whitelist the cn=admins,ou=groups,dc=example,dc=com group.
				
OpenShift Container Platform creates the following Group record as a result of the above sync operation:
OpenShift Group Created Using augmented_active_directory_config_nested.yaml
- 1
- The last time this Group was synchronized with the LDAP server, in ISO 6801 format.
- 2
- The unique identifier for the group on the LDAP server.
- 3
- The IP address and host of the LDAP server where this Group’s record is stored.
- 4
- The name of the Group as specified by the sync file.
- 5
- The users that are members of the Group, named as specified by the sync file. Note that members of nested groups are included since the group membership was flattened by the Microsoft Active Directory Server.
12.7. LDAP Sync Configuration Specification
				The object specification for the configuration file is below. Note that the different schema objects have different fields. For example, v1.ActiveDirectoryConfig has no groupsQuery field whereas v1.RFC2307Config and v1.AugmentedActiveDirectoryConfig both do.
			
					There is no support for binary attributes. All attribute data coming from the LDAP server must be in the format of a UTF-8 encoded string. For example, never use a binary attribute, such as objectGUID, as an ID attribute. You must use string attributes, such as sAMAccountName or userPrincipalName, instead.
				
12.7.1. v1.LDAPSyncConfig
					LDAPSyncConfig holds the necessary configuration options to define an LDAP group sync.
				
| Name | Description | Schema | 
|---|---|---|
| 
									 | String value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/api-conventions.md#types-kinds | string | 
| 
									 | Defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/api-conventions.md#resources | string | 
| 
									 | 
									Host is the scheme, host and port of the LDAP server to connect to:  | string | 
| 
									 | Optional DN to bind to the LDAP server with. | string | 
| 
									 | Optional password to bind with during the search phase. | |
| 
									 | 
									If  | boolean | 
| 
									 | Optional trusted certificate authority bundle to use when making requests to the server. If empty, the default system roots are used. | string | 
| 
									 | Optional direct mapping of LDAP group UIDs to OpenShift Container Platform Group names. | object | 
| 
									 | Holds the configuration for extracting data from an LDAP server set up in a fashion similar to RFC2307: first-class group and user entries, with group membership determined by a multi-valued attribute on the group entry listing its members. | |
| 
									 | Holds the configuration for extracting data from an LDAP server set up in a fashion similar to that used in Active Directory: first-class user entries, with group membership determined by a multi-valued attribute on members listing groups they are a member of. | |
| 
									 | Holds the configuration for extracting data from an LDAP server set up in a fashion similar to that used in Active Directory as described above, with one addition: first-class group entries exist and are used to hold metadata but not group membership. | 
12.7.2. v1.StringSource
					StringSource allows specifying a string inline, or externally via environment variable or file. When it contains only a string value, it marshals to a simple JSON string.
				
| Name | Description | Schema | 
|---|---|---|
| 
									 | 
									Specifies the cleartext value, or an encrypted value if  | string | 
| 
									 | 
									Specifies an environment variable containing the cleartext value, or an encrypted value if the  | string | 
| 
									 | 
									References a file containing the cleartext value, or an encrypted value if a  | string | 
| 
									 | References a file containing the key to use to decrypt the value. | string | 
12.7.3. v1.LDAPQuery
					LDAPQuery holds the options necessary to build an LDAP query.
				
| Name | Description | Schema | 
|---|---|---|
| 
									 | DN of the branch of the directory where all searches should start from. | string | 
| 
									 | 
									The (optional) scope of the search. Can be  | string | 
| 
									 | 
									The (optional) behavior of the search with regards to alisases. Can be  | string | 
| 
									 | 
									Holds the limit of time in seconds that any request to the server can remain outstanding before the wait for a response is given up. If this is  | integer | 
| 
									 | A valid LDAP search filter that retrieves all relevant entries from the LDAP server with the base DN. | string | 
| 
									 | 
									Maximum preferred page size, measured in LDAP entries. A page size of  | integer | 
12.7.4. v1.RFC2307Config
					RFC2307Config holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the RFC2307 schema.
				
| Name | Description | Schema | 
|---|---|---|
| 
									 | Holds the template for an LDAP query that returns group entries. | |
| 
									 | 
									Defines which attribute on an LDAP group entry will be interpreted as its unique identifier. ( | string | 
| 
									 | Defines which attributes on an LDAP group entry will be interpreted as its name to use for an OpenShift Container Platform group. | string array | 
| 
									 | 
									Defines which attributes on an LDAP group entry will be interpreted as its members. The values contained in those attributes must be queryable by your  | string array | 
| 
									 | Holds the template for an LDAP query that returns user entries. | |
| 
									 | 
									Defines which attribute on an LDAP user entry will be interpreted as its unique identifier. It must correspond to values that will be found from the  | string | 
| 
									 | 
									Defines which attributes on an LDAP user entry will be used, in order, as its OpenShift Container Platform user name. The first attribute with a non-empty value is used. This should match your  | string array | 
| 
									 | 
									Determines the behavior of the LDAP sync job when missing user entries are encountered. If  | boolean | 
| 
									 | 
									Determines the behavior of the LDAP sync job when out-of-scope user entries are encountered. If  | boolean | 
12.7.5. v1.ActiveDirectoryConfig
					ActiveDirectoryConfig holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the Active Directory schema.
				
| Name | Description | Schema | 
|---|---|---|
| 
									 | Holds the template for an LDAP query that returns user entries. | |
| 
									 | 
									Defines which attributes on an LDAP user entry will be interpreted as its OpenShift Container Platform user name. The attribute to use as the name of the user in the OpenShift Container Platform Group record.  | string array | 
| 
									 | Defines which attributes on an LDAP user entry will be interpreted as the groups it is a member of. | string array | 
12.7.6. v1.AugmentedActiveDirectoryConfig
					AugmentedActiveDirectoryConfig holds the necessary configuration options to define how an LDAP group sync interacts with an LDAP server using the augmented Active Directory schema.
				
| Name | Description | Schema | 
|---|---|---|
| 
									 | Holds the template for an LDAP query that returns user entries. | |
| 
									 | 
									Defines which attributes on an LDAP user entry will be interpreted as its OpenShift Container Platform user name. The attribute to use as the name of the user in the OpenShift Container Platform Group record.  | string array | 
| 
									 | Defines which attributes on an LDAP user entry will be interpreted as the groups it is a member of. | string array | 
| 
									 | Holds the template for an LDAP query that returns group entries. | |
| 
									 | 
									Defines which attribute on an LDAP group entry will be interpreted as its unique identifier. ( | string | 
| 
									 | Defines which attributes on an LDAP group entry will be interpreted as its name to use for an OpenShift Container Platform group. | string array |