[domain/example.com] ... ldap_user_extra_attrs = mail
This topic builds upon Setting up SSSD for LDAP Failover and Configuring Form-Based Authentication and focuses on configuring extended Lightweight Directory Access Protocol (LDAP) attributes.
SSSD 1.12.0 or later. This is available on Red Hat Enterprise Linux 7.0 and later.
mod_lookup_identity 0.9.4 or later.
The required version is not yet available on any version of Red Hat Enterprise Linux. However, compatible packages (RPMs) are available from upstream until they arrive in Red Hat Enterprise Linux.
You need to ask System Security Services Daemon (SSSD) to look up attributes in LDAP that it normally does not care about for simple system-login use-cases. In the case of OpenShift Origin, there is only one such attribute: email. So, you need to:
Modify the [domain/DOMAINNAME] section of /etc/sssd/sssd.conf on the authenticating proxy and add this attribute:
[domain/example.com] ... ldap_user_extra_attrs = mail
Tell SSSD that it is acceptable for this attribute to be retrieved by Apache. Add the following two lines to the [ifp] section of /etc/sssd/sssd.conf:
[ifp] user_attributes = +mail allowed_uids = apache, root
Restart SSSD:
# systemctl restart sssd.service
Test this configuration.
Now that SSSD is set up and successfully serving extended attributes, configure the web server to ask for them and to insert them in the correct places.
Enable the module to be loaded by Apache. To do so, modify /etc/httpd/conf.modules.d/55-lookup_identity.conf and uncomment the line:
LoadModule lookup_identity_module modules/mod_lookup_identity.so
Set an SELinux boolean so that SElinux allows Apache to connect to SSSD over D-BUS:
# setsebool -P httpd_dbus_sssd on
Edit /etc/httpd/conf.d/openshift-proxy.conf and add the following lines inside the <ProxyMatch /oauth/authorize> section:
<ProxyMatch /oauth/authorize>
AuthName openshift
LookupOutput Headers (1)
LookupUserAttr mail X-Remote-User-Email (1)
LookupUserGECOS X-Remote-User-Display-Name (1)
RequestHeader set X-Remote-User %{REMOTE_USER}s env=REMOTE_USER
</ProxyMatch>
| 1 | Added line. |
Restart Apache to pick up the changes:
# systemctl restart httpd.service
Tell OpenShift Origin where to find these new attributes during login. To do so:
Edit the /etc/origin/master/master-config.yaml file and add the following lines to the identityProviders section:
identityProviders:
- name: sssd
challenge: true
login: true
mappingMethod: claim
provider:
apiVersion: v1
kind: RequestHeaderIdentityProvider
challengeURL: "https://proxy.example.com/challenging-proxy/oauth/authorize?${query}"
loginURL: "https://proxy.example.com/login-proxy/oauth/authorize?${query}"
clientCA: /home/example/workspace/openshift/configs/openshift.example.com/proxy/proxyca.crt
headers:
- X-Remote-User
emailHeaders: (1)
- X-Remote-User-Email (1)
nameHeaders: (1)
- X-Remote-User-Display-Name (1)
| 1 | Added line. |
Launch OpenShift Origin with this updated configuration and log in to the web as a new user.
You should see their full name appear in the upper-right of the
screen. You can also verify with oc get identities -o yaml that both email
addresses and full names are available.