Overview

OpenShift Origin provides an authentication provider for use with Lightweight Directory Access Protocol (LDAP) setups, but it can only connect to a single LDAP server. This can be problematic if that LDAP server becomes unavailable. System Security Services Daemon (SSSD) can be used to solve the issue.

Originally designed to manage local and remote authentication to the host operating system, SSSD can now be configured to provide identity, authentication, and authorization services to web services like OpenShift Origin. SSSD provides advantages over the built-in LDAP provider, including the ability to connect to any number of failover LDAP servers, as well as the ability to cache authentication attempts in case it can no longer reach any of those servers.

The setup for this configuration is advanced and requires a separate authentication server (also called an authenticating proxy) for OpenShift Origin to communicate with. This topic describes how to do this setup on a dedicated physical or virtual machine (VM), but the concepts are also applicable to a setup in a container.

Prerequisites for Authenticating Proxy Setup

  1. Before starting setup, you need to know the following information about your LDAP server.

    • Whether the directory server is powered by FreeIPA, Active Directory, or another LDAP solution.

    • The Uniform Resource Identifier (URI) for the LDAP server (for example, ldap.example.com).

    • The location of the CA certificate for the LDAP server.

    • Whether the LDAP server corresponds to RFC 2307 or RFC2307bis for user groups.

  2. Prepare the VMs:

    • proxy.example.com: A VM to use as the authenticating proxy. This machine must have at least SSSD 1.12.0 available, which means a fairly recent operating system. This topic uses a Red Hat Enterprise Linux 7.2 server for its examples.

    • openshift.example.com: A VM to use to run OpenShift Origin.

These VMs can be configured to run on the same system, but for the examples used in this topic they are kept separate.

Phase 1: Certificate Generation

This phase generates certificate files that are valid for two years (or five years for the certification authority (CA) certificate). This can be altered with the --expire-days and --signer-expire-days options, but for security reasons, it is recommended to not make them greater than these values.

Perform this procedure on the first master host listed in the Ansible host inventory file, by default /etc/ansible/hosts.

  1. To ensure that communication between the authenticating proxy and OpenShift Origin is trustworthy, create a set of Transport Layer Security (TLS) certificates to use during the other phases of this setup. In the OpenShift Origin system, start by using the auto-generated certificates created as part of running:

    # openshift start \
        --public-master=https://openshift.example.com:8443 \
        --write-config=/etc/origin/

    Among other things, this generates a /etc/origin/master/ca.{cert|key}. Use this signing certificate to generate keys to use on the authenticating proxy.

    # mkdir -p /etc/origin/proxy/
    # oc adm ca create-server-cert \
        --cert='/etc/origin/proxy/proxy.example.com.crt' \
        --key='/etc/origin/proxy/proxy.example.com.key' \
        --hostnames=proxy.example.com \
        --signer-cert=/etc/origin/master/ca.crt \
        --signer-key='/etc/origin/master/ca.key' \
        --signer-serial='/etc/origin/master/ca.serial.txt'

    Ensure that any host names and interface IP addresses that need to access the proxy are listed. Otherwise, the HTTPS connection will fail.

  2. Create a new CA to sign this client certificate:

    # oc adm ca create-signer-cert \
      --cert='/etc/origin/proxy/proxyca.crt' \
      --key='/etc/origin/proxy/proxyca.key' \
      --name='openshift-proxy-signer@UNIQUESTRING' \ (1)
      --serial='/etc/origin/proxy/proxyca.serial.txt'
    1 Make UNIQUESTRING something unique.
  3. Generate the API client certificate that the authenticating proxy will use to prove its identity to OpenShift Origin.

    # oc adm create-api-client-config \
        --certificate-authority='/etc/origin/proxy/proxyca.crt' \
        --client-dir='/etc/origin/proxy' \
        --signer-cert='/etc/origin/proxy/proxyca.crt' \
        --signer-key='/etc/origin/proxy/proxyca.key' \
        --signer-serial='/etc/origin/proxy/proxyca.serial.txt' \
        --user='system:proxy'

    This prevents malicious users from impersonating the proxy and sending fake identities.

  4. Copy the certificate and key information to the appropriate file for future steps:

    # cat /etc/origin/proxy/system\:proxy.crt \
          /etc/origin/proxy/system\:proxy.key \
          > /etc/origin/proxy/authproxy.pem

Phase 2: Authenticating Proxy Setup

This section guides you through the steps to authenticate the proxy setup.

Step 1: Copy Certificates

From openshift.example.com, securely copy the necessary certificates to the proxy machine:

# scp /etc/origin/master/ca.crt \
      [email protected]:/etc/pki/CA/certs/

# scp /etc/origin/proxy/proxy.example.com.crt \
      /etc/origin/proxy/authproxy.pem \
      [email protected]:/etc/pki/tls/certs/

# scp /etc/origin/proxy/proxy.example.com.key \
      [email protected]:/etc/pki/tls/private/

Step 2: SSSD Configuration

  1. Install a new VM with an operating system that includes 1.12.0 or later so that you can use the mod_identity_lookup module. The examples in this topic use a Red Hat Enterprise Linux 7.2 Server.

  2. Install all of the necessary dependencies:

    # yum install -y sssd \
                     sssd-dbus \
                     realmd \
                     httpd \
                     mod_session \
                     mod_ssl \
                     mod_lookup_identity \
                     mod_authnz_pam

    This gives you the needed SSSD and the web server components.

  3. Edit the /etc/httpd/conf.modules.d/55-authnz_pam.conf file and remove the comment from the following:

    LoadModule authnz_pam_module modules/mod_authnz_pam.so
  4. Set up SSSD to authenticate this VM against the LDAP server. If the LDAP server is a FreeIPA or Active Directory environment, then realmd can be used to join this machine to the domain.

    # realm join ldap.example.com

    For more advanced case, see the System-Level Authentication Guide

    If you want to use SSSD to manage failover situations for LDAP, this can be configured by adding additional entries in /etc/sssd/sssd.conf on the ldap_uri line. Systems enrolled with FreeIPA can automatically handle failover using DNS SRV records.

  5. Restart SSSD to ensure that all of the changes are applied properly:

    $ systemctl restart sssd.service
  6. Test that the user information can be retrieved properly:

    $ getent passwd <username>
    username:*:12345:12345:Example User:/home/username:/usr/bin/bash
  7. Attempt to log into the VM as an LDAP user and confirm that the authentication is properly set up. This can be done via the local console or a remote service such as SSH.

If you do not want LDAP users to be able to log into this machine, it is recommended to modify /etc/pam.d/system-auth and /etc/pam.d/password-auth to remove the lines containing pam_sss.so.

Step 3: Apache Configuration

You need to set up Apache to communicate with SSSD. Create a PAM stack file for use with Apache. To do so:

  1. Create the /etc/pam.d/openshift file and add the following contents:

    auth required pam_sss.so
    account required pam_sss.so

    This configuration enables PAM (the pluggable authentication module) to use pam_sss.so to determine authentication and access control when an authentication request is issued for the openshift stack.

  2. Configure the Apache httpd.conf. The steps in this section focus on setting up the challenge authentication, which is useful for logging in with oc login and similar automated tools.

    Configuring Form-Based Authentication explains how to set up a graphical login using SSSD as well, but it requires the rest of this setup as a prerequisite.

  3. Create the new file openshift-proxy.conf in /etc/httpd/conf.d (substituting the correct host names where indicated):

    LoadModule request_module modules/mod_request.so
    LoadModule lookup_identity_module modules/mod_lookup_identity.so
    # Nothing needs to be served over HTTP.  This virtual host simply redirects to
    # HTTPS.
    <VirtualHost *:80>
      DocumentRoot /var/www/html
      RewriteEngine              On
      RewriteRule     ^(.*)$     https://%{HTTP_HOST}$1 [R,L]
    </VirtualHost>
    
    <VirtualHost *:443>
      # This needs to match the certificates you generated.  See the CN and X509v3
      # Subject Alternative Name in the output of:
      # openssl x509 -text -in /etc/pki/tls/certs/proxy.example.com.crt
      ServerName proxy.example.com
    
      DocumentRoot /var/www/html
      SSLEngine on
      SSLCertificateFile /etc/pki/tls/certs/proxy.example.com.crt
      SSLCertificateKeyFile /etc/pki/tls/private/proxy.example.com.key
      SSLCACertificateFile /etc/pki/CA/certs/ca.crt
    
      # Send logs to a specific location to make them easier to find
      ErrorLog logs/proxy_error_log
      TransferLog logs/proxy_access_log
      LogLevel warn
      SSLProxyEngine on
      SSLProxyCACertificateFile /etc/pki/CA/certs/ca.crt
      # It's critical to enforce client certificates on the Master.  Otherwise
      # requests could spoof the X-Remote-User header by accessing the Master's
      # /oauth/authorize endpoint directly.
      SSLProxyMachineCertificateFile /etc/pki/tls/certs/authproxy.pem
    
      # Send all requests to the console
      RewriteEngine              On
      RewriteRule     ^/console(.*)$     https://%{HTTP_HOST}:8443/console$1 [R,L]
    
      # In order to using the challenging-proxy an X-Csrf-Token must be present.
      RewriteCond %{REQUEST_URI} ^/challenging-proxy
      RewriteCond %{HTTP:X-Csrf-Token} ^$ [NC]
      RewriteRule ^.* - [F,L]
    
      <Location /challenging-proxy/oauth/authorize>
        # Insert your backend server name/ip here.
        ProxyPass https://openshift.example.com:8443/oauth/authorize
        AuthType Basic
        AuthBasicProvider PAM
        AuthPAMService openshift
        Require valid-user
      </Location>
    
      <ProxyMatch /oauth/authorize>
        AuthName openshift
        RequestHeader set X-Remote-User %{REMOTE_USER}s env=REMOTE_USER
      </ProxyMatch>
    </VirtualHost>
    
    RequestHeader unset X-Remote-User

    Configuring Form-Based Authentication explains how to add the login-proxy block to support form authentication.

  4. Set a boolean to tell SELinux that it is acceptable for Apache to contact the PAM subsystem:

    # setsebool -P allow_httpd_mod_auth_pam on
  5. Start up Apache:

    # systemctl start httpd.service

Phase 3: OpenShift Origin Configuration

This section describes how to set up an OpenShift Origin server from scratch in an "all in one" configuration. Master and Node Configuration provides more information on alternate configurations.

Modify the default configuration to use the new identity provider just created. To do so:

  1. Modify the /etc/origin/master/master-config.yaml file.

  2. Scan through it and locate the identityProviders section and replace it with:

      identityProviders:
      - name: any_provider_name
        challenge: true
        login: false
        mappingMethod: claim
        provider:
          apiVersion: v1
          kind: RequestHeaderIdentityProvider
          challengeURL: "https://proxy.example.com/challenging-proxy/oauth/authorize?${query}"
          clientCA: /etc/origin/proxy/proxyca.crt
          headers:
          - X-Remote-User

    Configuring Form-Based Authentication explains how to add the login URL to support web logins.

    Configuring Extended LDAP Attributes explains how to add the email and full-name attributes. Note that the full-name attributes are only stored to the database on the first login.

  3. Start OpenShift Origin with the updated configuration:

    # openshift start \
        --public-master=https://openshift.example.com:8443 \
        --master-config=/etc/origin/master/master-config.yaml \
        --node-config=/etc/origin/node-node1.example.com/node-config.yaml
  4. Test logins:

    oc login https://openshift.example.com:8443

    It should now be possible to log in with only valid LDAP credentials.