zhejiez You can create the accounts in advance. In KS you can only manage users who have already logged in with their external LDAP account and password.

    hongming How do I get this identity provider name? I just made one up, and it overwrites my LDAP users' passwords.

    @zhejiez This is the identity provider name; only batch creation requires this step. When you log in with a new LDAP account, a KS account is created and linked automatically.

    hongming I configured it following the docs and ks-controller-manager won't start. Do the apiserver and ks-controller-manager need two separate config files?

      hongming The configuration here differs from the one in the docs, and with this configuration LDAP users can't log in. Which one should I actually use?

        zhejiez Look carefully: there should be two configurations, and the docs spell this out. You only need to add the entry under identityProviders; the outer-level LDAP connection configuration was deleted.

          hongming The first time I log in it works, but on the second login I get "Internal error occurred: account is not active", and in KS the account shows as Pending.

            zhejiez

            # Label every externally authenticated user that has no origin-uid label yet
            for user in $(kubectl get users -l '!iam.kubesphere.io/origin-uid,iam.kubesphere.io/identify-provider' -o jsonpath="{.items[*].metadata.name}"); do
              kubectl label user "$user" iam.kubesphere.io/origin-uid="$user"
            done
            # Bind the pre-registration GlobalRole to the pre-registration group
            cat << EOF | kubectl apply -f -
            apiVersion: iam.kubesphere.io/v1alpha2
            kind: GlobalRoleBinding
            metadata:
              name: pre-registration
            roleRef:
              apiGroup: iam.kubesphere.io
              kind: GlobalRole
              name: pre-registration
            subjects:
            - apiGroup: rbac.authorization.k8s.io
              kind: Group
              name: pre-registration
            EOF

            kubesphere/kubesphere#3850
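As an added illustration (not from this thread or the KubeSphere project): a Python check that reproduces the selection logic of the kubectl loop above on a constructed `kubectl get users -o json` dump, listing the users that still lack the origin-uid label, the users whose state is not Active (the ones that hit "account is not active"), and the label commands that would fix the former. The label keys come from the thread; the user names, states and JSON shape are constructed.

```python
import json

ORIGIN_UID = "iam.kubesphere.io/origin-uid"
IDP_LABEL = "iam.kubesphere.io/identify-provider"

# Constructed sample standing in for `kubectl get users -o json`, trimmed to
# the fields used here; "Pending" is the state the thread describes.
SAMPLE_USERS_JSON = json.dumps({"items": [
    {"metadata": {"name": "admin", "labels": {}},
     "status": {"state": "Active"}},
    {"metadata": {"name": "alice", "labels": {IDP_LABEL: "ldap"}},
     "status": {"state": "Pending"}},
    {"metadata": {"name": "bob",
                  "labels": {IDP_LABEL: "ldap", ORIGIN_UID: "bob"}},
     "status": {"state": "Active"}},
    {"metadata": {"name": "carol", "labels": {IDP_LABEL: "ad"}},
     "status": {"state": "Active"}},
]})


def users_missing_origin_uid(users_json):
    """Names matching the selector '!origin-uid,identify-provider':
    externally authenticated users that have no origin-uid label yet."""
    names = []
    for item in json.loads(users_json)["items"]:
        labels = item["metadata"].get("labels") or {}
        if IDP_LABEL in labels and ORIGIN_UID not in labels:
            names.append(item["metadata"]["name"])
    return names


def inactive_users(users_json):
    """Users whose status.state is anything other than Active."""
    return [item["metadata"]["name"]
            for item in json.loads(users_json)["items"]
            if (item.get("status") or {}).get("state") != "Active"]


def label_commands(names):
    """One kubectl command per user, mirroring the loop body in the thread."""
    return [f"kubectl label user {n} {ORIGIN_UID}={n}" for n in names]


if __name__ == "__main__":
    todo = users_missing_origin_uid(SAMPLE_USERS_JSON)
    print("missing origin-uid:", todo)
    print("not Active:", inactive_users(SAMPLE_USERS_JSON))
    print("\n".join(label_commands(todo)))
```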

              hongming Does this have to be done once for every user? Is there no way to link them automatically?

              7 days later

              @hongming Is there a configuration example for integrating AD? I configured it, but for some reason it doesn't take effect; logging in with an AD domain account reports an incorrect username or password.
              ConfigMap configuration:

                    oauthOptions:
                      accessTokenMaxAge: 1h
                      accessTokenInactivityTimeout: 30m
                      identityProviders:
                        - name: ad
                          type: AdIdentityProvider
                          mappingMethod: auto
                          provider:
                            host: ip:port
                            managerDN: cn=name,cn=Users,dc=xxx,dc=com
                            managerPassword: pass
                            userSearchBase: cn=Users,dc=xxx,dc=com
                            loginAttribute: sAMAccountName
                            mailAttribute: mail
                  ldap:
                    host: openldap.kubesphere-system.svc:389
                    managerDN: cn=admin,dc=kubesphere,dc=io
                    managerPassword: admin
                    userSearchBase: ou=Users,dc=kubesphere,dc=io
                    groupSearchBase: ou=Groups,dc=kubesphere,dc=io
                    groupSearchBase: ou=Groups,dc=bokesoft,dc=com

              I restarted ks-apiserver; apiserver log:

              W0519 06:37:37.935290       1 client_config.go:543] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
              I0519 06:37:38.003617       1 apiserver.go:300] Start cache objects
              I0519 06:37:39.109514       1 apiserver.go:502] Finished caching objects
              I0519 06:37:39.109813       1 apiserver.go:232] Start listening on :9090
              E0519 06:39:46.311471       1 jwt.go:51] signature is invalid
              E0519 06:39:46.311491       1 token.go:57] signature is invalid
              E0519 06:39:46.311497       1 handler.go:71] signature is invalid
              E0519 06:39:46.314277       1 jwt.go:51] signature is invalid
              E0519 06:39:46.314297       1 token.go:57] signature is invalid
              E0519 06:39:46.314303       1 handler.go:71] signature is invalid
              E0519 06:39:46.351868       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:39:46.351923       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 37ms
              E0519 06:39:46.352029       1 jwt.go:51] signature is invalid
              E0519 06:39:46.352043       1 token.go:57] signature is invalid
              E0519 06:39:46.352048       1 handler.go:71] signature is invalid
              E0519 06:39:46.352056       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:39:46.352071       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
              E0519 06:39:46.352089       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:39:46.352108       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 40ms
              E0519 06:44:03.629047       1 jwt.go:51] signature is invalid
              E0519 06:44:03.629280       1 token.go:57] signature is invalid
              E0519 06:44:03.629369       1 handler.go:71] signature is invalid
              E0519 06:44:03.629442       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:44:03.629529       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
              E0519 06:44:03.724538       1 jwt.go:51] signature is invalid
              E0519 06:44:03.724970       1 token.go:57] signature is invalid
              E0519 06:44:03.725232       1 handler.go:71] signature is invalid
              E0519 06:44:03.725772       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:44:03.725930       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 1ms
              E0519 06:44:03.730970       1 jwt.go:51] signature is invalid
              E0519 06:44:03.731009       1 token.go:57] signature is invalid
              E0519 06:44:03.731225       1 handler.go:71] signature is invalid
              E0519 06:44:03.731258       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:44:03.731323       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
              E0519 06:49:46.310275       1 jwt.go:51] signature is invalid
              E0519 06:49:46.310315       1 token.go:57] signature is invalid
              E0519 06:49:46.310323       1 handler.go:71] signature is invalid
              E0519 06:49:46.310333       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:49:46.310356       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
              E0519 06:49:46.311233       1 jwt.go:51] signature is invalid
              E0519 06:49:46.311247       1 token.go:57] signature is invalid
              E0519 06:49:46.311252       1 handler.go:71] signature is invalid
              E0519 06:49:46.311260       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:49:46.311274       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
              root@master1:~# kubectl -n kubesphere-system logs ks-apiserver-59dc6966c8-98rj4
              W0519 06:37:40.601489       1 client_config.go:543] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
              I0519 06:37:40.728353       1 apiserver.go:300] Start cache objects
              I0519 06:37:41.611614       1 apiserver.go:502] Finished caching objects
              I0519 06:37:41.611734       1 apiserver.go:232] Start listening on :9090
              E0519 06:39:46.303669       1 jwt.go:51] signature is invalid
              E0519 06:39:46.303699       1 token.go:57] signature is invalid
              E0519 06:39:46.303717       1 handler.go:71] signature is invalid
              E0519 06:39:46.303738       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:39:46.303774       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
              E0519 06:39:46.305394       1 jwt.go:51] signature is invalid
              E0519 06:39:46.306060       1 token.go:57] signature is invalid
              E0519 06:39:46.306151       1 handler.go:71] signature is invalid
              E0519 06:39:46.306174       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:39:46.306240       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
              E0519 06:39:46.319326       1 jwt.go:51] signature is invalid
              E0519 06:39:46.319352       1 token.go:57] signature is invalid
              E0519 06:39:46.319360       1 handler.go:71] signature is invalid
              E0519 06:39:46.319392       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:39:46.319413       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
              E0519 06:41:16.343753       1 handler.go:275] incorrect password
              I0519 06:41:16.356374       1 apiserver.go:539] 10.233.98.209 - "POST /oauth/token HTTP/1.1" 401 32 42ms
              E0519 06:41:19.683981       1 jwt.go:51] signature is invalid
              E0519 06:41:19.684006       1 token.go:57] signature is invalid
              E0519 06:41:19.684015       1 handler.go:71] signature is invalid
              E0519 06:41:19.684026       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:41:19.684046       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
              E0519 06:44:03.620513       1 jwt.go:51] signature is invalid
              E0519 06:44:03.620545       1 token.go:57] signature is invalid
              E0519 06:44:03.620559       1 handler.go:71] signature is invalid
              E0519 06:44:03.620573       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:44:03.620992       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
              E0519 06:44:03.726607       1 jwt.go:51] signature is invalid
              E0519 06:44:03.726625       1 token.go:57] signature is invalid
              E0519 06:44:03.726631       1 handler.go:71] signature is invalid
              E0519 06:44:03.726639       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:44:03.726655       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
              E0519 06:44:03.726822       1 jwt.go:51] signature is invalid
              E0519 06:44:03.726827       1 token.go:57] signature is invalid
              E0519 06:44:03.726830       1 handler.go:71] signature is invalid
              E0519 06:44:03.726835       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:44:03.726844       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
              E0519 06:49:46.303055       1 jwt.go:51] signature is invalid
              E0519 06:49:46.303086       1 token.go:57] signature is invalid
              E0519 06:49:46.303115       1 handler.go:71] signature is invalid
              E0519 06:49:46.303904       1 jwt.go:51] signature is invalid
              E0519 06:49:46.303959       1 token.go:57] signature is invalid
              E0519 06:49:46.303981       1 handler.go:71] signature is invalid
              E0519 06:49:46.304036       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:49:46.304076       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
              E0519 06:49:46.304309       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:49:46.304367       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 1ms
              E0519 06:49:46.304940       1 jwt.go:51] signature is invalid
              E0519 06:49:46.304958       1 token.go:57] signature is invalid
              E0519 06:49:46.304967       1 handler.go:71] signature is invalid
              E0519 06:49:46.304976       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:49:46.305000       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
              E0519 06:49:46.374383       1 jwt.go:51] signature is invalid
              E0519 06:49:46.374411       1 token.go:57] signature is invalid
              E0519 06:49:46.374420       1 handler.go:71] signature is invalid
              E0519 06:49:46.374431       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
              I0519 06:49:46.374455       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
              E0519 06:58:34.288911       1 handler.go:275] incorrect password
              I0519 06:58:34.298788       1 apiserver.go:539] 10.233.97.214 - "POST /oauth/token HTTP/1.1" 401 32 9ms

              Logging in with the original KS system account and password works fine.
              How should I integrate AD domain accounts? My current environments include both 3.0 and 3.1.