zhejiez Look carefully: there should be two configurations, and the docs state this clearly. You only need to add the configuration inside identityProviders; the outer LDAP connection configuration was deleted.

    hongming The first time I log in I can get in, but when I log in a second time it shows "Internal error occurred: account is not active". In ks I can see the account's status is "pending".

      zhejiez

      for user in `kubectl get users -l \!iam.kubesphere.io/origin-uid,iam.kubesphere.io/identify-provider -o jsonpath="{.items[*].metadata.name}"`; do kubectl label user $user iam.kubesphere.io/origin-uid=$user; done
      cat << EOF | kubectl apply -f -
      apiVersion: iam.kubesphere.io/v1alpha2
      kind: GlobalRoleBinding
      metadata:
        name: pre-registration
      roleRef:
        apiGroup: iam.kubesphere.io
        kind: GlobalRole
        name: pre-registration
      subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: Group
        name: pre-registration
      EOF

      kubesphere/kubesphere#3850

        hongming Does this have to be done once for every user? Is there no way to associate them automatically?

        7 days later

        @hongming Is there a configuration example for connecting AD? I configured it on my side, but I don't know why it isn't taking effect: logging in with an AD domain account shows "wrong username or password".
        ConfigMap configuration:

              oauthOptions:
                accessTokenMaxAge: 1h
                accessTokenInactivityTimeout: 30m
                identityProviders:
                  - name: ad
                    type: AdIdentityProvider
                    mappingMethod: auto
                    provider:
                      host: ip:port
                      managerDN: cn=name,cn=Users,dc=xxx,dc=com
                      managerPassword: pass
                      userSearchBase: cn=Users,dc=xxx,dc=com
                      loginAttribute: sAMAccountName
                      mailAttribute: mail
            ldap:
              host: openldap.kubesphere-system.svc:389
              managerDN: cn=admin,dc=kubesphere,dc=io
              managerPassword: admin
              userSearchBase: ou=Users,dc=kubesphere,dc=io
              groupSearchBase: ou=Groups,dc=kubesphere,dc=io
              groupSearchBase: ou=Groups,dc=bokesoft,dc=com

        I restarted ks-apiserver; the apiserver logs:

        W0519 06:37:37.935290       1 client_config.go:543] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
        I0519 06:37:38.003617       1 apiserver.go:300] Start cache objects
        I0519 06:37:39.109514       1 apiserver.go:502] Finished caching objects
        I0519 06:37:39.109813       1 apiserver.go:232] Start listening on :9090
        E0519 06:39:46.311471       1 jwt.go:51] signature is invalid
        E0519 06:39:46.311491       1 token.go:57] signature is invalid
        E0519 06:39:46.311497       1 handler.go:71] signature is invalid
        E0519 06:39:46.314277       1 jwt.go:51] signature is invalid
        E0519 06:39:46.314297       1 token.go:57] signature is invalid
        E0519 06:39:46.314303       1 handler.go:71] signature is invalid
        E0519 06:39:46.351868       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:39:46.351923       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 37ms
        E0519 06:39:46.352029       1 jwt.go:51] signature is invalid
        E0519 06:39:46.352043       1 token.go:57] signature is invalid
        E0519 06:39:46.352048       1 handler.go:71] signature is invalid
        E0519 06:39:46.352056       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:39:46.352071       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
        E0519 06:39:46.352089       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:39:46.352108       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 40ms
        E0519 06:44:03.629047       1 jwt.go:51] signature is invalid
        E0519 06:44:03.629280       1 token.go:57] signature is invalid
        E0519 06:44:03.629369       1 handler.go:71] signature is invalid
        E0519 06:44:03.629442       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:44:03.629529       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
        E0519 06:44:03.724538       1 jwt.go:51] signature is invalid
        E0519 06:44:03.724970       1 token.go:57] signature is invalid
        E0519 06:44:03.725232       1 handler.go:71] signature is invalid
        E0519 06:44:03.725772       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:44:03.725930       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 1ms
        E0519 06:44:03.730970       1 jwt.go:51] signature is invalid
        E0519 06:44:03.731009       1 token.go:57] signature is invalid
        E0519 06:44:03.731225       1 handler.go:71] signature is invalid
        E0519 06:44:03.731258       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:44:03.731323       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
        E0519 06:49:46.310275       1 jwt.go:51] signature is invalid
        E0519 06:49:46.310315       1 token.go:57] signature is invalid
        E0519 06:49:46.310323       1 handler.go:71] signature is invalid
        E0519 06:49:46.310333       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:49:46.310356       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
        E0519 06:49:46.311233       1 jwt.go:51] signature is invalid
        E0519 06:49:46.311247       1 token.go:57] signature is invalid
        E0519 06:49:46.311252       1 handler.go:71] signature is invalid
        E0519 06:49:46.311260       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:49:46.311274       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
        root@master1:~# kubectl -n kubesphere-system logs ks-apiserver-59dc6966c8-98rj4
        W0519 06:37:40.601489       1 client_config.go:543] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
        I0519 06:37:40.728353       1 apiserver.go:300] Start cache objects
        I0519 06:37:41.611614       1 apiserver.go:502] Finished caching objects
        I0519 06:37:41.611734       1 apiserver.go:232] Start listening on :9090
        E0519 06:39:46.303669       1 jwt.go:51] signature is invalid
        E0519 06:39:46.303699       1 token.go:57] signature is invalid
        E0519 06:39:46.303717       1 handler.go:71] signature is invalid
        E0519 06:39:46.303738       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:39:46.303774       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
        E0519 06:39:46.305394       1 jwt.go:51] signature is invalid
        E0519 06:39:46.306060       1 token.go:57] signature is invalid
        E0519 06:39:46.306151       1 handler.go:71] signature is invalid
        E0519 06:39:46.306174       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:39:46.306240       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
        E0519 06:39:46.319326       1 jwt.go:51] signature is invalid
        E0519 06:39:46.319352       1 token.go:57] signature is invalid
        E0519 06:39:46.319360       1 handler.go:71] signature is invalid
        E0519 06:39:46.319392       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:39:46.319413       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
        E0519 06:41:16.343753       1 handler.go:275] incorrect password
        I0519 06:41:16.356374       1 apiserver.go:539] 10.233.98.209 - "POST /oauth/token HTTP/1.1" 401 32 42ms
        E0519 06:41:19.683981       1 jwt.go:51] signature is invalid
        E0519 06:41:19.684006       1 token.go:57] signature is invalid
        E0519 06:41:19.684015       1 handler.go:71] signature is invalid
        E0519 06:41:19.684026       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:41:19.684046       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
        E0519 06:44:03.620513       1 jwt.go:51] signature is invalid
        E0519 06:44:03.620545       1 token.go:57] signature is invalid
        E0519 06:44:03.620559       1 handler.go:71] signature is invalid
        E0519 06:44:03.620573       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:44:03.620992       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
        E0519 06:44:03.726607       1 jwt.go:51] signature is invalid
        E0519 06:44:03.726625       1 token.go:57] signature is invalid
        E0519 06:44:03.726631       1 handler.go:71] signature is invalid
        E0519 06:44:03.726639       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:44:03.726655       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
        E0519 06:44:03.726822       1 jwt.go:51] signature is invalid
        E0519 06:44:03.726827       1 token.go:57] signature is invalid
        E0519 06:44:03.726830       1 handler.go:71] signature is invalid
        E0519 06:44:03.726835       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:44:03.726844       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
        E0519 06:49:46.303055       1 jwt.go:51] signature is invalid
        E0519 06:49:46.303086       1 token.go:57] signature is invalid
        E0519 06:49:46.303115       1 handler.go:71] signature is invalid
        E0519 06:49:46.303904       1 jwt.go:51] signature is invalid
        E0519 06:49:46.303959       1 token.go:57] signature is invalid
        E0519 06:49:46.303981       1 handler.go:71] signature is invalid
        E0519 06:49:46.304036       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:49:46.304076       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
        E0519 06:49:46.304309       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:49:46.304367       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 1ms
        E0519 06:49:46.304940       1 jwt.go:51] signature is invalid
        E0519 06:49:46.304958       1 token.go:57] signature is invalid
        E0519 06:49:46.304967       1 handler.go:71] signature is invalid
        E0519 06:49:46.304976       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:49:46.305000       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
        E0519 06:49:46.374383       1 jwt.go:51] signature is invalid
        E0519 06:49:46.374411       1 token.go:57] signature is invalid
        E0519 06:49:46.374420       1 handler.go:71] signature is invalid
        E0519 06:49:46.374431       1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
        I0519 06:49:46.374455       1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
        E0519 06:58:34.288911       1 handler.go:275] incorrect password
        I0519 06:58:34.298788       1 apiserver.go:539] 10.233.97.214 - "POST /oauth/token HTTP/1.1" 401 32 9ms

        Logging in with the original ks system account and password works normally.
        How should I connect AD domain accounts? The current environment has both 3.0 and 3.1.

          1 year later

          When the uid in LDAP contains special characters, the user cannot be synced over. How should this be handled? The uid is in email format.

            gzymomo You need to make sure the associated KubeSphere account meets the format requirements. If the username in the original account system contains special characters, you can re-edit it in the UI.

              hongming Editing it in the UI doesn't work. My configuration is as follows.

              My guess is that when the User is created there is a label: iam.kubesphere.io/origin-uid:

              which uses the original uid, but my uid is in email format, which causes resource creation to fail.

                gzymomo That is the problem: a uid containing special characters cannot be put into a label. You can file an issue.
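As an added example (not code from the thread or from KubeSphere), a pre-flight check that applies the Kubernetes label-value rules to a list of LDAP uids, so that uids which would be rejected when stored verbatim as the `iam.kubesphere.io/origin-uid` label value (such as email-format uids) are found before a sync is attempted; the sample uids are constructed.

```python
import re

# Kubernetes label value rules: at most 63 characters, empty or beginning and
# ending with an alphanumeric, with '-', '_' and '.' allowed in between.
LABEL_VALUE_RE = re.compile(r"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$")
ALLOWED_CHAR_RE = re.compile(r"[-A-Za-z0-9_.]")
MAX_LABEL_VALUE_LEN = 63


def is_valid_label_value(value: str) -> bool:
    """True if `value` is acceptable as a Kubernetes label value."""
    return len(value) <= MAX_LABEL_VALUE_LEN and LABEL_VALUE_RE.match(value) is not None


def find_unsyncable_uids(uids):
    """Return (uid, reason) pairs for uids that cannot be stored as the
    origin-uid label value, so they can be fixed in the source directory
    or the mapping before the user sync runs."""
    problems = []
    for uid in uids:
        if len(uid) > MAX_LABEL_VALUE_LEN:
            problems.append((uid, "longer than 63 characters"))
        elif not LABEL_VALUE_RE.match(uid):
            bad = sorted({c for c in uid if not ALLOWED_CHAR_RE.match(c)})
            if bad:
                reason = "disallowed characters: " + "".join(bad)
            else:
                reason = "must start and end with an alphanumeric"
            problems.append((uid, reason))
    return problems


# Constructed sample of LDAP uid values (not taken from the thread).
SAMPLE_UIDS = [
    "alice",
    "bob.smith",
    "carol@example.com",  # email-format uid, the case discussed above
    "-dave",
    "eve_01",
]

if __name__ == "__main__":
    for uid, reason in find_unsyncable_uids(SAMPLE_UIDS):
        print(f"{uid!r}: {reason}")
```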