Sync LDAP accounts
hongmingK零SK壹S
```shell
for user in $(kubectl get users -l \!iam.kubesphere.io/origin-uid,iam.kubesphere.io/identify-provider -o jsonpath="{.items[*].metadata.name}"); do
  kubectl label user "$user" iam.kubesphere.io/origin-uid="$user"
done

cat << EOF | kubectl apply -f -
apiVersion: iam.kubesphere.io/v1alpha2
kind: GlobalRoleBinding
metadata:
  name: pre-registration
roleRef:
  apiGroup: iam.kubesphere.io
  kind: GlobalRole
  name: pre-registration
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: pre-registration
EOF
```
7 days later
@hongming Is there a configuration example for integrating AD? I configured it on my side, but for some reason it does not take effect: logging in with an AD domain account shows "user or password incorrect".
ConfigMap (cm) configuration:
```yaml
oauthOptions:
  accessTokenMaxAge: 1h
  accessTokenInactivityTimeout: 30m
  identityProviders:
  - name: ad
    type: AdIdentityProvider
    mappingMethod: auto
    provider:
      host: ip:port
      managerDN: cn=name,cn=Users,dc=xxx,dc=com
      managerPassword: pass
      userSearchBase: cn=Users,dc=xxx,dc=com
      loginAttribute: sAMAccountName
      mailAttribute: mail
ldap:
  host: openldap.kubesphere-system.svc:389
  managerDN: cn=admin,dc=kubesphere,dc=io
  managerPassword: admin
  userSearchBase: ou=Users,dc=kubesphere,dc=io
  groupSearchBase: ou=Groups,dc=kubesphere,dc=io
  groupSearchBase: ou=Groups,dc=bokesoft,dc=com
```
I have restarted ks-api-server; api-server logs:
```text
W0519 06:37:37.935290 1 client_config.go:543] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
I0519 06:37:38.003617 1 apiserver.go:300] Start cache objects
I0519 06:37:39.109514 1 apiserver.go:502] Finished caching objects
I0519 06:37:39.109813 1 apiserver.go:232] Start listening on :9090
E0519 06:39:46.311471 1 jwt.go:51] signature is invalid
E0519 06:39:46.311491 1 token.go:57] signature is invalid
E0519 06:39:46.311497 1 handler.go:71] signature is invalid
E0519 06:39:46.314277 1 jwt.go:51] signature is invalid
E0519 06:39:46.314297 1 token.go:57] signature is invalid
E0519 06:39:46.314303 1 handler.go:71] signature is invalid
E0519 06:39:46.351868 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:39:46.351923 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 37ms
E0519 06:39:46.352029 1 jwt.go:51] signature is invalid
E0519 06:39:46.352043 1 token.go:57] signature is invalid
E0519 06:39:46.352048 1 handler.go:71] signature is invalid
E0519 06:39:46.352056 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:39:46.352071 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
E0519 06:39:46.352089 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:39:46.352108 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 40ms
E0519 06:44:03.629047 1 jwt.go:51] signature is invalid
E0519 06:44:03.629280 1 token.go:57] signature is invalid
E0519 06:44:03.629369 1 handler.go:71] signature is invalid
E0519 06:44:03.629442 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:44:03.629529 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
E0519 06:44:03.724538 1 jwt.go:51] signature is invalid
E0519 06:44:03.724970 1 token.go:57] signature is invalid
E0519 06:44:03.725232 1 handler.go:71] signature is invalid
E0519 06:44:03.725772 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:44:03.725930 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 1ms
E0519 06:44:03.730970 1 jwt.go:51] signature is invalid
E0519 06:44:03.731009 1 token.go:57] signature is invalid
E0519 06:44:03.731225 1 handler.go:71] signature is invalid
E0519 06:44:03.731258 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:44:03.731323 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
E0519 06:49:46.310275 1 jwt.go:51] signature is invalid
E0519 06:49:46.310315 1 token.go:57] signature is invalid
E0519 06:49:46.310323 1 handler.go:71] signature is invalid
E0519 06:49:46.310333 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:49:46.310356 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
E0519 06:49:46.311233 1 jwt.go:51] signature is invalid
E0519 06:49:46.311247 1 token.go:57] signature is invalid
E0519 06:49:46.311252 1 handler.go:71] signature is invalid
E0519 06:49:46.311260 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:49:46.311274 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
```
```text
root@master1:~# kubectl -n kubesphere-system logs ks-apiserver-59dc6966c8-98rj4
W0519 06:37:40.601489 1 client_config.go:543] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
I0519 06:37:40.728353 1 apiserver.go:300] Start cache objects
I0519 06:37:41.611614 1 apiserver.go:502] Finished caching objects
I0519 06:37:41.611734 1 apiserver.go:232] Start listening on :9090
E0519 06:39:46.303669 1 jwt.go:51] signature is invalid
E0519 06:39:46.303699 1 token.go:57] signature is invalid
E0519 06:39:46.303717 1 handler.go:71] signature is invalid
E0519 06:39:46.303738 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:39:46.303774 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
E0519 06:39:46.305394 1 jwt.go:51] signature is invalid
E0519 06:39:46.306060 1 token.go:57] signature is invalid
E0519 06:39:46.306151 1 handler.go:71] signature is invalid
E0519 06:39:46.306174 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:39:46.306240 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
E0519 06:39:46.319326 1 jwt.go:51] signature is invalid
E0519 06:39:46.319352 1 token.go:57] signature is invalid
E0519 06:39:46.319360 1 handler.go:71] signature is invalid
E0519 06:39:46.319392 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:39:46.319413 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
E0519 06:41:16.343753 1 handler.go:275] incorrect password
I0519 06:41:16.356374 1 apiserver.go:539] 10.233.98.209 - "POST /oauth/token HTTP/1.1" 401 32 42ms
E0519 06:41:19.683981 1 jwt.go:51] signature is invalid
E0519 06:41:19.684006 1 token.go:57] signature is invalid
E0519 06:41:19.684015 1 handler.go:71] signature is invalid
E0519 06:41:19.684026 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:41:19.684046 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
E0519 06:44:03.620513 1 jwt.go:51] signature is invalid
E0519 06:44:03.620545 1 token.go:57] signature is invalid
E0519 06:44:03.620559 1 handler.go:71] signature is invalid
E0519 06:44:03.620573 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:44:03.620992 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
E0519 06:44:03.726607 1 jwt.go:51] signature is invalid
E0519 06:44:03.726625 1 token.go:57] signature is invalid
E0519 06:44:03.726631 1 handler.go:71] signature is invalid
E0519 06:44:03.726639 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:44:03.726655 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
E0519 06:44:03.726822 1 jwt.go:51] signature is invalid
E0519 06:44:03.726827 1 token.go:57] signature is invalid
E0519 06:44:03.726830 1 handler.go:71] signature is invalid
E0519 06:44:03.726835 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:44:03.726844 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
E0519 06:49:46.303055 1 jwt.go:51] signature is invalid
E0519 06:49:46.303086 1 token.go:57] signature is invalid
E0519 06:49:46.303115 1 handler.go:71] signature is invalid
E0519 06:49:46.303904 1 jwt.go:51] signature is invalid
E0519 06:49:46.303959 1 token.go:57] signature is invalid
E0519 06:49:46.303981 1 handler.go:71] signature is invalid
E0519 06:49:46.304036 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:49:46.304076 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
E0519 06:49:46.304309 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:49:46.304367 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 1ms
E0519 06:49:46.304940 1 jwt.go:51] signature is invalid
E0519 06:49:46.304958 1 token.go:57] signature is invalid
E0519 06:49:46.304967 1 handler.go:71] signature is invalid
E0519 06:49:46.304976 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:49:46.305000 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
E0519 06:49:46.374383 1 jwt.go:51] signature is invalid
E0519 06:49:46.374411 1 token.go:57] signature is invalid
E0519 06:49:46.374420 1 handler.go:71] signature is invalid
E0519 06:49:46.374431 1 utils.go:32] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:72 signature is invalid
I0519 06:49:46.374455 1 apiserver.go:539] 10.233.97.208 - "POST /oauth/authenticate HTTP/1.1" 500 21 0ms
E0519 06:58:34.288911 1 handler.go:275] incorrect password
I0519 06:58:34.298788 1 apiserver.go:539] 10.233.97.214 - "POST /oauth/token HTTP/1.1" 401 32 9ms
```
Logging in with the original KS system account and password works normally.
How should I integrate AD domain accounts? My current environments include both 3.0 and 3.1.
hongmingK零SK壹S
SxunS https://kubesphere.com.cn/docs/access-control-and-account-management/configuring-authentication/#ldap-authentication
AdIdentityProvider -> LDAPIdentityProvider
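The reply above points at the provider type; the config posted earlier also carries a second problem (a key repeated inside one mapping). The following script is an added example written for this thread, not KubeSphere project code. It re-parses the pasted oauthOptions block with a small stdlib-only parser (so it runs without PyYAML) and flags an unknown provider `type`, an unknown `mappingMethod`, missing LDAP fields, and duplicate keys. The lists of known types and mapping methods are this writer's reading of the KubeSphere 3.x authentication docs and are an assumption to verify against your version; the required-field list is taken from the config in the thread.

```python
"""Sanity-check the identityProviders block of a KubeSphere kubesphere-config.

Added example for this thread, not KubeSphere code. Catches the defects visible
in the config pasted above: an unknown provider type (AdIdentityProvider; AD is
reached through LDAPIdentityProvider) and a key that appears twice in one
mapping, which a real YAML loader silently resolves by keeping the last value.
"""
import re

# Assumption: provider types and mapping methods as this writer knows them from
# the KubeSphere 3.x docs; check against the docs for your own version.
KNOWN_TYPES = {"LDAPIdentityProvider", "OIDCIdentityProvider",
               "GitHubIdentityProvider", "CASIdentityProvider"}
KNOWN_MAPPING_METHODS = {"auto", "lookup", "mixed"}
# Fields an LDAP provider block carries, taken from the config in the thread.
LDAP_REQUIRED = ("host", "managerDN", "managerPassword", "userSearchBase",
                 "loginAttribute", "mailAttribute")

_LINE = re.compile(r"^(\s*)(- )?([A-Za-z0-9_.-]+):\s*(.*?)\s*$")


def _tokenize(text):
    """Turn `key: value` lines into (key_column, starts_list_item, key, value)."""
    toks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if not m:
            raise ValueError(f"unsupported YAML line: {raw!r}")
        ws, dash, key, val = m.groups()
        toks.append((len(ws) + (2 if dash else 0), bool(dash), key, val))
    return toks


def _parse_map(toks, i, col, dups, path):
    node = {}
    while i < len(toks):
        kc, dash, key, val = toks[i]
        if kc < col or (dash and node):      # outdent, or the next list item
            break
        if kc > col:
            raise ValueError(f"unexpected indentation at {path}{key}")
        if key in node:                       # duplicate key in this mapping
            dups.append(path + key)
        i += 1
        nested = i < len(toks) and toks[i][0] > col
        if val != "":
            node[key] = val                   # last value wins, like real loaders
        elif nested and toks[i][1]:
            node[key], i = _parse_list(toks, i, toks[i][0], dups, path + key)
        elif nested:
            node[key], i = _parse_map(toks, i, toks[i][0], dups, path + key + ".")
        else:
            node[key] = None
    return node, i


def _parse_list(toks, i, col, dups, path):
    items = []
    while i < len(toks) and toks[i][0] == col and toks[i][1]:
        item, i = _parse_map(toks, i, col, dups, f"{path}[{len(items)}].")
        items.append(item)
    return items, i


def parse_simple_yaml(text):
    """Return (tree, duplicate_key_paths) for the kubesphere-config subset."""
    dups = []
    tree, _ = _parse_map(_tokenize(text), 0, 0, dups, "")
    return tree, dups


def check_identity_providers(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    tree, dups = parse_simple_yaml(text)
    findings = [f"duplicate key {d}: a YAML loader keeps only the last value" for d in dups]
    providers = (tree.get("oauthOptions") or {}).get("identityProviders") or []
    for p in providers:
        name, ptype = p.get("name", "?"), p.get("type")
        if ptype not in KNOWN_TYPES:
            hint = " (use LDAPIdentityProvider for Active Directory)" \
                if ptype and ptype.lower().startswith("ad") else ""
            findings.append(f"provider {name}: unknown type {ptype!r}{hint}")
        if p.get("mappingMethod") not in KNOWN_MAPPING_METHODS:
            findings.append(f"provider {name}: unknown mappingMethod {p.get('mappingMethod')!r}")
        if ptype in ("LDAPIdentityProvider", "AdIdentityProvider"):
            cfg = p.get("provider") or {}
            findings += [f"provider {name}: provider.{k} is missing" for k in LDAP_REQUIRED if not cfg.get(k)]
    return findings


# The config exactly as pasted in the thread (values are already placeholders).
THREAD_CONFIG = """\
oauthOptions:
  accessTokenMaxAge: 1h
  accessTokenInactivityTimeout: 30m
  identityProviders:
  - name: ad
    type: AdIdentityProvider
    mappingMethod: auto
    provider:
      host: ip:port
      managerDN: cn=name,cn=Users,dc=xxx,dc=com
      managerPassword: pass
      userSearchBase: cn=Users,dc=xxx,dc=com
      loginAttribute: sAMAccountName
      mailAttribute: mail
ldap:
  host: openldap.kubesphere-system.svc:389
  managerDN: cn=admin,dc=kubesphere,dc=io
  managerPassword: admin
  userSearchBase: ou=Users,dc=kubesphere,dc=io
  groupSearchBase: ou=Groups,dc=kubesphere,dc=io
  groupSearchBase: ou=Groups,dc=bokesoft,dc=com
"""

# Same provider with the type corrected as in the reply, and the stray block dropped.
FIXED_CONFIG = THREAD_CONFIG.replace("AdIdentityProvider", "LDAPIdentityProvider").split("ldap:\n")[0]

if __name__ == "__main__":
    for label, cfg in (("as posted", THREAD_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "->", check_identity_providers(cfg) or "no findings")
```

Run it against the ConfigMap content before restarting ks-apiserver; the parser covers only the flat `key: value`, nested-map and list-of-maps shapes used in that file and raises on anything else, so an exception is itself a hint that the block is not what ks-apiserver expects.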
1 year later
When the uid in LDAP contains special characters, the user cannot be synced over. How should this be handled? The uid is in email format.
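One plausible reason an e-mail-shaped uid fails to sync is that a KubeSphere User is a Kubernetes object: `metadata.name` must be a DNS-1123 subdomain, and a label value (the `iam.kubesphere.io/origin-uid` label used at the top of this thread) is limited to 63 characters of `[A-Za-z0-9_.-]` that start and end alphanumerically, so `@` is rejected in both places. The script below is an added example for this question, not KubeSphere's own sync logic: it checks a uid against both rules and derives a deterministic, collision-resistant name when the uid cannot be used directly. The User object shape, and the annotation key `example.invalid/origin-uid` used to keep the raw uid, are this writer's assumptions.

```python
"""Check whether an LDAP uid works as a Kubernetes object name / label value,
and derive a safe name when it does not.

Added example for this thread, not KubeSphere code. The regexes are the
Kubernetes DNS-1123 subdomain and label-value rules; the mapping and the User
sketch are this writer's suggestion.
"""
import hashlib
import re

DNS1123_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
LABEL_VALUE = re.compile(r"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$")


def is_valid_k8s_name(s):
    """metadata.name rule for most Kubernetes objects (max 253 chars)."""
    return len(s) <= 253 and DNS1123_SUBDOMAIN.match(s) is not None


def is_valid_label_value(s):
    """Label value rule (max 63 chars, may be empty)."""
    return len(s) <= 63 and LABEL_VALUE.match(s) is not None


def sanitize_uid(uid):
    """Derive a deterministic K8s name from an arbitrary uid.

    Lower-case, replace runs of anything outside [a-z0-9] with '-', trim, then
    append 8 hex chars of SHA-256 of the *original* uid so that uids differing
    only in case or punctuation still map to distinct names."""
    base = re.sub(r"[^a-z0-9]+", "-", uid.lower()).strip("-")[:50].strip("-")
    digest = hashlib.sha256(uid.encode("utf-8")).hexdigest()[:8]
    return f"{base}-{digest}" if base else digest


def user_object_sketch(uid, identity_provider):
    """Assumed shape of a synced User: keep the raw uid in the origin-uid label
    when it is a legal label value, otherwise in an annotation (placeholder key),
    since annotation values are unrestricted."""
    name = uid if is_valid_k8s_name(uid) else sanitize_uid(uid)
    meta = {"name": name,
            "labels": {"iam.kubesphere.io/identify-provider": identity_provider}}
    if is_valid_label_value(uid):
        meta["labels"]["iam.kubesphere.io/origin-uid"] = uid
    else:
        meta["annotations"] = {"example.invalid/origin-uid": uid}  # placeholder key
    return {"apiVersion": "iam.kubesphere.io/v1alpha2", "kind": "User", "metadata": meta}


if __name__ == "__main__":
    for uid in ("alice", "user@example.com"):  # constructed sample uids
        print(uid, "name ok:", is_valid_k8s_name(uid),
              "label ok:", is_valid_label_value(uid), "->", user_object_sketch(uid, "ldap"))
```

The hash suffix matters more than it looks: `Alice@example.com` and `alice@example.com` normalise to the same base string, and without the suffix one would overwrite the other's User object.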