qczrzl
loginAttribute: cn
qczrzl Internally the company really does log in with uid, and the Apollo and other systems I have integrated on my side all use this configuration.
Restart these components:
ks-controller-manager
ks-apiserver
ks-installer
ks-console [optional]
If it is a local deployment you can even reboot the server directly (not recommended).
The first login will report an error; log in a few more times until the email-account prompt appears, which means the OpenLDAP integration succeeded.
/kapis/config.kubesphere.io/v1alpha2/configs/oauth
Here you can see whether LDAPIdentityProvider has been enabled correctly.
hongming
2. Using an email address as the username is not supported; that is what the prompt says when confirming the user info.
May I ask how this problem was finally resolved? I have run into the same issue. Thanks. @StandardStudent
hongming After configuring LDAP, authentication works, but the ks-apiserver liveness probe returns 403, and at the same time all of k8s is in both the host and member cluster. After restarting k8s (single node), KubeSphere is back to normal, but LDAP authentication no longer works. What should I do?
/kapis/config.kubesphere.io/v1alpha2/configs/oauth returns the following:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "Unauthorized: token not found in cache",
  "reason": "Unauthorized",
  "code": 401
}
hongming Hi, my KS version is v3.4.0, and I configured LDAP as follows:
authentication:
  jwtSecret: ""
  maximumClockSkew: 10s
  multipleLogin: true
  oauthOptions:
    accessTokenInactivityTimeout: 30m
    accessTokenMaxAge: 1h
    identityProviders:
    - mappingMethod: auto
      name: LDAP
      provider:
        host: 192.168.1.1:389
        loginAttribute: uid
        mailAttribute: mail
        managerDN: cn=xx,dc=xx,dc=com
        managerPassword: xgdasssdf
        userSearchBase: dc=xx,dc=com
      type: LDAPIdentityProvider
Then requesting /kapi returns the following:
{
  "issuer": "kubesphere",
  "identityProviders": [
    {
      "name": "LDAP",
      "mappingMethod": "auto",
      "disableLoginConfirmation": false,
      "type": "LDAPIdentityProvider",
      "provider": {
        "host": "192.168.1.1:389",
        "loginAttribute": "uid",
        "mailAttribute": "mail",
        "managerDN": "cn=xx,dc=xx,dc=com",
        "userSearchBase": "dc=xx,dc=com"
      }
    }
  ],
  "clients": [
    {
      "name": "kubesphere",
      "redirectURIs": [
        "*"
      ]
    }
  ],
  "accessTokenMaxAge": 3600000000000,
  "accessTokenInactivityTimeout": 1800000000000
}
The result: logging in on the console page keeps reporting a wrong username or password, ks-apiserver has no related logs, and the console logs the following:
<-- POST /login 2023/10/13T10:38:04.310
{
  code: 400,
  error: 'invalid_grant',
  error_description: 'incorrect password',
  statusText: 'Bad Request'
}
--> POST /login 200 3ms 81b 2023/10/13T10:38:04.313
I would like to ask what I need to do to integrate LDAP correctly. Thanks.
Same problem here; rolling back to version 3.2.1 fixes it. From the look of it KubeSphere is about to die; their product manager doesn't even respond when asked. If it is no longer maintained, just announce it instead of annoying people here!
wuzheng Temporary workaround
First make sure there is nothing wrong with the LDAP configuration; confirm it here:
http://192.168.10.10:30880/kapis/config.kubesphere.io/v1alpha2/configs/oauth
Then downgrade the apiserver; I have not found any serious errors so far and it is basically usable:
kubectl -n kubesphere-system set image deployment/ks-apiserver *=kubesphere/ks-apiserver:v3.3.2
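Both hongming's tip earlier in the thread (look at the oauth config endpoint to see whether LDAPIdentityProvider is enabled) and wuzheng's "first confirm the LDAP configuration" step amount to reading that JSON by eye. The script below is an added example, not KubeSphere project code or any poster's code: it parses a saved response body, tells a real config apart from the 401 Status object shown above, lints the LDAP provider entry, and prints the equivalent ldapsearch line so the manager bind and the login lookup can be tested against the directory outside KubeSphere. The sample bodies are copied from this thread; the `startTLS` option name and the "search base should be an ancestor of the manager DN" rule are assumptions, not something KubeSphere guarantees.

```python
"""Sanity-check the JSON that GET /kapis/config.kubesphere.io/v1alpha2/configs/oauth
returns for an LDAP identity provider. Added example, standard library only."""
import json
import shlex
from typing import Dict, List

# Constructed samples: response bodies copied from the thread.
OAUTH_OK = """{
  "issuer": "kubesphere",
  "identityProviders": [{
    "name": "LDAP", "mappingMethod": "auto", "disableLoginConfirmation": false,
    "type": "LDAPIdentityProvider",
    "provider": {"host": "192.168.1.1:389", "loginAttribute": "uid",
                 "mailAttribute": "mail", "managerDN": "cn=xx,dc=xx,dc=com",
                 "userSearchBase": "dc=xx,dc=com"}}],
  "clients": [{"name": "kubesphere", "redirectURIs": ["*"]}],
  "accessTokenMaxAge": 3600000000000, "accessTokenInactivityTimeout": 1800000000000
}"""
OAUTH_401 = """{"kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
  "message": "Unauthorized: token not found in cache", "reason": "Unauthorized", "code": 401}"""


def parse_oauth_config(body: str) -> Dict:
    """Return the config dict, or raise when the API answered with a Kubernetes
    Status object (the 401 in the thread is one of those, not a config)."""
    data = json.loads(body)
    if data.get("kind") == "Status":
        raise RuntimeError(f"{data.get('code')} {data.get('reason')}: {data.get('message')}")
    return data


def ldap_providers(cfg: Dict) -> List[Dict]:
    return [p for p in cfg.get("identityProviders", []) if p.get("type") == "LDAPIdentityProvider"]


def normalize_dn(dn: str) -> List[str]:
    """RDNs lower-cased with surrounding whitespace removed, leaf first."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def lint_ldap_provider(p: Dict) -> List[str]:
    """Heuristic findings for one LDAPIdentityProvider entry."""
    findings = []
    prov = p.get("provider", {})
    for key in ("host", "managerDN", "userSearchBase", "loginAttribute"):
        if not prov.get(key):
            findings.append(f"missing provider.{key}")
    host = prov.get("host", "")
    # Port 389 with no TLS option: the manager bind and every user's password cross the
    # wire in clear. 'startTLS' is an assumed option name; check your KubeSphere version.
    if host.endswith(":389") and not prov.get("startTLS"):
        findings.append(f"{host}: plaintext LDAP without startTLS, bind passwords are sent unencrypted")
    if "managerPassword" in prov:
        findings.append("managerPassword is exposed in the oauth config response")
    base = normalize_dn(prov.get("userSearchBase", ""))
    mgr = normalize_dn(prov.get("managerDN", ""))
    # Not an error by itself (assumed heuristic), but a search base that is not an
    # ancestor of the service account's DN is worth a second look.
    if base and mgr and mgr[-len(base):] != base:
        findings.append(f"userSearchBase {prov['userSearchBase']!r} is not an ancestor of managerDN; double-check the base")
    return findings


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot change the shape of the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def login_filter(prov: Dict, username: str) -> str:
    return f"({prov['loginAttribute']}={escape_filter_value(username)})"


def ldapsearch_command(prov: Dict, username: str) -> str:
    """The lookup as an ldapsearch line to run by hand; -W prompts for the manager password."""
    return " ".join(shlex.quote(a) for a in [
        "ldapsearch", "-x", "-H", f"ldap://{prov['host']}", "-D", prov["managerDN"], "-W",
        "-b", prov["userSearchBase"], login_filter(prov, username), prov.get("mailAttribute", "mail")])


if __name__ == "__main__":
    try:
        parse_oauth_config(OAUTH_401)
    except RuntimeError as e:
        print("401 body is not a config:", e)
    cfg = parse_oauth_config(OAUTH_OK)
    for p in ldap_providers(cfg):
        print(p["name"], lint_ldap_provider(p))
        print(ldapsearch_command(p["provider"], "alice"))
```

If the manager bind fails or the filter returns no entry for a known user, the problem is the directory side (DN, base or loginAttribute) and no apiserver downgrade will help; if ldapsearch finds the user but the console still reports a wrong password, the fault is in KubeSphere itself, which is the situation the downgrade above works around.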
RainFlying Confirmed, haha. Same here; I tried several times and downgrading was what fixed it.
The 3.4.1 release notes say LDAP has been fixed, but I still cannot log in. When I click Log In the button just flashes once, with no prompt and no error. I cannot figure it out.
authentication:
  jwtSecret: ''
  maximumClockSkew: 10s
  multipleLogin: true
  oauthOptions:
    accessTokenInactivityTimeout: 30m
    accessTokenMaxAge: 1h
    identityProviders:
    - mappingMethod: auto
      name: LDAP
      provider:
        host: '10.66.66.66:389'
        loginAttribute: SamAccountName
        mailAttribute: mail
        managerDN: 'CN=ldap_auth,OU=LDAP_AUTH,OU=dom,DC=dom,DC=cn'
        managerPassword: laP_fsoBSW2FFN_fpwnhFs.432g
        userSearchBase: 'cn=dom,dc=dom,dc=cn'
      type: LDAPIdentityProvider