Thank you for the explanation. Can these users be stored in the database on an external server? How would that work?
The users would be created and stored on the FreeIPA server in this case.
Ok, thank you for the clarification, we utilise Active Directory.
What is the useful purpose of an unsecured old protocol? For static containers GSS fits; for dynamic ones, OpenID.
Very helpful!
Thanks, glad you found it useful.
Which password did you use for the LDAP admin in the OpenShift UI?
I have an account called "admin" configured in FreeIPA. So it is the password for that admin account that I was using. You could change the password in FreeIPA.
@triplewho1448 But I have configured the LDAP server out of cluster, and it is not connecting with OpenShift; it gives an auth error on the OpenShift login page?
@DevOpsKey1 What error is being reported by the oauth pods when you try to log in?
```
❯ oc get po -n openshift-authentication
NAME                               READY   STATUS    RESTARTS   AGE
oauth-openshift-75ffccf47b-ld54f   1/1     Running   0          39d
oauth-openshift-75ffccf47b-pkdtz   1/1     Running   0          39d
oauth-openshift-75ffccf47b-zv54m   1/1     Running   0          39d
```
Check the logs from those pods while you try to log in and see what error is being reported.
Not sure what you mean by "have configured the ldap server out of cluster". But if you check those logs, it should tell you what the error is.
If you need more detailed output, you can enable debug logs with the following command:
```
oc patch authentication.operator.openshift.io cluster --type=merge -p '{"spec":{"logLevel":"Debug"}}'
```
Then check the logs again:
```
for pod in $(oc get pods -o=jsonpath='{.items[*].metadata.name}' -n openshift-authentication); do oc -n openshift-authentication logs $pod; done
```
Try grepping for the username, or any errors:
```
for pod in $(oc get pods -o=jsonpath='{.items[*].metadata.name}' -n openshift-authentication); do oc -n openshift-authentication logs $pod | egrep -i 'error|fail'; done
```
If I grep for my username for example and try to login with the wrong password, then I can see the following error:
```
❯ for pod in $(oc get pods -o=jsonpath='{.items[*].metadata.name}' -n openshift-authentication); do oc -n openshift-authentication logs $pod | egrep -i 'shep'; done
I0417 02:43:59.626721 1 basicauth.go:50] Login with provider "kube:admin" failed for login "shep"
I0417 02:44:14.672267 1 ldap.go:131] searching for (&(objectClass=*)(uid=shep))
I0417 02:44:14.675316 1 ldap.go:148] found dn="uid=shep,cn=users,cn=accounts,dc=bne-home,dc=net" for (&(objectClass=*)(uid=shep))
I0417 02:44:14.680701 1 ldap.go:152] error binding password for "uid=shep,cn=users,cn=accounts,dc=bne-home,dc=net": LDAP Result Code 49 "Invalid Credentials":
I0417 02:44:14.680838 1 basicauth.go:50] Login with provider "bne-home.net" failed for login "shep"
```
Here's a successful login after the failure for example:
```
❯ for pod in $(oc get pods -o=jsonpath='{.items[*].metadata.name}' -n openshift-authentication); do oc -n openshift-authentication logs $pod | egrep -i 'shep'; done
I0417 02:43:59.626721 1 basicauth.go:50] Login with provider "kube:admin" failed for login "shep"
I0417 02:44:14.672267 1 ldap.go:131] searching for (&(objectClass=*)(uid=shep))
I0417 02:44:14.675316 1 ldap.go:148] found dn="uid=shep,cn=users,cn=accounts,dc=bne-home,dc=net" for (&(objectClass=*)(uid=shep))
I0417 02:44:14.680701 1 ldap.go:152] error binding password for "uid=shep,cn=users,cn=accounts,dc=bne-home,dc=net": LDAP Result Code 49 "Invalid Credentials":
I0417 02:44:14.680838 1 basicauth.go:50] Login with provider "bne-home.net" failed for login "shep"
I0417 02:45:24.852682 1 basicauth.go:50] Login with provider "kube:admin" failed for login "shep"
I0417 02:45:39.864577 1 ldap.go:131] searching for (&(objectClass=*)(uid=shep))
I0417 02:45:39.868505 1 ldap.go:148] found dn="uid=shep,cn=users,cn=accounts,dc=bne-home,dc=net" for (&(objectClass=*)(uid=shep))
I0417 02:45:39.927710 1 ldap.go:152] error binding password for "uid=shep,cn=users,cn=accounts,dc=bne-home,dc=net": LDAP Result Code 49 "Invalid Credentials":
I0417 02:45:39.927887 1 basicauth.go:50] Login with provider "bne-home.net" failed for login "shep"
I0417 02:45:53.547098 1 basicauth.go:50] Login with provider "kube:admin" failed for login "shep"
I0417 02:46:08.555920 1 ldap.go:131] searching for (&(objectClass=*)(uid=shep))
I0417 02:46:08.558953 1 ldap.go:148] found dn="uid=shep,cn=users,cn=accounts,dc=bne-home,dc=net" for (&(objectClass=*)(uid=shep))
I0417 02:46:08.697038 1 basicauth.go:53] Login with provider "bne-home.net" succeeded for login "shep": &groupmapper.UserInfoGroupsWrapper{userInfo:(*user.DefaultInfo)(0xc000401b00), additionalGroups:sets.String{}}
```
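As an added example (not from the thread and not OpenShift's own code), here is the triage I would script over those oauth pod log lines: it correlates each user's ldap.go search/bind lines with the basicauth.go outcome so you can tell "user not found" apart from a wrong password (LDAP result 49), and flags accounts with repeated bind failures. The sample log is constructed to match the format above; the "nobody" attempt is made up.

```python
import re
from collections import defaultdict
# Constructed sample of oauth-openshift log lines in the format shown in the thread; "nobody" is made up.
SAMPLE_LOG = """\
I0417 02:43:59.626721 1 basicauth.go:50] Login with provider "kube:admin" failed for login "shep"
I0417 02:44:14.672267 1 ldap.go:131] searching for (&(objectClass=*)(uid=shep))
I0417 02:44:14.675316 1 ldap.go:148] found dn="uid=shep,cn=users,cn=accounts,dc=bne-home,dc=net" for (&(objectClass=*)(uid=shep))
I0417 02:44:14.680701 1 ldap.go:152] error binding password for "uid=shep,cn=users,cn=accounts,dc=bne-home,dc=net": LDAP Result Code 49 "Invalid Credentials":
I0417 02:44:14.680838 1 basicauth.go:50] Login with provider "bne-home.net" failed for login "shep"
I0417 02:46:08.555920 1 ldap.go:131] searching for (&(objectClass=*)(uid=shep))
I0417 02:46:08.558953 1 ldap.go:148] found dn="uid=shep,cn=users,cn=accounts,dc=bne-home,dc=net" for (&(objectClass=*)(uid=shep))
I0417 02:46:08.697038 1 basicauth.go:53] Login with provider "bne-home.net" succeeded for login "shep": &groupmapper.UserInfoGroupsWrapper{}
I0417 02:50:01.000000 1 ldap.go:131] searching for (&(objectClass=*)(uid=nobody))
I0417 02:50:01.100000 1 basicauth.go:50] Login with provider "bne-home.net" failed for login "nobody"
"""

LOGIN_RE = re.compile(r'basicauth\.go:\d+\] Login with provider "([^"]+)" (failed|succeeded) for login "([^"]+)"')
SEARCH_RE = re.compile(r'ldap\.go:\d+\] searching for .*\(uid=([^)]+)\)')
FOUND_RE = re.compile(r'ldap\.go:\d+\] found dn="uid=([^,"]+)')
BIND_RE = re.compile(r'ldap\.go:\d+\] error binding password for "uid=([^,"]+)[^"]*": LDAP Result Code (\d+) "([^"]+)"')

def summarize(log_text):
    """Correlate each user's LDAP search/bind lines with the final login outcome."""
    users = defaultdict(lambda: {"failed": defaultdict(int), "succeeded": defaultdict(int), "reasons": []})
    pending = {}  # uid -> state of the LDAP lookup still in flight
    for line in log_text.splitlines():
        if m := SEARCH_RE.search(line):
            pending[m.group(1)] = {"found": False, "code": None, "msg": None}
        elif (m := FOUND_RE.search(line)) and m.group(1) in pending:
            pending[m.group(1)]["found"] = True
        elif (m := BIND_RE.search(line)) and m.group(1) in pending:
            pending[m.group(1)].update(code=int(m.group(2)), msg=m.group(3))
        elif m := LOGIN_RE.search(line):
            provider, outcome, user = m.groups()
            users[user][outcome][provider] += 1
            state = pending.pop(user, None)  # kube:admin is tried first and has no LDAP state
            if outcome == "failed" and state is not None:
                if not state["found"]:
                    reason = "user not found in directory"
                elif state["code"] == 49:
                    reason = "invalid credentials (LDAP result 49)"
                else:
                    reason = f"other failure (code={state['code']}, msg={state['msg']})"
                users[user]["reasons"].append((provider, reason))
    return users

def flag_repeated_failures(users, threshold=3):
    # Defender check: accounts whose LDAP bind failed at least `threshold` times
    return sorted(u for u, s in users.items()
                  if sum(r.startswith("invalid credentials") for _, r in s["reasons"]) >= threshold)
```

Feed it the output of the `oc logs` loop above (with Debug log level enabled) instead of the constructed sample to get a per-user breakdown of why logins are failing.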
@BrendanShephard Please make a video on LDAP integration with OpenShift.