Merge pull request #1390 from okamototk/activedirectory

Add Active Directory and kubelogin integration sample.
2019-02-03 11:09:33 +01:00 · 2019-02-03 11:09:33 +01:00 · b6f4740a15
commit b6f4740a15
parent b5826e66f0 337bbe5f09
3 changed files with 224 additions and 1 deletions
--- a/Documentation/connectors/kubelogin-activedirectory.md
+++ b/Documentation/connectors/kubelogin-activedirectory.md
@ -0,0 +1,129 @@
 # Integration kubelogin and Active Directory
 ## Overview
 kubelogin is helper tool for kubernetes and oidc integration.
 It makes easy to login Open ID Provider.
 This document describes how dex work with kubelogin and Active Directory.
 examples/config-ad-kubelogin.yaml is sample configuration to integrate Active Directory and kubelogin.
 ## Precondition
 1. Active Directory
 You should have Active Directory or LDAP has Active Directory compatible schema such as samba ad.
 You may have user objects and group objects in AD. Please ensure TLS is enabled.
 2. Install kubelogin
 Download kubelogin from https://github.com/int128/kubelogin/releases.
 Install it to your terminal.
 ## Getting started
 ### Generate certificate and private key
 Create OpenSSL conf req.conf as follow:
 ```
 [req]
 req_extensions = v3_req
 distinguished_name = req_distinguished_name
 [req_distinguished_name]
 [ v3_req ]
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 subjectAltName = @alt_names
 [alt_names]
 DNS.1 = dex.example.com
 ```
 Please replace dex.example.com to your favorite hostname.
 Generate certificate and private key by following command.
 ```console
 $ openssl req -new -x509 -sha256 -days 3650 -newkey rsa:4096 -extensions v3_req -out openid-ca.pem -keyout openid-key.pem -config req.cnf -subj "/CN=kube-ca" -nodes
 $ ls openid*
 openid-ca.pem openid-key.pem
 ```
 ### Modify dex config
 Modify following host, bindDN and bindPW in examples/config-ad-kubelogin.yaml.
 ```yaml
 connectors:
 - type: ldap
  name: OpenLDAP
  id: ldap
  config:
    host: ldap.example.com:636
    # No TLS for this setup.
    insecureNoSSL: false
    insecureSkipVerify: true
    # This would normally be a read-only user.
    bindDN: cn=Administrator,cn=users,dc=example,dc=com
    bindPW: admin0!
 ```
 ### Run dex
 ```
 $ bin/dex serve examples/config-ad-kubelogin.yaml
 ```
 ### Configure kubernetes with oidc
 Copy openid-ca.pem to /etc/ssl/certs/openid-ca.pem on master node.
 Use the following flags to point your API server(s) at dex. `dex.example.com` should be replaced by whatever DNS name or IP address dex is running under.
 ```
 --oidc-issuer-url=https://dex.example.com:32000/dex
 --oidc-client-id=kubernetes
 --oidc-ca-file=/etc/ssl/certs/openid-ca.pem
 --oidc-username-claim=email
 --oidc-groups-claim=groups
 ```
 Then restart API server(s).
 See https://kubernetes.io/docs/reference/access-authn-authz/authentication/ for more detail.
 ### kubelogin
 Create context for dex authentication:
 ```console
 $ kubectl config set-context oidc-ctx --cluster=cluster.local --user=test
 $ kubectl config set-credentials test \
  --auth-provider=oidc \
  --auth-provider-arg=idp-issuer-url=https://dex.example.com:32000/dex \
  --auth-provider-arg=client-id=kubernetes \
  --auth-provider-arg=client-secret=ZXhhbXBsZS1hcHAtc2VjcmV0 \
  --auth-provider-arg=idp-certificate-authority-data=$(base64 -w 0 openid-ca.pem) \
  --auth-provider-arg=extra-scopes="offline_access openid profile email group"
 $ kubectl config use-context oidc-ctx
 ```
 Please confirm idp-issuer-url, client-id, client-secret and idp-certificate-authority-data value is same as config-ad-kubelogin.yaml's value.
 Then run kubelogin:
 ```console
 $ kubelogin
 ```
 Access http://localhost:8000 by web browser and login with your AD account (eg. test@example.com) and password.
 After login and grant, you have following token in ~/.kube/config:
 ```
        id-token: eyJhbGciOiJSUzICuU4dCcilDDWlw2lfr8mg...
        refresh-token: ChlxY2EzeGhKEB4492EzecdKJOElECK...
 ```
--- a/Documentation/connectors/ldap.md
+++ b/Documentation/connectors/ldap.md
@ -253,7 +253,6 @@ groupSearch:
 The following configuration will allow the LDAP connector to search a FreeIPA directory using an LDAP filter.
 ```yaml
 connectors:
 - type: ldap
  id: ldap
@ -284,3 +283,40 @@ connectors:
 If the search finds an entry, it will attempt to use the provided password to bind as that user entry.
 [openldap]: https://www.openldap.org/
 ## Example: Searching a Active Directory server with groups
 The following configuration will allow the LDAP connector to search a Active Directory using an LDAP filter.
 ```yaml
 connectors:
 - type: ldap
  name: ActiveDirectory
  id: ad
  config:
    host: ad.example.com:636
    insecureNoSSL: false
    insecureSkipVerify: true
    bindDN: cn=Administrator,cn=users,dc=example,dc=com
    bindPW: admin0!
    usernamePrompt: Email Address
    userSearch:
      baseDN: cn=Users,dc=example,dc=com
      filter: "(objectClass=person)"
      username: userPrincipalName
      idAttr: DN
      emailAttr: userPrincipalName
      nameAttr: cn
    groupSearch:
      baseDN: cn=Users,dc=example,dc=com
      filter: "(objectClass=group)"
      userAttr: DN
      groupAttr: member
      nameAttr: cn
 ```
--- a/examples/config-ad-kubelogin.yaml
+++ b/examples/config-ad-kubelogin.yaml
@ -0,0 +1,58 @@
 # Active Directory and kubelogin Integration sample
 issuer: https://dex.example.com:32000/dex
 storage:
  type: sqlite3
  config:
    file: examples/dex.db
 web:
  https: 0.0.0.0:32000
  tlsCert: openid-ca.pem
  tlsKey: openid-key.pem
 connectors:
 - type: ldap
  name: OpenLDAP
  id: ldap
  config:
    host: localhost:636
    # No TLS for this setup.
    insecureNoSSL: false
    insecureSkipVerify: true
    # This would normally be a read-only user.
    bindDN: cn=Administrator,cn=users,dc=example,dc=com
    bindPW: admin0!
    usernamePrompt: Email Address
    userSearch:
      baseDN: cn=Users,dc=example,dc=com
      filter: "(objectClass=person)"
      username: userPrincipalName
      # "DN" (case sensitive) is a special attribute name. It indicates that
      # this value should be taken from the entity's DN not an attribute on
      # the entity.
      idAttr: DN
      emailAttr: userPrincipalName
      nameAttr: cn
    groupSearch:
      baseDN: cn=Users,dc=example,dc=com
      filter: "(objectClass=group)"
      # A user is a member of a group when their DN matches
      # the value of a "member" attribute on the group entity.
      userAttr: DN
      groupAttr: member
      # The group name should be the "cn" value.
      nameAttr: cn
 staticClients:
 - id: kubernetes
  redirectURIs:
  - 'http://localhost:8000'
  name: 'Kubernetes'
  secret: ZXhhbXBsZS1hcHAtc2VjcmV0