OpenShift pod certificate installation

I have an OpenShift PHP pod running an application, and I need to authenticate a user account against an Active Directory server. The LDAP bind is failing with a certificate error:

LDAP Error (authenticateUser), Cannot bind to LDAP : error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate) - ldap_bind failed

It was suggested that I need to install the AD server's certificate into the pod. The certificate has now been copied into the Git repository. I thought I might be able to use a lifecycle hook to install the certificate into /etc/openldap/certs/:

rollingParams:
  post:
    execNewPod:
      command:
        - /bin/sh
        - '-c'
        - >-
          /usr/bin/cp
          /opt/app-root/src/certificates/certificate.pem
          /etc/openldap/certs/
      containerName: application
    failurePolicy: Ignore

However, there is a permissions error. I assume that the deployment is not running as root, so the directory is not accessible.

/usr/bin/cp: cannot create regular file '/etc/openldap/certs/certificate.pem': Permission denied

Is it possible to copy this certificate using the DeploymentConfig or is there a better way to do this?

Solution 1

I managed to resolve this. You need to add the ldap.conf and the certificate to ConfigMaps.

 oc create configmap <configmap_name> --from-file=<filename>=<path/to/filename>

Then you need to mount the ConfigMaps:

  volumeMounts:
    - mountPath: /etc/openldap/ldap.conf
      name: openldap-ad-config-volume
      subPath: ldap.conf
    - mountPath: /etc/openldap/certs/certificate.pem
      name: ad-certificate-volume
      subPath: certificate.pem

  volumes:
    - configMap:
        defaultMode: 292
        name: openldap-ad-config
      name: openldap-ad-config-volume
    - configMap:
        defaultMode: 292
        name: ad-certificate
      name: ad-certificate-volume

The subPath property is used so that the rest of the contents of the directory are not hidden, as mounting normally replaces the whole directory. The defaultMode property is used because otherwise the files will be world read/write.
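The answer's pieces assembled into one set of manifests, as an added example that is not the answer's own (the ConfigMap and volume names follow the answer; the PEM body and image are placeholders; TLS_CACERT and TLS_REQCERT are the standard OpenLDAP client directives). The ldap.conf content is what makes the client actually use the mounted file, and a ConfigMap is appropriate here because a CA certificate is public; a private key would belong in a Secret.

```yaml
# Added example (not from the answer); the PEM body and image are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: openldap-ad-config
data:
  ldap.conf: |
    # Point the OpenLDAP client at the mounted CA file and require a valid chain
    TLS_CACERT /etc/openldap/certs/certificate.pem
    TLS_REQCERT demand
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ad-certificate
data:
  certificate.pem: |
    -----BEGIN CERTIFICATE-----
    <PLACEHOLDER: base64 body of the AD issuing CA certificate>
    -----END CERTIFICATE-----
---
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: application
spec:
  template:
    spec:
      containers:
        - name: application
          image: <application-image>   # placeholder
          volumeMounts:
            - mountPath: /etc/openldap/ldap.conf
              name: openldap-ad-config-volume
              subPath: ldap.conf          # replace only this file, keep the rest of /etc/openldap
              readOnly: true
            - mountPath: /etc/openldap/certs/certificate.pem
              name: ad-certificate-volume
              subPath: certificate.pem
              readOnly: true
      volumes:
        - name: openldap-ad-config-volume
          configMap:
            name: openldap-ad-config
            defaultMode: 0444   # octal 0444 = 292 decimal: readable by all, writable by none
        - name: ad-certificate-volume
          configMap:
            name: ad-certificate
            defaultMode: 0444
```

Because these are subPath mounts, a running pod does not pick up later changes to the ConfigMaps; roll out a new deployment after rotating the certificate.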

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 ouflak