Ldap-Group-Sync LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority

[IlonkaO]

oc version 3.11.104

I try to realize the group sync via an openshift cronjob. But everytime I get the error inside the container: LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority

The used CA is the right one... I also tried inside the container the oc adm groups sync command with additional flag --certificate-authority, but it didn't work.

Any ideas

Regards
Ilonka

[itwasonlyabug]

Hi, I don't know if this is still an issue for you or if you figured it out, but have you tried verifying your settings with ldapsearch?

ldapsearch uses the OS' certificate trust-store, so if you have added your certificate to it it will work, meaning you could leave the CA portion of the ldap sync script empty.

Simple ldapsearch request to get all users from a group:

ldapsearch -H ldaps://yourdc.domain.com:<port> -x -D [email protected] -s sub -b "dc=domain,dc=com" "(|(memberOf=CN=Openshift,OU=YourGroups,DC=domain,DC=com))" sAMAccountName -W

This will try to connect to yourdc.domain.com:<port> via LDAPS, with the account [email protected] (you can also enter the full AD path for the account - DN=account,OU=users.. and etc.).
We are also setting the sub flag so that we search the selected level and sub-levels of it - in the example that means searching dc=domain,dc=com and all sub-levels. We are searching for objects with the sAMAccountName property. The -W flag is just so that you are prompted to enter the password for the account.

If ldapsearch works, but oc adm group sync fails

You can try either adding your certificate to the OS trust store Example for RHEL or you can try specifying a different certificate.

In most cases the issue is that your server doesn't trust the LDAP server and specifying the correct certificate will remedy that.