Bug
Resolution: Done
Minor
DO280 - OCP4.12-en-3-20231130
None
Please fill in the following information:
URL: https://role.rhu.redhat.com/rol-rhu/app/courses/do280-4.12/pages/ch03s04
Reporter RHNID: rhn-support-ablum
Section title: Guided Exercise: Define and Apply Permissions with RBAC
Language: EN
Issue description
`oc get groups` produces a list of the OCP groups, including those synced from the LDAP-backed IPA server on idm.ocp4.example.com. The developer's cn looks like this:

```
[student@idm ~]$ ldapsearch -x -D "uid=admin,cn=users,cn=accounts,dc=ocp4,dc=example,dc=com" -W -b "cn=users,cn=accounts,dc=ocp4,dc=example,dc=com" -h idm.ocp4.example.com -s sub "(uid=developer)" cn
# developer, users, accounts, ocp4.example.com
dn: uid=developer,cn=users,cn=accounts,dc=ocp4,dc=example,dc=com
cn: . developer
```
The oauth configuration included uses the cn to present this string as the name in various places.
Consider the groups output like:
```
[student@workstation ~]$ oc get groups ocpdevs -o jsonpath='{.users[0]}{"\n"}'
. developer
```
This is also visible when logging in to the web console (see screenshot) and in screenshots found in the coursebook (see step 4.5 in the GE).
Workaround:
Ignore the misleading . in the developer's CN. Questions I've received from learners on this include "Is that period there to act as a wildcard to include other LDAP users?" and "Why does the developer user have a period in their name and not the admin user?" The only workaround I have is to explain the backend configuration in IPA.
Expected result:
The CN for developer should only use alphanumeric strings (i.e., avoid periods, asterisks, etc.). Consider that for the admin user the cn is "Administrator". So, maybe use "Developer".