PTL-9480 (Product Technical Learning)

DO380-198, Ch05: Using uid=admin as a bindDN is a bad security practice; bindDN and bindPassword are optional parameters for the LDAP identity provider.


    • Type: Story
    • Resolution: Done
    • Priority: Minor
    • DO380 - OCP4.10-en-3-20221129
    • DO380
    • None
    • 5
    • ROLE
    • en-US (English)

      URL: https://rol.redhat.com/rol/app/courses/do380-4.10/pages/ch05
      Reporter RHNID: wasim-rhls
      Section: -
      Language: en-US (English)
      Workaround:

      Description: Using uid=admin as a bindDN is a bad security practice. bindDN and bindPassword are optional parameters for the LDAP identity provider. See the OpenShift documentation: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html-single/authentication_and_authorization/index#configuring-ldap-identity-provider Specifically, see the LDAP authentication flow: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html-single/authentication_and_authorization/index#identity-provider-about-ldap_configuring-ldap-identity-provider

      By default, an anonymous search can be used to search for the specified uid, so specifying an admin account (which holds all the keys to the kingdom in IdM) is a bad security practice. The admin password, stored as a secret, can be read by any cluster admin, who might not be authorized to have admin access to IdM.

      If the authors want to demonstrate how to use bindDN and bindPassword with secrets, it would be better to use a service account that has read permissions in IdM instead of the admin account, which has full domain access. This would also provide an audit trail in IdM for all search/bind requests performed by the oauth component in OpenShift.
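As an added example (not from the ticket or the course material), the LDAP identity provider stanza of an OpenShift OAuth resource with the flagged admin bind shown in comments beside the two corrected forms the description suggests; the IdM hostname, base DN and the service-account DN are assumptions.

```yaml
# Added example, not from the course: OAuth cluster resource for an LDAP
# identity provider backed by IdM. Hostname, base DN (dc=example,dc=com) and
# the service-account uid are assumptions; substitute the real IdM values.
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: idm
    mappingMethod: claim
    type: LDAP
    ldap:
      url: "ldaps://idm.example.com/cn=users,cn=accounts,dc=example,dc=com?uid"
      insecure: false
      ca:
        name: ca-config-map        # ConfigMap in openshift-config holding the IdM CA
      attributes:
        id: [dn]
        email: [mail]
        name: [cn]
        preferredUsername: [uid]
      # Flagged by the ticket: binding as the IdM admin. Anyone who can read
      # Secrets in openshift-config recovers a password with full domain access.
      #   bindDN: "uid=admin,cn=users,cn=accounts,dc=example,dc=com"
      #   bindPassword:
      #     name: ldap-secret
      #
      # Option A: omit bindDN and bindPassword entirely. Both are optional, and
      # the oauth server then performs the uid search anonymously, which the
      # ticket notes IdM allows by default.
      #
      # Option B: a dedicated read-only bind account, so the stored secret
      # grants nothing beyond searching users and IdM's access log attributes
      # every search/bind to it. (IdM system accounts conventionally live under
      # cn=sysaccounts,cn=etc; the uid here is an assumption.)
      bindDN: "uid=openshift-oauth,cn=sysaccounts,cn=etc,dc=example,dc=com"
      bindPassword:
        name: ldap-secret          # oc create secret generic ldap-secret \
                                   #   --from-literal=bindPassword='<pw>' -n openshift-config
```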

            ggomez@redhat.com Guillermo Badenes Gomez
            wraja@redhat.com Wasim Raja