Access control with OpenLDAP

I have successfully added Rancher to OpenLDAP. But I have several questions about it.

  1. When it asks for the service account name, I provide the RootDN and RootPW directly. From the note: Rancher needs a service account that has (read-only) access to all of the domains that will be able to login, so that we can determine what groups a user is a member of when they make a request with an API key.

So if I plan to set up read-only access to all, is there any recommended setting or sample ldif file I should add in OpenLDAP?

  2. After I successfully integrate OpenLDAP with Rancher, the default "Test and enable authentication" account becomes administrator automatically. Only this account has admin permission in Rancher, no others.

My request is, I hope to allow a group (with several members) to have admin permission. How do I set this up?

  3. Regarding access control in Rancher, there is only one page on the Rancher website. Are there any other documents I can read for reference?


1 Like
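As an added example (not from this thread or from Rancher's documentation), here is an OpenLDAP LDIF for the question #1 case: a dedicated read-only bind account for Rancher plus a cn=config ACL that grants it read access to the whole directory, so the RootDN and RootPW never have to be handed to Rancher. The suffix dc=example,dc=com, the ou=Services container, the account name cn=rancher-svc and the database index {1}mdb are assumptions; confirm your own values with `slapcat -n 0` before applying, because `replace: olcAccess` discards the rules currently in place.

```ldif
# Part 1: service account entry (constructed example values).
# Apply with the directory admin:
#   ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f rancher-svc.ldif
dn: ou=Services,dc=example,dc=com
objectClass: organizationalUnit
ou: Services

dn: cn=rancher-svc,ou=Services,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: rancher-svc
description: Read-only bind account used by Rancher for LDAP authentication
# Generate the hash with: slappasswd -h {SSHA}
userPassword: {SSHA}REPLACE_WITH_slappasswd_OUTPUT

# Part 2: ACL on the data database ({1}mdb is an assumption; check slapcat -n 0).
# Apply via the config socket:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f rancher-acl.ldif
# Rules are evaluated first-match, so the userPassword rule must come first;
# "by anonymous auth" lets users (and the service account) bind without
# letting anyone read password hashes.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="dc=example,dc=com"
  by dn.exact="cn=rancher-svc,ou=Services,dc=example,dc=com" read
  by self write
  by * none

# Verification (run after applying):
#   read as the service account should succeed:
#   ldapsearch -x -D "cn=rancher-svc,ou=Services,dc=example,dc=com" -W \
#     -b "dc=example,dc=com" "(objectClass=person)" memberOf
#   a write as the service account should fail with insufficientAccessRights:
#   ldapmodify -x -D "cn=rancher-svc,ou=Services,dc=example,dc=com" -W <<EOF
#   dn: cn=rancher-svc,ou=Services,dc=example,dc=com
#   changetype: modify
#   replace: description
#   description: should be rejected
#   EOF
```

The second ACL deliberately grants `read` to the service account only; other authenticated users can still bind (rule {0}) and modify their own entry, but cannot enumerate the directory.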

Spent some time and answered my own questions partly.

My answer for question #1

It’s an OpenLDAP question, more than a Rancher question.

My answer for question #2:

Didn’t find the feature in Rancher currently.

First you need to let the new LDAP user log in to Rancher first; otherwise, you can’t see these accounts in Rancher account management at all.

Then the first registered account will be administrator automatically. This account has to manually (or via API) change the new LDAP user’s permission from user to admin.

If you disable LDAP in Rancher server, then add LDAP again, the previous LDAP user accounts with admin permission will get admin permission directly.

For environment setup, the administrator has to add the new LDAP user to the nominated environments (or via API); environment permissions can be owner, member, readonly, or restricted. Otherwise, the new account can’t see any other environments, except his/her <own_account_default> environment.

New LDAP users need to log in and set a default environment themselves. Otherwise, they always log in with a blank environment.

My answer for question #3:

Found these useful documents.

1 Like