Configuring External Authentication For Rancher


Would like some help please - I am struggling with understanding and hence configuring external authentication for my Rancher 2 instance.

The external authentication provider is my company AD server and I am configuring Rancher to integrate with this instance of AD using OpenLDAP.

I have freshly installed Rancher and have a local user called admin that has full privileges. Now, the Rancher documentation suggests that to configure integration with an external provider one has to have a local principal and an external principal with identical ID. To this end, I have created a local administration user called rancheradmin and also had our AD administrator create a user in AD called rancheradmin. I went for the new user (rancheradmin) because I wanted to disambiguate it from any other users in AD with the name of the default admin user.

I then logged in as the rancheradmin user and I proceeded to configure and test the configuration (specifying the AD rancheradmin user & AD password) and successfully established connection with AD. Now, the Rancher documentation says that upon successfully performing this test, the local principal (rancheradmin) will be mapped to the AD user (rancheradmin).

Now, turns out that earlier in the day, I had performed this test with a different AD user - my corporate AD user (say, petersonm), while logged in as the admin user. I proceeded to delete this configuration and then used the user described in the section above.

Now, questions follow:

  1. Was the AD user petersonm bound to the local admin user, admin, in spite of what the documentation says, that these user names should be identical?

  2. After disabling the configuration made with petersonm, does that remove the link with the admin user?

  3. Is it important that the external principal and local principal have identical names?

  4. Can there be more than one local user with full administrator rights, and if so, can any such user be used to hook up with the external principal?


Did you ever get a response? I am experiencing the same thing with ADFS. It makes the connection, but every user after seems bound to that one account. I can't figure out for the life of me what is going on.