We have a setup with Open OnDemand using Keycloak OIDC and we would like to filter access to OnDemand by LDAP groups/roles.
We have our LDAP Keycloak integration and our OnDemand client configured. We also configured OnDemand with the “groups” scope as documented here.
oidc_scope: "openid profile email groups"
,although in our implementation is “roles”.
With this setup we cannot filter group access, so if the user belongs to the LDAP group configured in Keycloak (which in our case is a general LDAP group that includes all users) you can login but then since we do SSSD authentication when the server tries to run the PUN process for the user it fails as expected.
Is there a way to configure OnDemand to filter by group/role membership?
Managed to make this work by changing the
/etc/apache2/sites-enabled/ood-portal.conf configuration with the following.
Require claim groups:<SOME-LDAP-GROUP>
Applied the change to the following:
This seems to work, users not part of the
<SOME-LDAP-GROUP> cannot login, which matches our SSSD configuration on the node itself.
That said, I’m not sure if this is the right way of doing it. Will try to implement these settings using the Ansible role, feedback welcome!
Editing the conf file by hand is could throw things off. Since you edited it by hand, outside of
update_ood_portal - that program (
update_ood_portal) won’t replace it any more. you’ll have to use
--force options or similar.
You should be able to add
Require claim groups:<SOME-LDAP-GROUP> to the
auth section of
- 'Require claim groups:<SOME-LDAP-GROUP>'
I say should because we may supply that by default for OIDC users.
If we don’t/can’t then we will need to add the capability to add extra
auth lines like this.
Thank you for your feedback, it worked!