Disable ROKS User Authentication

ROKS user authentication can cause conflicts with the users authenticated against the LDAP server.

Symptoms

If ROKS user authentication is enabled, you cannot register users authenticated against the LDAP server. Use the following steps to identify the root cause of this issue. The query in the third step returns 2 users for the same username; the first is the ROKS user and the second is the LDAP user. By examining these two entries, you can confirm the source of the conflict.

  1. Log in to your Red Hat OpenShift Container Platform cluster as an admin user.

    oc login <cluster host:port> --username=<cluster admin user> --password=<cluster admin password>
    

  2. Execute the following commands to obtain an access token for querying the SCIM API (CS_NAMESPACE is the namespace where IBM RPA is installed):

    iamadmin=$(oc get secret -n CS_NAMESPACE platform-auth-idp-credentials -o jsonpath='{.data.admin_username}' | base64 -d)
    iampass=$(oc get secret -n CS_NAMESPACE platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' | base64 -d)
    
    iamhost=https://$(oc get route -n CS_NAMESPACE cp-console -o jsonpath="{.spec.host}")
    
    iamaccesstoken=$(curl -sk -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
    -d "grant_type=password&username=$iamadmin&password=$iampass&scope=openid" $iamhost/idprovider/v1/auth/identitytoken | jq -r .access_token)
    
  3. Use the following curl command to query the username (the same username entered in the RPA CR) and save the response to a file for inspection:

    curl -sik -H "Authorization: Bearer $iamaccesstoken" \
    "$iamhost/idmgmt/identity/api/v1/scim/Users?filter=userName+eq+%22USERNAME_TO_QUERY%22&attributes=displayName,userName,emails" \
    > SCIM_specific_user_search.json
    

Resolving this issue

To resolve this issue, you must manually disable the ROKS user authentication to register the users authenticated against the LDAP server.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform web console.

  2. On the left side panel, go to Workloads > Config Maps.

  3. Enter the ibm-common-services namespace.

  4. Modify the platform-auth-idp config map to include a flag that disables ROKS user authentication.

    ROKS_ENABLED: false
    
  5. Restart the authentication IDP pod to apply the changes.

    oc -n <CS_NAMESPACE> delete pod -l k8s-app=auth-idp
    
Note: CS_NAMESPACE refers to the namespace in which you have installed IBM RPA.

After applying these changes, the ROKS users will no longer be authenticated, allowing LDAP users to operate without any username conflicts.
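The following script is an added example and is not part of the IBM RPA documentation or product. It automates the examination that the Symptoms section leaves to the reader: it loads the SCIM_specific_user_search.json capture from step 3 (tolerating the HTTP response headers that the `-i` curl option writes before the JSON body), groups the returned SCIM Resources by userName to expose the duplicate ROKS/LDAP entry, and checks a platform-auth-idp ConfigMap (as returned by `oc get configmap ... -o json`) for the ROKS_ENABLED: false flag that the Procedure adds. The SCIM response and ConfigMap contents are constructed sample data; only the field names (Resources, userName, displayName, emails, totalResults, ROKS_ENABLED) come from the page or the SCIM core schema, and the assumption that a missing ROKS_ENABLED key means ROKS authentication is still enabled is this example's own.

```python
import json

# Constructed sample of the file written by
#   curl -sik ... > SCIM_specific_user_search.json
# Because of `-i`, HTTP response headers precede the JSON document.
# Field names follow the SCIM core schema; ids, names and addresses are made up.
SAMPLE_SCIM_FILE = """HTTP/1.1 200 OK
Content-Type: application/scim+json

{
  "totalResults": 2,
  "Resources": [
    {"id": "roks-0001", "userName": "jdoe", "displayName": "jdoe",
     "emails": []},
    {"id": "ldap-0001", "userName": "jdoe", "displayName": "Jane Doe",
     "emails": [{"value": "jdoe@example.com", "type": "work"}]}
  ]
}
"""

# Constructed ConfigMap documents, shaped like `oc get configmap -o json` output,
# before and after the Procedure's change (only the relevant key is shown).
CONFIGMAP_BEFORE = {
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "platform-auth-idp", "namespace": "ibm-common-services"},
    "data": {"ROKS_ENABLED": "true"},
}
CONFIGMAP_AFTER = {
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "platform-auth-idp", "namespace": "ibm-common-services"},
    "data": {"ROKS_ENABLED": "false"},
}


def parse_scim_response(raw: str) -> dict:
    """Return the JSON document from a curl capture, skipping `-i` headers if present."""
    text = raw.lstrip().replace("\r\n", "\n")
    if text.startswith("HTTP/"):
        # The header block ends at the first blank line; the JSON body follows it.
        _, _, text = text.partition("\n\n")
    return json.loads(text)


def find_username_conflicts(doc: dict) -> dict:
    """Group SCIM Resources by userName and keep only names with more than one entry."""
    by_name = {}
    for user in doc.get("Resources", []):
        by_name.setdefault(user.get("userName"), []).append(user)
    return {name: users for name, users in by_name.items() if len(users) > 1}


def roks_disabled(configmap: dict) -> bool:
    """True when the ConfigMap carries ROKS_ENABLED: false.

    Assumption (this example's own): a missing key means ROKS auth is still enabled.
    """
    value = str(configmap.get("data", {}).get("ROKS_ENABLED", "true")).strip().lower()
    return value == "false"


def diagnose(raw_scim: str, configmap: dict) -> dict:
    """Combine the SCIM user check and the ConfigMap check into one report."""
    doc = parse_scim_response(raw_scim)
    conflicts = find_username_conflicts(doc)
    return {
        "total_results": doc.get("totalResults", len(doc.get("Resources", []))),
        "conflicting_usernames": sorted(conflicts),
        "roks_disabled": roks_disabled(configmap),
    }


if __name__ == "__main__":
    doc = parse_scim_response(SAMPLE_SCIM_FILE)
    for name, users in find_username_conflicts(doc).items():
        print(f"userName {name!r} is returned {len(users)} times:")
        for u in users:
            addresses = [e.get("value") for e in u.get("emails", [])]
            print(f"  id={u.get('id')} displayName={u.get('displayName')!r} emails={addresses}")
    for label, cm in (("before", CONFIGMAP_BEFORE), ("after", CONFIGMAP_AFTER)):
        print(f"ROKS authentication disabled ({label} the change):", roks_disabled(cm))
```

To use it against a real capture, replace SAMPLE_SCIM_FILE with the contents of SCIM_specific_user_search.json and the ConfigMap dicts with `json.load` of `oc get configmap platform-auth-idp -n <CS_NAMESPACE> -o json`; a report listing the username under conflicting_usernames with roks_disabled still False is the signature described in the Symptoms section.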