#ldap

Managing who can access your systems and what they can do is a big deal in any IT environment. In OpenShift, this comes under Authentication and Identity Management—and if your organization uses systems like LDAP or OIDC, the good news is: OpenShift can work with both.

Let’s break that down.

What Are LDAP and OIDC?

LDAP (Lightweight Directory Access Protocol) is like a company phonebook, but instead of just names and numbers, it stores user credentials and group memberships. It's been around for a long time and is widely used in enterprise environments.

OIDC (OpenID Connect) is a modern, web-friendly way of handling login. It builds on top of OAuth 2.0 (used by services like Google and Facebook logins) and is becoming the standard for cloud-native identity.

Why Plug These Into OpenShift?

Instead of creating a whole new user system just for your OpenShift clusters, you can simply connect them to the identity system your company already uses. This brings three big benefits:

✅ Single Sign-On – Users can log in with the same username and password they use everywhere else.

🔒 Security Compliance – You stay aligned with your company's security policies and access rules.

👥 Group Awareness – OpenShift can recognize user groups from LDAP/OIDC, so access control becomes smarter and easier.

How OpenShift Handles Authentication

When someone tries to log in to OpenShift, it checks with your LDAP or OIDC system:

Are they who they say they are?

What groups do they belong to?

What are they allowed to do?

Once OpenShift knows this, it gives access based on roles and permissions assigned to users or their groups.

You can easily manage who gets admin-level access, who can deploy apps, and who should only be able to view stuff—all mapped to your identity system.

Where It Really Helps

Multiple Teams, One Cluster: Let devs from different departments use the same cluster but still stay in their own lanes.

Audit and Logging: Know exactly who did what, when—and trace it back to real user identities.

Faster Onboarding: New employee? Add them to the right LDAP group and they’re instantly ready to work in OpenShift.

Final Thoughts

You don’t need to reinvent the wheel when it comes to authentication. By integrating OpenShift with LDAP and OIDC, you're plugging into systems your organization already trusts. This not only boosts security but makes life a whole lot easier for admins and users alike.

Identity is the new perimeter—and OpenShift plays well with it.

Introduction

Description of method

LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements through techniques similar to SQL Injection. 

LDAP injection attacks are common due to two factors:

The lack of safer, parameterized LDAP query interfaces

The widespread use of LDAP to authenticate users to systems.

How to test for the issue

During code review

Please check for any queries to the LDAP escape special characters, see here.

Automated Exploitation

Scanner module of tool like OWASP ZAP have module to detect LDAP injection issue.

Remediation

Escape all variables using the right LDAP encoding function

The main way LDAP stores names is based on DN (distinguished name). You can think of this like a unique identifier. These are sometimes used to access resources, like a username.

A DN might look like this

cn=Richard Feynman, ou=Physics Department, dc=Caltech, dc=edu

or

uid=inewton, ou=Mathematics Department, dc=Cambridge, dc=com

There are certain characters that are considered special characters in a DN. The exhaustive list is the following: \ # + < > , ; " = and leading or trailing spaces

Each DN points to exactly 1 entry, which can be thought of sort of like a row in a RDBMS. For each entry, there will be 1 or more attributes which are analogous to RDBMS columns. If you are interested in searching through LDAP for users will certain attributes, you may do so with search filters. In a search filter, you can use standard boolean logic to get a list of users matching an arbitrary constraint. Search filters are written in Polish notation AKA prefix notation.

Example:

(&(ou=Physics)(| (manager=cn=Freeman Dyson,ou=Physics,dc=Caltech,dc=edu) (manager=cn=Albert Einstein,ou=Physics,dc=Princeton,dc=edu) ))

When building LDAP queries in application code, you MUST escape any untrusted data that is added to any LDAP query. There are two forms of LDAP escaping. Encoding for LDAP Search and Encoding for LDAP DN (distinguished name). The proper escaping depends on whether you are sanitising input for a search filter, or you are using a DN as a username-like credential for accessing some resource.

Safe Java for LDAP escaping Example:

public String escapeDN (String name) {

//From RFC 2253 and the / character for JNDI

final char[] META_CHARS = {'+', '"', '<', '>', ';', '/'};

String escapedStr = new String(name);

//Backslash is both a Java and an LDAP escape character,

//so escape it first escapedStr = escapedStr.replaceAll("\\\\\\\\","\\\\\\\\");

//Positional characters - see RFC 2253

escapedStr = escapedStr.replaceAll("\^#","\\\\\\\\#");

escapedStr = escapedStr.replaceAll("\^ | $","\\\\\\\\ ");

for (int i=0 ; i < META_CHARS.length ; i++) {

escapedStr = escapedStr.replaceAll("\\\\" + META_CHARS[i],"\\\\\\\\" + META_CHARS[i]);

}

return escapedStr;

Are you ready to take control of your data and streamline your authentication and directory services? Look no further than our comprehensive guide on installing and configuring an OpenLDAP Server on Linux!

Introduction Are you ready to take control of your data and streamline your authentication and directory services? Look no further than our comprehensive guide on installing and configuring an OpenLDAP Server on Linux! OpenLDAP is a powerful, open-source solution that allows you to create and manage your own LDAP (Lightweight Directory Access Protocol) directory. With our step-by-step…

Are you ready to take control of your data and streamline your authentication and directory services? Look no further than our comprehensive guide on installing and configuring an OpenLDAP Server on Linux!

Introduction Are you ready to take control of your data and streamline your authentication and directory services? Look no further than our comprehensive guide on installing and configuring an OpenLDAP Server on Linux! OpenLDAP is a powerful, open-source solution that allows you to create and manage your own LDAP (Lightweight Directory Access Protocol) directory. With our step-by-step…