fiddyspence's blog

Dashboard and Active Directory

So, I decided to make the dashboard authenticate against Active Directory.  It took a surprising amount of time.

The first trick was to find the authoritative config for the ruby-cas YAML with a hash of authenticators (the file /etc/puppetlabs/console-auth/cas_client_config.yml is fairly straightforward):

# /etc/puppetlabs/rubycas-server/config.yml
  - class: CASServer::Authenticators::SQLEncrypted
      reconnect: true
      adapter: mysql
      database: console_auth
      username: console_auth
      password: ‘xxxxxxxx’
    user_table: users
    username_column: username
  - class: CASServer::Authenticators::ActiveDirectoryLDAP
        port: 389
        base: dc=puppet-ad,dc=spence,dc=org,dc=uk,dc=local
        filter: (&(objectClass=person)(memberof=CN=puppetconsoleaccess,OU=Groups,DC=puppet-ad,DC=spence,DC=org,DC=uk,DC=local))
        auth_user: cn=ldapbind,cn=users,dc=puppet-ad,dc=spence,dc=org,dc=uk,dc=local
        auth_password: xxxxxxxx

The other trick is to make sure the filter actually works.  I think somehow I managed to hose the default filter (objectClass=person), which caused all sorts of aggro.  The debugging info from the rubycas is awful - I resorted to running a tcpdump -i eth0 tcp port 389 -X to see the messages I was getting from the Active Directory, and the authentication method doesn’t cause any access denied errors in the event log at all on a Windows 2003 DC (which is irritating).

The rubycas doesn’t really help you when the YAML is broken either - using irb helped me here to validate that at least the YAML is sane:

irb(main):001:0> require ‘yaml’
=> true
irb(main):002:0> YAML.load_file ‘/etc/puppetlabs/rubycas-server/config.yml’
=> {“maximum_session_lifetime”=>172800, “<snip>

One thing I would have found useful is the option to configure access levels via active directory rather than having to add an AD user, then configure access level in dashboard.

Don’t forget to edit the console-auth/cas_client_config.yml file:

    default_role: read-only
    description: Local
    default_role: read-only
    description: Active Directory

So, to login just use the bare username in AD:

Which translates to:

(I added my AD account as an admin in the console already using the built-in admin account)