External Authentication

In a series of posts, I am going to take you through setting up the Automation Config product, manually enabling management of deployed systems, creating a custom desired state and eventually integrating with your Cloud templates.

This specific post will cover configuring LDAP integration with Active Directory to enable centralised control of access and roles.

Preparation

Before we start configuring the integration in the Aria Automation Config product, we need to meet some initial requirements. As always, the process I am running through is not guaranteed fit for production, but for a lab environment it is fine.

Requirements

  • Create an Active Directory group for Automation Config administrators. I named my group grp_ariaautomationconfig_admins
  • Place your user account and any other accounts you want to have admin access into the Active Directory group
  • Ensure you know your LDAP distinguished name paths for the following items
    • Base DN location path. This is where groups and users will be searched for from, for example, DC=automationpro,DC=lan
    • Users DN location path. This is where your user accounts are located, for example, CN=Users,DC=automationpro,DC=lan
    • Groups DN location path. This may be the same as where your user accounts are located
    • Admin DN location path. You need to provide a path to an account to use that will allow Aria Automation Config to sync and query the LDAP directory, for example, CN=Administrator,CN=Users,DC=automationpro,DC=lan
    • The password for the Admin account
  • Communication between the Aria Automation Config server and the domain controller is established (i.e. firewall configuration is correct)

Configuration

Log in to the Aria Automation Config appliance using the admin account and password you specified during deployment.

From the menu, expand the Administration section and select the Authentication option.

From the Configuration type dropdown, select the LDAP option. Next select the PREFILL DEFAULTS dropdown and select AD, Windows Server 2008 and later (note: I am presuming that your AD server is going to be 2008 or newer!)

At this point we will have a form with some information included and some fields empty.

The required fields are noted by the red underline. The fields that need to be edited are as follows.

| Item | Example Value | Comments |
|---|---|---|
| Name | AutomationPro | Name for the LDAP connection |
| Host | aprodc1003.automationpro.lan | A domain controller |
| Port | 389 | LDAP port for the domain controller |
| SSL – Enable SSL | False | Disabled as I am not using certificates in this lab |
| SSL – Validate Certificate | False | Disabled as I am not using certificates in this lab |
| Auth base DN | dc=automationpro,dc=lan | Root DN for my domain |
| Admin bind DN | cn=administrator,cn=users,dc=automationpro,dc=lan | Full DN path to an administrator account in my domain |
| Admin bind password | *********************** | The password for the above account |
| Group search DN | cn=users,dc=automationpro,dc=lan | The location where my AD user accounts are located |
| User search DN | cn=users,dc=automationpro,dc=lan | The location where my AD group accounts are located |

Once you have configured the above fields with your settings click the UPDATE PREVIEW button. The pane below will eventually load Groups and Users into view. Depending on the size of your directory this may take some time.

Once you are happy with everything click the SAVE button to save the settings and confirm the LDAP connection.
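A pre-save review of the connection values from the table above, written as an added example (it is not part of Aria Automation Config and does not call any product API). The dictionary keys simply reuse the form's field labels, the check that search DNs sit under the base DN is an assumption drawn from the requirements list, and the `HARDENED` values, including the `svc_ldap_read` account, are constructed for illustration.

```python
import re

def parse_dn(dn):
    """Split a DN into normalised RDNs (trimmed, lower-cased, escaped commas kept)."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def is_under(dn, base):
    """True when dn equals base or sits beneath it in the directory tree."""
    d, b = parse_dn(dn), parse_dn(base)
    return bool(b) and len(d) >= len(b) and d[-len(b):] == b

def review(cfg):
    """Return findings for one LDAP connection, keyed by the form's field labels."""
    findings = []
    for field in ("Group search DN", "User search DN"):
        if not is_under(cfg[field], cfg["Auth base DN"]):
            findings.append(f"{field} is not under Auth base DN")
    if not cfg["Enable SSL"]:
        findings.append("SSL disabled: a simple bind sends passwords over the network in clear text")
    elif not cfg["Validate Certificate"]:
        findings.append("certificate not validated: the domain controller is not authenticated")
    if parse_dn(cfg["Admin bind DN"])[:1] == ["cn=administrator"]:
        findings.append("bind account is the built-in Administrator, not a dedicated read-only account")
    return findings

# Values from the table in this post (lab settings).
LAB = {
    "Host": "aprodc1003.automationpro.lan", "Port": 389,
    "Enable SSL": False, "Validate Certificate": False,
    "Auth base DN": "dc=automationpro,dc=lan",
    "Admin bind DN": "cn=administrator,cn=users,dc=automationpro,dc=lan",
    "Group search DN": "cn=users,dc=automationpro,dc=lan",
    "User search DN": "cn=users,dc=automationpro,dc=lan",
}
# Constructed variant: LDAPS on 636 and a hypothetical service account.
HARDENED = dict(LAB, **{
    "Port": 636, "Enable SSL": True, "Validate Certificate": True,
    "Admin bind DN": "cn=svc_ldap_read,cn=users,dc=automationpro,dc=lan",
})

if __name__ == "__main__":
    for name, cfg in (("lab", LAB), ("hardened", HARDENED)):
        print(name, review(cfg) or "no findings")
```

Run against the lab values it reports the two settings that make this configuration unsuitable outside a lab: the unencrypted bind and the use of the domain Administrator account.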

Configuring Access

Now we have established and saved the connection we can proceed with allocating users and groups for access into the Aria Automation Config interface. From the toolbar select the Groups option.

Find your Active Directory group you created in the requirements section from the list and tick the checkbox. Click the SAVE button.

From the menu on the left, under Administration, select the Roles option. Ensure in the left pane, the Salt Master role is selected. Click on the Groups option.

Select the checkbox against your Active Directory group and then click SAVE.

Select the Resource access tab. Enable both Show all * options as shown below and assign full permissions to each entry. Then click the Save button.

Sign out from the interface. You may notice that the login page is slightly different now. In the select authentication background dropdown, select your LDAP connection as shown below.

Enter the user account and password for the Active Directory user that is within your Active Directory group and then log in.

Congratulations, you have now established Active Directory connectivity and authentication for your Aria Automation Config instance.

paul_davey

CIO at Sonar, Automation Practice Lead at Xtravirt and guitarist in The Waders. Loves IT, automation, programming, music
