LDAP/AD Integration : With Microsoft AD


Assessment

You have your Eucalyptus cloud up and running and a corporate Microsoft Active Directory in which you manage all your users and groups, and you would like to use that directory to manage the users of your cloud as well.

How-to?

First, create a read-only user in your AD so that Eucalyptus can pull the information about your users and groups. Putting this user in the built-in "replicators" group allows this behaviour.

NOTE: Eucalyptus never writes to your AD and never keeps the passwords in its local database. All information is read-only.

Once the user is created, we need a "lic" file, which contains all the information about the AD synchronisation.

First, create a skeleton lic file:

euca-lictool --password secret > example.lic

Replace secret with the password of the read-only user you created in your AD.

The first part of the lic file describes how Eucalyptus connects to your MS AD server. The file is one JSON-style object, so it opens with a brace:

{
"ldap-service":{
"server-url":"ldap://ad.mycompany.lan:389",
"auth-method":"simple",
"user-auth-method":"simple",
"auth-principal":"cn=ldapadmin,dc=mycompany,dc=lan",
"auth-credentials":"{RSA/ECB/PKCS1Padding}FHB7vqplr+TDyMuBAXxI8v69sBPY7411Pm8/vxiMnSmqhAGU8VonbWC6fcD97yY75BcpHeMO8VfUlLhEjtL2IahXjvCG4qb4VNCcToNCyfQqKEd5X+en9OHys1eFK3Fjl2H2YBbrRIYSaZJ7hq1L99naKy/hb4xjWzbqbQveoDSnQMRxPV/++NkQFNJqvM\
izSLBgYonqywd4YSuC7XzH+CnSbA0J8h8Cj5+X0pb63XM7pTSXkAZcfLi6FTAmooxn+XQfJt2bmZZAyl5J+4YFsjiMght/tZVUED4zL0OFPA2sz0qfOEoxylxaVDZIpkqL8GQajf6oyqtMVTXe7hDBdg==",
"use-ssl":"false",
"ignore-ssl-cert-validation":"false",
"krb5-conf":"/path/to/krb5.conf",
},

Now that we have seen how to connect to the AD, we configure how the synchronisation is done:

"sync":{
"enable":"true",
"auto":"true",
"interval":"900000",
"clean-deletion":"false",
},

We recommend setting clean-deletion to "true" so that the users and groups in Eucalyptus never differ from those in your AD; otherwise unexpected results may occur.

Eucalyptus has two ways of creating "cloud accounts" (cloud accounts are the highest level of identity in Eucalyptus, as on AWS):

  • "groups-partition": hand-defined accounts: the cloud administrator decides by hand which accounts are created and which AD users and groups belong to each of them.
  • "accounting-groups": a third layer of groups in the AD, used to create cloud accounts automatically together with their groups and users.

How to decide?

It depends on your needs and security policies: with accounting groups, accounts, groups and users are created, deleted and modified without any change to the cloud properties, so the accounts can be managed entirely from the AD. With groups-partition, the cloud administrator has to edit the lic file and the cloud property every time a modification is needed.

The first option allows elastic management, but a mistake (e.g. an account deletion) cannot be recovered and everything has to be recreated. Groups-partition makes the cloud administrator the only person able to change accounts, groups and users, at the cost of making every change by hand. In this article you will find examples using both possibilities.

Finally, the last part of the file describes how groups and users are read from the AD:

"groups":{
"base-dn":"ou=eucalyptus,dc=mycompany,dc=lan",
"id-attribute":"cn",
"member-attribute":"member",
"member-item-type":"cn",
"selection":{
"filter":"(&(objectClass=group)(memberOf=*))"
}
},

"users":{
"base-dn":"ou=eucalyptus,dc=mycompany,dc=lan",
"id-attribute":"cn",
"user-info-attributes":
{
"displayname":"Full name"
},
"selection":{
"filter":"(&(objectClass=organizationalPerson)(objectClass=user))",
}
},
}

This last part lets the administrator decide how information is gathered from the AD objects and mapped to a group or a user, using the different attributes of the AD object. It is independent of the accounting system chosen above.
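As an added example (not part of this article, nor of euca-lictool), here is a small Python linter that loads a lic file, tolerating the trailing commas the format allows, and reports the settings above that matter for security: a simple bind over plain ldap:// without use-ssl, disabled certificate validation, an auth-credentials value that is not the encrypted form euca-lictool writes, clean-deletion left at "false", and a malformed base-dn. The sample file, domain and check messages are constructed for illustration.

```python
import json
import re

# The lic format tolerates trailing commas before '}' or ']'; strict JSON does
# not, so strip them first (assumes no ",}" sequence inside a string value).
_TRAILING_COMMA = re.compile(r",(\s*[}\]])")

def load_lic(text):
    return json.loads(_TRAILING_COMMA.sub(r"\1", text))

def dn_is_valid(dn):
    """Every comma-separated RDN must be attr=value (catches 'dc=mycompanydc=lan')."""
    return all(re.fullmatch(r"\s*[A-Za-z][\w-]*=[^,=]+\s*", rdn) for rdn in dn.split(","))

def lint_lic(lic):
    """Return a list of findings about the security-relevant settings."""
    findings = []
    svc = lic.get("ldap-service", {})
    if svc.get("server-url", "").startswith("ldap://") and svc.get("use-ssl") != "true":
        findings.append("simple bind over plain ldap:// sends the password in cleartext")
    if svc.get("ignore-ssl-cert-validation") == "true":
        findings.append("ignore-ssl-cert-validation=true lets anyone impersonate the AD server")
    if not svc.get("auth-credentials", "").startswith("{RSA/ECB/PKCS1Padding}"):
        findings.append("auth-credentials is not the encrypted value euca-lictool produces")
    if lic.get("sync", {}).get("clean-deletion") != "true":
        findings.append("clean-deletion is not true: cloud users/groups may drift from AD")
    for section in ("groups", "users", "accounting-groups"):
        dn = lic.get(section, {}).get("base-dn")
        if dn is not None and not dn_is_valid(dn):
            findings.append(f"{section}.base-dn is malformed: {dn}")
    return findings

# Constructed sample lic file (placeholder credential, fictional domain).
SAMPLE_LIC = """{
  "ldap-service":{
    "server-url":"ldap://ad.example.lan:389",
    "auth-method":"simple",
    "auth-principal":"cn=ldapadmin,dc=example,dc=lan",
    "auth-credentials":"{RSA/ECB/PKCS1Padding}PLACEHOLDER",
    "use-ssl":"false",
    "ignore-ssl-cert-validation":"false",
  },
  "sync":{"enable":"true","auto":"true","interval":"900000","clean-deletion":"false",},
  "groups":{"base-dn":"ou=eucalyptus,dc=exampledc=lan","id-attribute":"cn",},
  "users":{"base-dn":"ou=eucalyptus,dc=example,dc=lan","id-attribute":"cn",},
}"""

if __name__ == "__main__":
    for finding in lint_lic(load_lic(SAMPLE_LIC)):
        print("FINDING:", finding)
```

Run it against your own file with `lint_lic(load_lic(open("example.lic").read()))`; an empty list means none of the checked settings needs attention.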
