Integrate with LDAP for Authentication
Danger
This documentation applies to a deprecated product. Chef Automate includes newer out-of-the-box compliance profiles, an improved compliance scanner with total cloud scanning functionality, better visualizations, role-based access control and many other features. Chef Automate is included as part of the Workflow license agreement and is available via subscription.
You can configure Workflow to access your own LDAP database.
LDAP Attributes
The following table describes the LDAP attributes that may be used with Workflow:
Setting | Description |
---|---|
ldap_attr_fullname |
The full user name for an LDAP user. Default value: nil . |
ldap_attr_login |
The login user name for an LDAP user. Default value: sAMAccountName . |
ldap_attr_mail |
The email for an LDAP user. Default value: mail . |
ldap_base_dn |
Base dn to use when searching for users in LDAP, typically OU=Users and then the domain. Default value: OU=Employees,OU=Domain users,DC=examplecorp,DC=com . |
ldap_bind_dn |
The user Workflow will use to perform LDAP searches. This is often the administrator or manager user. This user needs to have read access to all LDAP users that require authentication. The Workflow server must do an LDAP search before any user can log in. Many LDAP systems do not allow an anonymous bind. If anonymous bind is allowed, leave the bind_dn and bind_dn_password settings blank. If anonymous bind is not allowed, a user with READ access to the directory is required. This user must be specified as an LDAP distinguished name (dn ). Default value: nil . |
ldap_bind_dn_password |
The password for the user specified by ldap['bind_dn'] . Leave this value and ldap['bind_dn'] unset if anonymous bind is sufficient. Default value: secret123 . We do not recommend using a backslash (\ ) in the password, but if the password needs to have a backslash, please contact support. |
ldap_encryption |
The type of encryption used to communicate with Workflow. Default value: start_tls . If tls is not in use, set to no_tls . |
ldap_hosts |
An array of hostname(s) of the LDAP server. Be sure Workflow is able to resolve any host names. Default value: [] . |
ldap_port |
The default value is an appropriate value for most configurations. Default value: 3269 . |
ldap_timeout |
Timeout when Workflow connects to LDAP. Default value: 5000 . |
Configure LDAP
To configure LDAP for Workflow:
-
Open
/etc/delivery/delivery.rb
and enter the LDAP attributes you want Workflow to use. If you do not specify an LDAP port, the default port of3269
is used.delivery['ldap_hosts'] = ['ldap.tld'] delivery['ldap_port'] = 3269 delivery['ldap_timeout'] = 5000 delivery['ldap_base_dn'] = 'OU=Employees,OU=Domain users,DC=opscodecorp,DC=com' delivery['ldap_bind_dn'] = 'ldapbind' delivery['ldap_bind_dn_password'] = 'secret123' delivery['ldap_encryption'] = 'start_tls' delivery['ldap_attr_login'] = 'sAMAccountName' delivery['ldap_attr_mail'] = 'mail' delivery['ldap_attr_full_name'] = 'fullName'
-
Run the following command to complete the configuration process:
sudo automate-ctl reconfigure
Once Workflow is set up, you will have a usable LDAP option in the Workflow Users page that allows you to find users through your LDAP database.
Manage Users
Integrating Workflow with your LDAP system allows you to automatically add more user details and authenticate users against your existing identity management system. However, even once your LDAP system has been integrated to Workflow, you must manually add users. If you are going to add a user in your integrated LDAP system to Workflow, you must have their LDAP name.
Add
Note
In order to add or edit users, you must have root shell access and the Admin role assigned in Workflow.
To add or edit a user to Workflow:
Log into the Workflow web UI as an administrator.
-
Select Users from the drop-down menu on the upper right.
The Users list page opens. You can use the search filter in the upper right corner to make sure that the user is not already added.
Click the plus sign (+) next to Add a New User.
-
In the Add New a User text area, select one of two types for user. The selection box is grey for the active selection.
- Internal means you are manually adding the user to the Workflow database.
- LDAP means the user is in an LDAP system that has been integrated to this Workflow.
If you select Internal, options for Name and Email, first name, last name, email address, and Security Information, a login name and password, appear.
If you select LDAP, the Name and Email options go away and a Security Information option for the user’s LDAP username and SSH public key appears.
-
Enter the appropriate information for the type of user you are adding. Leave the SSH Public Key area blank, the user must log in and enter this information.
Select user Roles Within the Enterprise.
Click Save and Close, or Cancel to discard the operation.
The User list page opens and a status message appears.
To check that the user was added properly when using LDAP, click Edit and verify that the user details are present.
Edit
Note
In order to add or edit users, you must have root shell access and the Admin role assigned in Workflow.
To edit LDAP details for a user:
Log into the Workflow web UI as an administrator.
-
Select Users from the drop-down menu on the upper right.
The Users list page opens. You can use the search filter in the upper right corner to make sure that the user is not already added.
Click the plus sign (+) next to Add a New User.
-
In the Add New a User text area, select one of two types for user. The selection box is grey for the active selection.
Internal means you are manually adding the user to the Delivery database.
LDAP means the user is in an LDAP system that has been integrated to this Workflow.
If you select Internal, options for Name and Email, first name, last name, email address, and Security Information, a login name and password, appear.
If you select LDAP, the Name and Email options go away and a Security Information option for the user’s LDAP username appears.
-
Enter the appropriate information for the type of user you are adding. Leave the SSH Public Key area blank. The user must log in and enter this information.
Select user Roles Within the Enterprise.
Click Save and Close, or Cancel to discard the operation.
The User list page opens and a status message appears.
To check that the user was added properly when using LDAP, click Edit and verify that the user details are present.
© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
The Chef™ Mark and Chef Logo are either registered trademarks/service marks or trademarks/servicemarks of Chef, in the United States and other countries and are used with Chef Inc's permission.
We are not affiliated with, endorsed or sponsored by Chef Inc.
https://docs.chef.io/integrate_delivery_ldap/