Integrating ClusterControl with FreeIPA and Windows Active Directory for Authentication
Integrating ClusterControl with a corporate LDAP directory is a common task for many IT organizations. In an earlier blog we showed how to integrate ClusterControl with OpenLDAP. In this post we show how to integrate it with FreeIPA and with Windows Active Directory.
How ClusterControl Performs LDAP Authentication
ClusterControl supports LDAP up to protocol version 3 (LDAPv3), with the directory laid out according to RFC2307. More details are in the documentation.
When a user logs in, ClusterControl first binds to the LDAP server (LDAP Host) with the configured Login DN and its password. It then searches under the User DN for an entry whose uid or cn equals the username that was entered. If such an entry exists, ClusterControl binds as that user with the supplied password and checks that the user belongs to the group configured as LDAP Group Name. If the group check passes, ClusterControl maps the user to the ClusterControl role associated with that group and grants access to the UI. Both binds are simple binds, so the connection should use LDAPS or StartTLS; over plain ldap:// the Login DN password and every user password cross the network in clear text.
The following flowchart summarizes the workflow:
FreeIPA
FreeIPA is a Red Hat-sponsored open source project that aims to provide an easily managed Identity, Policy and Audit (IPA) suite, primarily targeted at networks of Linux and Unix computers. It is easy to install and configure, and is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag (Certificate System).
Let’s assume we have the following users/roles in our FreeIPA directory:
User | Username (uid) | Group (cn) | Role |
---|---|---|---|
Gareth Dave | admin | admin | IPA administrator |
Matt Taylor | matt.taylor | dba | Database administrator. All access to all clusters |
Kathleen Spears | kathleen.spears | programmer | Programmer. All access to specific cluster. |
Robert Juve | robert.juve | manager | Manager. Read-only access to specific cluster. |
FreeIPA does not lay out its own tree (cn=accounts) according to RFC2307; it uses the RFC2307bis schema instead. (RFC2307bis was never published as an RFC by the IETF: neither the author nor the sponsoring companies pursued the Internet-Draft.) For RFC2307 clients, the slapi-nis plugin exposes a compatibility view under cn=compat, but it does not support binds against the compat tree. Instead, slapi-nis answers a bind on a compat entry with an LDAP referral to the original entry under cn=accounts, in the hope that the LDAP client follows it and binds there, as the following ldapsearch output shows:
```
$ ldapsearch -h ipa.severalnines.org -b "cn=groups,cn=compat,dc=ipa,dc=severalnines,dc=org" -D "uid=matt.taylor,cn=users,cn=compat,dc=ipa,dc=severalnines,dc=org" -w secret
ldap_bind: Referral (10)
	referrals:
		ldap:///uid=matt.taylor,cn=users,cn=accounts,dc=ipa,dc=severalnines,dc=org
```
To authenticate against FreeIPA from an RFC2307 client, you therefore browse the directory under cn=compat (in place of cn=accounts) to see the data in the standard RFC2307-compatible form, but the bind itself must use the cn=accounts DN. This is what makes things complicated for ClusterControl: the DN used for searching the tree differs from the DN used for binding, and, as the output above shows, a plain ldapsearch does not bridge the two for you. (When testing by hand, prefer -W, which prompts for the password, over -w, which leaves the password in your shell history and process list.) You can read this blog post for further reading.
ClusterControl (from v1.2.8) can bind to a FreeIPA server and perform its lookups against the compat schema. Once it has retrieved the user's DN, it binds with the user's full DN in the standard (cn=accounts) tree using the entered password, and then verifies the user's LDAP group.
Thus, for FreeIPA, the User DN and Group DN in ClusterControl's LDAP Settings should point at the compat tree (cn=compat in place of the default cn=accounts); only the Login DN keeps the cn=accounts form, as shown in the following screenshot:
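To make the workflow concrete, here is a model of the login sequence described above (bind as the Login DN, look the username up under the User DN, bind as the user, check the group, map the group to a role) against a FreeIPA-style directory. This is an added example, not ClusterControl's or FreeIPA's own code: the directory is a constructed in-memory stand-in holding a cn=accounts tree, where passwords live and binds succeed, and a slapi-nis cn=compat tree, which answers searches in RFC2307 form but returns a referral instead of accepting a bind. The Login DN, passwords and role names are assumptions taken from the table above.

```python
"""Model of the ClusterControl LDAP login workflow against FreeIPA.

Added example, not ClusterControl or FreeIPA code. DIRECTORY is constructed
test data; the Login DN, passwords and role names are assumed.
"""

BASE = "dc=ipa,dc=severalnines,dc=org"
COMPAT_USERS = f"cn=users,cn=compat,{BASE}"     # User DN in ClusterControl
COMPAT_GROUPS = f"cn=groups,cn=compat,{BASE}"   # Group DN in ClusterControl
ACCOUNT_USERS = f"cn=users,cn=accounts,{BASE}"
LOGIN_DN = f"uid=admin,{ACCOUNT_USERS}"          # Login DN (service account)
LOGIN_PW = "adminpw"                             # assumed

# Constructed entries: DN -> attributes
DIRECTORY = {
    LOGIN_DN: {"uid": "admin", "userPassword": LOGIN_PW},
    f"uid=matt.taylor,{ACCOUNT_USERS}": {"uid": "matt.taylor", "userPassword": "secret"},
    f"uid=robert.juve,{ACCOUNT_USERS}": {"uid": "robert.juve", "userPassword": "secret2"},
    # compat entries carry no password; slapi-nis answers a bind with a referral
    f"uid=matt.taylor,{COMPAT_USERS}": {"uid": "matt.taylor", "ref": f"uid=matt.taylor,{ACCOUNT_USERS}"},
    f"uid=robert.juve,{COMPAT_USERS}": {"uid": "robert.juve", "ref": f"uid=robert.juve,{ACCOUNT_USERS}"},
    # RFC2307 posixGroup view: membership is listed in memberUid
    f"cn=dba,{COMPAT_GROUPS}": {"cn": "dba", "memberUid": ["matt.taylor"]},
    f"cn=manager,{COMPAT_GROUPS}": {"cn": "manager", "memberUid": ["robert.juve"]},
}

# LDAP Group Name -> ClusterControl role (assumed names, from the table above)
ROLE_MAP = {
    "dba": "Database administrator",
    "programmer": "Programmer",
    "manager": "Manager",
}


class Referral(Exception):
    """Stands in for 'ldap_bind: Referral (10)'; args[0] is the referred DN."""


def bind(dn, password):
    """Simple bind: True on success, False on bad DN or password,
    Referral when the DN is a compat entry."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    if "ref" in entry:
        raise Referral(entry["ref"])
    return entry.get("userPassword") == password


def find_user_dn(base, username):
    """Step 2: find the entry under the User DN whose uid or cn is the username."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + base) and username in (attrs.get("uid"), attrs.get("cn")):
            return dn
    return None


def in_group(group_base, group_name, username):
    """Step 4: RFC2307 group check on memberUid of cn=<group> under the Group DN."""
    attrs = DIRECTORY.get(f"cn={group_name},{group_base}", {})
    return username in attrs.get("memberUid", [])


def authenticate(username, password, login_dn=LOGIN_DN, login_pw=LOGIN_PW):
    """Return the ClusterControl role granted to this login, or None if refused."""
    if not bind(login_dn, login_pw):            # step 1: bind as the Login DN
        return None
    user_dn = find_user_dn(COMPAT_USERS, username)
    if user_dn is None:
        return None
    try:                                        # step 3: bind as the user
        ok = bind(user_dn, password)
    except Referral as ref:
        # slapi-nis refuses binds on cn=compat: follow the referral and bind
        # against the cn=accounts entry (the same as rewriting cn=compat to
        # cn=accounts in the DN that the search returned)
        ok = bind(ref.args[0], password)
    if not ok:
        return None
    for group_name, role in ROLE_MAP.items():   # step 5: first mapped group wins
        if in_group(COMPAT_GROUPS, group_name, username):
            return role
    return None                                 # valid password, but no mapped group


if __name__ == "__main__":
    print(authenticate("matt.taylor", "secret"))   # Database administrator
    print(authenticate("matt.taylor", "wrong"))    # None
```

The point to take from the referral branch is that a client which binds with the DN it got back from the compat search, and does not follow the referral, fails exactly like the ldapsearch run above; ClusterControl 1.2.8 and later binds against the standard tree for that reason.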
Then map a ClusterControl role to the LDAP group: go to ClusterControl > Admin > LDAP Settings, click the + button and specify the LDAP Group Name as in the example below:
That's it. You should now be able to log in with your LDAP username.
Windows Active Directory
Let's now look at how to integrate with Active Directory. First, make sure AD runs with Identity Management for UNIX enabled; you can enable it under Server Manager > Roles > Active Directory Domain Services > Add Role Services. Detailed instructions are given in this article. (Microsoft deprecated Identity Management for UNIX in Windows Server 2012 R2 and removed it in Windows Server 2016; the uidNumber and gidNumber attributes remain in the AD schema on newer servers and can be set directly, for example with ADSI Edit or Set-ADUser.)
Once enabled, ensure that each group you want ClusterControl to authenticate against has a Group ID (see the UNIX Attributes tab). The following screenshot shows the properties of the group Programmer:
Next, make sure that each user you want to authenticate from ClusterControl has a UID and is assigned a GID. The following screenshot shows the properties of the user Matt Taylor (Database Administrator):
For Active Directory, the distinguished names must be entered exactly as AD returns them: in AD's LDIF output the attribute types appear in capital letters (CN=, OU=, DC=), and a DN typed in lower case will not match. Pay attention to the capital letters in the example below:
Next, map a ClusterControl role to the LDAP group: go to ClusterControl > Admin > LDAP Settings, click the + button and specify the LDAP Group Name as in the example below (again, pay attention to the capital letters):
That's it. ClusterControl is now configured to authenticate against Active Directory.
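Two things go wrong most often with the Active Directory setup above: a user or group that never got its UNIX attributes, and a DN typed in a different case than AD returns it. The following added example (not ClusterControl's code) checks both against constructed entries shaped like what a domain controller returns once Identity Management for UNIX has populated uidNumber and gidNumber. The domain DC=severalnines,DC=local and the attribute values are assumptions, and the post's instruction to copy the DN letter-for-letter is taken to mean that ClusterControl compares the configured DN as a plain string; the RFC 4514 comparison is shown next to it so the difference is visible.

```python
"""Pre-checks for ClusterControl's Active Directory settings.

Added example, not ClusterControl code. AD_ENTRIES is constructed data and
the domain name is assumed.
"""

# Constructed AD entries, keyed by the DN exactly as the server returns it
AD_ENTRIES = {
    "CN=Matt Taylor,CN=Users,DC=severalnines,DC=local": {
        "sAMAccountName": "matt.taylor", "uidNumber": "10001", "gidNumber": "10000"},
    "CN=Kathleen Spears,CN=Users,DC=severalnines,DC=local": {
        "sAMAccountName": "kathleen.spears", "uidNumber": "10002"},   # gidNumber missing
    "CN=Programmer,OU=Groups,DC=severalnines,DC=local": {"gidNumber": "10002"},
    "CN=Manager,OU=Groups,DC=severalnines,DC=local": {},               # gidNumber missing
}


def rfc4514_key(dn):
    """Normalise a DN the way LDAP compares it: attribute types are
    case-insensitive and CN/OU/DC values use caseIgnoreMatch. Splits on
    bare commas only, so DNs with escaped commas (\\,) are out of scope."""
    parts = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        parts.append((attr_type.strip().lower(), " ".join(value.split()).lower()))
    return tuple(parts)


def dn_matches(configured, returned):
    """Return (same DN under LDAP rules, same string as ClusterControl needs)."""
    return rfc4514_key(configured) == rfc4514_key(returned), configured == returned


def missing_unix_attrs(entries):
    """Map each DN lacking its RFC2307 attributes to the list of missing ones:
    users (entries with sAMAccountName) need uidNumber and gidNumber,
    groups need gidNumber."""
    problems = {}
    for dn, attrs in entries.items():
        required = ("uidNumber", "gidNumber") if "sAMAccountName" in attrs else ("gidNumber",)
        missing = [name for name in required if name not in attrs]
        if missing:
            problems[dn] = missing
    return problems


if __name__ == "__main__":
    typed = "cn=programmer,ou=groups,dc=severalnines,dc=local"
    returned = "CN=Programmer,OU=Groups,DC=severalnines,DC=local"
    print(dn_matches(typed, returned))        # (True, False): same DN, but not the same string
    for dn, missing in missing_unix_attrs(AD_ENTRIES).items():
        print(f"{dn}: missing {', '.join(missing)}")
```

Run the checks against the DNs as copied from an ldapsearch or ADSI Edit view of the real entries, not from memory: the first element of the tuple tells you whether you are looking at the right object, the second whether ClusterControl will accept what you typed.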