Skip to main content

Integrate with LDAP for Authentication

[edit on GitHub]

image

Danger

This documentation applies to a deprecated product. Chef Automate includes newer out-of-the-box compliance profiles, an improved compliance scanner with total cloud scanning functionality, better visualizations, role-based access control and many other features. Chef Automate is included as part of the Workflow license agreement and is available via subscription.

You can configure Workflow to access your own LDAP database.

LDAP Attributes

The following table describes the LDAP attributes that may be used with Workflow:

Setting Description
ldap_attr_fullname The full user name for an LDAP user. Default value: nil.
ldap_attr_login The login user name for an LDAP user. Default value: sAMAccountName.
ldap_attr_mail The email for an LDAP user. Default value: mail.
ldap_base_dn Base dn to use when searching for users in LDAP, typically OU=Users and then the domain. Default value: OU=Employees,OU=Domain users,DC=examplecorp,DC=com.
ldap_bind_dn The user Workflow will use to perform LDAP searches. This is often the administrator or manager user. This user needs to have read access to all LDAP users that require authentication. The Workflow server must do an LDAP search before any user can log in. Many LDAP systems do not allow an anonymous bind. If anonymous bind is allowed, leave the bind_dn and bind_dn_password settings blank. If anonymous bind is not allowed, a user with READ access to the directory is required. This user must be specified as an LDAP distinguished name (dn). Default value: nil.
ldap_bind_dn_password The password for the user specified by ldap['bind_dn']. Leave this value and ldap['bind_dn'] unset if anonymous bind is sufficient. Default value: secret123. We do not recommend using a backslash (\) in the password, but if the password needs to have a backslash, please contact support.
ldap_encryption The type of encryption used to communicate with Workflow. Default value: start_tls. If tls is not in use, set to no_tls.
ldap_hosts An array of hostname(s) of the LDAP server. Be sure Workflow is able to resolve any host names. Default value: [].
ldap_port The default value is an appropriate value for most configurations. Default value: 3269.
ldap_timeout Timeout when Workflow connects to LDAP. Default value: 5000.

Configure LDAP

To configure LDAP for Workflow:

  1. Open /etc/delivery/delivery.rb and enter the LDAP attributes you want Workflow to use. If you do not specify an LDAP port, the default port of 3269 is used.

    delivery['ldap_hosts'] = ["ldap.tld"]
    delivery['ldap_port'] = 3269
    delivery['ldap_timeout'] = 5000
    delivery['ldap_base_dn'] = "OU=Employees,OU=Domain users,DC=opscodecorp,DC=com"
    delivery['ldap_bind_dn'] = "ldapbind"
    delivery['ldap_bind_dn_password'] = "secret123"
    delivery['ldap_encryption'] = "start_tls"
    delivery['ldap_attr_login'] = 'sAMAccountName'
    delivery['ldap_attr_mail'] = 'mail'
    delivery['ldap_attr_full_name'] = 'fullName'
    
  2. Run the following command to complete the configuration process:

    sudo automate-ctl reconfigure
    

Once Workflow is set up, you will have a usable LDAP option in the Workflow Users page that allows you to find users through your LDAP database.

Manage Users

Integrating Workflow with your LDAP system allows you to automatically add more user details and authenticate users against your existing identity management system. However, even once your LDAP system has been integrated to Workflow, you must manually add users. If you are going to add a user in your integrated LDAP system to Workflow, you must have their LDAP name.

Add

Note

In order to add or edit users, you must have root shell access and the Admin role assigned in Workflow.

To add or edit a user to Workflow:

  1. Log into the Workflow web UI as an administrator.

  2. Select Users from the drop-down menu on the upper right.

    The Users list page opens. You can use the search filter in the upper right corner to make sure that the user is not already added.

  3. Click the plus sign (+) next to Add a New User.

  4. In the Add New a User text area, select one of two types for user. The selection box is grey for the active selection.

    • Internal means you are manually adding the user to the Workflow database.
    • LDAP means the user is in an LDAP system that has been integrated to this Workflow.

    If you select Internal, options for Name and Email, first name, last name, email address, and Security Information, a login name and password, appear.

    If you select LDAP, the Name and Email options go away and a Security Information option for the user’s LDAP username and SSH public key appears.

  5. Enter the appropriate information for the type of user you are adding. Leave the SSH Public Key area blank, the user must log in and enter this information.

    Select user Roles Within the Enterprise.

    Click Save and Close, or Cancel to discard the operation.

    The User list page opens and a status message appears.

To check that the user was added properly when using LDAP, click Edit and verify that the user details are present.

Edit

Note

In order to add or edit users, you must have root shell access and the Admin role assigned in Workflow.

To edit LDAP details for a user:

  1. Log into the Workflow web UI as an administrator.

  2. Select Users from the drop-down menu on the upper right.

    The Users list page opens. You can use the search filter in the upper right corner to make sure that the user is not already added.

  3. Click the plus sign (+) next to Add a New User.

  4. In the Add New a User text area, select one of two types for user. The selection box is grey for the active selection.

    Internal means you are manually adding the user to the Delivery database.

    LDAP means the user is in an LDAP system that has been integrated to this Workflow.

    If you select Internal, options for Name and Email, first name, last name, email address, and Security Information, a login name and password, appear.

    If you select LDAP, the Name and Email options go away and a Security Information option for the user’s LDAP username appears.

  5. Enter the appropriate information for the type of user you are adding. Leave the SSH Public Key area blank. The user must log in and enter this information.

    Select user Roles Within the Enterprise.

    Click Save and Close, or Cancel to discard the operation.

    The User list page opens and a status message appears.

To check that the user was added properly when using LDAP, click Edit and verify that the user details are present.