Active Directory and LDAP
The Chef Infra Server supports Active Directory and LDAP authentication, which enables users to log in to the Chef Infra Server using their corporate credential and the Manage interface. Without the Manage interface add-on installed, there is no need to enable the Chef Infra Server LDAP functionality. LDAP isn’t used with Supermarket logins, nor with any Chef Infra Client related authentication.
Configure LDAP
The Chef Infra Server supports using Active Directory or LDAP for any user that has an email address in the LDAP directory. This allows those users to log in to the Chef Infra Server by using their corporate credentials instead of having a separate username and password.
Warning
The following attributes MUST be in the user LDAP record:
mail:
sAMAccountName:
oruid:
The following attributes SHOULD be in the user LDAP record:
displayname:
givenname:
sn:
c:
l:
To configure the Chef Infra Server to use Active Directory or LDAP do the following:
Install the Chef management console (if it’s not already).
Add the following settings to the
/etc/opscode/chef-server.rb
file. These settings must be added to thechef-server.rb
file on each machine in the Chef Infra Server frontend deployment of a High Availability installation as well as on Chef servers in a standalone installation.Warning
The following settings MUST be in the config file for LDAP authentication to Active Directory to work:
base_dn
bind_dn
group_dn
host
If those settings are missing, you will get authentication errors and be unable to proceed.
This configuration file has the following settings for
ldap
:ldap['base_dn']
: The root LDAP node under which all other nodes exist in the directory structure. For Active Directory, this is typically
cn=users
and then the domain. For example:'OU=Employees,OU=Domain users,DC=example,DC=com'
Default value:
nil
.ldap['bind_dn']
: The distinguished name used to bind to the LDAP server. The user the Chef Infra Server will use to perform LDAP searches. This is often the administrator or manager user. This user needs to have read access to all LDAP users that require authentication. The Chef Infra Server must do an LDAP search before any user can log in. Many Active Directory and LDAP systems don’t allow an anonymous bind. If anonymous bind is allowed, leave the
bind_dn
andbind_password
settings blank. If anonymous bind isn’t allowed, a user withREAD
access to the directory is required. This user must be specified as an LDAP distinguished name similar to:'CN=user,OU=Employees,OU=Domainuser,DC=example,DC=com'
Note
If you need to escape characters in a distinguished name, such as when using Active Directory, they must be escaped with a backslash escape character.
'CN=example\\user,OU=Employees,OU=Domainuser,DC=example,DC=com'
Default value:
nil
.ldap['bind_password']
: Legacy configuration for the password of the binding user. The password for the user specified by
ldap['bind_dn']
. Leave this value andldap['bind_dn']
unset if anonymous bind is sufficient. Default value:nil
. As of Chef Infra Server 12.14, this is no longer the preferred command.Please use
chef-server-ctl set-secret ldap bind_password
from the Secrets Management commands.chef-server-ctl set-secret ldap bind_password Enter ldap bind_password: (no terminal output) Re-enter ldap bind_password: (no terminal output)
Remove a set password using
chef-server-ctl remove-secret ldap bind_password
ldap['group_dn']
: The distinguished name for a group. When set to the distinguished name of a group, only members of that group can log in. This feature filters based on the
memberOf
attribute and only works with LDAP servers that provide such an attribute. In OpenLDAP, thememberOf
overlay provides this attribute. For example, if the value of thememberOf
attribute isCN=common_name,OU=users,DC=company,DC=com
, then use:ldap['group_dn'] = 'CN=abcxyz,OU=users,DC=company,DC=com'
ldap['host']
: The name (or IP address) of the LDAP server. The hostname of the LDAP or Active Directory server. Be sure the Chef Infra Server is able to resolve any host names. Default value:
ldap-server-host
.ldap['login_attribute']
: The LDAP attribute that holds the user’s login name. Use to specify the Chef Infra Server user name for an LDAP user. Default value:
sAMAccountName
.ldap['port']
: An integer that specifies the port on which the LDAP server listens. The default value is an appropriate value for most configurations. Default value:
389
or636
whenldap['encryption']
is set to:simple_tls
.ldap['ssl_enabled']
: Cause the Chef Infra Server to connect to the LDAP server using SSL. Synonymous with simple_tls Default value:
false
. Must befalse
whenldap['tls_enabled']
istrue
.Note
Enable SSL for Active Directory.Note
Previous versions of the Chef Infra Server used theldap['ssl_enabled']
setting to first enable SSL, and then theldap['encryption']
setting to specify the encryption type. These settings are deprecated.ldap['system_adjective']
: A descriptive name for the login system that’s displayed to users in the Chef Infra Server management console. If a value like “corporate” is used, then the Chef management console user interface will display strings like “the corporate login server,” “corporate login,” or “corporate password.” Default value:
AD/LDAP
.Warning
This setting isn’t used by the Chef Infra Server. It’s used only by the Chef management console.ldap['timeout']
: The amount of time (in seconds) to wait before timing out. Default value:
60000
.ldap['tls_enabled']
: Enable TLS. When enabled, communication with the LDAP server is done using a secure SSL connection on a dedicated port. Synonymous with STARTTLS. This mode is rarely used. When
true
,ldap['port']
is also set to636
. Default value:false
. Must befalse
whenldap['ssl_enabled']
istrue
.Note
Previous versions of the Chef Infra Server used theldap['ssl_enabled']
setting to first enable SSL, and then theldap['encryption']
setting to specify the encryption type. These settings are deprecated.Note
If thechef-server.rb
file doesn’t exist, create a file calledchef-server.rb
and put it in the/etc/opscode/
directory.Reconfigure the Chef Infra Server and the Chef management console (standalone and frontend group members of a High Availabilty installation):
chef-server-ctl reconfigure
At this point, all users should be able to use their Active Directory or LDAP usernames and passwords to log in to the Chef Infra Server.
Test LDAP Connectivity
Use ldapsearch
to test the ability of the Chef Infra Server to use
Active Directory or LDAP. First, translate the Chef Infra Server LDAP
settings into ldapsearch
parameters:
Chef Infra Server Setting | ldapsearch Parameter |
---|---|
ldap['host'] and ldap['port'] | -H [HOST:PORT] |
ldap['bind_dn'] | -D [BIND_DN] |
ldap['bind_password'] | -W ; ldapsearch will prompt for this parameter |
ldap['base_dn'] | -b [BASE_DN] |
ldap['login_attribute'] | Defaults to SAMAccountName |
And then from a front end machine (in a high availability or tiered configuration) or from the Chef Infra Server in a standalone configuration, run the following command. Be sure to replace the uppercase placeholders with the values for your organization:
ldapsearch -LLL -H ldap://HOST:PORT -b 'BASE_DN' -D 'BIND_DN' -W '(LOGIN_ATTRIBUTE=YOUR_LDAP_ACCOUNT_USERNAME)'
For example:
ldapsearch -LLL -H ldap://win-ad1.chef.co:389 -b 'OU=Employees,OU=Domain users,DC=opscodecorp,DC=com' -D 'CN=Robert Forster,OU=Employees,OU=Domain users,DC=opscodecorp,DC=com' -W '(sAMAccountName=rforster)'
Output similar to the following is returned:
ldapsearch -LLL -H ldap://win-ad1.chef.co:389 -b 'OU=Employees,OU=Domain users,DC=opscodecorp,DC=com' -D 'CN=Robert Forster,OU=Employees,OU=Domain users,DC=opscodecorp,DC=com' -W '(sAMAccountName=rforster)'
Enter LDAP Password:
dn: CN=Robert Forster,OU=Employees,OU=Domain users,DC=opscodecorp,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Robert Forster
sn: Forster
c: 0
givenName: Robert
distinguishedName: CN=Robert Forster,OU=Employees,OU=Domain users,DC=opscodecorp,DC
=com
Note
ldapsearch
command may need to be installed on the platform. It’s
not included as part of the Chef Infra Server package.