EAuth using AD group membership


Nick Garber

Aug 10, 2017, 7:37:00 PM
to Salt-users
I have user authentication setup using our Active Directory domain controller, but can't get the group membership based matching to work.

Anyone using AD groups to manage privileges in Salt? If so, could you send me an example/snippet from your config?

Any other guidance would be appreciated!

C. R. Oldham

Aug 10, 2017, 8:13:50 PM
to salt-...@googlegroups.com
Hi Nick,

Can you post a sanitized config and let us know what version you are at? This should work and I want to make sure it didn't get broken in a recent release.

-- 
C. R. Oldham, Engineer, SaltStack
--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/salt-users/CACCJXwNWqSjBa3NqTL_LsfDuc9v1pV%2BDE_X5wBdgUPYLe%3D4r7g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Nick Garber

Aug 11, 2017, 11:36:06 AM
to salt-...@googlegroups.com

I'd be happy to! I'll respond with that info shortly (in the next few hours). Thanks!


Nick Garber

Aug 12, 2017, 12:56:22 PM
to salt-...@googlegroups.com
Hi CR,

Thanks again for taking a look ... sanitized config file contents follow:

## /etc/salt/master.d/eauth-ldap.conf
##
external_auth:
  ldap:
    user_example01:
      - .*
    admins%:
      - .*
    salt_test_only%:
      - "G@deploy:env:tst":
        - test.*
## EOF

------------------>%--new-file--%<------------------

## /etc/salt/master.d/auth.ldap - user and group auth using AD
##
auth.ldap.server: dc.mydomain.local
auth.ldap.basedn: DC=MYDOMAIN,DC=LOCAL
auth.ldap.binddn: CN=LDAP_QUERY_SALT,OU=Service Accounts,DC=mydomain,DC=local
auth.ldap.bindpw: sdb://sdb-mydomain/decafcoffeebad
auth.ldap.activedirectory: True
auth.ldap.accountattributename: sAMAccountName
auth.ldap.persontype: person
auth.ldap.groupclass: group
auth.ldap.filter: sAMAccountName={{ username }}
#auth.ldap.minion_stripdomains: ['.mydomain.local']
## EOF
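An added example (not from this thread and not Salt's own code) that replays the posted external_auth block as a plain dict and answers "may this AD user run this function on this minion?" under a simplified reading of the rules: a key equal to the user name, or a key ending in "%" whose prefix is one of the user's groups, grants its list, where each list item is either a function regex or a {target: [function regex, ...]} dict; only the "G@key:subkey:value" grain target form from the config is supported, and patterns are matched anchored at both ends. Running it against a user's real group list is a quick way to review what a group grant actually permits before relying on it.

```python
import re
from fnmatch import fnmatch

# Constructed sample mirroring the external_auth block posted above, as a plain
# dict so the check runs without PyYAML or a Salt master.
EXTERNAL_AUTH = {
    "ldap": {
        "user_example01": [".*"],
        "admins%": [".*"],
        "salt_test_only%": [{"G@deploy:env:tst": ["test.*"]}],
    }
}


def grain_match(target, grains):
    """Evaluate the 'G@a:b:value' grain-glob target form only.
    Assumption: a simplified stand-in for Salt's compound matcher."""
    if not target.startswith("G@"):
        raise ValueError("unsupported target form: %s" % target)
    *path, want = target[2:].split(":")
    node = grains
    for key in path:            # walk nested grain dicts, e.g. deploy -> env
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return isinstance(node, str) and fnmatch(node, want)


def permitted(user, groups, fun, grains, backend="ldap"):
    """True if `user` (member of AD `groups`) may run `fun` on a minion
    whose grains are `grains`; grants from all matching keys are unioned."""
    perms = []
    for key, entries in EXTERNAL_AUTH[backend].items():
        if key == user or (key.endswith("%") and key[:-1] in groups):
            perms.extend(entries)
    for entry in perms:
        if isinstance(entry, str):              # unrestricted function regex
            if re.fullmatch(entry, fun):
                return True
        else:                                   # {target: [function regex]}
            for target, funcs in entry.items():
                if grain_match(target, grains) and any(
                    re.fullmatch(f, fun) for f in funcs
                ):
                    return True
    return False
```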


Nick Garber

Aug 23, 2017, 11:58:27 AM
to salt-...@googlegroups.com, C. R. Oldham
Hi CR,

Re-sending just in case you didn't see the answer to your request to see the configs...

I'm hoping you can help me figure out the reason that AD group-membership based permissions aren't working.

Cheers!