LDAP Access - Preseeding Users


Jay Farschman
Jan 15, 2016, 4:27:04 PM
to scalr-discuss
Afternoon,

I set up LDAP access against our MS Active Directory (AD) today and found that once you understand how all the parts work, it's really very well done.  However, I have a question about the workflow.

Scalr does not allow me to do any operations on an LDAP user until that user first logs in.  After they log in, I can assign them to teams and apply the proper ACLs, but not before then.

How have others handled this?  For now I'm personally inviting a limited number of users and I can work with them all personally, but is there a better, more automated way?

Vitaliy Demidov
Jan 16, 2016, 1:14:38 PM
to scalr-discuss
Hi Jay,

Actually, the workflow may look like this:
1. Admin adds all necessary Teams, which are the essence of the LDAP Groups.
2. Each Team should be set with a default ACL. In this case the admin does not need to set the ACL individually for each User; it is set for the whole Team.
3. Admin associates each Environment with the appropriate set of these Groups.

Then the only thing the admin does is manage Users in LDAP. When a new user is created, the admin gives them the appropriate set of LDAP Groups in Active Directory.

Jay Farschman
Jan 17, 2016, 11:34:12 AM
to scalr-discuss
Vitaliy,

Brilliant.  I should have seen.  Yes, it works great.

Randy Black
May 16, 2016, 5:34:29 PM
to scalr-discuss
Care to share your ldap config?  I am attaching to an AD environment and having no luck.

Thanks,
Randy

app[:configuration] = {
  :scalr => {
    # Tells Scalr to use LDAP for authentication
    :auth_mode => 'LDAP',

    :connections => {
      :ldap => {
        # Tells Scalr what LDAP server to connect to
        :bind_type => 'simple',
        :host => 'ldaps://ad.ddd.ccc.com:3269',
        :port => '3269',

        # Tells Scalr where to look at for users and groups
        :base_dn => 'CN=USER,OU=xxxx,DC=ad,DC=xxx,DC=com',
        :base_dn_groups => 'OU=xxx,OU=Sites,DC=ad,DC=xxx,DC=com',

        :user => 'cn="xx,ou=xx,ou=xxx,ou=xxx,dc=ad,dc=xxx,dc=com"',
        :password => '*****',

        # Tells Scalr what attributes to look at
        :username_attribute => 'sAMAccountName',
        :groupname_attribute => 'memberOf',

        # Tells Scalr how group membership is represented
        :group_member_attribute_type => 'memberUid',

        # Tells Scalr to use filters to speed up queries
        :filter => {
          :users => '(&(objectClass=posixAccount))',
          :groups => '(&(objectClass=groupOfNames))',
        },

        # Uncomment for debug output if you can't login
        :debug => 1,
      }
    }
  }
}

Jay Farschman
May 19, 2016, 10:21:15 AM
to scalr-discuss
Hey Randy,

To me it looks like you have the port specified on the host line and should not.  The other thing I remember messing with my brain a bit was the fact that I had to create my groups as CNs under security groups.  In my case - OU=Security Groups,DC=my,DC=company,DC=com
  • CN=QA
  • CN=DEV
  • CN=etc...
Your config is a little difficult to read because you XXX-ed things out, leaving me guessing at how the LDAP portions interconnect.

I'm curious, what kind of an error are you returning? The error messages are pretty good.  For further clarity I ended up doing a tcpdump and switching back to unencrypted traffic. I was able to see quite a bit with a dump, including the password which I was mistyping frequently ;)

Finally, if you are running encrypted against Microsoft AD, then you'll be using a TLS cert and you need to have a cert from your CA to get things working.

app[:configuration] = {
  :scalr => {
    # Tells Scalr to use LDAP for authentication
    :auth_mode => 'ldap',

    :connections => {
      :ldap => {
        # Tells Scalr what LDAP server to connect to
        :bind_type => 'regular',
        :host      => 'ldaps://auth01.my.company.com',
        :port      => '636',
        :user      => 'CN=Scalr,OU=Service Accounts,DC=my,DC=company,DC=com',
        :pass      => 'xxxxxxxxxxxxxxxx',

        # User attributes
        :domain             => 'my.company.com',
        :mail_attribute     => 'mail',
        :fullname_attribute => 'displayName',

        # Tells Scalr where to look at for users and groups
        :base_dn        => 'OU=Employees,DC=my,DC=company,DC=com',
        :base_dn_groups => 'OU=Security Groups,DC=my,DC=company,DC=com',

        # Tells Scalr what attributes to look at (the group name is the CN)
        :username_attribute  => 'sAMAccountName',
        :groupname_attribute => 'CN',

        # Tells Scalr how group membership is represented
        :group_member_attribute_type => 'member',

        # Tells Scalr to use filters to speed up queries
        :filter   => {
          :users  => '(&(objectClass=person))',
          :groups => '(&(objectClass=group))',
        },
      }
    }
  }
}
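As an added example (not Scalr's code and not from either poster), the script below shows how the attribute and filter settings in Jay's working config translate into the two AD searches a login needs, with RFC 4515 escaping of the user-supplied value and the host/port check his troubleshooting turned on. The login name and user DN fed to it are constructed for illustration.

```python
"""Build the AD searches implied by the Scalr LDAP settings in the thread.

The CONFIG values are copied from the working config above; the login
"jdoe" and the user DN used in the demo are constructed test values.
"""
from urllib.parse import urlsplit

CONFIG = {
    "host": "ldaps://auth01.my.company.com",
    "port": "636",
    "base_dn": "OU=Employees,DC=my,DC=company,DC=com",
    "base_dn_groups": "OU=Security Groups,DC=my,DC=company,DC=com",
    "username_attribute": "sAMAccountName",
    "groupname_attribute": "CN",
    "group_member_attribute_type": "member",
    "filter_users": "(&(objectClass=person))",
    "filter_groups": "(&(objectClass=group))",
}


def escape_filter(value):
    """RFC 4515 escaping: a typed login name must not be able to add or
    close filter terms, so the five special characters become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_search(cfg, login):
    """(base DN, filter) locating the user who typed `login`; the configured
    users filter is ANDed with username_attribute = escaped login."""
    flt = "(&%s(%s=%s))" % (cfg["filter_users"], cfg["username_attribute"],
                            escape_filter(login))
    return cfg["base_dn"], flt


def group_search(cfg, user_dn):
    """(base DN, filter) listing groups whose `member` holds the user's DN;
    each result's groupname_attribute (CN) is what maps to a Scalr Team."""
    flt = "(&%s(%s=%s))" % (cfg["filter_groups"],
                            cfg["group_member_attribute_type"],
                            escape_filter(user_dn))
    return cfg["base_dn_groups"], flt


def port_conflict(cfg):
    """True when :host already carries a port and :port is set as well,
    the duplication Jay pointed out in Randy's config."""
    return urlsplit(cfg["host"]).port is not None and bool(cfg.get("port"))


if __name__ == "__main__":
    print(user_search(CONFIG, "jdoe"))
    print(group_search(CONFIG, "CN=Jane Doe,OU=Employees,DC=my,DC=company,DC=com"))
    print("port conflict:", port_conflict(CONFIG))
```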