Salt Using Active Directory Auth


Blake Ferkingstad

May 14, 2015, 2:02:46 PM
to salt-...@googlegroups.com

I am very new to SaltStack, and I have been tasked with trying to setup AD authentication to our Salt master server, but have been running into trouble. From what I have read this should work, but maybe I am missing something.

 

auth_mode: 1
auth.ldap.server: 'domain.local'
auth.ldap.basedn: 'OU=Users,OU=IT,OU=Company,DC=domain,DC=local'
auth.ldap.binddn: 'CN=BindUser,OU=Special Accounts,OU=Company,DC=domain,DC=local'
auth.ldap.bindpw: 'BindPassword'
auth.ldap.activedirectory: 'True'
auth.ldap.persontype: 'User'
auth.ldap.filter: cn={{ username }}

external_auth:
  ldap:
    Users%:
      - .*
      - '@runner'
      - '@wheel'

 

When I check the master log all I see is this.

2015-05-14 12:02:01,135 [salt.master      ][WARNING ] Authentication failure of type "eauth" occurred.

 

Unfortunately this error really didn’t help me much. Is there another place to look for errors in Salt?

C. R. Oldham

May 14, 2015, 2:08:53 PM
to salt-...@googlegroups.com
AD authentication has changed significantly recently.  What Salt version are you working with?  

salt --versions-report

will help immensely.

--
--cro
C. R. Oldham, Platform Engineer, SaltStack

Blake Ferkingstad

May 14, 2015, 2:10:49 PM
to salt-...@googlegroups.com

Here are the results of salt --versions-report

           Salt: 2014.7.5
         Python: 2.7.5 (default, Jun 17 2014, 18:11:42)
         Jinja2: 2.7.2
       M2Crypto: 0.21.1
msgpack-python: 0.4.6
   msgpack-pure: Not Installed
       pycrypto: 2.6.1
        libnacl: Not Installed
         PyYAML: 3.10
          ioflo: Not Installed
          PyZMQ: 14.3.1
           RAET: Not Installed
            ZMQ: 3.2.5
           Mako: Not Installed

C. R. Oldham

May 14, 2015, 2:15:39 PM
to salt-...@googlegroups.com
That's what I was concerned about. You can auth against Active Directory *users* in 2014.7.5, but not against *groups*. Group AD auth didn't appear until 2015.5.0. Also, better error messages for eauth are in 2015.5.0.

As one extra data point, you'll need the python-ldap module installed on your master regardless of what version of Salt you are on.

Blake Ferkingstad

May 14, 2015, 2:45:05 PM
to salt-...@googlegroups.com

Okay, thanks for that. I have updated my test box to version 2015.5.0

           Salt: 2015.5.0
         Python: 2.7.5 (default, Jun 17 2014, 18:11:42)
         Jinja2: 2.7.2
       M2Crypto: 0.21.1
msgpack-python: 0.4.6
   msgpack-pure: Not Installed
       pycrypto: 2.6.1
        libnacl: Not Installed
         PyYAML: 3.10
          ioflo: Not Installed
          PyZMQ: 14.3.1
           RAET: Not Installed
            ZMQ: 3.2.5
           Mako: Not Installed

I also checked that I have python-ldap installed. I have rebooted the box and tried again, but still am having issues.

I checked /var/log/salt/master but that is still sending the same output as last time.

Is something in my configuration messed up?

Blake Ferkingstad

May 15, 2015, 12:14:50 PM
to salt-...@googlegroups.com

This turned out to be two things. The first issue was that I messed up on my groupsou and was pointing to something completely wrong. The second was that on my SaltPad install I didn’t have it pointing to ldap for authentication yet.

Once I made those changes everything worked.

Thanks,

Blake

C. R. Oldham

May 15, 2015, 1:15:44 PM
to salt-...@googlegroups.com
Great!  Thanks for sending the followup.
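
A preflight check for the causes this thread works through (python-ldap missing, group entries on a Salt release older than 2015.5.0, and the group OU setting), added here as an example; it is not code from Salt or from either poster. The function names and the POSTED dictionary are made up for the example, a trailing % on an external_auth entry is taken to mark a group, and the key name auth.ldap.groupou is assumed to be the setting the poster calls "groupsou".

```python
import importlib.util

GROUP_AUTH_MIN = (2015, 5, 0)  # per the thread: AD group auth first appears in 2015.5.0


def parse_version(text):
    """Turn a Salt version such as '2014.7.5' into a comparable tuple."""
    return tuple(int(part) for part in text.split(".")[:3])


def preflight(opts, salt_version, ldap_available=None):
    """Return a list of findings for an LDAP/AD eauth master configuration."""
    if ldap_available is None:
        # python-ldap installs the importable module 'ldap'
        ldap_available = importlib.util.find_spec("ldap") is not None
    findings = []
    if not ldap_available:
        findings.append("python-ldap is not importable on this master")
    entries = (opts.get("external_auth") or {}).get("ldap") or {}
    # Assumption: entries whose name ends in '%' are groups, the rest are users.
    groups = [name for name in entries if name.endswith("%")]
    if groups and parse_version(salt_version) < GROUP_AUTH_MIN:
        findings.append("group entries %s need Salt >= 2015.5.0, found %s"
                        % (groups, salt_version))
    if groups and not opts.get("auth.ldap.groupou"):
        # Assumed key name; the thread's fix was a wrong group OU.
        findings.append("group entries %s but auth.ldap.groupou is not set "
                        "explicitly; confirm where groups are searched" % groups)
    for key in ("auth.ldap.server", "auth.ldap.basedn"):
        if not opts.get(key):
            findings.append("%s is missing" % key)
    return findings


# Constructed input: the relevant keys from the configuration in the first
# post, as they would look after YAML parsing.
POSTED = {
    "auth.ldap.server": "domain.local",
    "auth.ldap.basedn": "OU=Users,OU=IT,OU=Company,DC=domain,DC=local",
    "auth.ldap.activedirectory": "True",
    "external_auth": {"ldap": {"Users%": [".*", "@runner", "@wheel"]}},
}

if __name__ == "__main__":
    for version in ("2014.7.5", "2015.5.0"):
        for finding in preflight(POSTED, version):
            print("%s: %s" % (version, finding))
```

The check only reads the configuration; whether the OU named in the group setting actually holds the intended groups still has to be confirmed against the directory.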