How to configure AD Domain Authentication for rancher2.x

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how to configure AD domain authentication in rancher2.x. The editor thinks it is very practical, so it is shared here as a reference; follow along with the editor to have a look.

If your organization uses Microsoft Active Directory as the unified user management system, Rancher can integrate Active Directory services for unified authentication. Rancher controls access to clusters and projects based on users and groups managed by Active Directory, while allowing end users to authenticate with their AD credentials when logging in to Rancher UI.

Rancher uses LDAP to communicate with the Active Directory service. Therefore, the authentication process for Active Directory is the same as the OpenLDAP authentication integration method.

Note that before you begin, you should be familiar with external authentication configuration and the concept of principal users.

Prerequisites

You need to create, or obtain from the AD administrator, a new AD user to use as the service account for Rancher. This user must have sufficient permissions to perform an LDAP search and read the attributes of users and groups in the AD domain.

You should usually use a domain user account (not an administrator) to do this because by default this user has read-only access to most objects in the domain.

Note, however, that this default behavior may not apply in some locked-down Active Directory configurations. In that case, you need to ensure that the service account user has at least read and list permissions granted on the base OUs (those enclosing the users and groups), or granted globally on the domain.

Using TLS? If the certificate used by the AD server is self-signed or is not issued by a recognized certification authority, make sure you have the CA certificate in PEM format (concatenated with all intermediate certificates). You must supply this certificate during configuration so that Rancher can verify the server certificate.

Select Active Directory authentication

Log in to Rancher UI using your local admin account.

From the global view, navigate to Security > Authentication.

Select Active Directory to configure AD authentication parameters.

Configure the AD server

In the section titled Configure Active Directory Server, fill in the configuration information specific to your Active Directory service. For more information about the required value for each parameter, see the following table.

Note: if you are not sure what value to enter in the User Search Base or Group Search Base field, see Using ldapsearch to identify the Search Base and schema.

Table 1: AD server parameters

Hostname: the domain name or IP address of the AD server.

Port: the port on which the Active Directory server listens. Unencrypted LDAP usually uses the standard port 389, while LDAPS uses port 636.

TLS: check this box to enable LDAP over SSL/TLS (commonly referred to as LDAPS).

Server Connection Timeout: how long Rancher waits when it is unable to reach the AD server.

Service Account Username: the user name of the AD account that has read-only access to your login domain (see Prerequisites). The user name can be entered in NetBIOS format (for example, DOMAIN\serviceaccount) or UPN format (for example, serviceaccount@domain.com).

Service Account Password: the password of the service account.

Default Login Domain: when this field is configured with the NetBIOS name of the AD domain, a user name entered without a domain (for example, jdoe) is automatically converted to a slashed NetBIOS login (for example, LOGIN_DOMAIN\jdoe) when binding to the AD server. If your users authenticate with a UPN (for example, jdoe@acme.com) as the user name, this field must be left blank.

User Search Base: the distinguished name of the node in the directory tree from which to search for user objects. All users must be descendants of this base DN. For example: ou=people,dc=acme,dc=com.

Group Search Base: if your groups are under a different node than the one configured as User Search Base, provide its distinguished name here. Otherwise, leave it blank. For example: ou=groups,dc=acme,dc=com.

Custom schema (optional)

Note that if your AD server uses the standard schema, you can skip this step.

In the section titled Custom Schema, you must provide Rancher with the correct user and group attribute configuration corresponding to the schema used in your directory.

Rancher uses LDAP queries to search and retrieve information about users and groups in Active Directory, and the attribute maps configured in this section are used to build search filters and resolve group membership. Therefore, it is important that the settings provided reflect the actual situation of the AD domain.

Note that if you are not familiar with the schema used in the Active Directory domain, see using ldapsearch to identify search bases and schemas to determine the correct configuration values.

User schema

The following table details the parameters configured in the user schema section.

Table 2: user schema configuration parameters

Object Class: the type name of the user object.

Username Attribute: the user attribute whose value is used as the display name.

Login Attribute: the attribute matched against the user name portion of the credentials entered when a user logs in to Rancher. If your users authenticate with their UPN (for example, "jdoe@acme.com") as the user name, you must usually set this field to userPrincipalName. Otherwise, for old NetBIOS-style login names (such as "jdoe"), this is usually sAMAccountName.

User Member Attribute: the user attribute that contains the groups the user belongs to.

Search Attribute: when a user enters text to add a user or group in the UI, Rancher queries the AD server and attempts to match the user by the attributes listed in this setting. You can specify multiple attributes by separating them with a pipe ("|") symbol. To match UPN user names (for example, jdoe@acme.com), you should usually set this field to userPrincipalName.

User Enabled Attribute: the attribute containing the bitwise enumerated integer value of the user account flags. Rancher uses it to determine whether the user account is disabled. You should usually leave this at the AD standard userAccountControl.

Disabled Status Bitmask: the value of the attribute named in User Enabled Attribute that indicates the account has been disabled. You should typically leave this at the default value of "2" specified in the Microsoft Active Directory schema.

Group schema

The following table details the parameters for the group schema configuration.

Table 3: group schema configuration parameters

Object Class: the type name of the group object.

Name Attribute: the group attribute whose value is used as the display name.

Group Member User Attribute: the name of the user attribute whose value matches the format of the entries in the group member attribute.

Group Member Mapping Attribute: the name of the group attribute that contains the group's members.

Search Attribute: the attributes used to build the search filter when adding groups to a cluster or project. Refer to the description of Search Attribute in the user schema.

Group DN Attribute: the name of the group attribute whose format matches the values in the user attribute describing the user's membership. See User Member Attribute.

Nested Group Membership: defines whether Rancher should resolve nested group membership. Use this only if your organization uses nested memberships (that is, you have groups that contain other groups as members).

Use ldapsearch to identify Search Base and schema

To configure AD authentication successfully, you must provide the correct configuration for the hierarchy and schema of your AD server.

The ldapsearch tool can help you query the schema of the user and group objects on the AD server.

For demonstration purposes, we assume:

The hostname of the Active Directory server is ad.acme.com.

The server is listening for unencrypted connections on port 389.

The Active Directory domain is acme.

We have a valid AD account with user name jdoe and password secret.

Identify Search Base

First, we will use ldapsearch to identify the distinguished names (DN) of the parent nodes of users and groups:

ldapsearch -x -D "acme\jdoe" -w "secret" -p 389 \
  -h ad.acme.com -b "dc=acme,dc=com" -s sub "sAMAccountName=jdoe"

This command performs an LDAP search with the search base set to the root of the domain (-b "dc=acme,dc=com") and a filter targeting the user (sAMAccountName=jdoe); it returns the user's attributes.

Since in this case the user's DN is CN=John Doe,CN=Users,DC=acme,DC=com [5], we should configure User Search Base with the DN of its parent node, CN=Users,DC=acme,DC=com.

Similarly, based on the DN of the group referenced in the memberOf attribute [4], the correct value of the group Search Base should be the parent node of that value, that is, OU=Groups,DC=acme,DC=com.

Identify the user schema

The output of the ldapsearch query above also determines the user schema configuration:

Object Class: person [1]

Username Attribute: name [2]

Login Attribute: sAMAccountName [3]

User Member Attribute: memberOf [4]

Note that if AD users in your organization authenticate using their UPN (for example, jdoe@acme.com) instead of a short login, then we must set Login Attribute to userPrincipalName.

You can also set the Search Attribute parameter to sAMAccountName|name. That way, users can be added to a cluster or project through the Rancher UI by entering either their user name or their full name.

Identify the group schema

Next, we query a group associated with this user, in this case CN=examplegroup,OU=Groups,DC=acme,DC=com:

ldapsearch -x -D "acme\jdoe" -w "secret" -p 389 \
  -h ad.acme.com -b "ou=groups,dc=acme,dc=com" \
  -s sub "CN=examplegroup"

The above command displays the attributes of the group object:

Object Class: group [1]

Name Attribute: name [2]

Group Member Mapping Attribute: member [3]

Search Attribute: sAMAccountName [4]

Looking at the value of the member attribute, we can see that it contains the DN referencing the user, which corresponds to the distinguishedName attribute of the user object. Therefore, the Group Member User Attribute parameter must be set to distinguishedName. In the same way, the value of the memberOf attribute in the user object corresponds to the group's distinguishedName [5], so the Group DN Attribute parameter must also be set to distinguishedName.
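The following is an added example, not code from the Rancher documentation: it takes ldapsearch-style user and group entries (constructed sample data), derives the User Search Base and Group Search Base from the parent DNs as described above, checks that member and memberOf reference each other's distinguishedName, and applies the userAccountControl / Disabled Status Bitmask check from the user schema table.

```python
# Added example (not from the Rancher docs): derive Search Base values from
# ldapsearch-style entries, check the member/memberOf links the text describes,
# and apply the Disabled Status Bitmask check. LDIF below is constructed data.
import re

USER_LDIF = """\
dn: CN=John Doe,CN=Users,DC=acme,DC=com
objectClass: person
sAMAccountName: jdoe
memberOf: CN=examplegroup,OU=Groups,DC=acme,DC=com
userAccountControl: 514
"""
GROUP_LDIF = """\
dn: CN=examplegroup,OU=Groups,DC=acme,DC=com
objectClass: group
member: CN=John Doe,CN=Users,DC=acme,DC=com
"""
DISABLED_BITMASK = 2  # ACCOUNTDISABLE, Rancher's default Disabled Status Bitmask

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, keeping multi-valued attrs."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def parent_dn(dn):
    """Drop the leading RDN (split only on unescaped commas) to get the parent node DN."""
    return ",".join(re.split(r"(?<!\\),", dn)[1:])

def is_disabled(entry, enabled_attr="userAccountControl", bitmask=DISABLED_BITMASK):
    """Rancher treats the account as disabled when the bitmask bit is set in the flags."""
    return bool(int(entry[enabled_attr][0]) & bitmask)

def derive_settings(user_ldif, group_ldif):
    """Map the entries onto the Rancher fields discussed above and verify the links."""
    user, group = parse_ldif_entry(user_ldif), parse_ldif_entry(group_ldif)
    user_dn, group_dn = user["dn"][0], group["dn"][0]
    # memberOf on the user and member on the group both hold distinguishedName
    # values, hence Group Member User Attribute / Group DN Attribute = distinguishedName.
    linked = group_dn in user.get("memberOf", []) and user_dn in group.get("member", [])
    return {
        "User Search Base": parent_dn(user_dn),
        "Group Search Base": parent_dn(group_dn),
        "Object Class": (user["objectClass"][0], group["objectClass"][0]),
        "membership_consistent": linked,
        "user_disabled": is_disabled(user),
    }
```

The sample userAccountControl of 514 is 512 (normal account) with the disabled bit 2 set, so the check reports the account as disabled; a value of 512 would pass.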

Test authentication

After the configuration is complete, continue to test the connection to the AD server. If the test is successful, authentication using the configured Active Directory is implicitly enabled.

Note that the AD user associated with the credentials entered in this step is mapped to the local principal account and granted administrator privileges in Rancher. Therefore, decide deliberately which AD account to use for this step.

Enter the user name and password of the AD account that should be mapped to the local principal account.

Click Use Active Directory for authentication to complete the setup.

Note that if the LDAP service is interrupted, you can log in with a local account and password.

Thank you for reading! This is the end of this article on "how to configure AD domain authentication for rancher2.x". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, you can share it out for more people to see!
