SaltStack Support

Connecting Active Directory Service with multiple groups in Auth BIND DN filter

Overview

This article describes how to configure a SaltStack Enterprise Directory Service connection using multiple groups in the Auth BIND DN filter.

This includes how to collect information and troubleshoot your configuration using the following tools:

  • Active Directory Users and Computers
  • ADSI Edit
  • ldapsearch
  • psql
  • tcpdump

To demonstrate the above, this article walks through an example scenario of synchronizing four groups and four corresponding users.

Assessing Active Directory information

Identify Active Directory objects

Identify the required Active Directory (AD) objects and review proper distinguished names for each object.

Start by listing the objects you need, and finding them in Active Directory Users and Computers.

Screen Shot 2019-08-22 at 9.17.37 PM.png

Screen Shot 2019-08-22 at 9.19.08 PM.png

Screen Shot 2019-08-22 at 9.19.19 PM.png

Screen Shot 2019-08-22 at 9.19.30 PM.png

 

This example scenario uses the following objects:

Domain: winad.lab

Base DN: CSE.winad.lab

Bind DN: saltservice.CSE.winad.lab

Groups:

  • NetEng_Admins.NetEng.CSE.winad.lab
  • Support_Admins.Support.CSE.winad.lab
  • QA_Admins.QA.CSE.winad.lab
  • DevOps_Admins.DevOps.CSE.winad.lab

Users:

  • neteng1.NetEng.CSE.winad.lab (member of NetEng_Admins)
  • support1.Support.CSE.winad.lab (member of Support_Admins)
  • qa1.QA.CSE.winad.lab (member of QA_Admins)
  • devops1.DevOps.CSE.winad.lab (member of DevOps_Admins)

 

In this scenario, we focus on four Organizational Units (OUs) under CSE.winad.lab. Each OU contains one admin group with one user as a member.

We aim to synchronize all four groups and their corresponding users with SaltStack Enterprise.

 

Get object Distinguished Names

Collect the proper Distinguished Name (DN) of each object.

This step is critical. Typos and gaps in directory schema knowledge are the most common sources of error here, so pay close attention.

If you're not sure how to approach this step, contact your Domain Administrator, or a person in a similar role for assistance. The best approach varies per Directory Service, so make sure to review this carefully.

 

In AD, the best tool for this task is ADSI Edit, available on the Domain Controller.

Use ADSI Edit to find the proper DN of each required element and take note of the DN attribute value.

The group DN attribute is used later to build the Auth BIND DN filter.

A recommended practice is to connect to the server using the assigned BIND DN username. This verifies that the bind account has the rights and permissions to read all required objects: an object the bind account cannot see in ADSI Edit will not be visible from ldapsearch or SaltStack Enterprise either.

Screen Shot 2019-08-22 at 9.27.02 PM.png

Screen Shot 2019-08-22 at 9.27.30 PM.png

Once you have connected with a selected user, access each object and take note of the object DN attribute value.

Screen Shot 2019-08-22 at 9.28.44 PM.png

Screen Shot 2019-08-22 at 9.29.47 PM.png

Screen Shot 2019-08-22 at 9.32.21 PM.png

 

We now have the following DNs:

Base DN: CSE.winad.lab - OU=CSE,DC=winad,DC=lab

Bind DN: saltservice.CSE.winad.lab - CN=saltservice,OU=CSE,DC=winad,DC=lab

Groups:

  • NetEng_Admins - CN=NetEng_Admins,OU=NetEng,OU=CSE,DC=winad,DC=lab
  • Support_Admins - CN=Support_Admins,OU=Support,OU=CSE,DC=winad,DC=lab
  • QA_Admins - CN=QA_Admins,OU=QA,OU=CSE,DC=winad,DC=lab
  • DevOps_Admins - CN=DevOps_Admins,OU=DevOps,OU=CSE,DC=winad,DC=lab

 

Next step: verify the LDAP connection settings and build the proper filter.

 

Verifying your LDAP connection

On your SaltStack Enterprise server (or any other client that can reach the Domain Controller), install the ldapsearch utility (package ldap-utils on Debian/Ubuntu, openldap-clients on RHEL/CentOS).

 

With ldapsearch, test your connection using the gathered information.

Begin with simple queries, searching for all users and groups in the selected OUs.

 

In the following examples, pay close attention to each command line argument. -x selects simple bind, -D is the bind DN, -b the search base and -s the scope. -W prompts for the bind password, while -w takes it on the command line, where it ends up in shell history and process listings, so prefer -W outside a lab. -h connects over plain LDAP (port 389) and is deprecated in current OpenLDAP; -H ldaps://<host> (or -Z for StartTLS) keeps the simple-bind password off the wire.

All objects under OU=CSE,DC=winad,DC=lab

ldapsearch -x -h 172.31.28.22 -W -D "CN=saltservice,OU=CSE,DC=winad,DC=lab" -b "OU=CSE,DC=winad,DC=lab" samaccountName 

Screen Shot 2019-08-22 at 9.44.35 PM.png

 

All objects under OU=DevOps,OU=CSE,DC=winad,DC=lab

ldapsearch -x -h 172.31.28.22 -W -D "CN=saltservice,OU=CSE,DC=winad,DC=lab" -b "OU=DevOps,OU=CSE,DC=winad,DC=lab" samaccountName 

Screen Shot 2019-08-22 at 9.46.40 PM.png

 

User objects under OU=QA,OU=CSE,DC=winad,DC=lab and subtree

ldapsearch -x -h 172.31.28.22 -w 'saltstack!2019' -D "CN=saltservice,OU=CSE,DC=winad,DC=lab" -b "OU=QA,OU=CSE,DC=winad,DC=lab" -s sub "(&(objectclass=user)(sAMAccountName=*))" samaccountName 

Screen Shot 2019-08-22 at 9.49.16 PM.png

 

Group objects under OU=NetEng,OU=CSE,DC=winad,DC=lab and subtree, showing the sAMAccountName and cn attributes (the trailing arguments to ldapsearch are attribute names to return, not DNs)

ldapsearch -x -h 172.31.28.22 -w 'saltstack!2019' -D "CN=saltservice,OU=CSE,DC=winad,DC=lab" -b "OU=NetEng,OU=CSE,DC=winad,DC=lab" -s sub "(&(objectclass=group)(sAMAccountName=*))" samaccountName cn

Screen Shot 2019-08-22 at 9.50.41 PM.png

 

Now that you have validated proper LDAP connection settings, the next step is to build a filter to extend ldapsearch to select users by group membership.


Filtering by group membership with the Auth BIND DN filter

We have to build a filter for the following groups:

  • NetEng_Admins - CN=NetEng_Admins,OU=NetEng,OU=CSE,DC=winad,DC=lab
  • Support_Admins - CN=Support_Admins,OU=Support,OU=CSE,DC=winad,DC=lab
  • QA_Admins - CN=QA_Admins,OU=QA,OU=CSE,DC=winad,DC=lab
  • DevOps_Admins - CN=DevOps_Admins,OU=DevOps,OU=CSE,DC=winad,DC=lab

 

Start by testing the first group and then adding the remaining ones:

 

Retrieve users who are members of CN=NetEng_Admins,OU=NetEng,OU=CSE,DC=winad,DC=lab.

ldapsearch -x -h 172.31.28.22 -w 'saltstack!2019' -D "CN=saltservice,OU=CSE,DC=winad,DC=lab" -b "OU=CSE,DC=winad,DC=lab" -s sub "(&(objectclass=user)(sAMAccountName=*)(memberOf=CN=NetEng_Admins,OU=NetEng,OU=CSE,DC=winad,DC=lab))" samaccountName 

Screen Shot 2019-08-22 at 10.15.17 PM.png

The search returned the user neteng1.

 

Extend the filter to include a second group, CN=Support_Admins,OU=Support,OU=CSE,DC=winad,DC=lab, wrapping both memberOf terms in an OR (|...) so the search returns members of either NetEng_Admins or Support_Admins.

ldapsearch -x -h 172.31.28.22 -w 'saltstack!2019' -D "CN=saltservice,OU=CSE,DC=winad,DC=lab" -b "OU=CSE,DC=winad,DC=lab" -s sub "(&(objectclass=user)(sAMAccountName=*)(|(memberOf=CN=NetEng_Admins,OU=NetEng,OU=CSE,DC=winad,DC=lab)(memberOf=CN=Support_Admins,OU=Support,OU=CSE,DC=winad,DC=lab)))" samaccountName 

Screen Shot 2019-08-22 at 10.20.15 PM.png

The search returned both users neteng1 and support1.

 

Extend the filter to include all four groups.

ldapsearch -x -h 172.31.28.22 -w 'saltstack!2019' -D "CN=saltservice,OU=CSE,DC=winad,DC=lab" -b "OU=CSE,DC=winad,DC=lab" -s sub "(&(objectclass=user)(sAMAccountName=*)(|(memberOf=CN=NetEng_Admins,OU=NetEng,OU=CSE,DC=winad,DC=lab)(memberOf=CN=Support_Admins,OU=Support,OU=CSE,DC=winad,DC=lab)(memberOf=CN=QA_Admins,OU=QA,OU=CSE,DC=winad,DC=lab)(memberOf=CN=DevOps_Admins,OU=DevOps,OU=CSE,DC=winad,DC=lab)))" samaccountName 

Screen Shot 2019-08-22 at 10.23.29 PM.png

The filter retrieved all four users, so we have confirmed it's ready.
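The filter above was built by hand, one group at a time, and the same string is reused later in the connection settings. The following POSIX shell script is an added example, not part of this article or of SaltStack Enterprise: it generates the (&(objectclass=user)(sAMAccountName=...)(|(memberOf=...)...)) filter for any number of group DNs, escapes the characters ( ) * and \ in DN values as RFC 4515 requires (a group named "Ops (EU)" would otherwise unbalance the filter's parentheses), and prints an ldapsearch command to test it. The printed command deliberately differs from the ones above: -H ldaps:// in place of the deprecated -h, and -W instead of -w. The host, bind DN, base DN and group DNs are the article's; the function names and an LDAPS listener on the Domain Controller are assumptions.

```shell
#!/bin/sh
# Added example (not from the SaltStack article): generate the memberOf filter
# for any number of group DNs instead of hand-editing it.

# Escape an LDAP filter value per RFC 4515. Backslash is handled first so the
# backslashes introduced for the other characters are not escaped twice.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# build_filter USER_TERM GROUP_DN...
# USER_TERM is inserted verbatim: '*' for an ldapsearch test, '{username}' for
# the SaltStack Enterprise Auth Bind DN Filter. Each group DN becomes one
# escaped (memberOf=...) term inside an OR.
build_filter() {
    user_term=$1
    shift
    terms=
    for dn in "$@"; do
        terms="${terms}(memberOf=$(ldap_escape "$dn"))"
    done
    printf '(&(objectclass=user)(sAMAccountName=%s)(|%s))' "$user_term" "$terms"
}

# ldapsearch_cmd HOST BIND_DN BASE_DN GROUP_DN...
# Prints (does not run) the test command. Compared with the article's commands:
# -H ldaps:// instead of -h (cleartext LDAP on 389, deprecated option), and -W
# so the bind password is prompted for rather than left in history by -w.
# Assumes the DNs contain no single quotes; pass them as separate arguments to
# ldapsearch if they do.
ldapsearch_cmd() {
    host=$1; bind_dn=$2; base_dn=$3; shift 3
    printf "ldapsearch -x -H ldaps://%s -W -D '%s' -b '%s' -s sub '%s' sAMAccountName\n" \
        "$host" "$bind_dn" "$base_dn" "$(build_filter '*' "$@")"
}

# The four group DNs from the article; a fifth group is one more argument.
set -- \
    'CN=NetEng_Admins,OU=NetEng,OU=CSE,DC=winad,DC=lab' \
    'CN=Support_Admins,OU=Support,OU=CSE,DC=winad,DC=lab' \
    'CN=QA_Admins,OU=QA,OU=CSE,DC=winad,DC=lab' \
    'CN=DevOps_Admins,OU=DevOps,OU=CSE,DC=winad,DC=lab'

echo "ldapsearch test command:"
ldapsearch_cmd 172.31.28.22 'CN=saltservice,OU=CSE,DC=winad,DC=lab' 'OU=CSE,DC=winad,DC=lab' "$@"
echo
echo "Auth Bind DN Filter value for SaltStack Enterprise:"
build_filter '{username}' "$@"
echo
```

Run as-is it prints the test command and the Auth Bind DN Filter value; the only difference between the two filters is the first argument to build_filter ('*' for ldapsearch, '{username}' for the connection settings), which is exactly the substitution the configuration section relies on.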

Configuring your Directory Service connection

Avoid modifying an existing connection in SaltStack Enterprise. Before you add a new connection, remove old ones from the Directory Service page.

Screen Shot 2019-08-22 at 10.30.59 PM.png

 

Check the database for leftovers from previous configuration attempts, and remove them if necessary.

In your PostgreSQL server:

Log in as postgres, run the psql client and locate the raas database. It is named raas_<customer_id>; the customer_id can be found in the /etc/raas/raas configuration file on the SaltStack Enterprise server. Then query the auth_configs, groups and users tables.

 

su - postgres
psql
\l
\c raas_.......
select * from groups;
select username from users; 

 

Screen Shot 2019-08-22 at 10.35.04 PM.png 

Screen Shot 2019-08-22 at 10.36.42 PM.png

As an added safety measure, restart the raas service if possible to start with a clean process.

 

Log in to SaltStack Enterprise as the root user and configure the Directory Service connection as follows:

 

Screen Shot 2019-08-22 at 10.44.19 PM.png

Settings:

Base DN: OU=CSE,DC=winad,DC=lab

Bind DN:  CN=saltservice,OU=CSE,DC=winad,DC=lab

Auth Bind DN: cn={username}

Auth Bind DN Filter:  (&(objectclass=user)(sAMAccountName={username})(|(memberOf=CN=NetEng_Admins,OU=NetEng,OU=CSE,DC=winad,DC=lab)(memberOf=CN=Support_Admins,OU=Support,OU=CSE,DC=winad,DC=lab)(memberOf=CN=QA_Admins,OU=QA,OU=CSE,DC=winad,DC=lab)(memberOf=CN=DevOps_Admins,OU=DevOps,OU=CSE,DC=winad,DC=lab)))

Note that this is the filter validated with ldapsearch above, with sAMAccountName=* replaced by sAMAccountName={username}: SaltStack Enterprise substitutes the name the user logs in with for {username}, so a user who is not a member of one of the four groups matches nothing and cannot authenticate.

Group Class: group

Group Name attribute: cn

User Object Class: user

User Name attribute: sAMAccountName

Attributes for group and user class and name may vary in your directory service.

 

Save the connection and then synchronize groups and users.

Screen Shot 2019-08-22 at 10.45.05 PM.png

Screen Shot 2019-08-22 at 10.45.23 PM.png

 

Verify the data in PostgreSQL.

Screen Shot 2019-08-22 at 10.48.02 PM.png

 

Now groups and users are synchronized with SaltStack Enterprise. You can start managing roles and permissions for these objects.

Adding a new user

After adding a new user to one of the AD groups, the next step is to synchronize that user from the Directory Service connection page.

First make sure the new user is visible with ldapsearch. The following search for the user devops2 reuses the full group filter and narrows the output with grep:

ldapsearch -x -h 172.31.28.22 -w 'saltstack!2019' -D "CN=saltservice,OU=CSE,DC=winad,DC=lab" -b "OU=CSE,DC=winad,DC=lab" -s sub "(&(objectclass=user)(sAMAccountName=*)(|(memberOf=CN=NetEng_Admins,OU=NetEng,OU=CSE,DC=winad,DC=lab)(memberOf=CN=Support_Admins,OU=Support,OU=CSE,DC=winad,DC=lab)(memberOf=CN=QA_Admins,OU=QA,OU=CSE,DC=winad,DC=lab)(memberOf=CN=DevOps_Admins,OU=DevOps,OU=CSE,DC=winad,DC=lab)))" samaccountName | grep devops2
# devops2, DevOps, CSE, winad.lab
dn: CN=devops2,OU=DevOps,OU=CSE,DC=winad,DC=lab 
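Comparing the grep output above with the database by eye works for one user. The following POSIX shell script is an added example, not from this article or from SaltStack Enterprise, that does the comparison for every account the group filter returns and lists the ones the sync has not picked up. The LDIF and the users-table listing embedded in it are constructed samples shaped like the ldapsearch output above and like psql output; in use, feed it the real output of ldapsearch and of psql -At -c "select username from users" raas_<customer_id>. The function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the SaltStack article): diff the accounts AD returns
# for the group filter against the usernames in the RaaS users table.

# Constructed sample of `ldapsearch ... sAMAccountName` output (LDIF). AD
# returns the attribute name in schema case, sAMAccountName, whatever case was
# used on the command line.
AD_LDIF='# neteng1, NetEng, CSE, winad.lab
dn: CN=neteng1,OU=NetEng,OU=CSE,DC=winad,DC=lab
sAMAccountName: neteng1

# support1, Support, CSE, winad.lab
dn: CN=support1,OU=Support,OU=CSE,DC=winad,DC=lab
sAMAccountName: support1

# qa1, QA, CSE, winad.lab
dn: CN=qa1,OU=QA,OU=CSE,DC=winad,DC=lab
sAMAccountName: qa1

# devops1, DevOps, CSE, winad.lab
dn: CN=devops1,OU=DevOps,OU=CSE,DC=winad,DC=lab
sAMAccountName: devops1

# devops2, DevOps, CSE, winad.lab
dn: CN=devops2,OU=DevOps,OU=CSE,DC=winad,DC=lab
sAMAccountName: devops2

# search result
search: 2
result: 0 Success
'

# Constructed sample of `psql -At -c "select username from users"` (unaligned,
# tuples only), taken before devops2 was synchronized.
DB_USERS='neteng1
support1
qa1
devops1
'

# Account names from LDIF, one per line, sorted. sAMAccountName is at most 20
# characters so LDIF line folding never applies; base64 values ("::") are not
# handled, which is fine for ASCII account names.
ad_accounts() {
    printf '%s' "$1" | sed -n 's/^sAMAccountName: //p' | LC_ALL=C sort -u
}

# missing_in_db LDIF DB_LIST: names present in AD but absent from RaaS.
missing_in_db() {
    db=$(mktemp)
    printf '%s' "$2" | LC_ALL=C sort -u > "$db"
    ad_accounts "$1" | grep -Fvx -f "$db" || true   # grep exits 1 when nothing is missing
    rm -f "$db"
}

echo "Accounts AD returns for the group filter:"
ad_accounts "$AD_LDIF"
echo "Not yet present in the RaaS users table:"
missing_in_db "$AD_LDIF" "$DB_USERS"
```

An empty "Not yet present" list after a sync is the condition to check for before handing the connection over; here it prints devops2, which is the case the workaround below addresses.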

As of this date (2019-08-22), updating existing groups/users does not work reliably.

Automatic sync does not add the new user.

Clicking Sync Now in either the Groups or Users tab does not work.

A workaround is described below.

Workaround
Summary

Deselect the given group and save, then synchronize groups again and select the previous group. The new user is now synchronized.

 

Example

The devops2 user is not present in the DB (after waiting for the automatic sync and clicking Sync Now on the Groups and Users tabs).

Screen Shot 2019-08-22 at 11.18.31 PM.png

Deselect and then re-select the group.

Screen Shot 2019-08-22 at 11.30.27 PM.png

 

Screen Shot 2019-08-22 at 11.31.38 PM.png

In the Users tab, you can now select the user.

Screen Shot 2019-08-22 at 11.31.46 PM.png

After saving, the user is written to the DB.

Screen Shot 2019-08-22 at 11.31.55 PM.png