Active Directory and LDAP

The Chef server supports Active Directory and LDAP authentication, which enables users to log in to the Chef server using their corporate credentials.

Configure LDAP

The Chef server supports using Active Directory or LDAP for any user that has an email address in the LDAP directory. This allows those users to log in to the Chef server by using their corporate credentials instead of having a separate username and password.

Warning

The following attributes MUST be in the user LDAP record:

  • mail:
  • sAMAccountName: or uid:

The following attributes SHOULD be in the user LDAP record:

  • displayname:
  • givenname:
  • sn:
  • c:
  • l:

To configure the Chef server to use Active Directory or LDAP do the following:

  1. Install the Chef management console (if it is not already).

  2. Add the following settings to the chef-server.rb file. These settings must be added to the chef-server.rb file on each machine in the Chef server frontend deployment of a High Availability installation as well as on Chef servers in a standalone installation.

    This configuration file has the following settings for ldap:

    ldap['base_dn']

    The root LDAP node under which all other nodes exist in the directory structure. For Active Directory, this is typically cn=users and then the domain. For example:

    'OU=Employees,OU=Domain users,DC=example,DC=com'

    Default value: nil.

    ldap['bind_dn']

    The distinguished name used to bind to the LDAP server. The user the Chef server will use to perform LDAP searches. This is often the administrator or manager user. This user needs to have read access to all LDAP users that require authentication. The Chef server must do an LDAP search before any user can log in. Many Active Directory and LDAP systems do not allow an anonymous bind. If anonymous bind is allowed, leave the bind_dn and bind_password settings blank. If anonymous bind is not allowed, a user with READ access to the directory is required. This user must be specified as an LDAP distinguished name similar to:

    'CN=user,OU=Employees,OU=Domainuser,DC=example,DC=com'

    Default value: nil.

    ldap['bind_password']

    The password for the binding user. The password for the user specified by ldap['bind_dn']. Leave this value and ldap['bind_dn'] unset if anonymous bind is sufficient. Default value: nil.

    ldap['group_dn']

    The distinguished name for a group. When set to the distinguished name of a group, only members of that group can log in. This feature filters based on the memberOf attribute and only works with LDAP servers that provide such an attribute. In OpenLDAP, the memberOf overlay provides this attribute. For example, if the value of the memberOf attribute is CN=abcxyz,OU=users,DC=company,DC=com, then use:

    ldap['group_dn'] = 'CN=user,OU=Employees,DC=example,DC=com'

    ldap['host']

    The name (or IP address) of the LDAP server. The hostname of the LDAP or Active Directory server. Be sure the Chef server is able to resolve any host names. Default value: ldap-server-host.

    ldap['login_attribute']

    The LDAP attribute that holds the user’s login name. Use to specify the Chef server user name for an LDAP user. Default value: sAMAccountName.

    ldap['port']

    An integer that specifies the port on which the LDAP server listens. The default value is an appropriate value for most configurations. Default value: 389 or 636 when ldap['encryption'] is set to :simple_tls.

    ldap['ssl_enabled']

    Causes the Chef server to connect to the LDAP server using SSL. Default value: false. Must be false when ldap['tls_enabled'] is true.

    Note

    Previous versions of the Chef server used the ldap['ssl_enabled'] setting to first enable SSL, and then the ldap['encryption'] setting to specify the encryption type. These settings are deprecated.

    ldap['system_adjective']

    A descriptive name for the login system that is displayed to users in the Chef server management console. If a value like “corporate” is used, then the Chef management console user interface will display strings like “the corporate login server”, “corporate login”, or “corporate password.” Default value: AD/LDAP.

    Warning

    This setting is not used by the Chef server. It is used only by the Chef management console.

    ldap['timeout']

    The amount of time (in seconds) to wait before timing out. Default value: 60000.

    ldap['tls_enabled']

    Enable TLS. When enabled, communication with the LDAP server is done via a secure SSL connection on a dedicated port. When true, ldap['port'] is also set to 636. Default value: false. Must be false when ldap['ssl_enabled'] is true.

    Note

    Previous versions of the Chef server used the ldap['ssl_enabled'] setting to first enable SSL, and then the ldap['encryption'] setting to specify the encryption type. These settings are deprecated.

    Note

    If the chef-server.rb file does not exist, create a file called chef-server.rb and put it in the /etc/opscode/ directory.

  3. Reconfigure the Chef server and the Chef management console (standalone and frontend group members of a High Availability installation):

    $ sudo chef-server-ctl reconfigure
    $ sudo chef-manage-ctl reconfigure

At this point, all users should be able to use their Active Directory or LDAP usernames and passwords to log in to the Chef server.
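The settings reference above states several consistency rules (ssl_enabled and tls_enabled are mutually exclusive, tls_enabled forces port 636, bind_dn and bind_password go together or are both left unset for anonymous bind). The following added example, which is not part of the Chef documentation or the Chef server code, writes those settings the way they appear in chef-server.rb and checks them against those rules before you run reconfigure. In a real chef-server.rb the ldap object is supplied by the configuration DSL; here a plain Ruby Hash stands in so the file runs on its own, and every host, DN and password value is a constructed placeholder.

```ruby
# Added example (not from the Chef docs): sample LDAP settings in the
# chef-server.rb form, plus a checker for the consistency rules stated in
# the settings reference. `ldap` is a plain Hash standing in for the
# config DSL object; all values are constructed placeholders.
def sample_ldap_settings
  ldap = {}
  ldap['host']            = 'ad.example.com'
  ldap['port']            = 636
  ldap['tls_enabled']     = true     # LDAPS on a dedicated port
  ldap['ssl_enabled']     = false    # must be false when tls_enabled is true
  ldap['base_dn']         = 'OU=Employees,OU=Domain users,DC=example,DC=com'
  ldap['bind_dn']         = 'CN=svc-chef,OU=Service Accounts,DC=example,DC=com'
  ldap['bind_password']   = 'REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD' # placeholder
  ldap['group_dn']        = 'CN=chef-users,OU=Groups,DC=example,DC=com'
  ldap['login_attribute'] = 'sAMAccountName'
  ldap['timeout']         = 60000
  ldap
end

# Return the problems a reviewer would flag, as an array of strings.
# An empty array means the settings satisfy the rules in the reference.
def ldap_config_problems(cfg)
  problems = []
  if cfg['tls_enabled'] && cfg['ssl_enabled']
    problems << "ldap['ssl_enabled'] must be false when ldap['tls_enabled'] is true"
  end
  if cfg['tls_enabled'] && cfg['port'] != 636
    problems << "ldap['port'] is set to 636 when ldap['tls_enabled'] is true; #{cfg['port']} will not be used"
  end
  problems << "ldap['base_dn'] is required" if cfg['base_dn'].to_s.empty?
  bind_dn_set = !cfg['bind_dn'].to_s.empty?
  bind_pw_set = !cfg['bind_password'].to_s.empty?
  if bind_dn_set != bind_pw_set
    problems << "set both ldap['bind_dn'] and ldap['bind_password'], or neither (anonymous bind)"
  end
  if bind_pw_set && !cfg['tls_enabled'] && !cfg['ssl_enabled']
    problems << "bind credentials would cross the network in cleartext: enable ldap['tls_enabled']"
  end
  problems
end

# Render the hash back into the lines you would paste into
# /etc/opscode/chef-server.rb (strings double-quoted, others bare).
def render_chef_server_rb(cfg)
  cfg.map { |key, value| "ldap['#{key}'] = #{value.inspect}" }.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  cfg = sample_ldap_settings
  puts render_chef_server_rb(cfg)
  problems = ldap_config_problems(cfg)
  puts(problems.empty? ? 'ldap settings look consistent' : problems.join("\n"))
end
```

The cleartext check is the one to pay attention to: a simple bind over ldap:// on port 389 sends the service account password unencrypted, and the ldapsearch test in the next section does the same unless you point it at ldaps://.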

Test LDAP Connectivity

Use ldapsearch to test the ability of the Chef server to use Active Directory or LDAP. First, translate the Chef server LDAP settings into ldapsearch parameters:

Chef Server Setting                ldapsearch Parameter
ldap['host'] and ldap['port']      -H [HOST:PORT]
ldap['bind_dn']                    -D [BIND_DN]
ldap['bind_password']              -W; ldapsearch will prompt for this parameter
ldap['base_dn']                    -b [BASE_DN]
ldap['login_attribute']            Defaults to sAMAccountName

And then from a front end machine (in a high availability or tiered configuration) or from the Chef server in a standalone configuration, run the following command. Be sure to replace the uppercase placeholders with the values for your organization:

$ ldapsearch -LLL -H ldap://HOST:PORT -b 'BASE_DN' -D 'BIND_DN' -W '(LOGIN_ATTRIBUTE=YOUR_LDAP_ACCOUNT_USERNAME)'

For example:

$ ldapsearch -LLL -H ldap://win-ad1.chef.co:389 -b 'OU=Employees,OU=Domain users,DC=opscodecorp,DC=com' -D 'CN=Robert Forster,OU=Employees,OU=Domain users,DC=opscodecorp,DC=com' -W '(sAMAccountName=rforster)'

Output similar to the following is returned:

$ ldapsearch -LLL -H ldap://win-ad1.chef.co:389 -b 'OU=Employees,OU=Domain users,DC=opscodecorp,DC=com' -D 'CN=Robert Forster,OU=Employees,OU=Domain users,DC=opscodecorp,DC=com' -W '(sAMAccountName=rforster)'
Enter LDAP Password:

dn: CN=Robert Forster,OU=Employees,OU=Domain users,DC=opscodecorp,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Robert Forster
sn: Forster
c: 0
givenName: Robert
distinguishedName: CN=Robert Forster,OU=Employees,OU=Domain users,DC=opscodecorp,DC
 =com

Note

The ldapsearch command may need to be installed on the platform. It is not included as part of the Chef server package.
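Reading the ldapsearch output by eye is error-prone, and the attribute rules at the top of this page (mail and sAMAccountName or uid MUST be present; displayname, givenname, sn, c and l SHOULD be) are exactly what the test is meant to confirm. The following added example, which is not part of the Chef documentation, parses LDIF as ldapsearch prints it, including folded continuation lines such as the wrapped distinguishedName line in the sample above, and reports which of those attributes are missing from each returned entry. The LDIF text is a constructed sample modelled on the output above, with mail and sAMAccountName values added for illustration; no real directory is involved.

```ruby
# Added example (not from the Chef docs): parse ldapsearch LDIF output and
# check the user entry for the attributes the page marks MUST and SHOULD.

# Constructed sample, modelled on the example output above; the line that
# starts with a single space is an LDIF continuation of the previous line.
SAMPLE_LDIF = <<~LDIF
  dn: CN=Robert Forster,OU=Employees,OU=Domain users,DC=opscodecorp,DC=com
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: user
  cn: Robert Forster
  sn: Forster
  c: 0
  givenName: Robert
  distinguishedName: CN=Robert Forster,OU=Employees,OU=Domain users,DC=opscodecorp,DC
   =com
  sAMAccountName: rforster
  mail: rforster@example.com
LDIF

# Parse LDIF into an array of entries. Each entry is a Hash of
# lower-cased attribute name => array of values (LDAP attribute names are
# case-insensitive). Folded lines are joined; "::" base64 values decoded.
def parse_ldif(text)
  logical_lines = []
  text.each_line do |raw|
    line = raw.chomp
    if line.start_with?(' ') && !logical_lines.empty?
      logical_lines[-1] += line[1..-1]   # continuation: drop the leading space
    else
      logical_lines << line
    end
  end

  entries = []
  current = {}
  logical_lines.each do |line|
    if line.empty?                        # blank line separates entries
      entries << current unless current.empty?
      current = {}
      next
    end
    next if line.start_with?('#')         # LDIF comment
    name, value = line.split(': ', 2)
    next if value.nil?                    # not an attribute line
    if name.end_with?(':')                # "attr:: <base64>" form
      name = name.chomp(':')
      value = value.unpack1('m')
    end
    (current[name.downcase] ||= []) << value
  end
  entries << current unless current.empty?
  entries
end

# Check one parsed entry against the page's MUST / SHOULD attribute lists.
# Returns { missing_must: [...], missing_should: [...] }; an empty
# missing_must means the Chef server has what it needs to log the user in.
def check_user_entry(entry)
  present = ->(attr) { entry.key?(attr.downcase) && !entry[attr.downcase].empty? }
  missing_must = []
  missing_must << 'mail' unless present.call('mail')
  missing_must << 'sAMAccountName or uid' unless present.call('sAMAccountName') || present.call('uid')
  missing_should = %w[displayName givenName sn c l].reject { |a| present.call(a) }
  { missing_must: missing_must, missing_should: missing_should }
end

if __FILE__ == $PROGRAM_NAME
  parse_ldif(SAMPLE_LDIF).each do |entry|
    puts "#{entry['dn'].first}: #{check_user_entry(entry).inspect}"
  end
end
```

To use it against a live directory, pipe the ldapsearch command from this section into a file and pass its contents to parse_ldif; an entry with a non-empty missing_must list is one the Chef server will not be able to log in, regardless of what the bind itself returned.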

© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
The Chef™ Mark and Chef Logo are either registered trademarks/service marks or trademarks/servicemarks of Chef, in the United States and other countries and are used with Chef Inc's permission.
https://docs-archive.chef.io/release/server_12-8/server_ldap.html