Deans Blog

As part of my Puppet Master server installation I wanted to enable Active Directory authentication based on the membership of security group to restrict access to the console rather than using the default local console authentication mechanism.

Firstly, you are required to disable the console authentication by running the following with elevated root privelages:

sudo /opt/puppet/bin/rake -f /opt/puppet/share/console-auth/Rakefile console:auth:disable

Once the console authentication mechanism has been disabled you will be required to edit the following file to use Active Directory authentication by running the following with elevated root privelages:

sudo vi /etc/puppetlabs/httpd/auth.d/puppetconsole_auth.ad 

In the below example I will use the following configuration settings in order to build the configuration file:

Username: SVCreadad
Password: P@55word!
Domain Controller: DC1
LDAP Search Parameter: OU=Users,DC=dean,DC=local
Security Group: PuppetConsole-Allow

<Location />
AuthType Basic
AuthBasicProvider ldap
AuthName “Puppet Enterprise Console”

# Binding credentials, most AD doesn’t allow anon binding.
AuthLDAPBindDN “CN=SVCreadad,OU=Users,DC=dean,DC=local”
AuthLAPBindPassword “P@55word!”

#User Specification
AuthLDAPURL “ldap://dc1.dean.local/OU=Users,DC=dean,DC=local?SAMAccountName?sub?(objectClass=*)

# Requires that the user is a member of the specified security groups
AuthLDAPGroupAttributeIsDN on
require ldap-group CN=PuppetConsole-Allow,DC=dean,DC=local

</Location >

Save the updated file and run the following command with elevated root privelages:

sudo vi /etc/puppetlabs/httpd/conf.d/puppetdashboard.conf

Uncomment the below line which references the file we have just modified and save the configuration file

# Include /etc/puppetlabs/httpd/auth.d/puppetconsole_auth.ad 

Restart the pe-httd service by running the following command with elevated root privelages

sudo /etc/init.d/pe-httpd restart