As part of my Puppet Master server installation I wanted to enable Active Directory authentication, restricting access to the console by membership of a security group rather than using the default local console authentication mechanism.
First, disable console authentication by running the following with root privileges:
sudo /opt/puppet/bin/rake -f /opt/puppet/share/console-auth/Rakefile console:auth:disable
Once the console authentication mechanism has been disabled, edit the following file to use Active Directory authentication, again with root privileges:
sudo vi /etc/puppetlabs/httpd/auth.d/puppetconsole_auth.ad
In the example below I use the following settings to build the configuration file:
Domain Controller: DC1
LDAP Search Parameter: OU=Users,DC=dean,DC=local
Security Group: PuppetConsole-Allow
AuthName "Puppet Enterprise Console"
# Binding credentials, most AD doesn't allow anon binding.
# Requires that the user is a member of the specified security groups
require ldap-group CN=PuppetConsole-Allow,DC=dean,DC=local
Save the updated file and run the following command with root privileges:
sudo vi /etc/puppetlabs/httpd/conf.d/puppetdashboard.conf
Uncomment the line below, which references the file we have just modified, and save the configuration file:
# Include /etc/puppetlabs/httpd/auth.d/puppetconsole_auth.ad
Restart the pe-httpd service by running the following command with root privileges:
sudo /etc/init.d/pe-httpd restart
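A complete version of the auth file built from the settings listed above, as an added example rather than the original post's configuration. The directives are those of Apache's mod_authnz_ldap; the DC1.dean.local host name, the LDAPS port, the svc-puppet-ldap bind account and the password placeholder are assumptions, as is the Include line sitting inside the block that protects the console.

```apache
# Added example, not the original post's file. Assumed values are marked.
AuthName "Puppet Enterprise Console"
AuthType Basic
AuthBasicProvider ldap

# Search base is the one from the post; the host FQDN and LDAPS on 636 are assumptions.
# LDAPS encrypts the user's password and the bind password between pe-httpd and
# the domain controller. The DC's CA certificate must be trusted by mod_ldap
# (LDAPTrustedGlobalCert, set in the main server config, not in this file).
AuthLDAPURL "ldaps://DC1.dean.local:636/OU=Users,DC=dean,DC=local?sAMAccountName?sub?(objectClass=user)"

# Binding credentials, most AD doesn't allow anon binding.
# Hypothetical low-privilege service account; replace the placeholder password.
AuthLDAPBindDN "CN=svc-puppet-ldap,OU=Users,DC=dean,DC=local"
AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"

# AD lists group members as full DNs in the group's "member" attribute.
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on

# Requires that the user is a member of the specified security group
require ldap-group CN=PuppetConsole-Allow,DC=dean,DC=local
```

Because this file holds a bind password, restrict read access on it to the accounts that need it, and give the bind account no rights beyond reading the directory.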
3 thoughts on “Enabling Active Directory authentication for Puppet Console Authentication”
Everyone that logs in now with AD has full access; how do I make a group for admins; and a group for read only’s???
Which Puppet version is this???