To configure Pluggable Authentication Modules (PAM) on the host operating system to authenticate users against LDAP in MCP, create a separate file for this definition in your cluster model and include it on all nodes where you want to enable this authentication method.
In this section, the ldap.yml file is used as an example.
To enable PAM authentication:
Open the Git project repository with your cluster model.
Create the cluster/<cluster_name>/infra/auth/ldap.yml file.
Create a configuration for your LDAP server in this file. Note that bindpw is committed to the cluster model in cleartext and that a plain ldap:// URI sends the bind credentials and the lookups unencrypted, so restrict who can read the repository and use ldaps:// where your LDAP server supports it.
Example:
  parameters:
    linux:
      system:
        auth:
          enabled: true
          ldap:
            enabled: true
            binddn: CN=<UserName>,OU=<OU-name>,DC=<DomainName>,DC=<DomainExtension>
            bindpw: <Password>
            uri: ldap://<LDAP URL>
            base: DC=<DomainName>,DC=<DomainExtension>
            ldap_version: 3
            pagesize: 1000
            referrals: "off"
            # You can also set up grouping, mapping, and filtering using the parameters below.
            filter:
              passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
              shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
              group: (&(objectClass=group)(gidNumber=*))
            map:
              passwd:
                uid: sAMAccountName
                homeDirectory: unixHomeDirectory
                gecos: displayName
                loginShell: '"/bin/bash"'
              shadow:
                uid: sAMAccountName
                shadowLastChange: pwdLastSet
In cluster/<cluster_name>/openstack/cluster.yml, add the previously created class at the bottom of the classes section:
  classes:
    ...
    - cluster.<cluster_name>.infra.auth.ldap
    - cluster.<cluster_name>
  parameters:
    ...
From the Salt Master node, apply the linux.system state to the target nodes:
  salt '<target_node>*' state.sls linux.system
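The filter and map parameters in ldap.yml are handed to nslcd, which evaluates the filter against each directory entry and builds the passwd record from the mapped attributes. The following Python script is an added example, not code from the MCP documentation or from the salt-formula-linux project: it models that step offline with a minimal RFC 4515 filter evaluator, using the page's own passwd filter and map over constructed sample entries with an assumed AD-style schema, so you can see which accounts would become Unix users and which are rejected because they lack uidNumber or unixHomeDirectory. It supports only the and/or/not, equality and presence items that the page's filters use, and does not handle RFC 4515 value escapes or the bind and TLS side of the connection.

```python
"""Model of nslcd's passwd filter and attribute map (added example,
not MCP or salt-formula-linux code). Entries below are constructed."""

# Filter and map copied from the ldap.yml example on the page.
PASSWD_FILTER = "(&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))"
PASSWD_MAP = {
    "uid": "sAMAccountName",
    "homeDirectory": "unixHomeDirectory",
    "gecos": "displayName",
    # nslcd treats a double-quoted map expression as a literal string,
    # which is why the YAML value is quoted twice.
    "loginShell": '"/bin/bash"',
}

# Constructed sample directory entries, AD-style schema assumed (not real data).
ENTRIES = [
    {   # POSIX-enabled account: should appear in passwd.
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["alice"],
        "uidNumber": ["10001"],
        "gidNumber": ["10000"],
        "unixHomeDirectory": ["/home/alice"],
        "displayName": ["Alice Example"],
    },
    {   # Account without uidNumber/unixHomeDirectory: the filter must
        # reject it, so it never becomes a Unix user on the node.
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["bob"],
        "displayName": ["Bob Example"],
    },
    {   # Group object: wrong objectClass for the passwd map.
        "objectClass": ["top", "group"],
        "sAMAccountName": ["admins"],
        "gidNumber": ["10000"],
    },
]


def lookup(entry, attr):
    """LDAP attribute names are case-insensitive; return the value list or []."""
    for key, values in entry.items():
        if key.lower() == attr.lower():
            return values
    return []


def parse_filter(text):
    """Parse an RFC 4515 filter into a tuple tree:
    ('&', [...]) / ('|', [...]) / ('!', node) / ('=', attr, value)."""
    def expect_close(i):
        if text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return i + 1

    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if text[i] in "&|":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            return (op, children), expect_close(i)
        if text[i] == "!":
            node, i = parse(i + 1)
            return ("!", node), expect_close(i)
        end = text.index(")", i)
        attr, sep, value = text[i:end].partition("=")
        if not sep:
            raise ValueError(f"unsupported filter item {text[i:end]!r}")
        return ("=", attr, value), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = lookup(entry, attr)
    if value == "*":                      # presence filter (attr=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def map_passwd(entry):
    """Apply the passwd map; a double-quoted expression is a literal.
    Attributes missing from the entry become empty fields here."""
    mapped = {}
    for field, expr in PASSWD_MAP.items():
        if len(expr) >= 2 and expr[0] == expr[-1] == '"':
            mapped[field] = expr[1:-1]
        else:
            mapped[field] = (lookup(entry, expr) or [""])[0]
    # Fields without a map entry keep their default attribute names.
    mapped["uidNumber"] = (lookup(entry, "uidNumber") or [""])[0]
    mapped["gidNumber"] = (lookup(entry, "gidNumber") or [""])[0]
    return mapped


def resolve_passwd(entries, filter_text=PASSWD_FILTER):
    """Return the passwd(5) lines for entries that pass the filter."""
    node = parse_filter(filter_text)
    lines = []
    for entry in entries:
        if not matches(node, entry):
            continue
        m = map_passwd(entry)
        lines.append(":".join([m["uid"], "x", m["uidNumber"], m["gidNumber"],
                               m["gecos"], m["homeDirectory"], m["loginShell"]]))
    return lines


if __name__ == "__main__":
    for line in resolve_passwd(ENTRIES):
        print(line)
```

Run it after changing a filter to confirm that accounts without POSIX attributes (bob above) stay out of passwd while group objects never match the passwd map; on a node where the state has been applied, getent passwd <user> shows the line nslcd actually serves for comparison.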