Configure LDAP with host OS

To configure the pluggable authentication module (PAM) on a host operating system to support LDAP authentication in MCP, you must create a separate file for this definition in your cluster model and add it to all the nodes where you want to enable this authentication method.

In this section, the ldap.yml file is used as an example.

To enable PAM authentication:

  1. Open the Git project repository with your cluster model.

  2. Create the cluster/<cluster_name>/infra/auth/ldap.yml file.

  3. Create a configuration for your LDAP server in this file.

    Example:

    parameters:
      linux:
        system:
          auth:
            enabled: true
            ldap:
              enabled: true
              binddn: CN=<UserName>,OU=<OU-name>,DC=<DomainName>,DC=<DomainExtension>
              bindpw: <Password>
              uri: ldap://<LDAP URL>
              base: DC=<DomainName>,DC=<DomainExtension>
              ldap_version: 3
              pagesize: 1000
              referrals: "off"
              # You can also set up grouping, mapping, and filtering using these parameters.
              filter:
                passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
                shadow: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*))
                group:  (&(objectClass=group)(gidNumber=*))
              map:
                passwd:
                  uid: sAMAccountName
                  homeDirectory: unixHomeDirectory
                  gecos: displayName
                  loginShell: '"/bin/bash"'
                shadow:
                  uid: sAMAccountName
                  shadowLastChange: pwdLastSet
    
  4. In cluster/<cluster_name>/openstack/cluster.yml, add the previously created class to the bottom of the classes section:

    classes:
      ...
      - cluster.<cluster_name>.infra.auth.ldap
      - cluster.<cluster_name>
    parameters:
      ...
    
  5. Enforce the linux.system update:

    salt '<target_node>*' state.sls linux.system
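
A check to run on the ldap.yml file from step 3 before committing it, as an added example that is not part of the MCP documentation or tooling: it flags an ldap:// URI, a bind password stored as a literal in the Git model, and filters with unbalanced parentheses. The function names, the sample values, and the choice to accept a reclass `${...}` reference for bindpw are assumptions of this example.

```python
import re

# Constructed sample in the layout of the ldap.yml above; all values are made up.
SAMPLE = """\
parameters:
  linux:
    system:
      auth:
        ldap:
          binddn: CN=svc-bind,OU=Service,DC=example,DC=org
          bindpw: S3cret-constructed
          uri: ldap://ldap.example.org
          filter:
            passwd: (&(&(objectClass=person)(uidNumber=*))(unixHomeDirectory=*)
            group:  (&(objectClass=group)(gidNumber=*))
"""

# Line-based "key: value" match; enough for this layout, not a YAML parser.
KEY_VALUE = re.compile(r"^\s*([A-Za-z_]+):\s*(\S.*?)\s*$")

def balanced(ldap_filter):
    """True if every '(' in an LDAP filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def lint_ldap_model(text):
    """Return (line_number, message) findings for one ldap.yml model file."""
    findings = []
    for num, line in enumerate(text.splitlines(), start=1):
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip("'\"")
        if key == "uri" and value.lower().startswith("ldap://"):
            findings.append((num, "uri is ldap://: traffic is cleartext unless StartTLS is enforced"))
        # Assumption: a reclass ${...} reference means the secret is defined elsewhere.
        elif key == "bindpw" and not value.startswith("${"):
            findings.append((num, "bindpw is a literal committed with the model"))
        elif value.startswith("(") and not balanced(value):
            findings.append((num, f"unbalanced parentheses in {key} filter"))
    return findings

if __name__ == "__main__":
    for num, message in lint_ldap_model(SAMPLE):
        print(f"ldap.yml:{num}: {message}")
```
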