+++ title = "Active Directory and LDAP" draft = false
aliases = ["/server_ldap.html", "/install_server_post.html"]
[menu] [menu.docs] title = "Active Directory & LDAP" identifier = "chef_infra/managing_chef_infra_server/server_ldap.md Active Directory & LDAP" parent = "chef_infra/managing_chef_infra_server" weight = 50 +++
The Chef Infra Server supports Active Directory and LDAP authentication, which enables users to log in to the Chef Infra Server using their corporate credentials.
The Chef Infra Server supports using Active Directory or LDAP for any user that has an email address in the LDAP directory. This allows those users to log in to the Chef Infra Server by using their corporate credentials instead of having a separate username and password.
{{< warning >}}
The following attributes MUST be in the user LDAP record:
mail:sAMAccountName:oruid:
The following attributes SHOULD be in the user LDAP record:
displayname:givenname:sn:c:l:
{{< /warning >}}
To configure the Chef Infra Server to use Active Directory or LDAP do the following:
-
Install the Chef management console (if it is not already).
-
Add the following settings to the
/etc/opscode/chef-server.rbfile. These settings must be added to thechef-server.rbfile on each machine in the Chef Infra Server frontend deployment of a High Availability installation as well as on Chef servers in a standalone installation.{{< shortcode_indent shortcode="config_rb_server_settings_ldap" >}}
{{< note spaces=4 >}}
If the chef-server.rb file does not exist, create a file called
chef-server.rband put it in the/etc/opscode/directory.{{< /note >}}
-
{{< shortcode_indent shortcode="install_chef_server_reconfigure" >}}
At this point, all users should be able to use their Active Directory or LDAP usernames and passwords to log in to the Chef Infra Server.
Use ldapsearch to test the ability of the Chef Infra Server to use
Active Directory or LDAP. First, translate the Chef Infra Server LDAP
settings into ldapsearch parameters:
| Chef Infra Server Setting | ldapsearch Parameter |
|---|---|
ldap['host'] and ldap['port'] |
-H [HOST:PORT] |
ldap['bind_dn'] |
-D [BIND_DN] |
ldap['bind_password'] |
-W; ldapsearch will prompt for this parameter |
ldap['base_dn'] |
-b [BASE_DN] |
ldap['login_attribute'] |
Defaults to SAMAccountName |
And then from a front end machine (in a high availability or tiered configuration) or from the Chef Infra Server in a standalone configuration, run the following command. Be sure to replace the uppercase placeholders with the values for your organization:
ldapsearch -LLL -H ldap://HOST:PORT -b 'BASE_DN' -D 'BIND_DN' -W '(LOGIN_ATTRIBUTE=YOUR_LDAP_ACCOUNT_USERNAME)'For example:
ldapsearch -LLL -H ldap://win-ad1.chef.co:389 -b 'OU=Employees,OU=Domain users,DC=opscodecorp,DC=com' -D 'CN=Robert Forster,OU=Employees,OU=Domain users,DC=opscodecorp,DC=com' -W '(sAMAccountName=rforster)'Output similar to the following is returned:
ldapsearch -LLL -H ldap://win-ad1.chef.co:389 -b 'OU=Employees,OU=Domain users,DC=opscodecorp,DC=com' -D 'CN=Robert Forster,OU=Employees,OU=Domain users,DC=opscodecorp,DC=com' -W '(sAMAccountName=rforster)'
Enter LDAP Password:
dn: CN=Robert Forster,OU=Employees,OU=Domain users,DC=opscodecorp,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Robert Forster
sn: Forster
c: 0
givenName: Robert
distinguishedName: CN=Robert Forster,OU=Employees,OU=Domain users,DC=opscodecorp,DC
=com{{< note >}}
The ldapsearch command may need to be installed on the platform. It is
not included as part of the Chef Infra Server package.
{{< /note >}}