1.0 Introduction
The purpose of this article is to describe the procedure to set up LDAP or Active Directory (AD) authentication on the Sensu server. By connecting Sensu with LDAP/AD, you can use your existing directory users and groups for login and access.
2.0 Terminology References
AD - Active Directory
LDAP - Lightweight Directory Access Protocol
API - Application Programming Interface
3.0 Configure AD or LDAP Authentication
This section describes the procedure to configure AD or LDAP authentication on the Sensu server.
Perform the following steps:
Run the following command to create a YAML file for the AD configuration on the Sensu server:
vi ad.yml
Add the following content to the file (update placeholders with your environment details):
type: ad
api_version: authentication/v2
metadata:
  name: ActiveDirectory
spec:
  groups_prefix: ad
  servers:
  - binding:
      password: <bind account password>
      user_dn: cn=<bindaccount>,ou=<group>,dc=<domain>,dc=com
    default_upn_domain: <domain.com>
    include_nested_groups: true
    host: <domain controller FQDN>
    # insecure: true skips verification of the domain controller's certificate,
    # so trusted_ca_file below is not enforced; set it to false once the CA file is in place
    insecure: true
    port: 636
    security: tls
    trusted_ca_file: /etc/ssl/certs/downstairs-root-ca.pem
    user_search:
      attribute: sAMAccountName
      base_dn: <DN for root of search>
      name_attribute: displayName
      object_class: user
    group_search:
      attribute: member
      base_dn: ou=groups,dc=downstairs,dc=com
      name_attribute: cn
      object_class: group
  username_prefix: ad
Run the following command to create the authentication (auth) resource defined in the ad.yml file on the Sensu server:
sensuctl create --file /location/ad.yml
Run the following command to verify that the auth resource was created successfully:
sensuctl auth list
Log in with a user account that is within the search root.
The user will be able to log in, but will not see any namespaces or other resources until roles are assigned.
Run sensu-backend without systemd to monitor interactions in real time, or troubleshoot by checking the logs with the following command:
journalctl -xe | grep sensu
Run the following command to create a resource role that determines permissions:
sensuctl role create djuser --namespace sdkms --resource=checks,entities,events --verb=get,list
Run the following command to create a role binding between an AD group and the role:
sensuctl role-binding create djuser --role=djuser --group=ad:sensu --namespace sdkms
Run the following command to list the roles:
sensuctl role list
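Before creating the auth resource, it is worth checking the ad.yml for settings that weaken the connection to the domain controller (the insecure flag, a non-TLS transport, a missing bind account) and confirming that the group named in the role binding (ad:sensu above) actually carries the groups_prefix the provider adds. The audit below is an added example, not part of the original article or of Sensu itself; it takes the resource already parsed into a dict (for instance with yaml.safe_load) and uses constructed placeholder values for host and DNs.

```python
"""Audit a parsed Sensu AD auth provider resource for weak settings (added example)."""
from typing import Dict, List

# Constructed sample mirroring the article's ad.yml; host and DNs are placeholders.
SAMPLE_AD_CONFIG: Dict = {
    "type": "ad",
    "api_version": "authentication/v2",
    "metadata": {"name": "ActiveDirectory"},
    "spec": {
        "groups_prefix": "ad",
        "username_prefix": "ad",
        "servers": [{
            "host": "dc01.example.com",
            "port": 636,
            "security": "tls",
            "insecure": True,  # as in the article; flagged below
            "trusted_ca_file": "/etc/ssl/certs/downstairs-root-ca.pem",
            "binding": {"user_dn": "cn=svc-sensu,ou=service,dc=example,dc=com",
                        "password": "REDACTED"},
            "user_search": {"base_dn": "dc=example,dc=com", "attribute": "sAMAccountName"},
            "group_search": {"base_dn": "ou=groups,dc=example,dc=com", "attribute": "member"},
        }],
    },
}

def audit_server(server: Dict) -> List[str]:
    """Return findings for one entry of spec.servers; an empty list means nothing flagged."""
    findings: List[str] = []
    sec = server.get("security", "none")
    if sec not in ("tls", "starttls"):
        findings.append("bind credentials and user passwords travel in cleartext (security is not tls/starttls)")
    if server.get("insecure"):
        findings.append("insecure: true skips certificate verification, so trusted_ca_file is not enforced")
    if sec == "tls" and server.get("port") != 636:
        findings.append("security: tls on a non-636 port; confirm the listener really speaks LDAPS")
    if sec in ("tls", "starttls") and not server.get("trusted_ca_file"):
        findings.append("no trusted_ca_file; server identity relies on the system CA store")
    if not server.get("binding", {}).get("user_dn"):
        findings.append("no bind account; anonymous search exposes directory contents")
    return findings

def audit_provider(cfg: Dict) -> List[str]:
    """Audit every server in the provider resource, prefixing findings with the server index."""
    return [f"servers[{i}]: {f}"
            for i, srv in enumerate(cfg["spec"].get("servers", []))
            for f in audit_server(srv)]

def role_binding_group_resolves(cfg: Dict, group_ref: str) -> bool:
    """True if a sensuctl role-binding --group value can match groups from this provider:
    Sensu exposes directory groups as '<groups_prefix>:<group>' (e.g. ad:sensu)."""
    prefix = cfg["spec"].get("groups_prefix", "")
    expected = f"{prefix}:" if prefix else ""
    return group_ref.startswith(expected) and len(group_ref) > len(expected)
```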