Fortanix DSM for LDAP Authentication on Sensu Server


1.0 Introduction

The purpose of this article is to describe the procedure to set up LDAP or Active Directory (AD) authentication on the Sensu server. By connecting Sensu with LDAP/AD, you can use your existing directory users and groups for login and access.

2.0 Terminology References

  • AD - Active Directory

  • LDAP - Lightweight Directory Access Protocol

  • API - Application Programming Interface

3.0 Configure AD or LDAP Authentication

This section describes the procedure to configure AD or LDAP authentication on the Sensu server.

Perform the following steps:

  1. Run the following command to create a YAML file for the AD configuration on the Sensu server:

    vi ad.yml

    Add the following content to the file (update placeholders with your environment details):

    type: ad
    api_version: authentication/v2
    metadata:
      name: ActiveDirectory
    spec:
      groups_prefix: ad
      servers:
      - binding:
          password: <bind account password>
          user_dn: cn=<bindaccount>,ou=<group>,dc=<domain>,dc=com
        default_upn_domain: <domain.com>
        include_nested_groups: true
        host: <domain controller FQDN>
        insecure: true
        port: 636
        security: tls
        trusted_ca_file: /etc/ssl/certs/downstairs-root-ca.pem
        user_search:
          attribute: sAMAccountName
          base_dn: <DN for root of search>
          name_attribute: displayName
          object_class: user
        group_search:
          attribute: member
          base_dn: ou=groups,dc=downstairs,dc=com
          name_attribute: cn
          object_class: group
      username_prefix: ad

  2. Run the following command to create the authentication (auth) resource defined in the ad.yml file on the Sensu server:

    sensuctl create --file /location/ad.yml

  3. Run the following command to verify that the auth resource was created successfully:

    sensuctl auth list

    Then test the new auth provider:

      • Log in with a user account that is within the search root (the base_dn of user_search).

      • The user will be able to log in, but will not see any namespaces or other resources until roles are assigned.

  4. To monitor interactions in real time, you can run sensu-backend in the foreground without systemd; alternatively, troubleshoot by checking the journal logs with the following command:

    journalctl -xe | grep sensu

  5. Run the following command to create a resource role that determines permissions:

    sensuctl role create djuser --namespace sdkms --resource=checks,entities,events --verb=get,list

  6. Run the following command to create a role binding between an AD group and the role:

    sensuctl role-binding create djuser --role=djuser --group=ad:sensu --namespace sdkms

  7. Run the following command to list the roles:

    sensuctl role list
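Before running step 2, it is worth catching three things in the ad.yml from step 1: leftover angle-bracket placeholders, a world-readable file that holds the bind account password, and the template's insecure: true (in Sensu this skips certificate verification of the domain controller even though security: tls is set, so it belongs in a lab, not in production). The pre-flight script below is an added example, not part of the original article or of Sensu or Fortanix tooling; it assumes the YAML layout shown in step 1 and a POSIX shell with grep and sed.

```shell
#!/bin/sh
# Pre-flight check for a Sensu AD/LDAP auth resource file before `sensuctl create --file`.
# Added example; not from the original article, Sensu or Fortanix.
# Assumes the YAML layout of step 1 and the Sensu meaning of the `insecure` key
# (true = skip TLS certificate verification of the domain controller).

# check_ad_config FILE -> exit 0 if clean, 1 if any problem was found (details on stderr)
check_ad_config() {
    file="$1"
    problems=0
    [ -r "$file" ] || { echo "ERROR: cannot read $file" >&2; return 1; }

    # 1. Unfilled <placeholders> from the template must never reach the server.
    if grep -nE '<[^>]+>' "$file" >&2; then
        echo "ERROR: unreplaced placeholders listed above" >&2
        problems=$((problems + 1))
    fi

    # 2. The template ships with insecure: true next to security: tls; that combination
    #    encrypts the session but accepts any certificate, so the bind password could be
    #    sent to a server impersonating the DC. Treat it as a finding, not a default.
    if grep -qE '^[[:space:]]*insecure:[[:space:]]*true' "$file"; then
        echo "WARN: insecure: true disables certificate verification of the DC" >&2
        problems=$((problems + 1))
    fi

    # 3. With security: tls, trusted_ca_file must be set and readable by sensu-backend.
    if grep -qE '^[[:space:]]*security:[[:space:]]*tls' "$file"; then
        ca=$(sed -n 's/^[[:space:]]*trusted_ca_file:[[:space:]]*//p' "$file" \
             | head -n 1 | sed 's/[[:space:]]*$//')
        if [ -z "$ca" ]; then
            echo "ERROR: security: tls set but no trusted_ca_file given" >&2
            problems=$((problems + 1))
        elif [ ! -r "$ca" ]; then
            echo "ERROR: trusted_ca_file not readable: $ca" >&2
            problems=$((problems + 1))
        fi
    fi

    # 4. The file stores the bind account password in clear text; column 8 of `ls -l`
    #    is the world-readable bit, so anything other than '-' there is a finding.
    if [ "$(ls -l "$file" | cut -c8)" = "r" ]; then
        echo "ERROR: $file is world-readable but contains the bind password" >&2
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}
```

Run it as check_ad_config /location/ad.yml and only proceed to sensuctl create when it exits 0.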