Requiring full UPN to log in via Active Directory credentials

Hi all,

We’re currently setting up LDAP integration with AD for user logins to view/edit and manage Sensu Web. One of the issues we’ve run into is that we cannot seem to require full UPN to log in. This is an issue as we have multiple domains that will need access here. From what I can read in the docs, this doesn’t seem possible. Is that true or have I missed something here?

  1. We’ve attempted changing the “attributes” tag to userPrincipalname, but that doesn’t seem to need to include the domain piece. I can’t see an option to include it anywhere.
  2. We’re running Sensu built by the Sensu\Sensu-Puppet module, which has worked flawlessly 95% of the time. It is running on an Ubuntu 18.04 box.
  3. No GitHub issue is currently present.
1 Like

Hey,

First question: are you using the Sensu auth ldap provider or the ad provider? The ad provider has a configuration option specifically to enable a UPN domain, default_upn_domain:
https://docs.sensu.io/sensu-go/latest/operations/control-access/auth/#ad-spec-attributes

It might be as simple as changing to using the ad provider and using that configuration option.

Hey,

Unfortunately we do have default_upn_domain set, but when signing in with the full UPN (i.e. entering the username as first.last@example.com) the logon fails; it only accepts first.last.

Hmm you are probably going to need to turn on debugging log output and look at the messages to determine what is failing.

Ref:
https://docs.sensu.io/sensu-go/latest/operations/control-access/auth/#ldap-troubleshooting

Enabling the default UPN option only changes how the ldap bind operation works, which is used to test the password. The ldap user and group searches still need to be valid though, depending…

So depending on the error you are getting in the sensu backend logs, there is either a problem with

  1. establishing the connection with the server:
     log messages like “failed to connect to LDAP server:…”

  2. the UPN-enabled bind operation:
     log messages like “failed to bind to LDAP server:…”

  3. the username search:
     log messages like “failed to search for user in LDAP:…” or “failed to search for user’s groups in LDAP:…”

  4. the UPN-enabled bind operation to establish validity of the searched user:
     log messages like “failed to bind with userdn:…”

If you can get the unix/linux cmdline ldapsearch tool to do a user lookup query using the UPN styled binding then we should be able to sort this out in Sensu’s configuration.

It’s not just the binding, but the search query to refind the username and groups still needs to be valid.

“invalid username and/or password” is the error I get in the logs when I try to log in with first.last@example.com, but it allows me in with first.last and doesn’t throw a message into the logs, if that helps?

What version of sensu-backend is this?

Okay, I fixed it. So, so sorry for wasting time.

For future reference, it was Sensu Go

I had the attribute set to displayName all along, when it should have been set to UserPrincipalName. Looks as though it was working as intended. I just thought setting the name_attribute to UserPrincipalName was the thing that needed to be changed, and that the attribute piece was used for group searches, but that was definitely wrong.

Ah, good.
Hmm, maybe we need to enhance the documentation around name_attribute to make it clearer how the name_attribute is used with Sensu RBAC.

The key here is that Sensu constructs a username from the ldap name_attribute and username_prefix,
of the form <username_prefix>:<name_attribute>, and this is what is used in Sensu’s internal RBAC rolebinding subjects.

1 Like
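The following is an added illustration, not Sensu's code and not posted by anyone in the thread. It models the four-step flow from the troubleshooting reply (connect, UPN bind, user search, group search) and the final reply's <username_prefix>:<name_attribute> subject construction, with a made-up in-memory directory, made-up passwords, and a config dict whose keys mirror the ones named in the thread (default_upn_domain, user_search.attribute, user_search.name_attribute, username_prefix). The exact search filter shape, the group_search keys and the groups_prefix key are assumptions about how such a provider behaves, not a description of Sensu internals. BROKEN mirrors the poster's original config (search keyed on displayName) and FIXED the corrected one (search and name both keyed on userPrincipalName), so you can see why the short login still worked while the full UPN failed, and why a second domain works once the UPN is the search key.

```python
"""
Constructed model of an AD-style auth provider: UPN bind, user search on
`attribute`, group search, then subject = <username_prefix>:<name_attribute>.
Added example, not Sensu's code; every entry, password and value is made up.
"""

# Constructed directory: two users in different domains plus one group.
DIRECTORY = {
    "CN=Jane Doe,OU=Users,DC=example,DC=com": {
        "objectClass": ["person"],
        "sAMAccountName": ["jane.doe"],
        "userPrincipalName": ["jane.doe@example.com"],
        "displayName": ["jane.doe"],  # deliberately equal to the short login
    },
    "CN=Bob Roe,OU=Users,DC=corp,DC=example,DC=net": {
        "objectClass": ["person"],
        "sAMAccountName": ["bob.roe"],
        "userPrincipalName": ["bob.roe@corp.example.net"],
        "displayName": ["Bob Roe"],
    },
    "CN=sensu-admins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "cn": ["sensu-admins"],
        "member": [
            "CN=Jane Doe,OU=Users,DC=example,DC=com",
            "CN=Bob Roe,OU=Users,DC=corp,DC=example,DC=net",
        ],
    },
}

# Constructed credentials keyed by full UPN, because the bind uses the UPN.
PASSWORDS = {"jane.doe@example.com": "s3cret", "bob.roe@corp.example.net": "hunter2"}


class AuthError(Exception):
    """Carries a message shaped like the log lines discussed in the thread."""


def bind(login, password, default_upn_domain):
    """UPN bind: a login without '@' gets default_upn_domain appended (assumed)."""
    upn = login if "@" in login else f"{login}@{default_upn_domain}"
    if PASSWORDS.get(upn) != password:
        raise AuthError("failed to bind to LDAP server: invalid credentials")
    return upn


def search(object_class, attribute, value):
    """Equality search modelled on (&(objectClass=<object_class>)(<attribute>=<value>))."""
    return [(dn, e) for dn, e in DIRECTORY.items()
            if object_class in e.get("objectClass", []) and value in e.get(attribute, [])]


def authenticate(login, password, config):
    """Full flow; returns the RBAC subject and group subjects on success."""
    bind(login, password, config["default_upn_domain"])
    us = config["user_search"]
    # The typed login is compared against user_search.attribute, not name_attribute.
    users = search(us["object_class"], us["attribute"], login)
    if len(users) != 1:
        raise AuthError(f"failed to search for user in LDAP: ({us['attribute']}={login}) "
                        f"matched {len(users)} entries")
    user_dn, entry = users[0]
    gs = config["group_search"]
    groups = search(gs["object_class"], gs["attribute"], user_dn)
    # name_attribute only decides what the resulting RBAC subject is called.
    name = entry[us["name_attribute"]][0]
    return {
        "subject": f"{config['username_prefix']}:{name}",
        "groups": [f"{config['groups_prefix']}:{g[gs['name_attribute']][0]}" for _, g in groups],
    }


def make_config(user_attribute, user_name_attribute):
    """Config dict; key names mirror the thread, values are constructed."""
    return {
        "default_upn_domain": "example.com",
        "username_prefix": "ad",
        "groups_prefix": "ad",
        "user_search": {"object_class": "person", "attribute": user_attribute,
                        "name_attribute": user_name_attribute},
        "group_search": {"object_class": "group", "attribute": "member", "name_attribute": "cn"},
    }


# As the poster first had it: the search key is displayName.
BROKEN = make_config("displayName", "userPrincipalName")
# Corrected: search and name both keyed on the UPN, so full UPN is required.
FIXED = make_config("userPrincipalName", "userPrincipalName")


if __name__ == "__main__":
    attempts = (("jane.doe", "s3cret"), ("jane.doe@example.com", "s3cret"),
                ("bob.roe@corp.example.net", "hunter2"))
    for cfg_name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        for login, pw in attempts:
            try:
                print(cfg_name, login, "->", authenticate(login, pw, cfg))
            except AuthError as err:
                print(cfg_name, login, "->", err)
```

With BROKEN, "jane.doe" gets in (bind appends the default domain, and displayName happens to equal the short login) while "jane.doe@example.com" passes the bind but fails the user search; with FIXED, only full UPNs match, and bob.roe in the second domain works because his typed UPN is used as-is for the bind and the search.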