Sensu AD configuration

vanilla1 · June 15, 2021, 3:30am

Hello, I followed all the links to try to get SENSU GO working with AD but Cant seem to get it to work.

My authentication provider is as following:
{
“type”: “ad”,
“api_version”: “authentication/v2”,
“spec”: {
“servers”: [
{
“host”: “ad.company.org”,
“binding”: {
“user_dn”: “cn=binder,cn=users,dc=company,dc=org”,
“password”: “YOUR_PASSWORD”
},
“group_search”: {
“base_dn”: “cn=admins, dc=company, dc=org”,
“attribute”: “member”,
“name_attribute”: “cn”,
“object_class”: “memberOf”
},
“user_search”: {
“base_dn”: “dc=company,dc=org”,
“attribute”: “sAMAccountName”,
“name_attribute”: “displayName”,
“object_class”: “person”
}
}
],
“groups_prefix”: “ad”,
},
“metadata”: {
“name”: “ad”
}
}

I am then able to authenticate but have zero access to any namespaces. I currently have 5 namespaces that I set up with the default admin user.

I set up the cluster role with the following configuration:

{
“type”: “ClusterRole”,
“api_version”: “core/v2”,
“metadata”: {
“name”: “default-admin”
},
“spec”: {
“rules”: [
{
“resource_names”: ,
“resources”: [
“assets”, “checks”, “entities”, “events”, “filters”, “handlers”,
“hooks”, “mutators”, “rolebindings”, “roles”, “silenced”,
“cluster”, “clusterrolebindings”, “clusterroles”,
“namespaces”, “users”, “authproviders”, “license”
],
“verbs”: [“get”, “list”, “create”, “update”, “delete”]
}
]
}
}

and my cluster role binding with the following configs:

{
“type”: “ClusterRoleBinding”,
“api_version”: “core/v2”,
“metadata”: {
“name”: “default-admin”
},
“spec”: {
“role_ref”: {
“name”: “default-admin”,
“type”: “ClusterRole”
},
“subjects”: [
{
“name”: “admins”,
“type”: “ad:admins”
}
]
}
}
Please help!! I have been trying for a few days and unable to get anywhere. I get authenticated and dont see unauthorized messages in the logs however i still zeros everywhere with no namespaces.

jspaleta · June 15, 2021, 2:36pm

Hey,
First the good news you’re able to authenticate, so I’m pretty sure your AD authentication provider is working. That’s the hard part.

I definitely see at least one problem in your ClusterRoleBinding. the subjects type needs to either be User or Group
Assuming you have an AD group called “admins”
Try this:

{
  “type”: “ClusterRoleBinding”,
  “api_version”: “core/v2”,
  “metadata”: {
    “name”: “default-admin”
  },
  “spec”: {
    “role_ref”: {
      “name”: “default-admin”,
      “type”: “ClusterRole”
    },
    “subjects”: [
      {
        “name”: “ad:admins”,
        “type”: “Group”
      }
    ]
  }
}

Ref: https://docs.sensu.io/sensu-go/latest/operations/control-access/rbac/#subjects-specification

jspaleta · June 15, 2021, 2:40pm

One more thing, I can’t confirm that your group search in your AD is correct from visual inspection of the provider definition. You might need to confirm the search is working using something like the ldapsearch client to confirm the group search returns what you expect.

vanilla1 · June 16, 2021, 2:28am

actually that is what I had. I double checked and it is still not working. I also used the ldapsearch tool to make sure that is the right group

jspaleta · June 16, 2021, 3:18am

Okay,
This puts me in a difficult position.

The cluster-role-binding resource you previously passed has at least one potential error, but you said you double checked and the actual resource definition is using the correct value. Is what you pasted previously accurate? If I can’t be reasonable sure that the information you are providing is an accurate representation of the configuration (to the extent possible for security reason you have to obfuscate some information) it’s difficult to provide ideas on what needs to be corrected…

That being said…
assuming the rest of the configuration you provided earlier is accurate, i would be surprised if the group search is working correctly. “memberOf” is probably not a Object in the Active Directory flavor LDAP model. Usually AD groups have object type group and memberOf is an attribute attached to AD user objects.

If you are trying to use the memberOf attributed returned from the user search, you do not need the group search section at all. There is logic in the AD provider that will read the memberOf attribute from the user search if you do not explicitly include a group_search

There is an example of this provided here:
https://docs.sensu.io/sensu-go/latest/operations/control-access/ad-auth/#ad-configuration-examples

Use that link to AD configuration examples and search for subsection called Example AD configuration: Use memberOf attribute instead of group_search

Also as the documented example shows, if you increase the sensu-backend log level to debug you should capture messages concerning what LDAP/AD search results.

Topic		Replies	Views
Jef Practice: Troubleshooting LDAP and AD auth providers Sensu Go	0	874	June 16, 2020
Anonymous bind when using Sensu-go ldap integration Sensu Go	4	784	May 1, 2019
New sensu go installation Sensu Go	2	1114	August 24, 2021
Requiring full UPN to log in via Active Directory credentials Sensu Go sensu-go	8	427	August 18, 2020
How to monitor multiple environments in sensugo Sensu Go	7	473	September 4, 2019

Sensu AD configuration

Related topics