The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com
Active Directory Integration
Affected Puppet version: 0.24.8
Branch:
Using the LDAPNodes system with Active Directory requires extending the ADS schema. This is trivial, but managing extensions is a pain in the ass. To make things work with Active Directory’s native management tools I’ve moved to an External Nodes script. I’ve also added two plugins (all I’ve needed so far) to retrieve ADS info for my modules.
It’d be great to see Active Directory as a native node-discovery method. I am new to both Puppet and Ruby, so I have not been able to do this myself, but hopefully the work I have done will spur on some ideas.
I haven’t documented these properly and my Ruby is pretty weak, but I wanted to get them out there regardless. SSL is silently ignored at the moment.
In a nutshell, the ADSInt class wraps up ruby-ldap in a nice interface for the rest of the scripts. Searches take standard LDAP filters as arguments and, optionally, an array of attributes to be returned. By default, all attributes are returned. Like ruby-ldap, search can iterate through the results for you or return them in an array. Unlike ruby-ldap, it normalizes all hash keys to lowercase values.
node_from_ads searches Active Directory for a member of puppetGroup (I chose “PuppetClients”) and a name matching the first argument. This means that your puppet nodes need to be created as ADS users with their fqdn as their names. When it finds the node, all its LDAP attributes are stuffed into the parameters hash, and its group membership is scanned for any groups in the form “puppetclient-suffix”. suffix is added to the list of classes and everything’s dumped out in a proper YAML format. Linking classes to ADS Group membership lets you link Puppet configuration with ADS security policy.
The functions are explained below, but note that they both require the variable “ads_conf” to be defined somewhere in your Puppet config.
At the very least, I hope this will open discussion on potential ADS integration.
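The node_from_ads logic described above, written out as an added Ruby example (not the submitter's script, which is not on the page): it takes constructed in-memory entries shaped like ruby-ldap results instead of performing a live search, lowercases attribute names the way the ADSInt wrapper is said to, requires PuppetClients membership before a name match counts, and derives classes from "puppetclient-suffix" group DNs. The attribute names, group DNs and sample nodes are assumptions for illustration.

```ruby
require 'yaml'
# Constructed stand-in for an Active Directory search result: each entry is
# an attribute hash as ruby-ldap would return it (mixed-case keys, values as
# arrays). A real ENC would obtain these from an LDAP search instead.
PUPPET_GROUP = 'CN=PuppetClients,OU=Groups,DC=example,DC=com'
SAMPLE_ENTRIES = [
  { 'cn' => ['web01.example.com'],
    'memberOf' => ['CN=PuppetClients,OU=Groups,DC=example,DC=com',
                   'CN=puppetclient-webserver,OU=Groups,DC=example,DC=com',
                   'CN=puppetclient-ntp,OU=Groups,DC=example,DC=com',
                   'CN=Domain Users,CN=Users,DC=example,DC=com'],
    'description' => ['front-end web node'] },
  { 'cn' => ['db01.example.com'],
    'memberOf' => ['CN=puppetclient-postgres,OU=Groups,DC=example,DC=com'],
    'description' => ['not in PuppetClients, must not be classified'] },
]

# Normalise attribute names to lowercase, as the ADSInt wrapper does, so the
# rest of the script need not care how AD capitalises them.
def normalize(entry)
  entry.each_with_object({}) { |(k, v), h| h[k.downcase] = v }
end

# Find the entry whose name (cn) matches fqdn AND which is a member of the
# Puppet group; an arbitrary AD object with a matching name is not enough.
def find_node(entries, fqdn, puppet_group = PUPPET_GROUP)
  entries.map { |e| normalize(e) }.find do |e|
    e['cn'] == [fqdn] && (e['memberof'] || []).any? { |g| g.casecmp?(puppet_group) }
  end
end

# Turn group DNs of the form CN=puppetclient-<suffix>,... into class names.
def classes_from_groups(groups)
  groups.map { |dn| dn[/\ACN=puppetclient-([^,]+)/i, 1] }.compact
end

# Build the ENC hash: every LDAP attribute becomes a parameter, classes come
# from group membership. Returns nil when the node is not a Puppet client.
def node_from_ads(entries, fqdn)
  node = find_node(entries, fqdn)
  return nil unless node
  { 'classes' => classes_from_groups(node['memberof'] || []),
    'parameters' => node }
end

if __FILE__ == $0
  result = node_from_ads(SAMPLE_ENTRIES, ARGV.fetch(0, 'web01.example.com'))
  puts(result ? result.to_yaml : "no Puppet node found for #{ARGV[0]}")
end
```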
#1 Updated by Luke Kanies almost 6 years ago
- Category set to node
- Status changed from Unreviewed to Accepted
I like the idea of more direct integration with such a widely deployed system, but I don’t really have the time to go through these patches right now.
Anyone else using AD and interested in this integration able to test this?