The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Feature #2381

Active Directory Integration

Added by S H almost 7 years ago. Updated over 5 years ago.

Status:AcceptedStart date:07/01/2009
Priority:NormalDue date:
Assignee:-% Done:


Target version:-
Affected Puppet version:0.24.8 Branch:

We've Moved!

Ticket tracking is now hosted in JIRA:


Using the LDAPNodes system with Active Directory requires extending the ADS schema. This is trivial, but managing extensions is pain in the ass. To make things work with Active Directory’s native management tools I’ve moved to an External Nodes script. I’ve also added two plugins (all I’ve needed so far) to retrieve ADS info for my modules.

It’d be great to see Active Directory as a native node-discovery method. I new to both Puppet and Ruby so I have not been able to do this myself, but hopefully the work I have done will spur on some ideas.

I haven’t documented these properly and my Ruby is pretty weak, but I wanted to get them out there regardless. SSL is silently ignored at the moment.

In a nutshell, the ADSInt class wraps up ruby-ldap in a nice interface for the rest of the scripts. Searches take standard LDAP filters as arguments and, optionally, an array of attributes to be returned. By default, all attributes are returned. Like ruby-ldap, search can iterate through the results for you or return them in an array. Unlike ruby-ldap, it normalizes all hash keys to lowercase values.

node_from_ads searches Active Directory for a member of puppetGroup (I chose “PuppetClients”) and a name matching the first arugument. This means that your puppet nodes need to be created as ADS users with their fqdn as their names. When it finds the node, all its LDAP attributes are stuffed into the parameters hash, and its group membership is scanned for any groups in the form “puppetclient-suffix”. suffix is added to the list of classes and everything’s dumped out in a proper YAML format. Linking classes to ADS Group membership lets you link Puppet configuration with ADS security policy.

The functions are explained below, but note that they both require the variable “ads_conf” to be defined somewhere in your Puppet config.

At the very least, I hope this will open discussion on potential ADS integration.

ads-integration.rb Magnifier - Wrapper class for ruby-ldap that simplifies connecting and searching (2.96 KB) S H, 07/01/2009 05:12 pm

node_from_ads.rb Magnifier - Script called by External Nodes configuration (1.56 KB) S H, 07/01/2009 05:12 pm

ads_group_members.rb Magnifier - Puppet function for retrieving all users belonging to a specified group. Users are returned in an array of their sAMAccountNames. Does not follow group-group memberships (ie, User belongs to Group A which belongs to Group B, ads_group_members('Group B') w (1.71 KB) S H, 07/01/2009 05:12 pm

ads_get_user_attr.rb Magnifier - Puppet function for retrieving a specific user attribute. Called like: ads_get_user_attr(sAMAccountName, desiredAttribute) (1.35 KB) S H, 07/01/2009 05:12 pm

ads.conf - Config file required for things to work (387 Bytes) S H, 07/01/2009 05:12 pm


#1 Updated by Luke Kanies almost 7 years ago

  • Category set to node
  • Status changed from Unreviewed to Accepted

I like the idea of more direct integration with such a widely deployed system, but I don’t really have the time to go through these patches right now.

Anyone else using AD and interested in this integration able to test this?

Also available in: Atom PDF