RBAC for LDAP

ENTERPRISE: Role based access controls are available for Sensu Enterprise users only.

Reference Documentation

What is RBAC for LDAP?

The Sensu Enterprise Dashboard offers support for built-in Role Based Access Controls (RBAC), which depend on an external source of truth for authentication. The Sensu Enterprise Dashboard RBAC for LDAP driver adds support for using a Lightweight Directory Access Protocol (LDAP) provider (e.g. Microsoft Active Directory, OpenLDAP, etc.) for RBAC authentication.

LDAP provider compatibility

This driver is tested with Microsoft Active Directory (AD) and should be compatible with any standards-compliant LDAP provider.

RBAC for LDAP configuration

Example RBAC for LDAP definition

{
  "dashboard": {
    "host": "0.0.0.0",
    "port": 3000,
    "...": "",
    "ldap": {
      "debug": false,
      "servers": [
        {
          "server": "localhost",
          "port": 389,
          "basedn": "cn=users,dc=domain,dc=tld",
          "binduser": "cn=binder,cn=users,dc=domain,dc=tld",
          "bindpass": "secret",
          "insecure": false,
          "security": "starttls",
          "userattribute": "sAMAccountName"
        }
      ],
      "roles": [
        {
          "name": "guests",
          "members": [
            "guests_group"
          ],
          "datacenters": [
            "us-west-1"
          ],
          "subscriptions": [
            "webserver"
          ],
          "readonly": true
        },
        {
          "name": "operators",
          "members": [
            "operators_group"
          ],
          "datacenters": [],
          "subscriptions": [],
          "readonly": false
        }
      ]
    }
  }
}

NOTE: You'll notice that the example defines no attributes in dashboard.users. When using this provider, local users are not available as a fallback.

RBAC for LDAP definition specification

ldap attributes

debug
  description: Determines whether or not to output debug information about the LDAP connection. WARNING: not recommended for production use. Sensitive information, including usernames and passwords, may be written to the log files when enabled.
  required: false
  type: Boolean
  default: false
  example:
    "debug": true

servers
  description: An array of LDAP servers, each representing an LDAP directory or a Microsoft Active Directory domain controller. NOTE: each LDAP server is tried in sequence until one of them authenticates the supplied username and password or the end of the array is reached.
  required: true
  type: Array
  example:
    "servers": [
      {
        "server": "localhost",
        "port": 389,
        "basedn": "cn=users,dc=domain,dc=tld",
        "binduser": "cn=binder,cn=users,dc=domain,dc=tld",
        "bindpass": "secret",
        "insecure": false,
        "security": "starttls",
        "userattribute": "sAMAccountName"
      }
    ]

roles
  description: An array of Role definitions for LDAP groups.
  required: true
  type: Array
  example:
    "roles": [
      {
        "name": "guests",
        "members": [
          "guests_group"
        ],
        "datacenters": [
          "us-west-1"
        ],
        "subscriptions": [
          "webserver"
        ],
        "readonly": true
      },
      {
        "name": "operators",
        "members": [
          "operators_group"
        ],
        "datacenters": [],
        "subscriptions": [],
        "readonly": false
      }
    ]

servers attributes

server
  description: IP address or FQDN of the LDAP directory or the Microsoft Active Directory domain controller.
  required: true
  type: String
  example:
    "server": "localhost"

port
  description: Port of the LDAP/AD service (usually 389 or 636).
  required: true
  type: Integer
  example:
    "port": 389

dialect
  description: Which LDAP dialect to use (Microsoft Active Directory or OpenLDAP).
  required: false
  type: String
  allowed values: ad, openldap
  example:
    "dialect": "ad"

basedn
  description: Tells which part of the directory tree to search. For example, cn=users,dc=domain,dc=tld will search all users of the domain.tld directory.
  required: true
  type: String
  example:
    "basedn": "cn=users,dc=domain,dc=tld"

groupbasedn
  description: Overrides the basedn attribute for group lookups.
  required: false
  type: String
  example:
    "groupbasedn": "cn=groups,dc=domain,dc=tld"

userbasedn
  description: Overrides the basedn attribute for user lookups.
  required: false
  type: String
  example:
    "userbasedn": "cn=admins,dc=domain,dc=tld"

binduser
  description: The LDAP account that performs user lookups. We recommend using a read-only account. Use the distinguished name (DN) format, such as cn=binder,cn=users,dc=domain,dc=tld. NOTE: a binder account is not required with Active Directory, although it is highly recommended.
  required: true
  type: String
  example:
    "binduser": "cn=binder,cn=users,dc=domain,dc=tld"

bindpass
  description: The password for the binduser.
  required: true
  type: String
  example:
    "bindpass": "secret"

insecure
  description: Determines whether or not to skip SSL certificate verification (e.g. for self-signed certificates).
  required: false
  type: Boolean
  default: false
  example:
    "insecure": true

security
  description: Determines the encryption type to be used for the connection to the LDAP server.
  required: true
  type: String
  allowed values: none, starttls, or tls
  example:
    "security": "none"

userattribute
  description: The LDAP attribute used to identify an account. You should typically use sAMAccountName for Active Directory and uid for other LDAP software, such as OpenLDAP, but it may vary.
  required: false
  type: String
  default: sAMAccountName
  example:
    "userattribute": "uid"

groupmemberattribute
  description: The LDAP attribute used to identify group memberships.
  required: false
  type: String
  default: member
  example:
    "groupmemberattribute": "uniqueMember"

userobjectclass
  description: The LDAP object class used for user accounts.
  required: false
  type: String
  default: person
  example:
    "userobjectclass": "inetOrgPerson"

groupobjectclass
  description: The LDAP object class used for groups.
  required: false
  type: String
  default: groupOfNames
  example:
    "groupobjectclass": "posixGroup"
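The following is an added example, not part of the Sensu documentation or product: a small Python checker that reads a dashboard configuration shaped like the example definition above and reports the settings this specification warns about (debug logging of credentials, security set to none, insecure certificate handling, missing required server attributes, local users defined alongside the LDAP driver). The sample configuration, the severity labels, and the reading of an empty datacenters/subscriptions list as an unscoped role are the example's own assumptions.

```python
# Constructed sample modelled on the page's example definition, with the weak
# settings a reviewer should catch: debug on, security=none, insecure=true,
# and dashboard.users defined even though the LDAP driver gives no local fallback.
WEAK_CONFIG = {"dashboard": {"host": "0.0.0.0", "port": 3000,
    "users": [{"username": "admin", "password": "x"}],
    "ldap": {"debug": True,
        "servers": [{"server": "localhost", "port": 389,
            "basedn": "cn=users,dc=domain,dc=tld",
            "binduser": "cn=binder,cn=users,dc=domain,dc=tld",
            "bindpass": "secret", "insecure": True, "security": "none"}],
        "roles": [{"name": "operators", "members": ["operators_group"],
            "datacenters": [], "subscriptions": [], "readonly": False}]}}}

# Attributes the specification marks as required for each servers[] entry.
REQUIRED_SERVER_KEYS = ("server", "port", "basedn", "binduser", "bindpass", "security")

def audit_ldap_config(config):
    """Return a list of (severity, message) findings for the dashboard.ldap block."""
    findings = []
    dash = config.get("dashboard", {})
    ldap = dash.get("ldap")
    if ldap is None:
        return [("error", "dashboard.ldap block is missing")]
    if ldap.get("debug"):
        findings.append(("high", "ldap.debug is true: usernames and passwords may be written to the logs"))
    if dash.get("users"):
        findings.append(("info", "dashboard.users is ignored with the LDAP driver; there is no local fallback"))
    for i, srv in enumerate(ldap.get("servers", [])):
        tag = f"servers[{i}]"
        for key in REQUIRED_SERVER_KEYS:
            if key not in srv:
                findings.append(("error", f"{tag}: required attribute '{key}' is missing"))
        sec = srv.get("security")
        if sec not in ("none", "starttls", "tls"):
            findings.append(("error", f"{tag}: security must be none, starttls or tls"))
        elif sec == "none":
            findings.append(("high", f"{tag}: security=none sends bind and user credentials in cleartext"))
        if srv.get("insecure"):
            findings.append(("medium", f"{tag}: insecure=true skips certificate verification"))
    if not ldap.get("roles"):
        findings.append(("error", "ldap.roles is required and must not be empty"))
    for role in ldap.get("roles", []):
        # Assumption: empty datacenters/subscriptions lists leave the role unscoped.
        if not role.get("readonly") and not role.get("datacenters") and not role.get("subscriptions"):
            findings.append(("info", f"role '{role.get('name')}': read-write with no datacenter or subscription scope"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_ldap_config(WEAK_CONFIG):
        print(f"[{severity}] {message}")
```

Running it against the sample prints five findings; a definition that uses starttls or tls, leaves insecure at its default, keeps debug off and omits dashboard.users produces none.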

roles attributes

Please see the RBAC definition specification for information on how to configure RBAC roles.