RBAC for LDAP
ENTERPRISE: Role-based access controls are available to Sensu Enterprise users only.
Reference Documentation
What is RBAC for LDAP?
The Sensu Enterprise Dashboard provides built-in Role-Based Access Control (RBAC). RBAC does not store credentials itself; it relies on an external source of truth for authentication. The RBAC for LDAP driver lets the dashboard authenticate users against a Lightweight Directory Access Protocol (LDAP) directory (e.g. Microsoft Active Directory or OpenLDAP) and assign dashboard roles according to the LDAP groups those users belong to.
LDAP provider compatibility
This driver is tested with Microsoft Active Directory (AD) and should be
compatible with any standards-compliant LDAP provider.
RBAC for LDAP configuration
Example RBAC for LDAP definition
{
  "dashboard": {
    "host": "0.0.0.0",
    "port": 3000,
    "...": "",
    "ldap": {
      "debug": false,
      "servers": [
        {
          "server": "localhost",
          "port": 389,
          "basedn": "cn=users,dc=domain,dc=tld",
          "binduser": "cn=binder,cn=users,dc=domain,dc=tld",
          "bindpass": "secret",
          "insecure": false,
          "security": "starttls",
          "userattribute": "sAMAccountName"
        }
      ],
      "roles": [
        {
          "name": "guests",
          "members": [
            "guests_group"
          ],
          "datacenters": [
            "us-west-1"
          ],
          "subscriptions": [
            "webserver"
          ],
          "readonly": true
        },
        {
          "name": "operators",
          "members": [
            "operators_group"
          ],
          "datacenters": [],
          "subscriptions": [],
          "readonly": false
        }
      ]
    }
  }
}
NOTE: the example defines no attributes under dashboard.users. When the LDAP provider is configured there is no local-user fallback: every dashboard login is authenticated against the configured LDAP servers, so if none of them is reachable nobody can log in. Plan for directory outages accordingly (for example by listing more than one server).
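The following is an added example (not part of Sensu Enterprise or of this documentation) that audits a dashboard configuration of the shape shown above for the settings that weaken it: debug logging, cleartext or unverified transport, a port that does not match the chosen security mode, a binder without a password, and an unknown dialect. The check names, the severities and the second, deliberately weak configuration are this example's own assumptions; only the first configuration is taken from the page.

```python
"""Static audit of the dashboard.ldap block.

Added example, not Sensu's own code: check names, severities and the
deliberately weak second configuration are this example's assumptions.
"""
import json

VALID_SECURITY = {"none", "starttls", "tls"}
VALID_DIALECT = {"ad", "openldap"}
REQUIRED_SERVER_KEYS = ("server", "port", "basedn", "binduser", "bindpass", "security")

# The configuration shown on this page (roles omitted; they do not affect these checks).
PAGE_EXAMPLE = json.loads("""
{"dashboard": {"host": "0.0.0.0", "port": 3000,
 "ldap": {"debug": false,
  "servers": [{"server": "localhost", "port": 389,
               "basedn": "cn=users,dc=domain,dc=tld",
               "binduser": "cn=binder,cn=users,dc=domain,dc=tld",
               "bindpass": "secret", "insecure": false,
               "security": "starttls", "userattribute": "sAMAccountName"}],
  "roles": []}}}
""")

# Constructed counter-example containing the mistakes the audit is meant to catch.
WEAK_EXAMPLE = json.loads("""
{"dashboard": {"ldap": {"debug": true,
  "servers": [{"server": "dc1.domain.tld", "port": 636,
               "basedn": "dc=domain,dc=tld",
               "binduser": "cn=binder,cn=users,dc=domain,dc=tld",
               "bindpass": "", "insecure": true, "security": "none",
               "dialect": "activedirectory"}],
  "roles": []}}}
""")


def audit_ldap_config(config):
    """Return a list of (severity, message) findings for config["dashboard"]["ldap"]."""
    findings = []
    ldap = config.get("dashboard", {}).get("ldap")
    if ldap is None:
        return [("HIGH", "no dashboard.ldap block: RBAC for LDAP is not configured")]
    if ldap.get("debug") is True:
        findings.append(("HIGH", "ldap.debug is true: usernames and passwords may be written to the log"))
    servers = ldap.get("servers") or []
    if not servers:
        findings.append(("HIGH", "ldap.servers is empty: nobody can log in"))
    for i, srv in enumerate(servers):
        where = "servers[%d]" % i
        for key in REQUIRED_SERVER_KEYS:
            if key not in srv:
                findings.append(("HIGH", "%s: required attribute %r is missing" % (where, key)))
        security = srv.get("security")
        port = srv.get("port")
        if security not in VALID_SECURITY:
            findings.append(("HIGH", "%s: security must be none, starttls or tls (got %r)" % (where, security)))
        elif security == "none":
            findings.append(("HIGH", "%s: security=none sends the bind password and every user's password in cleartext" % where))
        if srv.get("insecure") is True:
            findings.append(("HIGH", "%s: insecure=true disables certificate verification, so a man-in-the-middle can capture credentials" % where))
        # Port/mode mismatches usually mean the operator believes the link is encrypted when it is not.
        if security == "tls" and port == 389:
            findings.append(("MEDIUM", "%s: security=tls (LDAPS) is normally served on 636, not 389" % where))
        if security in ("none", "starttls") and port == 636:
            findings.append(("MEDIUM", "%s: port 636 normally expects security=tls; starttls/none belong on 389" % where))
        if srv.get("binduser") and not srv.get("bindpass"):
            findings.append(("HIGH", "%s: binduser is set but bindpass is empty" % where))
        dialect = srv.get("dialect")
        if dialect is not None and dialect not in VALID_DIALECT:
            findings.append(("MEDIUM", "%s: dialect must be ad or openldap (got %r)" % (where, dialect)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("weak example", WEAK_EXAMPLE)):
        print(name)
        for severity, message in audit_ldap_config(cfg) or [("OK", "no findings")]:
            print("  [%s] %s" % (severity, message))
```

Run it against the JSON file the dashboard actually loads (json.load on the file instead of the inline strings) before every deployment; the page's own example passes cleanly, while the constructed weak configuration produces four HIGH and two MEDIUM findings.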
RBAC for LDAP definition specification
ldap
attributes
debug
    description: Determines whether to log debug information about the LDAP connection. WARNING: not recommended for production use. When enabled, sensitive information, including usernames and passwords, may be written to the log files.
    required: false
    type: Boolean
    default: false
    example: "debug": false

servers
    description: An array of LDAP servers, each representing an LDAP directory or a Microsoft Active Directory domain controller. NOTE: the servers are tried in the order listed until one of them authenticates the supplied username and password; if the end of the array is reached without a successful authentication, the login is rejected.
    required: true
    type: Array
    example:
        "servers": [
          {
            "server": "localhost",
            "port": 389,
            "basedn": "cn=users,dc=domain,dc=tld",
            "binduser": "cn=binder,cn=users,dc=domain,dc=tld",
            "bindpass": "secret",
            "insecure": false,
            "security": "starttls",
            "userattribute": "sAMAccountName"
          }
        ]

roles
    description: An array of role definitions. Each role names the LDAP groups whose members receive it (members), the datacenters and subscriptions it may see, and whether it is read-only.
    required: true
    type: Array
    example:
        "roles": [
          {
            "name": "guests",
            "members": [
              "guests_group"
            ],
            "datacenters": [
              "us-west-1"
            ],
            "subscriptions": [
              "webserver"
            ],
            "readonly": true
          },
          {
            "name": "operators",
            "members": [
              "operators_group"
            ],
            "datacenters": [],
            "subscriptions": [],
            "readonly": false
          }
        ]
servers
attributes
server
    description: IP address or FQDN of the LDAP directory or the Microsoft Active Directory domain controller. When security is starttls or tls, use the name that appears on the server's certificate so that certificate verification can succeed.
    required: true
    type: String
    example: "server": "localhost"

port
    description: Port of the LDAP/AD service: usually 389 for security none or starttls, and 636 for security tls (LDAPS).
    required: true
    type: Integer
    example: "port": 389

dialect
    description: Which LDAP dialect to use: Microsoft Active Directory (ad) or OpenLDAP (openldap).
    required: false
    type: String
    allowed values: ad, openldap
    example: "dialect": "ad"
basedn
    description: The part of the directory tree to search. For example, cn=users,dc=domain,dc=tld searches the users container of the domain.tld directory. Keep it as narrow as the deployment allows: only accounts found under this base can log in.
    required: true
    type: String
    example: "basedn": "cn=users,dc=domain,dc=tld"

groupbasedn
    description: Overrides basedn for group lookups, for directories that keep groups in a different subtree than users.
    required: false
    type: String
    example: "groupbasedn": "cn=groups,dc=domain,dc=tld"

userbasedn
    description: Overrides basedn for user lookups.
    required: false
    type: String
    example: "userbasedn": "cn=admins,dc=domain,dc=tld"
binduser
    description: The LDAP account used to search for users and their groups. Use a read-only account with no privileges beyond reading the user and group subtrees, in distinguished name (DN) format, e.g. cn=binder,cn=users,dc=domain,dc=tld. NOTE: using a binder account is not required with Active Directory, although it is highly recommended.
    required: true
    type: String
    example: "binduser": "cn=binder,cn=users,dc=domain,dc=tld"

bindpass
    description: The password for the binduser. It is stored in cleartext in the dashboard configuration, so restrict read access to that file to the account the dashboard runs as.
    required: true
    type: String
    example: "bindpass": "secret"
insecure
    description: Determines whether to skip SSL/TLS certificate verification (e.g. for self-signed certificates). Skipping verification removes most of the protection that starttls or tls provides: anyone who can intercept the connection can present their own certificate and capture the bind password and every user's password. Prefer trusting the directory's issuing CA and leaving this false.
    required: false
    type: Boolean
    default: false
    example: "insecure": false

security
    description: Determines the encryption used for the connection to the LDAP server. none sends everything, including the bind password and user passwords, in cleartext (usually port 389); starttls opens a cleartext connection (usually port 389) and upgrades it to TLS before binding; tls uses TLS from the first byte (LDAPS, usually port 636).
    required: true
    type: String
    allowed values: none, starttls, tls
    example: "security": "starttls"
userattribute
    description: The LDAP attribute used to identify an account. Typically sAMAccountName for Active Directory and uid for other LDAP servers such as OpenLDAP, but it may vary with the directory layout.
    required: false
    type: String
    default: sAMAccountName
    example: "userattribute": "uid"

groupmemberattribute
    description: The LDAP attribute of a group entry that lists the group's members.
    required: false
    type: String
    default: member
    example: "groupmemberattribute": "uniqueMember"

userobjectclass
    description: The LDAP object class of user accounts.
    required: false
    type: String
    default: person
    example: "userobjectclass": "inetOrgPerson"

groupobjectclass
    description: The LDAP object class of groups.
    required: false
    type: String
    default: groupOfNames
    example: "groupobjectclass": "posixGroup"
roles
attributes
Please see the RBAC definition specification for information on how to configure RBAC roles.
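The following added example (not the Sensu driver's own code) shows how the server attributes above and the roles list fit together during a login: the user is located by userobjectclass/userattribute under userbasedn, the password is checked by binding as that user, the user's groups are found by groupobjectclass/groupmemberattribute under groupbasedn, and the group names are matched against each role's members. The filter shapes, the in-memory directory and the split user/group base DNs are this example's assumptions; the real driver's queries may differ. It also shows why the value placed into a search filter must be escaped per RFC 4515, so that a username such as alice)(sAMAccountName=* cannot change the query.

```python
"""Login flow driven by the server attributes and the roles list.

Added example, not the Sensu driver's code: the filter shapes, the toy
in-memory directory and authenticate() are this example's assumptions.
"""
import hmac
import re

# Server definition using the attribute names from the reference above.
SERVER = {
    "server": "localhost", "port": 389, "security": "starttls", "insecure": False,
    "basedn": "dc=domain,dc=tld",
    "userbasedn": "cn=users,dc=domain,dc=tld",     # assumed layout: users here,
    "groupbasedn": "cn=groups,dc=domain,dc=tld",   # groups in a sibling subtree
    "binduser": "cn=binder,cn=users,dc=domain,dc=tld", "bindpass": "secret",
    "userattribute": "sAMAccountName", "userobjectclass": "person",
    "groupmemberattribute": "member", "groupobjectclass": "groupOfNames",
}

# Roles as defined on this page.
ROLES = [
    {"name": "guests", "members": ["guests_group"], "datacenters": ["us-west-1"],
     "subscriptions": ["webserver"], "readonly": True},
    {"name": "operators", "members": ["operators_group"], "datacenters": [],
     "subscriptions": [], "readonly": False},
]

ALICE = "cn=alice,cn=users,dc=domain,dc=tld"
BOB = "cn=bob,cn=users,dc=domain,dc=tld"

# Constructed stand-in for the directory; userPassword exists only so the
# toy "bind as user" step has something to check.
DIRECTORY = [
    {"dn": ALICE, "objectClass": ["person"], "sAMAccountName": ["alice"], "userPassword": ["alice-pw"]},
    {"dn": BOB, "objectClass": ["person"], "sAMAccountName": ["bob"], "userPassword": ["bob-pw"]},
    {"dn": "cn=guests_group,cn=groups,dc=domain,dc=tld", "objectClass": ["groupOfNames"],
     "cn": ["guests_group"], "member": [ALICE, BOB]},
    {"dn": "cn=operators_group,cn=groups,dc=domain,dc=tld", "objectClass": ["groupOfNames"],
     "cn": ["operators_group"], "member": [ALICE]},
]


def escape_filter_value(value):
    """RFC 4515 escaping: a user-supplied value can never add filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(server, username):
    return "(&(objectClass=%s)(%s=%s))" % (
        server.get("userobjectclass", "person"),
        server.get("userattribute", "sAMAccountName"),
        escape_filter_value(username))


def group_filter(server, user_dn):
    return "(&(objectClass=%s)(%s=%s))" % (
        server.get("groupobjectclass", "groupOfNames"),
        server.get("groupmemberattribute", "member"),
        escape_filter_value(user_dn))


_PAIR = re.compile(r"\((\w+)=([^()]*)\)")


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(directory, base_dn, ldap_filter):
    """Toy evaluator for the AND-of-equalities filters built above (subtree scope)."""
    wanted = [(a.lower(), _unescape(v)) for a, v in _PAIR.findall(ldap_filter)]
    hits = []
    for entry in directory:
        if not entry["dn"].lower().endswith(base_dn.lower()):
            continue
        attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
        if all(val in attrs.get(attr, []) for attr, val in wanted):
            hits.append(entry)
    return hits


def authenticate(server, roles, directory, username, password):
    """Locate the user, check the password, then resolve LDAP groups to dashboard roles."""
    users = search(directory, server.get("userbasedn", server["basedn"]), user_filter(server, username))
    if len(users) != 1:
        return None  # unknown or ambiguous account: refuse rather than guess
    user = users[0]
    # In a real driver this step is a bind as user["dn"]; the directory checks the password.
    stored = user.get("userPassword", [""])[0]
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    groups = sorted(g["cn"][0] for g in search(
        directory, server.get("groupbasedn", server["basedn"]), group_filter(server, user["dn"])))
    matched = [r["name"] for r in roles if set(r["members"]) & set(groups)]
    return {"dn": user["dn"], "groups": groups, "roles": matched}


if __name__ == "__main__":
    print(authenticate(SERVER, ROLES, DIRECTORY, "alice", "alice-pw"))
    print(user_filter(SERVER, "alice)(sAMAccountName=*"))
```

With the page's roles, alice (in both groups) receives guests and operators, bob receives only guests, and the injection-shaped username is reduced to a literal that matches no account because the parentheses and wildcard are escaped before they reach the filter.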