Chef User Authentication

Sign In with LDAP

Now we will read about signing in with Lightweight Directory Access Protocol. The user must enter their sign-in information. Chef Automate begins a sequence of operations after the user enters a username and password at the sign-in screen.

Steps of Signing in

This series of steps complete the sign-in process are:

1. Connect
2. Bind
3. User Search
4. Sign in Bind
5. Group Search

Sign In with LDAP

Chef Automate allows you to define permissions for LDAP users and groups.

Connect

Chef Automate must establish a secure TCP connection to your LDAP service. It will connect to the host specified in your TOML settings, such as:

host = "ldap.corp.com"
host = "ldap.corp.com:10636"

The TLS configuration determines whether the validity of the server's Transport Layer Security certificate is enforced. Chef Automate will not communicate with the LDAP service if an authorised certificate is not given. The CA certificate may indeed be used to validate the host's certificate.

User Search

Chef Automate will attempt to retrieve the directory name of the user trying to sign in after successfully binding.

To do so, it will search for an entry with "username_attr" equal to the username that attempted to sign in, using the configured base "base_user_search_dn."

It will obtain different properties with the identifiers "user_id_attr," "email_attr," and "user_display_name_attr" that have been configured.

Filtering Users to Sign In

You can narrow down the user search even further by passing a valid LDAP filter to "user_query_filter." As an example,

user_query_filter = "(objectClass=person)"

which will be linked one after the other using the sign-in screen's search filter based on the specified username The contents of "user_query_filter" are expanded to "(&user_query_filter_value>)" so that it can pass in multiple filters.

For example, assume you only wanted members of a specific Active Directory group to be able to sign in to Chef Automate. You could create a "user_query+filter" with various filters in that scenario.

Sign In Bind 

When the user directory entry search is finished, the LDAP connector will attempt to bind as the user entry using the given password.

For example, if the "bob:bobspassword" sign-in resulted in a successful user search, returning "cn=bob,ou=People,dc=corp,dc=com," the following things are to bind using that DN and the password "bobspassword."

Group Search

Finally, after the user has been validated, their internal record is supplemented with LDAP-provided groups. This is achieved by running another search using the identical bind DN and password used for the user search.

A basic DN must be provided, similar to a user search, and we can filter the by providing an extra filter :

base_group_search_dn = "ou=Groups,dc=corp,dc=com"
group_query_filter = "(objectClass=group)"

Knowing that your directory server's structure determines the correct setup options is vital.

The "base_group_search_dn" option is not required. Users authenticating via Microsoft Active Directory (MSAD) Lightweight Directory Access Protocol (LDAP) server will not be members of any teams if it is not given.

Configuration Overview

We may find the complete setup and more information on all Lightweight Directory Access Protocol (LDAP) configuration options.

[dex.v1.sys.connectors.ldap]  
#Setup for querying your LDAP server

ca_contents = "<your ca contents>"
 host = "<your host>"

#The DN and password you want to bind to your LDAP server for
#Chef Automate to look for users. Also, look for their organisation #membership.
bind_password = "<your bind_password>"

#When performing 'chef-automate' instructions, bind password can
#alternatively be provided via the AUTOMATE_SECRET_LDAP_PASSWORD #environment variable.
base_user_search_dn = "<this is our base user search DN>"

#User Query looks for LDAP users to authenticate for Chef Automate.
#The starting point for the user query. Chef Automate will use this as the
#basic DN when looking for people to authenticate with on your LDAP #server.
username_attr = "<this is our username attribute>"

#Optional Step LDAP query filter to use when looking for users to log in.
#This will be paired with the username attr filter mentioned earlier.
user_query_filter = "<this is the user query filter>"

#Using LDAP to populate the Chef Automate User Which LDAP
#information is used to populate the username in a user's Chef Automate session.
#This is when chef user authentication is successful.
user_id_attr = "<this is the userid attribute>"

#Optional:defines which LDAP field,upon chef user authentication,
#populates the email in a user's Chef Automate session.
email_attr = "<here goes the email attribute>"

#Optional: specifies which LDAP data should be used to populate the
#display name in a user's Chef Automate session after successful #chef user authentication.
#If not supplied, "name" is used as the default.
user_display_name_attr = "<the user display name attribute>"

#Group Query looks for an authenticated user's LDAP group membership.
#The starting point for the group membership inquiry.
#Chef Automate will use this as the basic DN to search for LDAP group
#membership for a given LDAP user.
base_group_search_dn = "<the base group search DN>"

#The following two fields assign a user to a group. If the settings are applied,
#you will get a group membership.
#Optional: The LDAP field is used to filter group membership. The default
#value is "member."
filter_groups_by_user_attr = "<this is the groups to filter by user attribute>"

#The LDAP field from the authenticated user that you want to utilise as
#input to the above filter. The default value is "DN."
filter_groups_by_user_value = "<here goes groups to filter by user value>"

#You can define an additional LDAP filter to filter group membership
#results.
group_query_filter = "<here goes group query filter>"

#The LDAP information on the group you want to utilise as the Chef
#Automate Team name. The default value is "name."
group_display_name_attr = "<here is the group display name attribute>"

Frequently Asked Questions

How do I add a user to the Chef server?

To make a user, use the create argument. This procedure will generate an RSA key pair for the specified user. The public key will be saved on the Chef server, while the private key will be shown on STDOUT or written to a specified file. The private key should get copied to the system for the user as "/etc/chef/client."

How does the Chef client authenticate with the Chef server?

Every request sent to the Chef server by the chef-client must get authenticated using the Chef server API and a private key. When the chef-client sends a request to the Chef server, it affirms the request with a private key stored in "/etc/chef/client. pem."

How are nodes configured in Chef?

The node object is made up of the run-list and node properties, which are kept in a JSON file on the Chef server. During each chef-client run, the chef-client obtains a copy of the node object from the Chef server and stores an updated copy on the Chef server at the end of each chef-client run.

How does Chef Server index the attributes sent by a chef-client?

Following the rebuild of the node object, all of its attributes get compared. Then the node is updated based on attribute priority. The node object that defines the node's current state is posted to the Chef server at the end of each chef-client run so it may be indexed for search.

Conclusion

In the article, we learned about the Chef user Authentication Concept. We read about SAML and LDAP. We also saw their identity management systems and also read about their configuration settings. We found ways to troubleshoot problems that may pop up. Visit our blogs on Chef to find out more. Go inside to find out how to configure the Chef infra server and manage the Chef infra server. If you want to dive deeper, find out about Chef Habitat Installation and Common Terms related to Chef InSpec. Explore Coding Ninjas Studio to find more exciting stuff. Happy Coding!