Integration of Users from Active Directory into Rancher

Our users are located in Active Directory with an LDAP path something like this:

CN=myusername,OU=User,OU=UnitedKingdom,DC=aaa,DC=bbb,DC=ccc

Using OU=User,OU=UnitedKingdom,DC=aaa,DC=bbb,DC=ccc as the user search base, we can set up the authentication (https://rancher.com/docs/rancher/v2.5/en/admin-settings/authentication/ad/), and I have been able to get things working for UK people only.

However, there are multiple countries that potential users of the cluster can come from, e.g. Germany, India, etc. We have a lot of users organised in this way, so I wanted to get a unified view of them in the running Rancher UI.

From the docs, User Search Base says:

The Distinguished Name of the node in your directory tree from which to start searching for user objects. All users must be descendants of this base DN. For example: “ou=people,dc=acme,dc=com”.

So I cannot use either multiple search bases (AFAICS):

OU=User,OU=UnitedKingdom,DC=aaa,DC=bbb,DC=ccc

OU=User,OU=Germany,DC=aaa,DC=bbb,DC=ccc, ...

or wildcards to specify the users:

OU=User,OU=(*),DC=aaa,DC=bbb,DC=ccc

Q1) Is there a way to have multiple search bases or use wildcards, or is there a way round this that we can use?

As an alternative:

Q2) We could use NIS to authenticate. Is there a way to set up NIS as the source of users and groups?

Unless your AD is extremely large, why not just have the search base like below?

DC=aaa,DC=bbb,DC=ccc
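As an added illustration (not code from this thread or from Rancher), the snippet below models how an LDAP search rooted at a base DN decides which entries it returns: with a subtree ("sub") scope, a domain-wide base of DC=aaa,DC=bbb,DC=ccc covers users in every country OU, whereas a one-level scope would match none of them. The user DNs are constructed samples in the layout described above, and the DN parser is deliberately simplified (it does not handle escaped commas in values).

```python
# Added example: models LDAP search scope against a base DN. Not Rancher's code;
# the DN parsing is a simplified assumption (no escaped commas in RDN values).
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, most specific first, lower-cased
    so comparisons are case-insensitive, as DN matching in LDAP usually is."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_scope(entry_dn: str, base_dn: str, scope: str = "sub") -> bool:
    """True if entry_dn would be returned by a search rooted at base_dn.
    scope: "base" = only the base entry, "one" = direct children only,
           "sub"  = the base and everything beneath it (whole subtree)."""
    entry = parse_dn(entry_dn)
    base = parse_dn(base_dn)
    # The entry is under the base only if its trailing RDNs equal the base DN.
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)  # 0 = the base itself, 1 = direct child, ...
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


# Constructed sample entries in the per-country layout described in the thread.
USERS = [
    "CN=alice,OU=User,OU=UnitedKingdom,DC=aaa,DC=bbb,DC=ccc",
    "CN=bernd,OU=User,OU=Germany,DC=aaa,DC=bbb,DC=ccc",
    "CN=priya,OU=User,OU=India,DC=aaa,DC=bbb,DC=ccc",
    "CN=svc-backup,OU=ServiceAccounts,DC=aaa,DC=bbb,DC=ccc",  # non-user entry
    "CN=mallory,DC=other,DC=example",                          # foreign domain
]


def matching_users(base_dn: str, scope: str = "sub") -> list[str]:
    """Entries from USERS that a search with the given base and scope returns."""
    return [dn for dn in USERS if in_scope(dn, base_dn, scope)]


if __name__ == "__main__":
    for scope in ("one", "sub"):
        print(scope, matching_users("DC=aaa,DC=bbb,DC=ccc", scope))
```

Note that a domain-wide base with subtree scope also returns entries that are not people (the service account above), so the search filter applied on top of the base is what narrows results to actual user objects.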

Just to be sure and to say definitively: I just retried this and it doesn't work. The users seem to need to be direct descendants of the search base? So under that search base we have nodes for country, and then under those, users. Am I missing something?

I was going to try and test this as well. If I had to guess, it's due to the fact that you cannot specify an OU because of the way countries are used in your domain.

As if to disprove my own response, I tried once more and I think I must have made a mistake before (all times before), because I have just got this to authenticate 🙂 So apologies for the terse response before, but I think you are right (I'm new to LDAP and Rancher, not a good mix). Thanks for the response.

Awesome to hear that it worked!
