Authenticate Puppet Enterprise with FreeIPA LDAP

August 13, 2020 | How to & Use Cases, Security & Compliance | By Becca Robinson

Using a Linux domain controller such as FreeIPA? Its directory schema differs from other LDAP servers, so the attribute and object-class values you need for an authentication connection are not the ones most Active Directory-oriented guides show, and that trips people up. In this post, we break down how to point Puppet Enterprise at FreeIPA's LDAP service.

What Is FreeIPA LDAP?

FreeIPA is an identity and authentication solution for Linux/UNIX that exposes its directory over LDAP (Lightweight Directory Access Protocol). Puppet Enterprise can use that directory to look up user accounts and their group memberships for the PE console: authentication is delegated to FreeIPA, and authorization is granted by mapping FreeIPA groups to PE RBAC roles, so who may log in and what they may do is governed centrally rather than through local PE accounts.

How to Setup Puppet Enterprise with FreeIPA LDAP

Here is a quick how-to on setting up Puppet Enterprise with authentication from FreeIPA. I am assuming that you already have Puppet Enterprise installed with eyaml configured, so that the FreeIPA passwords used by the profiles below are stored encrypted in Hiera rather than in plain text. If not, you may want to visit these prerequisites first:

- Installing Puppet Enterprise
- Setting up Encrypted YAML (eyaml)

I am using the Roles and Profiles design pattern.
If you're not familiar with the Roles and Profiles method, make sure to read up on it first.

Setup of FreeIPA server

I used the forge module adullact/freeipa to set up my FreeIPA server. I created a profile such as this (the two password parameters have no defaults, so they are resolved by automatic parameter lookup from Hiera, which is where eyaml keeps them encrypted):

```puppet
# Manage FreeIPA domain controller
class profile::linux::ipa::server (
  String $admin_pass,   # resolved from Hiera (eyaml-encrypted)
  String $dirsvc_pass,  # resolved from Hiera (eyaml-encrypted)
) {
  class { 'freeipa':
    ipa_role                    => 'master',
    domain                      => 'example.local',
    ipa_master_fqdn             => 'dc01.example.local',
    ipa_server_fqdn             => 'dc01.example.local',
    puppet_admin_password       => $admin_pass,
    directory_services_password => $dirsvc_pass,
    install_ipa_server          => true,
    ip_address                  => '10.0.10.2',
    enable_ip_address           => true,
    enable_hostname             => true,
    manage_host_entry           => true,
    install_epel                => true,
    custom_dns_forwarders       => ['8.8.8.8', '8.8.4.4'],
  }
}
```

After grouping and classifying my FreeIPA domain controller to use this profile, I ran the Puppet agent and watched as FreeIPA was installed.

Notes:

- If the installation of the FreeIPA server fails for any reason, you must uninstall FreeIPA before you try again. Do this by running /usr/sbin/ipa-server-install --uninstall.
- If managing DNS with FreeIPA, the zone must not be served anywhere else that the configured DNS servers can reach. This is why I chose to use a local extension to the domain. Be aware that the .local suffix is reserved for multicast DNS (RFC 6762), so hosts running Avahi or Bonjour may resolve it oddly; a dedicated subdomain of a domain you control avoids that.

Setup of FreeIPA client

I used the same forge module to configure the client and created a profile for the IPA client that was attached to my Linux baseline profile:

```puppet
# Manage FreeIPA client
class profile::linux::ipa::client (
  String $admin_pass,   # resolved from Hiera (eyaml-encrypted)
  String $dirsvc_pass,  # resolved from Hiera (eyaml-encrypted)
) {
  class { 'freeipa':
    ipa_role                    => 'client',
    domain                      => 'example.local',
    ipa_master_fqdn             => 'dc01.example.local',
    puppet_admin_password       => $admin_pass,
    directory_services_password => $dirsvc_pass,
    ip_address                  => $facts['ipaddress'],  # legacy fact; $facts['networking']['ip'] is the structured equivalent
    enable_hostname             => true,
    manage_host_entry           => true,
    install_epel                => true,
  }
}
```

This profile sets up the ipa-client on the Linux nodes to authenticate to FreeIPA.
In addition, since I have set up the DNS server in my FreeIPA server, this also adds A and PTR records to the zone.

Configure Puppet Enterprise console to use FreeIPA

I started this step by creating a service account in FreeIPA for the console to bind as. Give it no privileges beyond what a lookup needs (read access to users and groups), and do not reuse the FreeIPA admin account for this. You can reference the FreeIPA administration guide, section 1.1.1, for more information on creating users.

After setting up the service account, read up on connecting external directory services to PE. I'll walk through the settings that I used for the domain example.local:

- Directory name: FreeIPA. A friendly name for your directory.
- Hostname: dc01.example.local. The FQDN of your FreeIPA domain controller. With hostname validation on (below), this must match the subject or a SAN of the server's certificate.
- Port: 636. I chose LDAPS on port 636, but use what your organization requires. Plain LDAP on 389 without STARTTLS sends the lookup password and every console user's password in clear text, so avoid it outside a lab.
- Lookup user (optional): uid=svc_ldap_pe,cn=users,cn=accounts,dc=example,dc=local. Although this is optional for Puppet Enterprise, FreeIPA requires an authenticated bind to browse the directory, at least with default settings.
- Lookup password (optional): the service account's password. Not optional for FreeIPA with default settings.
- Connection timeout (seconds): 30. You will probably want to adjust this according to your environment and latency thresholds.
- Validate the hostname: checked. With this being authentication, I want the certificate presented to match the hostname I connect to. The PE console must also trust the CA that issued the FreeIPA server certificate (by default FreeIPA's own CA); if it does not, the connection test fails at the TLS handshake.
- Base distinguished name: cn=accounts,dc=example,dc=local. This is the base search path for LDAP queries.
- User login attribute: uid. This is one of the variances from other LDAP servers such as Active Directory, where the login attribute is sAMAccountName.
- User email address: mail.
- User full name: displayName.
- Group object class: ipausergroup. Another variance from Active Directory, which uses group.
- Group membership field: member.
- Group name attribute: cn. Another variance from Active Directory.
- Group lookup attribute: cn.
- Search nested groups: checked. I checked this in my lab to be able to search nested groups, but it causes extra queries per login and can have a performance impact.

After you populate these fields, click Test Changes to verify that the bind and a user lookup succeed, then click Commit Changes to save the changes.

Congratulations, you have configured Puppet Enterprise to authenticate against FreeIPA, but you are not done yet. Next you will need to map which FreeIPA groups have permission to perform actions in Puppet Enterprise, by assigning them to PE RBAC roles. That mapping is what grants permissions, so restrict it to the groups that genuinely need them.
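To see what those field values do in practice, here is an added example in Python (not from the post, and not PE or FreeIPA code) that models the console's lookup against a constructed, FreeIPA-shaped set of directory entries: users under cn=users,cn=accounts, groups under cn=groups,cn=accounts with objectClass ipausergroup and a multi-valued member attribute. It resolves a login name to a DN, walks nested membership with a visited set so a group cycle cannot loop forever, shows that an Active Directory-style group object class ("group") returns no groups at all, and builds the equivalent ldapsearch pre-flight command with the login escaped per RFC 4515. The users alice and bob, the group names, and the service account uid=svc_ldap_pe are constructed for the example.

```python
"""Model of the PE console's FreeIPA lookups. Added example, not PE or FreeIPA code."""

# Settings as entered in the PE console for example.local (values from the post).
PE_DS_SETTINGS = {
    "hostname": "dc01.example.local",
    "port": 636,
    "base_dn": "cn=accounts,dc=example,dc=local",
    "lookup_user": "uid=svc_ldap_pe,cn=users,cn=accounts,dc=example,dc=local",
    "user_login_attr": "uid",
    "group_object_class": "ipausergroup",
    "group_member_attr": "member",
    "group_name_attr": "cn",
    "search_nested": True,
}

USERS = "cn=users,cn=accounts,dc=example,dc=local"
GROUPS = "cn=groups,cn=accounts,dc=example,dc=local"

# Constructed sample entries (DN -> attributes). alice is a direct member of
# pe-operators; pe-operators is nested in pe-admins; pe-admins and all-staff
# contain each other, which is the membership cycle the nested search must survive.
DIRECTORY = {
    f"uid=alice,{USERS}": {"objectClass": ["person", "posixaccount", "inetuser"],
                           "uid": ["alice"], "mail": ["alice@example.local"],
                           "displayName": ["Alice Example"]},
    f"uid=bob,{USERS}": {"objectClass": ["person", "posixaccount", "inetuser"],
                         "uid": ["bob"], "mail": ["bob@example.local"],
                         "displayName": ["Bob Example"]},
    f"cn=pe-operators,{GROUPS}": {"objectClass": ["ipausergroup", "groupofnames", "posixgroup"],
                                  "cn": ["pe-operators"], "member": [f"uid=alice,{USERS}"]},
    f"cn=pe-admins,{GROUPS}": {"objectClass": ["ipausergroup", "groupofnames"],
                               "cn": ["pe-admins"],
                               "member": [f"cn=pe-operators,{GROUPS}", f"cn=all-staff,{GROUPS}"]},
    f"cn=all-staff,{GROUPS}": {"objectClass": ["ipausergroup", "groupofnames"],
                               "cn": ["all-staff"], "member": [f"cn=pe-admins,{GROUPS}"]},
    f"cn=editors,{GROUPS}": {"objectClass": ["ipausergroup", "groupofnames"],
                             "cn": ["editors"], "member": [f"uid=bob,{USERS}"]},
}


def _values(entry, attr):
    """LDAP attribute names are case-insensitive; look the attribute up that way."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals
    return []


def _has_value(entry, attr, value):
    """Most FreeIPA attributes use caseIgnoreMatch, so compare case-insensitively."""
    return any(v.lower() == value.lower() for v in _values(entry, attr))


def _under(dn, base_dn):
    return dn.lower().endswith("," + base_dn.lower())


def find_user(directory, settings, login):
    """Resolve a console login name to a user DN; None if unknown or ambiguous."""
    hits = [dn for dn, entry in directory.items()
            if _under(dn, settings["base_dn"])
            and _has_value(entry, settings["user_login_attr"], login)]
    return hits[0] if len(hits) == 1 else None


def direct_groups(directory, settings, member_dn):
    """Groups of the configured object class whose member attribute lists member_dn."""
    return [dn for dn, entry in directory.items()
            if _under(dn, settings["base_dn"])
            and _has_value(entry, "objectClass", settings["group_object_class"])
            and _has_value(entry, settings["group_member_attr"], member_dn)]


def groups_for(directory, settings, user_dn):
    """Sorted group names for user_dn. With search_nested on, groups that contain
    an already-found group are followed too; the found map doubles as the visited
    set, so a cycle (all-staff <-> pe-admins) terminates."""
    found = {}  # lower-cased group DN -> group name
    queue = [user_dn]
    while queue:
        dn = queue.pop()
        for gdn in direct_groups(directory, settings, dn):
            key = gdn.lower()
            if key in found:
                continue
            found[key] = _values(directory[gdn], settings["group_name_attr"])[0]
            if settings["search_nested"]:
                queue.append(gdn)
    return sorted(found.values())


_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    """RFC 4515 escaping, so a typed login name cannot rewrite the search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldapsearch_argv(settings, login):
    """The OpenLDAP pre-flight check to run before clicking Test Changes: simple bind
    (-x) as the lookup user over LDAPS, password prompted (-W) so it stays out of
    argv and shell history. Returns the argv list."""
    return ["ldapsearch", "-x",
            "-H", f"ldaps://{settings['hostname']}:{settings['port']}",
            "-D", settings["lookup_user"], "-W",
            "-b", settings["base_dn"],
            f"({settings['user_login_attr']}={ldap_filter_escape(login)})",
            "uid", "mail", "displayName", "memberOf"]


if __name__ == "__main__":
    alice = find_user(DIRECTORY, PE_DS_SETTINGS, "alice")
    print(alice, groups_for(DIRECTORY, PE_DS_SETTINGS, alice))
    print(" ".join(ldapsearch_argv(PE_DS_SETTINGS, "alice")))
```

Run the printed ldapsearch line from a host that trusts the FreeIPA CA; on an enrolled client that CA is at /etc/ipa/ca.crt, and setting LDAPTLS_CACERT=/etc/ipa/ca.crt makes OpenLDAP's tools use it. If the bind as the lookup user fails there, it will fail in the console too, and if the returned memberOf values do not include the groups you intend to map to RBAC roles, revisit the group object class and member attribute before blaming PE.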
Becca Robinson is a senior professional services engineer at Puppet by Perforce.