Rancher uses LDAP to communicate with the Active Directory server. The authentication flow for Active Directory is therefore the same as for the OpenLDAP authentication integration.
You’ll need to create, or obtain from your AD administrator, a new AD user to use as a service account for Rancher. This user must have sufficient permissions to perform LDAP searches and read the attributes of users and groups under your AD domain.
Usually a (non-admin) Domain User account should be used for this purpose, as by default such a user has read-only privileges for most objects in the domain partition.
Note, however, that in some locked-down Active Directory configurations this default behaviour may not apply. In such a case you will need to ensure that the service account user has at least Read and List Content permissions granted either on the Base OU (enclosing users and groups) or globally for the domain.
Using TLS?
If the certificate used by the AD server is self-signed or not from a recognised certificate authority, make sure you have the CA certificate (concatenated with any intermediate certificates) at hand in PEM format. You will have to paste this certificate in during the configuration so that Rancher is able to validate the certificate chain.
- Log into the Rancher UI using the initial local account.
- From the Global view, navigate to Security > Authentication.
- Select Active Directory. The Configure an AD server form will be displayed.
Configure Active Directory Server Settings
In the section titled 1. Configure an Active Directory server, complete the fields with the information specific to your Active Directory server. Please refer to the following table for detailed information on the required values for each parameter.
Table 1: AD Server parameters
In the section titled 2. Customize Schema, you must provide Rancher with a correct mapping of user and group attributes corresponding to the schema used in your directory.
Rancher uses LDAP queries to search for and retrieve information about users and groups within the Active Directory. The attribute mappings configured in this section are used to construct search filters and resolve group membership. It is therefore paramount that the provided settings reflect the reality of your AD domain.
If you are unfamiliar with the schema used in your Active Directory domain, please refer to Identify Search Base and Schema using ldapsearch to determine the correct configuration values.
User Schema
The table below details the parameters for the user schema section configuration.
Table 2: User schema configuration parameters
Group Schema
The table below details the parameters for the group schema configuration.
Table 3: Group schema configuration parameters
Test Authentication
Once you have completed the configuration, proceed by testing the connection to the AD server using your AD admin account. If the test is successful, authentication with the configured Active Directory will be enabled implicitly, with the account you test with set as admin.
- Enter the username and password for the AD account that should be mapped to the local principal account.
- Click Authenticate with Active Directory to finalise the setup.
Result:
- Active Directory authentication has been enabled.
- You have been signed into Rancher as administrator using the provided AD credentials.
Note:
You will still be able to log in using the locally configured account and password in case of a disruption of LDAP services.
In order to successfully configure AD authentication it is crucial that you provide the correct configuration pertaining to the hierarchy and schema of your AD server.
The ldapsearch tool allows you to query your AD server to learn about the schema used for user and group objects.
For the purpose of the example commands provided below we will assume:
- The Active Directory server has a hostname of ad.acme.com
- The server is listening for unencrypted connections on port 389
- You have a valid AD account with the username jdoe and password secret
This command performs an LDAP search with the search base set to the domain root (-b "dc=acme,dc=com") and a filter targeting the user account (sAMAccountName=jdoe), returning the attributes for said user:
Since in this case the user’s DN is CN=John Doe,CN=Users,DC=acme,DC=com [5], we should configure the User Search Base with the parent node DN, CN=Users,DC=acme,DC=com.
Similarly, based on the DN of the group referenced in the memberOf attribute [4], the correct value for the Group Search Base would be the parent node of that value, i.e. OU=Groups,DC=acme,DC=com.
Identify User Schema
The output of the above ldapsearch query also allows us to determine the correct values to use in the user schema configuration:
- Object Class: person [1]
- Username Attribute: name [2]
- Login Attribute: sAMAccountName [3]
- User Member Attribute: memberOf [4]
We’ll also set the Search Attribute parameter to sAMAccountName|name. That way users can be added to clusters/projects in the Rancher UI either by entering their username or their full name.
Next, we’ll query one of the groups associated with this user, in this case CN=examplegroup,OU=Groups,DC=acme,DC=com:
$ ldapsearch -x -D "acme\jdoe" -w "secret" -p 389 \
-h ad.acme.com -b "ou=groups,dc=acme,dc=com" \
-s sub "CN=examplegroup"
This command will show us the attributes used for group objects:
Again, this allows us to determine the correct values to enter in the group schema configuration:
- Object Class: group [1]
- Name Attribute: name [2]
- Search Attribute: sAMAccountName [4]
Looking at the value of the member attribute, we can see that it contains the DN of the referenced user. This corresponds to the distinguishedName attribute in our user object. Accordingly, we will have to set the value of the parameter to this attribute.
In the same way, we can observe that the value of the memberOf attribute in the user object corresponds to the distinguishedName [5] of the group. We therefore need to set the value of the Group DN Attribute parameter to this attribute.
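The schema-discovery steps above, worked through as an added example that is not part of the Rancher documentation: it parses the LDIF that ldapsearch prints (a constructed sample here, with a folded continuation line as ldapsearch emits them), reads off the User Search Base and Group Search Base as the parent node of the user's DN and of its memberOf value, and checks that the group's member value and the user's memberOf value cross-reference each other as described. The dictionary keys are the Rancher parameter names used in the text; the directory content is made up.

```python
# Constructed sample shaped like the two ldapsearch results in the text (" C=com" is a folded line).
SAMPLE_LDIF = """\
dn: CN=John Doe,CN=Users,DC=acme,DC=com
objectClass: person
sAMAccountName: jdoe
distinguishedName: CN=John Doe,CN=Users,DC=acme,DC=com
memberOf: CN=examplegroup,OU=Groups,DC=acme,D
 C=com

dn: CN=examplegroup,OU=Groups,DC=acme,DC=com
objectClass: group
distinguishedName: CN=examplegroup,OU=Groups,DC=acme,DC=com
member: CN=John Doe,CN=Users,DC=acme,DC=com
"""

def parse_ldif(text):
    """One dict per entry (lower-cased attribute -> [values]); folds joined, '#' comments skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            cur.setdefault(attr.lower(), []).append(val.strip())
    return entries

def parent_dn(dn):
    """Drop the leading RDN; a backslash-escaped comma (CN=Doe\\, John) does not split."""
    i = 0
    while i < len(dn) and dn[i] != ",":
        i += 2 if dn[i] == "\\" else 1
    return dn[i + 1:].strip()

def derive_rancher_config(ldif_text):
    """Read off the two Search Base values and check the member/memberOf cross-references."""
    entries = parse_ldif(ldif_text)
    user = next(e for e in entries if "person" in [c.lower() for c in e["objectclass"]])
    group = next(e for e in entries if "group" in [c.lower() for c in e["objectclass"]])
    linked = (user["memberof"][0].lower() == group["distinguishedname"][0].lower()
              and group["member"][0].lower() == user["distinguishedname"][0].lower())
    return {"User Search Base": parent_dn(user["distinguishedname"][0]),
            "Group Search Base": parent_dn(user["memberof"][0]),
            "membership_consistent": linked}
```

Feed it the real output of the two ldapsearch commands (saved to a file) instead of SAMPLE_LDIF; a False membership_consistent means the user and group entries you queried do not reference each other and the search bases or attributes need another look.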