Overview

This article describes how to verify proper Directory Service settings before establishing a connection with SaltStack Enterprise. It describes how to verify settings using two key tools, one Windows-based and the other Linux-based.

Verifying connection settings

Different directory services such as Active Directory and OpenLDAP include different schemas.

Due to the wide range of possible schemas, incorrect settings are easy to introduce when establishing a connection from your Directory Service to SaltStack Enterprise.

Below are descriptions of two key tools you can use to verify your connection settings.

Windows

ADSI Edit snap-in lets you browse the AD schema and see object attributes.

Just install and run adsiedit.msc in your Domain Controller.

Once ADSI Edit has started, create a connection using your BIND DN (service account) to log in to the selected server. Verify you can see the expected groups, users, distinguished names, and other objects as needed.

Linux

The following two examples show how to search for groups, and then for users, using a selected BIND DN using ldapsearch, provided by OpenLDAP* packages.

Example 1

Search for objectclass=group from base dn OU=ABC,DC=examplead,DC=lab and sub from base dn and all of its descendants, return dn cn member objectClass and objectCategory attributes.

ldapsearch -x -h x.x.x.x-D "CN=saltyadmins,OU=ABC,DC=examplead,DC=lab" -w'secret' -b "OU=ABC,DC=examplead,DC=lab" -s sub "(objectclass=group)" dn cn member objectClass objectCategory

Result:

# extended LDIF
#
# LDAPv3
# base <OU=ABC,DC=examplead,DC=lab> with scope subtree
# filter: (objectclass=group)
# requesting: dn cn member objectClass objectCategory
#
# Examplers, Example Company, ABC, examplead.lab
dn: CN=Examplers,OU=Example Company,OU=ABC,DC=examplead,DC=lab
objectClass: top
objectClass: group
cn: Examplers
member: CN=Jane Doe,CN=Users,DC=examplead,DC=lab
member: CN=Example Company,OU=Example Company,OU=ABC,DC=examplead,DC=lab
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=examplead,DC=lab

# Loremers, Lorem ipsum, ABC, examplead.lab
dn: CN=Loremers,OU=Lorem ipsum,OU=ABC,DC=examplead,DC=lab
objectClass: top
objectClass: group
cn: Loremers
member: CN=Lorem ipsum,OU=Lorem ipsum,OU=ABC,DC=examplead,DC=lab
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=examplead,DC=lab

# Berriers, Blueberry Inc, ABC, examplead.lab
dn: CN=Berriers,OU=Blueberry Inc,OU=ABC,DC=examplead,DC=lab
objectClass: top
objectClass: group
cn: Berriers
member: CN=Blueberry Inc,OU=Blueberry Inc,OU=ABC,DC=examplead,DC=lab
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=examplead,DC=lab

# pBotters, pBot, ABC, examplead.lab
dn: CN=pBotters,OU=pBot,OU=ABC,DC=examplead,DC=lab
objectClass: top
objectClass: group
cn: pBotters
member: CN=p Bot,OU=pBot,OU=ABC,DC=examplead,DC=lab
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=examplead,DC=lab

# saltyadmins, ABC, examplead.lab
dn: CN=saltyadmins,OU=ABC,DC=examplead,DC=lab
objectClass: top
objectClass: group
cn: saltyadmins
member: CN=Jane Doe,CN=Users,DC=examplead,DC=lab
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=examplead,DC=lab

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

Example 2

Search for objectclass=user from base dn OU=ABC,DC=examplead,DC=lab and sub from base dn and all of its descendants, return dn cn name sAMAccountName and distinguishedName attributes.

# ldapsearch -x -h 172.31.28.22 -D "CN=saltyadmins,OU=ABC,DC=examplead,DC=lab" -w'secret' -b "OU=ABC,DC=examplead,DC=lab" -s sub "(objectclass=user)" dn cn name sAMAccountName distinguishedName

Result:

# Example Company, Example Company, ABC, examplead.lab
dn: CN=Example Company,OU=Example Company,OU=ABC,DC=examplead,DC=lab
cn: Example Company
distinguishedName: CN=Example Company,OU=Example Company,OU=ABC,DC=examplead
 ,DC=lab
name: Example Company
sAMAccountName: examplecomp

# Lorem ipsum, Lorem ipsum, ABC, examplead.lab
dn: CN=Lorem ipsum,OU=Lorem ipsum,OU=ABC,DC=examplead,DC=lab
cn: Lorem ipsum
distinguishedName: CN=Lorem ipsum,OU=Lorem ipsum,OU=ABC,DC=examplead,DC=lab
name: Lorem ipsum
sAMAccountName: LoremI

# Blueberry Inc, Blueberry Inc, ABC, examplead.lab
dn: CN=Blueberry Inc,OU=Blueberry Inc,OU=ABC,DC=examplead,DC=lab
cn: Blueberry Inc
distinguishedName: CN=Blueberry Inc,OU=Blueberry Inc,OU=ABC,DC=examplead,DC=lab
name: Blueberry Inc
sAMAccountName: BlueberryI

# p Bot, pBot, ABC, examplead.lab
dn: CN=p Bot,OU=pBot,OU=ABC,DC=examplead,DC=lab
cn: p Bot
distinguishedName: CN=p Bot,OU=pBot,OU=ABC,DC=examplead,DC=lab
name: p Bot
sAMAccountName: pBot

# saltyadmins, ABC, examplead.lab
dn: CN=saltyadmins,OU=ABC,DC=examplead,DC=lab
cn: saltyadmins
distinguishedName: CN=saltyadmins,OU=ABC,DC=examplead,DC=lab
name: saltyadmins
sAMAccountName: saltyadmins

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

Summary

With ADSI Edit snap-in and ldapsearch, you can validate and verify proper settings before establishing your Directory Service connection in SaltStack Enterprise.

Base DN: OU=ABC,DC=examplead,DC=lab
Bind DN: CN=saltyadmins,OU=ABC,DC=examplead,DC=lab
Auth Bind DN: (not needed, just type anything)
Group Class: group
Group Name attribute: cn
User Object Class: user
User Name Attribute: sAMAccountName

If the connection is successful, proceed to import groups and users.

Note: If an existing connection is failing, a best practice is to delete the connection and create a new one, rather than modify an existing connection.

Environment

VMware Aria Automation Config 8.12.x

How to verify and troubleshoot a Directory Service connection

Article ID: 312993

Updated On:

Products

Issue/Introduction