ENTERPRISE: Role based access controls are available for Sensu Enterprise users only.

RBAC for LDAP (driver)

Reference Documentation

What is RBAC for LDAP?

The Sensu Enterprise Dashboard offers support for built-in Role Based Access Controls (RBAC), which depends on using some external source of truth for authentication. The Sensu Enterprise Dashboard RBAC for LDAP driver provides support for using a Lightweight Directory Access Protocol (LDAP) provider (e.g. Microsoft Active Directory, OpenLDAP, etc.) for RBAC authentication.

LDAP provider compatibility

This driver is tested with Microsoft Active Directory (AD) and should be compatible with any standards-compliant LDAP provider.

RBAC for LDAP configuration

Example RBAC for LDAP definition

{
  "dashboard": {
    "host": "0.0.0.0",
    "port": 3000,
    "...": "",
    "ldap": {
      "debug": false,
      "servers": [
        {
          "server": "localhost",
          "port": 389,
          "basedn": "cn=users,dc=domain,dc=tld",
          "binduser": "cn=binder,cn=users,dc=domain,dc=tld",
          "bindpass": "secret",
          "insecure": false,
          "security": "starttls",
          "userattribute": "sAMAccountName"
        }
      ],
      "roles": [
        {
          "name": "guests",
          "members": [
            "guests_group"
          ],
          "datacenters": [
            "us-west-1"
          ],
          "subscriptions": [
            "webserver"
          ],
          "readonly": true
        },
        {
          "name": "operators",
          "members": [
            "operators_group"
          ],
          "datacenters": [],
          "subscriptions": [],
          "readonly": false
        }
      ]
    }
  }
}

RBAC for LDAP definition specification

ldap attributes

debug
description: Determines whether or not to output debug information about the LDAP connection. WARNING: not recommended for production use. Sensitive information, including usernames and passwords, may be written to the log files when enabled.
required: false
type: Boolean
default: false
example: "debug": true

servers
description: An array of LDAP servers, each representing an LDAP directory or a Microsoft Active Directory domain controller. NOTE: each LDAP server is tried in sequence until one of them authenticates the username and password provided, or the end of the array is reached.
required: true
type: Array
example:
"servers": [
  {
    "server": "localhost",
    "port": 389,
    "basedn": "cn=users,dc=domain,dc=tld",
    "binduser": "cn=binder,cn=users,dc=domain,dc=tld",
    "bindpass": "secret",
    "insecure": false,
    "security": "starttls",
    "userattribute": "sAMAccountName"
  }
]

roles
description: An array of Role definitions for LDAP groups.
required: true
type: Array
example:
"roles": [
  {
    "name": "guests",
    "members": [
      "guests_group"
    ],
    "datacenters": [
      "us-west-1"
    ],
    "subscriptions": [
      "webserver"
    ],
    "readonly": true
  },
  {
    "name": "operators",
    "members": [
      "operators_group"
    ],
    "datacenters": [],
    "subscriptions": [],
    "readonly": false
  }
]

servers attributes

server
description: IP address or FQDN of the LDAP directory or the Microsoft Active Directory domain controller.
required: true
type: String
example: "server": "localhost"

port
description: Port of the LDAP/AD service (usually 389 or 636).
required: true
type: Integer
example: "port": 389

dialect
description: Which LDAP dialect to use (Microsoft Active Directory or OpenLDAP).
required: false
type: String
allowed values: ad, openldap
example: "dialect": "ad"

basedn
description: Tells which part of the directory tree to search. For example, cn=users,dc=domain,dc=tld will search all users of the domain.tld directory.
required: true
type: String
example: "basedn": "cn=users,dc=domain,dc=tld"

groupbasedn
description: Overrides the basedn attribute for group lookups.
required: false
type: String
example: "groupbasedn": "cn=groups,dc=domain,dc=tld"

userbasedn
description: Overrides the basedn attribute for user lookups.
required: false
type: String
example: "userbasedn": "cn=admins,dc=domain,dc=tld"

binduser
description: The LDAP account that performs user lookups. We recommend using a read-only account. Use the distinguished name (DN) format, such as cn=binder,cn=users,dc=domain,dc=tld. NOTE: using a binder account is not required with Active Directory, although it is highly recommended.
required: true
type: String
example: "binduser": "cn=binder,cn=users,dc=domain,dc=tld"

bindpass
description: The password for the binduser.
required: true
type: String
example: "bindpass": "secret"

insecure
description: Determines whether or not to skip SSL certificate verification (e.g. for self-signed certificates).
required: false
type: Boolean
default: false
example: "insecure": true

security
description: Determines the encryption type to be used for the connection to the LDAP server.
required: true
type: String
allowed values: none, starttls, or tls
example: "security": "none"

userattribute
description: The LDAP attribute used to identify an account. You should typically use sAMAccountName for Active Directory and uid for other LDAP software, such as OpenLDAP, but it may vary.
required: false
type: String
default: sAMAccountName
example: "userattribute": "uid"

groupmemberattribute
description: The LDAP attribute used to identify group memberships.
required: false
type: String
default: member
example: "groupmemberattribute": "uniqueMember"

userobjectclass
description: The LDAP object class used for user accounts.
required: false
type: String
default: person
example: "userobjectclass": "inetOrgPerson"

groupobjectclass
description: The LDAP object class used for groups.
required: false
type: String
default: groupOfNames
example: "groupobjectclass": "posixGroup"

roles attributes

Please see the RBAC definition specification for information on how to configure RBAC roles.
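As an added example (not part of the Sensu documentation or product), a small Python linter that checks a dashboard configuration against the ldap and servers attribute specification above: required attributes, the allowed values for security and dialect, and the settings the specification flags as risky (debug enabled, security "none", insecure certificate handling). The sample configuration is constructed for the demo and includes a deliberately weak second server.

```python
import json

# Constructed sample (not from any real deployment): the page's example server, plus a
# second, weakly configured server and debug enabled so the linter has findings to report.
SAMPLE_CONFIG = json.loads("""
{"dashboard": {"host": "0.0.0.0", "port": 3000, "ldap": {
  "debug": true,
  "servers": [
    {"server": "localhost", "port": 389, "basedn": "cn=users,dc=domain,dc=tld",
     "binduser": "cn=binder,cn=users,dc=domain,dc=tld", "bindpass": "secret",
     "insecure": false, "security": "starttls", "userattribute": "sAMAccountName"},
    {"server": "dc2.domain.tld", "port": 389, "basedn": "cn=users,dc=domain,dc=tld",
     "binduser": "cn=binder,cn=users,dc=domain,dc=tld", "security": "none",
     "insecure": true, "dialect": "msad"}
  ],
  "roles": [{"name": "guests", "members": ["guests_group"], "datacenters": ["us-west-1"],
             "subscriptions": ["webserver"], "readonly": true}]
}}}
""")

# Required server attributes and allowed values, as listed in the specification above.
REQUIRED_SERVER_KEYS = ("server", "port", "basedn", "binduser", "bindpass", "security")
ALLOWED_VALUES = {"security": {"none", "starttls", "tls"}, "dialect": {"ad", "openldap"}}

def lint_ldap_config(config):
    """Return (severity, message) findings for the dashboard.ldap block of a config dict."""
    findings = []
    ldap = config.get("dashboard", {}).get("ldap")
    if ldap is None:
        return [("error", "dashboard.ldap block is missing")]
    if ldap.get("debug", False):
        findings.append(("warn", "ldap.debug is true: usernames and passwords may be logged"))
    servers = ldap.get("servers") or []
    if not servers:
        findings.append(("error", "ldap.servers is required and must not be empty"))
    for i, srv in enumerate(servers):
        tag = f"servers[{i}]"
        for key in REQUIRED_SERVER_KEYS:
            if key not in srv:
                findings.append(("error", f"{tag}: required attribute '{key}' is missing"))
        for key, allowed in ALLOWED_VALUES.items():
            if key in srv and srv[key] not in allowed:
                findings.append(("error", f"{tag}: '{key}' must be one of {sorted(allowed)}"))
        if srv.get("security") == "none":
            findings.append(("warn", f"{tag}: security 'none' sends the bind password in cleartext"))
        if srv.get("insecure", False):
            findings.append(("warn", f"{tag}: insecure=true skips certificate verification"))
    if not ldap.get("roles"):
        findings.append(("error", "ldap.roles is required and must not be empty"))
    return findings
```

Run it against the sample and the first server passes cleanly while the second produces two errors (missing bindpass, unknown dialect) and two warnings; feed it your own dashboard JSON with `json.load` to check a real configuration the same way.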
