BlogContact SalesTry Puppet 
Search Puppet.com

Puppet is the industry standard for IT automation.

Modernize, manage and bring your hybrid infrastructure into compliance through Puppet's powerful continuous automation.

Use Cases
Puppet Enterprise LogoGet Puppet Enterprise

First 10 nodes are free!

Products
Pricing & Packaging
Integrations
Puppet Education Logo
Puppet Education

Puppet Education is your learning portal for tools and best practices to address common business challenges.

Professional services
Support
Custom consulting services

Get up and running quickly with a custom solution that addresses your unique business goals and easily allows for growth as your needs evolve.

Puppet Forge

Find thousands of component modules built by the community and guidance on using them in your own infrastructure.

EcosystemOpen Source Projects
Community
Contribute
State of DevOps Report

Since launching our first DevOps survey in 2012, we’ve learned a lot about the power of DevOps to transform organizations.

Product Documentation
Resource library
Customers
Partners
Featured Partners
Servicenow Logo
Splunk Logo
Puppet Events
About Us

Puppet automates your infrastructure so you can innovate. We find, fix, and predict in order to prevent surprises and maintain your desired state.

CompanyWorking at Puppet
Press & news
Events
It's our community that makes Puppet great. Connect with Puppet users and employees.
homeblogauthenticate puppet enterprise with freeipa using ldap

Authenticate Puppet Enterprise with FreeIPA using LDAP

by Becca Robinson|13 August 2020

Using a Linux Domain controller such as Red Hat Identity Management or FreeIPA? If so then the fields are a bit different than some other LDAP interfaces, which makes it difficult for some to connect to for authentication.

Here is a quick how-to on setting up Puppet Enterprise with authentication from FreeIPA. I am assuming that you already have Puppet Enterprise installed with eyaml configured. If not, then you may want to visit these prerequisites.

Installing Puppet Enterprise

Setting up Encrypted YAML (eyaml)

I am using the Roles and Profiles design pattern. If you’re not familiar with the Roles and Profiles method, then make sure to read up on it first.

Setup of FreeIPA server

I used the forge module addulact/freeipa to set up my FreeIPA server. I created a profile such as this:



After grouping and classifying
my FreeIPA domain controller to use this profile, I ran the Puppet agent and watched as FreeIPA was installed.


Notes:


If the installation of FreeIPA server fails for any reason, then you must uninstall FreeIPA
before you try again. Do this by running /usr/sbin/ipa-server-install --uninstall.


If managing DNS with FreeIPA, then the zone must not be managed anywhere else
that can be found with the configured DNS servers. This is why I chose to use a
local extension to the domain.


Setup of FreeIPA client


I used the same forge module to configure the client and created a profile for
the IPA client that was attached to my linux baseline profile.




This profile sets up the ipa-client on the Linux nodes to authenticate to FreeIPA.
In addition, since I have set up the DNS server in my FreeIPA server, this also adds A
and PTR records to the zone.


Configure Puppet Enterprise console to use FreeIPA


I started this step by creating a service account in FreeIPA. You can reference
the FreeIPA administration guide
section 1.1.1 for more information on how to do this.


After setting up the user account, read up on connecting external directory services to PE.


I'll walk through the settings that I used for the domain example.local


Directory name: FreeIPA


Friendly name for your directory


Hostname: dc01.example.local


FQDN for your FreeIPA domain controller


Port: 636


I chose to use SSL over port 636, but use what your organization requires


Lookup user (optional): uid=svc_ldap_pe,cn=users,cn=accounts,dc=example,dc=local


Although this is optional for Puppet Enterprise, FreeIPA requires auth to browse directory, at least with defaults


Lookup password (optional) 


Not optional for FreeIPA with default settings


Connection timeout (seconds): 30


You will probably want to adjust this according to your environment and latency thresholds


Validate the hostname:  checked


With this being authentication, I want to validate hostnames match certs


Base distinguished name: cn=accounts,dc=example,dc=local


This is going to be the base search path for LDAP queries


User login attribute: uid


This is where one of the variances are with other LDAP servers such as Active Directory


User email address: mail


User full name: displayName


Group object class: ipausergroup


This is where one of the variances are with other LDAP servers, such as Active Directory


Group membership field: member


Group name attribute: cn


This is where one of the variances are with other LDAP servers such as Active Directory


Group lookup attribute: cn


Search nested groups: checked


I checked this in my lab to be able to search nested groups, but this can cause
a performance impact


After you populate these fields, you should click Test Changes to ensure successful connection,
then click Commit Changes to save the changes.


Congratulations, you have configured Puppet Enterprise to authenticate against FreeIPA,
but you are not done yet. Next you will need to go in and map what FreeIPA groups
have permissions to perform actions in Puppet Enterprise. Take a look at our docs
on how to do this here.


Learn more


Puppet by Perforce gives IT operations teams back their time and offers peace of mind with infrastructure automation that enables security and compliance.
LegalPrivacy PolicyTerms of UseSecurity
 
© 2022 Puppet