I’ve been working on infrastructure of a fleet of a few dozen Amazon EC2 instances for the past week, and with a rapidly-growing team, we decided it was appropriate to make a central authentication / authorization service.
So, that meant setting up some sort of LDAP server.
I was a bit intimidated at first (the most I’ve done is seen people manage and complain about Active Directory), but I finally got it set up. Here are the components:
- AWS Directory Service (Simple Directory) is used as the directory server.
t2.largeWindows Server instance used to administer directory (usually stopped).
- A bunch of VPC settings to make the directory service the default DNS resolver of the VPC.
- An Ansible play I made to:
- Join the instance to the directory.
sshdto pull public keys from the directory.
- Add an access filter to allow access for users who are members of the appropriate groups.
sudoersto allow sudo for users who are members of the appropriate groups.
The first three weren’t too hard — Amazon has pretty good documentation and tutorials that cover this pretty well. I recommend reading them in this order:
- Tutorial: Create a Simple AD Directory.
- Create a DHCP Options Set.
- Joining a Windows Instance to an AWS Directory Service Domain — read the limitations and prerequisites (you’ll need a special EC2 IAM Role) — then skip to “Joining a Domain Using the Amazon EC2 Launch Wizard”.
- Delegating Directory Join Privileges — this is important for security.
- Manually Add a Linux Instance.
On step 5, the
realm join command will prompt for a password. I spent a few days trying to figure out what the best way to automate this was — I tried creating a Kerberos keytab and use that for authentication, but I wasn’t getting consistent results (for some reason that is probably clear to someone who knows a lot about Kerberos, the
realm join would work but after a
realm leave, Kerberos would complain that the join account didn’t exist anymore — even though I couldn’t find any differences from the AD admin tools). I eventually decided to encrypt the directory join account password in an Ansible vault and use the Ansible
expect module to automate the password entry.
I’m currently using the Active Directory “Users & Groups” administration tool to administer users, but this involves booting a Windows instance every time a change to the directory is made — ideally, I want a simple web-based tool to add/remove/change users, their SSH public keys, and groups. There are a few web-based tools out there already, but the ones I’ve come across are either too complicated or don’t manage SSH keys as well.