Integrating Metworx with Active Directory
Scope
The purpose of this document is to provide directions to configure authentication to Metworx workflows via client-managed Active Directory (AD).
The integration of a Metworx workflow with client-managed Active Directory is accomplished with the SSSD software; the configuration is passed to the Metworx workflow node from a specific AWS Secrets Manager secret that the customer must provide.
Active Directory Integration Requirements
The client cloud administrator is responsible for providing the following:
- Enable The Metworx Service IAM Role Access to the Secrets
- Network-level access from Metworx workflow subnet to Active Directory Controller
- Populate the Active Directory Secrets in AWS Secrets Manager
Enable The Metworx Service IAM Role Access to the Secrets
Support for AD is available in Metworx Blueprint version 22.06 and later. NOTE: If IAM objects for the organization were provisioned prior to 22.06, they need to be updated.
Network-level Access from Metworx Workflow Subnet to Active Directory Controller
Metworx workflow nodes need network access to the Active Directory controller. The following ports need to be opened on the AD controller to provide the required level of access:
Service | Port | Protocol | Notes |
---|---|---|---|
DNS | 53 | UDP/TCP | |
LDAP | 389 | UDP/TCP | |
Samba | 445 | UDP/TCP | For AD Group Policy Objects |
Kerberos | 88 | UDP/TCP | |
Kerberos | 464 | UDP/TCP | Used by kadmin for setting and changing passwords |
LDAP Global Catalog | 3268 | TCP | Required if the id_provider = ad option is being used |
NTP | 123 | UDP | Optional |
Populate the Active Directory Secrets in AWS Secrets Manager
- Navigate to Secrets Manager via the AWS Console in the AWS Account where the Metworx workflows run.
- Click the button labeled "Store a new secret".
- Next configure the secret per the directions below:
- Select "Other type of secret" from the secret type options and populate the key/value pairs with the values that need to be updated in the sssd.conf file to allow for Active Directory configuration in your organization.
- The keys for each value follow the standard sssd.conf naming conventions.
- For more information on the sssd.conf file and its options, review the following document: [sssd.conf](https://manpages.ubuntu.com/manpages/bionic/man5/sssd.conf.5.html)
- For a basic LDAP setup, you'll need the following key/value pairs:
- NOTE: The values in the table below are for demonstration purposes only and are non-functional; replace them with the values required for your organization.
Secret Key | Secret Value |
---|---|
ldap_search_base | LDAP directory where the search for users begins |
ldap_default_bind_dn | CN of the LDAP service account used |
ldap_default_authtok | Password of the service account |
ldap_uri | IP or DNS address of the Domain Controller or load-balanced DC |
- Additional key/value pairs can be added as long as each key is written exactly as it would appear in the sssd.conf file.
- Click the "Next" button and proceed to naming the secret. Name the secret exactly as follows:
metworx-sssd-config
- Proceed with additional configuration as needed and store the secret. The secret should now appear in the Secrets Manager console.
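As an added example that is not part of the Metworx documentation or tooling: a small Python script that assembles the JSON secret string Secrets Manager stores for an "Other type of secret" from the key/value pairs above, checks the required keys and the sssd.conf key naming, and renders the resulting sssd.conf lines with the bind password masked so they can be safely pasted into a ticket or log. The function names and the sample values are assumptions and the sample values are constructed, non-functional placeholders.

```python
import json
import re

# Keys this page lists as required for a basic LDAP setup.
REQUIRED_KEYS = ("ldap_search_base", "ldap_default_bind_dn",
                 "ldap_default_authtok", "ldap_uri")
# Keys whose values must never be echoed into logs, tickets or chat.
SENSITIVE_KEYS = {"ldap_default_authtok"}
# sssd.conf option names are lowercase words joined by underscores.
KEY_PATTERN = re.compile(r"^[a-z][a-z0-9_]*$")

# Constructed, non-functional sample values (not a real domain or account).
SAMPLE_PAIRS = {
    "ldap_search_base": "dc=example,dc=internal",
    "ldap_default_bind_dn": "cn=svc-metworx,ou=Service Accounts,dc=example,dc=internal",
    "ldap_default_authtok": "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD",
    "ldap_uri": "ldaps://dc01.example.internal",
}

def validate_pairs(pairs):
    """Return a list of problems; an empty list means the pairs are usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if not pairs.get(key):
            problems.append(f"missing required key: {key}")
    for key in pairs:
        if not KEY_PATTERN.match(key):
            problems.append(f"key does not follow sssd.conf naming: {key!r}")
    return problems

def build_secret_string(pairs):
    """Serialize the pairs as the JSON object Secrets Manager stores for an
    'Other type of secret'; raises ValueError if validation fails."""
    problems = validate_pairs(pairs)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(pairs, sort_keys=True)

def render_sssd_lines(secret_string, redact=False):
    """Turn the stored secret back into 'key = value' lines as they would land
    in sssd.conf; with redact=True the bind password is masked for display."""
    pairs = json.loads(secret_string)
    lines = []
    for key in sorted(pairs):
        value = "********" if redact and key in SENSITIVE_KEYS else pairs[key]
        lines.append(f"{key} = {value}")
    return lines

if __name__ == "__main__":
    secret = build_secret_string(SAMPLE_PAIRS)
    # Assumed upload step (not run here), using the secret name this page requires:
    #   aws secretsmanager create-secret --name metworx-sssd-config --secret-string "$secret"
    print("\n".join(render_sssd_lines(secret, redact=True)))
```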
Final Steps
After this is configured, as long as the Metworx workflows have network access to the Domain Controller, LDAP authentication should be functional from Metworx workflows.