Configuring authentication against Active Directory

New in version 1.5: Enterprise

By default, the WAPT Server is configured with a single SuperAdmin account whose password is set up during initial post-configuration.

On large and security-minded networks, this SuperAdmin account should not be used, since a shared account cannot provide the traceability needed for administrative actions performed on the network.

It is thus necessary to configure authentication against the Organization's Active Directory for the Administrators and the Package Deployers; this allows named accounts to be used for administrative tasks.

Note

  • Active Directory authentication is used to authenticate access to the inventory via the WAPT Console;
  • however, all actions on the WAPT equipped remote devices are based on X.509 signatures, so an Administrator will need both an Active Directory login AND a private key whose certificate is recognized by the remote devices to manage his installed base of devices using WAPT;
  • only the SuperAdmin account and the members of the Active Directory security group waptadmins will be allowed to upload packages on the main repository (authentication mode by login and password);

Enabling Active Directory authentication

  • To enable WAPT Server authentication against Active Directory, configure the /opt/wapt/conf/waptserver.ini file as follows:
wapt_admin_group_dn=CN=waptadmins,OU=groupes,OU=tranquilit,DC=mydomain,DC=lan
ldap_auth_server=srvads.mydomain.lan
ldap_auth_base_dn=DC=mydomain,DC=lan
ldap_auth_ssl_enabled=False
Parameters:

  wapt_admin_group_dn
    Value: CN=waptadmins,OU=groupes,OU=tranquilit,DC=mydomain,DC=lan
    Description: Full DN of the group. All members of this group will be able to log in to WAPT.

  ldap_auth_server
    Value: srvads.mydomain.lan
    Description: The LDAP server that WAPT will use.

  ldap_auth_base_dn
    Value: DC=mydomain,DC=lan
    Description: The base DN used for the search.

  ldap_auth_ssl_enabled
    Value: False
    Description: Whether the LDAP connection to Active Directory uses SSL / TLS (see the section below).

Then restart waptserver:

systemctl restart waptserver

Enabling SSL / TLS support for the LDAP connection to the Active Directory Domain Controller

By default, authentication on Active Directory relies on LDAP SSL (default port 646).

SSL / TLS is not enabled by default on Microsoft Active Directory until an SSL certificate has been configured for the Domain Controller.

Note

The WAPT Server uses the Certificate Authority bundles from the operating system (CentOS) for validating the SSL / TLS connection to Active Directory.

If the Active Directory certificate is self-signed or has been signed by an internal CA, you’ll need to add these certificates to the certificate store of CentOS.

Copy the Certificate Authority certificate into /etc/pki/ca-trust/source/anchors/ and update the CA store:

cp cainterne.pem /etc/pki/ca-trust/source/anchors/cainterne.pem
update-ca-trust
  • Once the certificate is in place and LDAP SSL support has been enabled on the Active Directory Domain Controller (step not documented here), switch SSL / TLS support to True in the /opt/wapt/conf/waptserver.ini file:
ldap_auth_ssl_enabled=True

Restart waptserver:

systemctl restart waptserver
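A pre-flight check for the two steps above (the waptserver.ini LDAP settings and the CA trust store), written as an added example that is not part of WAPT itself. It flags a configuration that still leaves ldap_auth_ssl_enabled=False, validates the DN syntax of the group and base DN, and tests that the Domain Controller's certificate chains to the operating system CA store (the same store the WAPT Server uses) before you flip the setting to True. Assumptions: the settings live in an [options] section, the LDAPS port is passed explicitly, and the sample ini below is constructed from the values shown on this page.

```python
"""Pre-flight check for the LDAP settings in waptserver.ini (added example)."""
import configparser
import re
import socket
import ssl

# Constructed sample built from the keys and values documented above.
SAMPLE_INI = """[options]
wapt_admin_group_dn=CN=waptadmins,OU=groupes,OU=tranquilit,DC=mydomain,DC=lan
ldap_auth_server=srvads.mydomain.lan
ldap_auth_base_dn=DC=mydomain,DC=lan
ldap_auth_ssl_enabled=False
"""

REQUIRED = ("wapt_admin_group_dn", "ldap_auth_server",
            "ldap_auth_base_dn", "ldap_auth_ssl_enabled")
# A DN is a comma-separated list of attribute=value pairs (CN=, OU=, DC=, ...).
DN_RE = re.compile(r"^([A-Za-z]+=[^,]+)(,[A-Za-z]+=[^,]+)*$")


def check_ldap_settings(ini_text, section="options"):
    """Return a list of findings; an empty list means the settings look sane."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    opts = cfg[section]  # section name is an assumption about waptserver.ini
    findings = []
    for key in REQUIRED:
        if not opts.get(key):
            findings.append(f"missing {key}")
    for key in ("wapt_admin_group_dn", "ldap_auth_base_dn"):
        if opts.get(key) and not DN_RE.match(opts[key]):
            findings.append(f"{key} is not a valid DN: {opts[key]}")
    if not opts.getboolean("ldap_auth_ssl_enabled", fallback=False):
        findings.append("ldap_auth_ssl_enabled=False: LDAP bind to AD "
                        "would be unencrypted")
    return findings


def ldaps_chain_ok(host, port, timeout=5):
    """True if <host>:<port> presents a certificate the OS CA store trusts.
    create_default_context() loads the system bundle (/etc/pki/ca-trust on
    CentOS), so a failure here predicts a failure once SSL is switched on."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    for finding in check_ldap_settings(SAMPLE_INI):
        print("WARN:", finding)
```

Run it against the real file with check_ldap_settings(open("/opt/wapt/conf/waptserver.ini").read()) and call ldaps_chain_ok(ldap_auth_server, port) with your Domain Controller's LDAPS port; only when both come back clean is it safe to set ldap_auth_ssl_enabled=True.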

Now proceed to the next step to install the WAPT Console.