docs: LDAP service account setup #8875
Co-authored-by: Zac Bergquist <[email protected]>
Find your domain in the side menu, and right click the container you want the service account to live in (typically Users). From the context | ||
menu, select `New > User` and fill out the fields for your Teleport LDAP Service Account. For the "User logon name" field, you can use `svc-teleport` | ||
On the password screen, unselect “User must change password at next login” and select “Password never expires”. Make a note of what values you put |
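Review bot: "Make a note of what values you put" in the last line leaves the storage of a password that, per the same sentence, never expires unspecified; the text should say the value goes only into the `password_file` that Teleport reads in Step 5, readable by the Teleport user alone, and nowhere else. Suggest: "Record the password; you will place it in Teleport's `password_file` (readable only by the Teleport service user) in Step 5."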
Users will be concerned about old passwords that are insecure and unexpiring? Is there any way to make sure that these passwords are never used?
This password is used by teleport to talk to LDAP, but we disable interactive login and restrict the permissions so it can't be used to login to a host or do any actions outside of what teleport requires.
# This is usually the same password you use to login to the Domain Controller. | ||
password_file: /var/lib/ldap-pass | ||
``` | ||
Now right click the same container you did before, and select `New > Group`. Choose a Group name like `svc-teleport-group` and ensure that “Global” |
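Review bot: the YAML comment `# This is usually the same password you use to login to the Domain Controller.` above `password_file` contradicts the dedicated service account created earlier in the same guide: the file must contain the `svc-teleport` account's password, never a Domain Controller login password. Suggest replacing the comment with `# Password of the LDAP service account (svc-teleport) created above.`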
Observation: users will be making a lot of mistakes here. Can we implement something like #8896 for Desktop Access?
We have a separate issue filed to look into how much of this we can automate. It's looking like the answer is "not very much" but we'll see what we can do.
This requires a further update once #8932 is merged, so I'm converting it to a draft until that happens. |
@quinqu Can you take a look at this PR. It looks like Sasha approved, but then Isaiah re-requested a review. I think in that case, the check workflow should fail, but here it's passing. |
```text | ||
Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall and Advanced Security | ||
## Step 5/6. Configure Teleport |
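Review bot: the GPO path in the `text` block ends in `Windows Firewall and Advanced Security`, which is not the node name shown in the Group Policy Management Editor; the node is `Windows Firewall with Advanced Security`, so a reader searching the tree by the quoted name will not find it. Suggest correcting that line of the block.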
This order is much better.
Run the PowerShell script below, replacing variable values where appropriate. | ||
```powershell | ||
$DomainDN="DC=domain-controller,DC=example,DC=com" # replace this with your domain |
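Review bot: the placeholder `DC=domain-controller,DC=example,DC=com` with the comment `# replace this with your domain` suggests that the domain controller's hostname is part of the DN; `$DomainDN` is the distinguished name of the AD domain itself (for `example.com`, `DC=example,DC=com`). The script would be less error-prone if it read the value from AD, e.g. `$DomainDN = (Get-ADDomain).DistinguishedName`, instead of asking the reader to construct it.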
In this case, the cluster name needs to be same as the FQDN of the Teleport proxy?
No, that should say "Domain Controller domain"
Good job improving the setup instructions @ibeckermayer, I've found a few small issues and have submitted suggestions. Is this ready to be deployed? I'm waiting for these instructions before recording my setup video.
It's ready in the sense that these instructions are complete. I believe I need at least one more code owner approval and it looks like there are some new CI checks that are failing, but I don't know why (@quinqu ?) |
FTR: The failing checks are under development and are optional, per https://gravitational.slack.com/archives/C0DF0TPMY/p1637295406278500 |
* updating docs with service account tutorial
* minor corrections
* Apply suggestions from code review
  Co-authored-by: Zac Bergquist <[email protected]>
* wording changes based on CR
* minor changes and fixes and adds updated photos with new naming convention
* Updating documentation
* updating gpo instructions to actually make sense
* nits
* adding instructions for exporting ca
* removing unhelpful screen shot
* Fixes quotes and updates to LDAPS
  Co-authored-by: Ben Arent <[email protected]>
* clarifying comment
  Co-authored-by: Zac Bergquist <[email protected]>

Co-authored-by: Ben Arent <[email protected]>
* Expose endpoint for fetching single desktop (#9041)
  * updates endpoints
  * Exposes an endpoint for fetching a single desktop by name
  * Apply suggestions from code review
    Co-authored-by: Zac Bergquist <[email protected]>
  * changes inaccurate desktopUUID to desktopName
  Co-authored-by: Zac Bergquist <[email protected]>
* docs: LDAP service account setup (#8875)
  * updating docs with service account tutorial
  * minor corrections
  * Apply suggestions from code review
    Co-authored-by: Zac Bergquist <[email protected]>
  * wording changes based on CR
  * minor changes and fixes and adds updated photos with new naming convention
  * Updating documentation
  * updating gpo instructions to actually make sense
  * nits
  * adding instructions for exporting ca
  * removing unhelpful screen shot
  * Fixes quotes and updates to LDAPS
    Co-authored-by: Ben Arent <[email protected]>
  * clarifying comment
    Co-authored-by: Zac Bergquist <[email protected]>
  Co-authored-by: Ben Arent <[email protected]>
* Enhance LDAP desktop discovery (#9152)
  * Refactor component heartbeat callbacks
    Consolidate the OK/degraded broadcasts so the same logic isn't duplicated for each component.
  * Periodically update discovered desktops
    Fixes #8644
  * Allow customizing the desktop search
    With this change, we support a discovery base DN other than '*', and add support for further filtering the results with additional LDAP filters. Additionally, we filter out group managed service accounts, which show up in LDAP searches for (objectClass=computer), despite not being computers. (This is mostly harmless, as the service accounts aren't present in DNS, so Teleport just ignores them. It does, however, log a DNS error message that could be confusing, so we explicitly filter these out just to be safe. This was discovered when testing on AWS managed AD, which creates a gMSA for DNS.
* simplify connection establishment (#9098)
  * Adds username and initial screen size to the websocket parameter string and sends over tdp during the connection process
  * simplifications from CR
  * fixes // //
* Update e ref
* Create separate builds for CentOS7 (+fips)
  Add new buildboxes for centos7 and centos7-fips. For now, we will continue to support both CentOS 6 and 7. Eventually we will drop support for CentOS 6, and the only supported CentOS builds will be these new CentOS 7 builds.
  Fixes #9028
* [auto] Update webassets in zmb3/desktop-access-backports (#9210)
  444cf33 simplify connection establishment (#480) gravitational/webapps@444cf33 [source: -w teleport-v8] [target: -t zmb3/desktop-access-backports]

Co-authored-by: Isaiah Becker-Mayer <[email protected]>
Co-authored-by: Ben Arent <[email protected]>
Adds instructions for setting up an LDAP service account with the minimum required permissions for Teleport to work.
One thing to note is that this could be somewhat simplified by applying the Group Policy Object and the fine-grained permissions in the PowerShell script to the service account User directly, rather than applying them to a Group and adding the User to the Group. Since this is my first time configuring anything in Active Directory, I elected to go with the standard chain of GPO -> Group -> User to avoid any potential mishap due to a non-standard configuration.
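The PowerShell below is an added example, not the script from this PR or from Teleport's own docs. It builds the GPO -> Group -> User chain the description refers to and gives the service account only read access to computer objects, then checks both halves of that claim: that the account can enumerate computers, and that it cannot modify one. Assumed values, all chosen for illustration: the container `CN=Users`, the account name `svc-teleport`, the group name `svc-teleport-group`, and the domain DN, which is read from AD rather than typed by hand. It needs the RSAT ActiveDirectory module and a domain-admin session; the GPO that denies the group interactive logon is still applied separately, as in the guide.

```powershell
# Added example (not Teleport's script): least-privilege LDAP bind account for Teleport.
# Assumed names: container CN=Users, account svc-teleport, group svc-teleport-group.
# Run in an elevated PowerShell with the RSAT ActiveDirectory module as a domain admin.
Import-Module ActiveDirectory

$Domain    = Get-ADDomain
$DomainDN  = $Domain.DistinguishedName          # e.g. DC=example,DC=com, read from AD
$UsersDN   = "CN=Users,$DomainDN"               # assumed container
$SvcName   = "svc-teleport"                     # assumed account name
$GroupName = "svc-teleport-group"               # assumed group name

# 32 random bytes -> 44-character password. It is only used for the LDAP bind and is
# never typed interactively, so length costs nothing.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$PlainPassword  = [Convert]::ToBase64String($bytes)
$SecurePassword = ConvertTo-SecureString $PlainPassword -AsPlainText -Force

# Service account: password never expires, the account cannot change it, and no change is
# forced at first logon. Interactive logon is denied by the GPO on the group, not here.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcName'")) {
    New-ADUser -Name $SvcName -SamAccountName $SvcName `
        -UserPrincipalName "${SvcName}@$($Domain.DNSRoot)" -Path $UsersDN `
        -AccountPassword $SecurePassword -PasswordNeverExpires $true `
        -CannotChangePassword $true -ChangePasswordAtLogon $false -Enabled $true
}

# Global security group that carries the GPO and the ACL; the user inherits both via membership.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $UsersDN
}
Add-ADGroupMember -Identity $GroupName -Members $SvcName

# Read-only ACE on descendant computer objects, scoped by the schemaIDGUID of the
# 'computer' class looked up from the schema instead of hard-coded.
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'computer'" -Properties schemaIDGUID
$computerGuid  = [Guid]$computerClass.schemaIDGUID
$groupSid      = (Get-ADGroup $GroupName).SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)
$acl = Get-Acl -Path "AD:\$DomainDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$DomainDN" -AclObject $acl

# Check 1: the new account can enumerate computers, which is what LDAP discovery needs.
$cred  = New-Object System.Management.Automation.PSCredential(
    "${SvcName}@$($Domain.DNSRoot)", $SecurePassword)
$first = Get-ADComputer -Filter * -SearchBase $DomainDN -Credential $cred | Select-Object -First 1
"Read as ${SvcName}: $($first.DistinguishedName)"

# Check 2: the same account cannot modify a computer object. Expected result: access denied.
try {
    Set-ADComputer -Identity $first.DistinguishedName -Description "should fail" -Credential $cred
    Write-Warning "Write succeeded: the account has more than read access; review its ACEs and group memberships"
} catch {
    "Write denied as expected: $($_.Exception.Message)"
}

# Show the password once so it can be copied into Teleport's password_file (mode 0600) on
# the host running the desktop service; it is not stored anywhere else.
"Password for ${SvcName} (copy to password_file): $PlainPassword"
```

Two caveats when reading the output. On a default domain, Authenticated Users already have read access to computer objects, so Check 1 passing says little on its own; the explicit ACE records intent and survives later hardening of default permissions, and Check 2 is the test that actually shows the account is read-only. And because the password never expires, the only rotation is the one you schedule: re-running the block with a new random password and updating `password_file` is the whole procedure.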