Authentication metaexplicit for Microsoft Active Directory with Trust Relationships
authmanagers metaexplicit Object
The metaexplicit authentication manager supports exactly one provider entry. This provider must be defined with the reserved name metadirectory and is responsible for resolving the user's home domain before delegating credential validation to the appropriate Active Directory explicit provider.
'metaexplicit': {
    'providers': {
        'metadirectory': {
            'config_ref': 'coporateconfig',
            'enabled': True
        }
    }
}
| Variable name | Type | Description |
|---|---|---|
| providers | dictionary | { 'metadirectory': { 'config_ref': 'coporateconfig', 'enabled': True }} |
metadirectory Provider Configuration
The metadirectory provider is defined as a dictionary object whose key name must match the value of config_ref. The referenced configuration block provides the LDAP connection parameters for the metadirectory forest.
A metadirectory provider requires a dedicated LDAP attribute to map each user account to its originating domain and sAMAccountName. This attribute is specified using the join_key_ldapattribut key.
coporateconfig : { 'metadirectory': {
    'domain' : 'CORPORATE',
    'ldap_basedn' : 'DC=foo,DC=corporate,DC=local',
    'ldap_fqdn' : '_ldap._tcp.foo.corporate.local',
    'servers' : [ 'ldap://192.168.9.11', 'ldap://192.168.7.12', 'ldap://192.168.7.13' ],
    # join_key_ldapattribut must be defined for a metadirectory provider
    'join_key_ldapattribut' : 'description',
    'auth_type' : 'KERBEROS',
    'domain_fqdn': 'foo.corporate.local',
    'kerberos_realm': 'FOO.CORPORATE.LOCAL',
    # serviceaccount must be defined for a metadirectory provider
    'serviceaccount': { 'login': 'svcaccount', 'password':'superpass' }
} }
Pyos binds to the metadirectory LDAP server using the service account credentials and reads the LDAP attribute specified by join_key_ldapattribut (in this example, description) to determine the user's trusted home domain. It then locates the matching explicit provider configuration and delegates authentication to that domain.
For example:
description: AD\john
Pyos then looks up the AD provider configuration and performs authentication against the AD domain.
Accounts in the metadirectory can exist in any account state. The LDAP attribute userAccountControl is not read for metadirectory provider lookups, and the UF_ACCOUNT_DISABLE flag is not evaluated. Account enablement enforcement is delegated to the target explicit provider.
A service account must be defined for every metadirectory provider. This account is used to bind to the metadirectory LDAP server and perform the domain-resolution attribute lookup.
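The domain-resolution step described above, as an added illustration that is not Pyos code: it parses the join-key value (`DOMAIN\sAMAccountName`), finds the matching explicit provider, checks that it is enabled and that its `config_ref` resolves to a block keyed by the provider name. The configuration dictionaries and the disabled `OLD` provider are constructed for the example, and the case-insensitive match on the provider name is an assumption, not documented behaviour.

```python
import re
from typing import Optional, Tuple

# Constructed configuration mirroring the page's example (hypothetical values).
AUTHMANAGERS = {
    'metaexplicit': {'providers': {'metadirectory': {'config_ref': 'coporateconfig', 'enabled': True}}},
    'explicit': {
        'AD': {'config_ref': 'adconfig', 'enabled': True},
        'ANOTHER': {'config_ref': 'anotherconfig', 'enabled': True},
        'OLD': {'config_ref': 'oldconfig', 'enabled': False},  # disabled provider, constructed for the example
    },
}
CONFIGS = {
    'adconfig': {'AD': {'domain': 'AD', 'auth_type': 'NTLM', 'domain_fqdn': 'AD.DOMAIN.LOCAL'}},
    'anotherconfig': {'ANOTHER': {'domain': 'ANOTHER', 'auth_type': 'KERBEROS', 'domain_fqdn': 'ANOTHER.SUPER.LOCAL'}},
    'oldconfig': {'OLD': {'domain': 'OLD', 'auth_type': 'NTLM'}},
}

# Exactly one DOMAIN\sAMAccountName: no empty parts, no extra separators, no whitespace.
_JOIN_KEY_RE = re.compile(r'^([^\\\s/@]+)\\([^\\\s/@]+)$')


def parse_join_key(value: str) -> Optional[Tuple[str, str]]:
    """Split the join-key attribute value (e.g. the description attribute) into (domain, sAMAccountName)."""
    m = _JOIN_KEY_RE.match(value or '')
    return (m.group(1), m.group(2)) if m else None


def resolve_home_domain(value: str, authmanagers=AUTHMANAGERS, configs=CONFIGS):
    """Return (provider_name, sam, provider_config) for a join-key value, or None when the
    value is malformed, no explicit provider matches the domain, the provider is disabled,
    or its config_ref does not resolve to a block keyed by the provider name."""
    parsed = parse_join_key(value)
    if parsed is None:
        return None
    domain, sam = parsed
    providers = authmanagers.get('explicit', {})
    # Assumption: provider names are compared case-insensitively.
    name = next((n for n in providers if n.upper() == domain.upper()), None)
    if name is None or not providers[name].get('enabled', False):
        return None
    ref = providers[name].get('config_ref')
    # The referenced block must use the provider name as its key, as the page describes.
    cfg = configs.get(ref, {}).get(name)
    if cfg is None:
        return None
    return name, sam, cfg
```

Values that do not resolve are rejected before any bind is attempted against a user domain, so a malformed or unknown join-key value cannot select an unexpected provider.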
Complete Example with a metadirectory Provider and Active Directory User Domains
In this example:
- The user's domain name is AD.
- The meta domain name is CORPORATE.
- The meta domain uses a dedicated attribute specified by join_key_ldapattribut.
authmanagers: {
    #
    # define the meta explicit manager
    # This is the trusted external forest for the domains defined below
    #
    'metaexplicit': {
        'providers': {
            # define the metadirectory provider
            # only one metadirectory provider is supported
            'metadirectory': {
                'config_ref': 'coporateconfig',
                'enabled': True }
        }
    },
    #
    # define the Active Directory provider for each DOMAIN
    # define two domains in two distinct forests with a trust relationship
    #
    'explicit': {
        # define an Active Directory provider AD
        'AD': { 'config_ref': 'adconfig', 'enabled': True },
        # define an Active Directory provider ANOTHER
        'ANOTHER': { 'config_ref': 'anotherconfig', 'enabled': True }
    }
} # end of authmanagers
# In this example the LDAP attribute description contains AD\myuser or ANOTHER\myuser
coporateconfig : { 'metadirectory': {
    'domain' : 'CORPORATE',
    'ldap_basedn' : 'DC=foo,DC=corporate,DC=local',
    'ldap_fqdn' : '_ldap._tcp.foo.corporate.local',
    'servers' : [ 'ldap://192.168.9.11', 'ldap://192.168.7.12', 'ldap://192.168.7.13' ],
    # join_key_ldapattribut must be defined for a metadirectory provider
    'join_key_ldapattribut' : 'description',
    'auth_type' : 'KERBEROS',
    'domain_fqdn': 'foo.corporate.local',
    'kerberos_realm': 'FOO.CORPORATE.LOCAL',
    # serviceaccount must be defined for a metadirectory provider
    'serviceaccount': { 'login': 'svcaccount', 'password':'superpass' }
} }
#
# define the first DOMAIN AD
# The adconfig ref for domain AD
#
adconfig : { 'AD': {
    'ldap_basedn' : 'DC=ad,DC=domain,DC=local',
    'ldap_fqdn' : '_ldap._tcp.ad.domain.local',
    'domain' : 'AD',
    'auth_type' : 'NTLM',
    'domain_fqdn' : 'AD.DOMAIN.LOCAL',
    'servers' : [ 'ldap://192.168.7.12' ] } }
#
# define the second DOMAIN ANOTHER
# The anotherconfig ref for domain ANOTHER
#
anotherconfig : { 'ANOTHER': {
    'ldap_basedn' : 'DC=another,DC=super,DC=local',
    'ldap_fqdn' : '_ldap._tcp.another.super.local',
    'domain' : 'ANOTHER',
    'auth_type' : 'KERBEROS',
    'domain_fqdn' : 'ANOTHER.SUPER.LOCAL',
    'servers' : [ 'ldap://192.168.10.12' ],
    'kerberos_realm': 'AD.SUPER.LOCAL' } }
metadirectory Support
The metadirectory provider supports Foreign Security Principals (FSPs), enabling it to query security principals residing in trusted external forests. These objects are stored in the Foreign Security Principals container of the local domain.
The metadirectory provider supports isMemberOf lookups on foreign security principals.
The user's SID from the AD or ANOTHER domain is not read directly from the metadirectory. Instead, a new LDAP bind is performed against the user's trusted home domain rather than reusing the service account credentials.
The LDAP query is constructed as:
( "search_base={q.basedn}, search_scope={q.scope}, search_filter={filter}" )
For more information about Foreign Security Principals, refer to: