
Automation and changes for 'DistinguishedName' #142

Merged: 6 commits, Sep 30, 2024

Conversation

@smhmhmd (Contributor) commented Sep 23, 2024

Automation and changes for 'DistinguishedName'

Issue #, if available:

Description of changes:

  • Testing automation: Create CDK with gMSA accounts inside an OU.
  • 'DistinguishedName' in Secrets Manager is optional.
    It is recommended to have the DN in Secrets Manager for large directories since the DN is figured out by searching AD over LDAP.

Testing done:
Yes

[root@ip-10-0-3-41 ec2-user]# ls -al /var/credentials-fetcher/krbdir/c14226368d8273e40cd3/
total 20
drwxr-xr-x.  3 root root        64 Sep 29 02:17 .
drwxr-xr-x. 35 root ec2-user 16384 Sep 29 02:17 ..
drwxr-xr-x.  2 root root        20 Sep 29 02:29 WebApp01
-rw-r--r--.  1 root root       384 Sep 29 02:17 c14226368d8273e40cd3_metadata.json
[root@ip-10-0-3-41 ec2-user]# klist /var/credentials-fetcher/krbdir/c14226368d8273e40cd3/WebApp01/krb5cc
Ticket cache: FILE:/var/credentials-fetcher/krbdir/c14226368d8273e40cd3/WebApp01/krb5cc
Default principal: [email protected]

Valid starting     Expires            Service principal
09/29/24 02:29:00  09/29/24 12:29:00  krbtgt/[email protected]
	renew until 10/06/24 02:29:00
Today:
[ec2-user@ip-10-0-3-41 ~]$ ls -al /var/credentials-fetcher/krbdir/c14226368d8273e40cd3/
total 20
drwxr-xr-x.  3 root root        64 Sep 29 02:33 .
drwxr-xr-x. 35 root ec2-user 16384 Sep 29 02:17 ..
drwxr-xr-x.  2 root root        20 Sep 30 16:39 WebApp01
-rw-r--r--.  1 root root       384 Sep 29 02:17 c14226368d8273e40cd3_metadata.json
[ec2-user@ip-10-0-3-41 ~]$ sudo klist /var/credentials-fetcher/krbdir/c14226368d8273e40cd3/WebApp01/krb5cc
Ticket cache: FILE:/var/credentials-fetcher/krbdir/c14226368d8273e40cd3/WebApp01/krb5cc
Default principal: [email protected]

Valid starting     Expires            Service principal
09/30/24 16:39:47  10/01/24 02:39:47  krbtgt/[email protected]
	renew until 10/07/24 16:39:47
[ec2-user@ip-10-0-3-41 ~]$

Merge Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your pull request.

General

  • I have read the CONTRIBUTING doc
  • I used the commit message format described in CONTRIBUTING
  • I have updated any necessary documentation, including READMEs and comments (where appropriate)

Tests

  • I have added tests that prove my fix is effective or that my feature works (if appropriate)
  • I have checked that my tests are not configured for a specific environment

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Create gMSA accounts inside an OU, no logic changes.
Sequence is:
   Fetch the credspec from S3
   Read credspec and get the secretsmanager arn
   Read the 'distinguishedName' from the secretsmanager arn

TBD: Fix DN in the renew path
Distinguished name is used to create tickets and write a metadata.json for the ticket.
For renewing, the metadata.json is read to renew ticket.
{
	"krb_ticket_info" :
	[
		{
			"credspec_info" : "",
			"distinguished_name" : "CN=WebApp1,OU=MYOU,OU=Users,OU=ActiveDirectory,DC=ActiveDirectory1,DC=com",
			"domain_name" : "ActiveDirectory1.com",
			"domainless_user" : "standarduser01",
			"krb_file_path" : "/var/credentials-fetcher/krbdir/ac3f8490ca9a56a2ade8/WebApp1/krb5cc",
			"service_account_name" : "WebApp1"
		}
	]
}
Add docker image as well
Secrets manager can have username, password, domain, distinguishedName
or
usernameOfStandardUserAccount, passwordOfStandardUserAccount, distinguishedNameOfgMSA
If "distinguishedName" is not provided in secrets manager, it is searched using ldapsearch.
The upside is that it is one less configuration, the downside is that the search may be
costly if the directory is very large.
For large AD installations, avoiding the search may be better.
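The commit messages above describe two pieces of behaviour: resolving the gMSA distinguishedName from the Secrets Manager secret (either key layout, DN optional, ldapsearch fallback when it is absent) and writing the metadata.json record that the renew path reads back instead of searching again. The following is an added example in Python, not code from credentials-fetcher or from the PR author; the function names, the ldapsearch argument shape, the RFC 4515 filter escaping and the in-memory stand-in for the directory are assumptions of this example, and the sample secrets and directory entry are constructed from the values shown in the commit message.

```python
"""Added example, not credentials-fetcher code: secret-to-DN resolution with the
ldapsearch fallback the commit messages describe, plus the metadata.json
round-trip used on renew.  Names, ldapsearch argument shape and filter
escaping are assumptions of this example, not details taken from the project."""
import json
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample secret strings, one per key layout named in the commit message.
SECRET_WITH_DN = json.dumps({
    "username": "standarduser01",
    "password": "constructed-placeholder",
    "domain": "ActiveDirectory1.com",
    "distinguishedName": "CN=WebApp1,OU=MYOU,OU=Users,OU=ActiveDirectory,DC=ActiveDirectory1,DC=com",
})
SECRET_WITHOUT_DN = json.dumps({
    "usernameOfStandardUserAccount": "standarduser01",
    "passwordOfStandardUserAccount": "constructed-placeholder",
})
# Constructed in-memory directory standing in for a real ldapsearch against AD.
FAKE_DIRECTORY = {
    "(sAMAccountName=WebApp1$)":
        ["CN=WebApp1,OU=MYOU,OU=Users,OU=ActiveDirectory,DC=ActiveDirectory1,DC=com"],
}


@dataclass
class SecretFields:
    username: str
    password: str
    distinguished_name: Optional[str]


def parse_secret(secret_string: str) -> SecretFields:
    """Accept either key layout; the DN is optional in both."""
    data = json.loads(secret_string)
    username = data.get("username") or data.get("usernameOfStandardUserAccount")
    password = data.get("password") or data.get("passwordOfStandardUserAccount")
    if not username or not password:
        raise ValueError("secret must hold the standard user's username and password")
    dn = data.get("distinguishedName") or data.get("distinguishedNameOfgMSA")
    return SecretFields(username, password, dn.strip() if dn else None)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so an account name cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def domain_to_base_dn(domain: str) -> str:
    """ActiveDirectory1.com -> DC=ActiveDirectory1,DC=com"""
    return ",".join(f"DC={label}" for label in domain.split(".") if label)


def ldap_search_args(domain: str, service_account_name: str) -> List[str]:
    """Assumed ldapsearch argument shape (the page only says the DN is searched
    with ldapsearch).  gMSA accounts carry a '$' suffix in sAMAccountName."""
    account = escape_filter_value(service_account_name)
    return ["-LLL", "-b", domain_to_base_dn(domain),
            f"(sAMAccountName={account}$)", "distinguishedName"]


def resolve_distinguished_name(secret_string: str, domain: str, service_account_name: str,
                               ldap_lookup: Callable[[List[str]], List[str]]) -> Tuple[str, str]:
    """Return (dn, source).  ldap_lookup runs the search and returns matching DNs;
    it is injected so the example runs with no directory reachable."""
    fields = parse_secret(secret_string)
    if fields.distinguished_name:
        return fields.distinguished_name, "secrets-manager"   # no LDAP round trip
    matches = ldap_lookup(ldap_search_args(domain, service_account_name))
    if len(matches) != 1:   # never silently pick one of several matches
        raise LookupError(f"expected one DN for {service_account_name}, got {len(matches)}")
    return matches[0], "ldap-search"


def fake_ldap_lookup(args: List[str]) -> List[str]:
    # Stand-in for running ldapsearch: index FAKE_DIRECTORY by the filter argument.
    return FAKE_DIRECTORY.get(args[3], [])


def write_metadata(path: str, lease_id: str, dn: str, domain: str, user: str,
                   service_account_name: str, credspec_info: str = "") -> dict:
    """The metadata.json record shape shown in the commit message."""
    record = {"krb_ticket_info": [{
        "credspec_info": credspec_info,
        "distinguished_name": dn,
        "domain_name": domain,
        "domainless_user": user,
        "krb_file_path": f"/var/credentials-fetcher/krbdir/{lease_id}/{service_account_name}/krb5cc",
        "service_account_name": service_account_name,
    }]}
    with open(path, "w") as fh:
        json.dump(record, fh, indent=1)
    return record


def dn_for_renewal(path: str) -> str:
    """Renew path: read the DN back from metadata.json instead of searching again."""
    with open(path) as fh:
        return json.load(fh)["krb_ticket_info"][0]["distinguished_name"]


def metadata_round_trip(dn: str) -> str:
    """Write the record as the ticket path would, then read it as the renew path does."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ac3f8490ca9a56a2ade8_metadata.json")
        write_metadata(path, "ac3f8490ca9a56a2ade8", dn, "ActiveDirectory1.com",
                       "standarduser01", "WebApp1")
        return dn_for_renewal(path)
```

Two design points worth noting for the fallback: the search value is escaped before it goes into the filter, and a result set that is empty or larger than one is treated as an error rather than resolved to the first entry, since the DN chosen here is what the ticket is created for and what the renew path will trust from metadata.json afterwards.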
@as14692 (Contributor) commented Sep 30, 2024

Please add the non CDK changes in the Description of changes as well

@smhmhmd changed the title from "Create CDK stack with Active Directory OU" to "Automation and changes for 'DistinguishedName'" on Sep 30, 2024

@smhmhmd (Contributor, Author) commented Sep 30, 2024

Please add the non CDK changes in the Description of changes as well

Updated

Please add the non CDK changes in the Description of changes as well

Done

@smhmhmd smhmhmd merged commit aa1ec01 into aws:mainline Sep 30, 2024
1 check passed