Allow password login to external AD users


#1

I have a unit which is setup to authenticate via “SSSD” (AD backend).

What would be the best way to enable password login to allow my users to log in to machines that allow this?

Is it through the charm layers (modifying), or is this something that I would be able to do through some juju tools?


#2

So are you authenticating to the charm tool or the juju cli itself? I’m trying to tell if you’re authenticating to the charmstore, JAAS, or a juju controller of your own.

EDIT: and is this using candid for the juju controller or normal Juju auth?


#3

It’s for user(s) to ssh from a “non juju” client at a separate network to access a/few nodes in a model which has been set up to use AD as a backend authentication mechanism (sssd + pam).

It’s needed to allow users to log in as their “real” users.


#4

Oooooh, ok so this is system accounts on the physical machines. Hmmm, are these MAAS machines? It feels like something that would be seeded on the machines themselves with cloud-init config such that they are set up so they support the AD auth at machine deploy time, aside from Juju.


#5

That’s true and we do that as a part of a subordinate, specific to our environment. It runs a few ansible playbooks (“scania-specific”) where we probably will end up placing this facility if juju doesn’t have an intelligent mechanism to do this out-of-the-box.


#6

It feels like either a subordinate, or a primary charm that you deploy to each machine to configure its PAM to integrate with your AD backend.
We have discussed in the past a sort of “machine subordinate”, that defines a charm to deploy on every machine in a model for similar use cases as this. (On all the machines, I want it to run this snippet of code, and do so reasonably early on.)

Putting the ansible code in a charm and installing it would get you there, and give you reasonable ways to upgrade it over time, see that it’s running, status, etc. I do think ‘global subordinate’ as a way to ensure that it is always available fits your use case pretty well.
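As an added illustration of the per-machine step such a subordinate (or the Ansible playbook it runs) would perform, here is an idempotent script that opens SSH password login only for one AD group while keeping it disabled for everyone else. This is not code from the thread or from any Juju charm; the group name `ssh-password-users@example.com`, the drop-in path and the `AD_LOGIN_APPLY` switch are assumptions, and it assumes sssd + pam already resolve AD users and that sshd includes `/etc/ssh/sshd_config.d/*.conf` (the Ubuntu default).

```shell
#!/bin/sh
# Added example, not from the thread: scope SSH password authentication to one
# AD group via an sshd drop-in. Global default stays "no"; only the Match block
# turns it on, so a leaked password for any other account is not usable over SSH.

# Hypothetical group name: replace with the AD group as sssd presents it.
AD_SSH_GROUP="${AD_SSH_GROUP:-ssh-password-users@example.com}"
SSHD_DROPIN_DIR="${SSHD_DROPIN_DIR:-/etc/ssh/sshd_config.d}"
DROPIN="$SSHD_DROPIN_DIR/50-ad-password-login.conf"

render_dropin() {
    # Print the drop-in for group "$1". The name is quoted because AD group
    # names often contain spaces or '@'. KbdInteractiveAuthentication is what
    # PAM-backed password prompts (sssd) use on recent OpenSSH.
    printf '%s\n' \
        '# Managed by the AD login subordinate; do not edit by hand.' \
        'PasswordAuthentication no' \
        "Match Group \"$1\"" \
        '    PasswordAuthentication yes' \
        '    KbdInteractiveAuthentication yes'
}

install_dropin() {
    # Write atomically and only when the content changed.
    # Returns 0 if the file was (re)written, 1 if it was already up to date.
    tmp="$(mktemp)"
    render_dropin "$AD_SSH_GROUP" > "$tmp"
    if [ -f "$DROPIN" ] && cmp -s "$tmp" "$DROPIN"; then
        rm -f "$tmp"
        return 1
    fi
    mkdir -p "$SSHD_DROPIN_DIR"
    chmod 0644 "$tmp"
    mv "$tmp" "$DROPIN"
    return 0
}

main() {
    if install_dropin; then
        # Validate the merged config before reloading: a broken drop-in
        # would otherwise lock every admin out at the next sshd restart.
        sshd -t && systemctl reload ssh
    fi
}

# Run only when explicitly asked, so the functions can be sourced elsewhere.
if [ "${AD_LOGIN_APPLY:-0}" = "1" ]; then
    main
fi
```

Run it as root with `AD_LOGIN_APPLY=1` from the charm's install/upgrade hook; on a second run it returns without touching sshd.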


#7

We ended up putting it in a subordinate with an ansible configuration to point towards the AWX. It feels a bit awkward, but does it for us at the moment. Thanks!