source/idea/idea-bootstrap/_templates/linux/connect_activedirectory.jinja2 (104 lines of code) (raw):

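# Begin: Connect ActiveDirectory
#
# Joins this host to the cluster's Active Directory through SSSD's LDAP
# id/auth provider:
#   1. renders the directory settings from the cluster config (Jinja2) and
#      pulls the bind DN / service-account credentials from Secrets Manager
#      via the get_secret helper defined earlier in the bootstrap scripts,
#   2. writes /etc/sssd/sssd.conf (backing up any existing file to
#      sssd.conf.orig) and applies operator overrides from
#      directoryservice.sssd.additional_sssd_configs,
#   3. stores the service-account password obfuscated with sss_obfuscate,
#   4. wires SSSD into NSS/PAM for the base OS and (re)starts sssd.
#
# Expects IDEA_MODULE_NAME, RES_BASE_OS and get_secret to be in scope, and to
# run as root (writes under /etc/sssd, uses systemctl).

RES_CLUSTER_HOME_DIR="{{ context.config.get_string('shared-storage.home.mount_dir', required=True) }}"
AD_DOMAIN_NAME="{{ context.config.get_string('directoryservice.name', required=True) | lower}}"
LDAP_CONNECTION_URI="{{ context.config.get_string('directoryservice.ldap_connection_uri', required=True) }}"
# Sudoers group names are not used in this section; presumably consumed by a
# later template section.
AD_SUDOERS_GROUP_NAME="{{ context.config.get_string('directoryservice.sudoers.group_name', required=True) }}"
AD_SUDOERS_GROUP_NAME_ESCAPED="{{ context.config.get_string('directoryservice.sudoers.group_name', required=True).replace(' ', '\ ') }}"
SSSD_LDAP_ID_MAPPING="{{ context.config.get_bool('directoryservice.sssd.ldap_id_mapping', default=True) | lower }}"
AD_TLS_CERTIFICATE_SECRET_ARN="{{context.config.get_string('directoryservice.tls_certificate_secret_arn', default='')}}"
AD_LDAP_BASE="{{context.config.get_string('directoryservice.ldap_base', required=True)}}"
# Rendered as a JSON object {"sssd_option": "value", ...}; the Jinja2 replace
# keeps the quotes intact inside this double-quoted shell string.
ADDITIONAL_AD_CONFIGS="{{context.config.get_string('directoryservice.sssd.additional_sssd_configs', required=True).replace('"', '\\"')}}"
ROOT_USER_DN_SECRET_ARN="{{ context.config.get_string('directoryservice.root_user_dn_secret_arn', required=True) }}"
SERVICE_ACCOUNT_CREDENTIALS_SECRET_ARN="{{ context.config.get_string('directoryservice.service_account_credentials_secret_arn', required=True) }}"

# Everything pulled from Secrets Manager is read with xtrace off so neither the
# bind DN nor the service-account password is echoed into the bootstrap log.
# The credentials secret is a JSON object keyed by username
# ({"<username>": "<password>"}); look the password up by that same key rather
# than dumping every value, so a secret with more than one entry cannot yield a
# multi-line "password".
set +x
ROOT_USER_DN=$(get_secret "${ROOT_USER_DN_SECRET_ARN}")
AD_USER_CREDENTIALS=$(get_secret "${SERVICE_ACCOUNT_CREDENTIALS_SECRET_ARN}")
AD_USER_USERNAME=$(printf '%s' "${AD_USER_CREDENTIALS}" | jq -r 'keys[0]')
AD_USER_PASSWORD=$(printf '%s' "${AD_USER_CREDENTIALS}" | jq -r --arg k "${AD_USER_USERNAME}" '.[$k]')
set -x

# Only the cluster-manager module enumerates the directory; every other module
# resolves users/groups on demand.
if [[ "${IDEA_MODULE_NAME}" == "cluster-manager" ]]; then
  enumerate_value=True
else
  enumerate_value=False
fi

sssd_config_file="/etc/sssd/sssd.conf"
if [[ -f "${sssd_config_file}" ]]; then
  cp "${sssd_config_file}" "${sssd_config_file}.orig"
fi

# sssd expects its config to be root-only (0600). Create it with that mode
# before any directory details are written instead of tightening it afterwards,
# so the mode never depends on the caller's umask.
touch "${sssd_config_file}"
chmod 600 "${sssd_config_file}"

# Base domain section. A quoted heredoc redirect is used rather than `echo -e`
# because echo -e would also interpret backslash sequences inside expanded
# values (AD DNs may contain backslash-escaped characters), and because xtrace
# prints an echo's arguments (including the bind DN) but not a heredoc body.
# ldap_default_authtok is a placeholder that sss_obfuscate replaces below.
cat > "${sssd_config_file}" <<EOF
[domain/${AD_DOMAIN_NAME}]
id_provider = ldap
auth_provider = ldap
sudo_provider = none
ldap_uri = ${LDAP_CONNECTION_URI}
ldap_search_base = ${AD_LDAP_BASE}
ldap_schema = ad
use_fully_qualified_names = false
case_sensitive = False
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_uuid = objectGUID
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
ldap_group_member = member
ldap_group_uuid = objectGUID
ldap_default_bind_dn = ${ROOT_USER_DN}
ldap_default_authtok_type = password
ldap_default_authtok = generated_password
enumerate = "${enumerate_value}"
ldap_id_mapping = ${SSSD_LDAP_ID_MAPPING}
cache_credentials = true
default_shell = /bin/bash
fallback_homedir = ${RES_CLUSTER_HOME_DIR}/%u
EOF
# NOTE(review): `enumerate` is written with surrounding double quotes
# ("True"/"False"); confirm sssd's ini parser accepts that as a boolean,
# otherwise the quotes should be dropped.

# Apply operator overrides. jq emits key and value on alternating lines, so the
# loop reads them in pairs. printf '%b' keeps the original echo -e escape
# handling but passes the JSON as a single quoted argument (no word splitting or
# glob expansion of the unquoted string). The value is escaped for sed's
# replacement side and a '|' delimiter is used so values containing '/', '&' or
# '\' (LDAP URIs, DNs, paths) no longer corrupt the substitution. Keys are sssd
# option names (letters/digits/underscore) and are used in the pattern as-is.
printf '%b\n' "${ADDITIONAL_AD_CONFIGS}" | jq -r 'to_entries[][]' | while read -r key; do
  read -r value
  value_sed=$(printf '%s' "${value}" | sed 's/[\\&|]/\\&/g')
  if grep -q "^${key} = " "${sssd_config_file}"; then
    # Key already present in the domain section: override it in place.
    sed -i "s|^${key} = .*|${key} = ${value_sed}|" "${sssd_config_file}"
  else
    # Unknown key: append to the domain section (the only section so far).
    printf '%s = %s\n' "${key}" "${value}" >> "${sssd_config_file}"
  fi
done

# Prepend the global sections; the domain section (with its overrides) stays
# last so later appends still land inside [domain/...].
domain_section=$(cat "${sssd_config_file}")
cat > "${sssd_config_file}" <<EOF
[sssd]
domains = ${AD_DOMAIN_NAME}
config_file_version = 2
services = nss, pam
[nss]
homedir_substring = /home/
[pam]
[autofs]
[ssh]
[secrets]
${domain_section}
EOF

# Store the service-account password obfuscated in sssd.conf. sss_obfuscate can
# read the password from stdin (--stdin), which removes the expect/TTY dance.
# printf '%s' feeds it without a trailing newline and never places the password
# on a command line that `ps` could show; xtrace is switched off around the
# pipeline because otherwise the expanded printf argument would be traced.
set +x
printf '%s' "${AD_USER_PASSWORD}" | sudo sss_obfuscate --domain "${AD_DOMAIN_NAME}" --stdin
set -x

if [[ "${AD_TLS_CERTIFICATE_SECRET_ARN}" == '' ]]; then
  # No TLS certificate is configured. sss_obfuscate rewrites sssd.conf and the
  # ldap_auth_disable_tls_never_use_in_production line does not survive that
  # rewrite (sssd then fails to talk to AD), which is why it is added only now,
  # after the obfuscation step.
  # SECURITY: as its name says, this option lets sssd authenticate users over a
  # non-TLS LDAP connection, so service-account and user passwords cross the
  # network unprotected unless LDAP_CONNECTION_URI is an ldaps:// endpoint.
  # Set directoryservice.tls_certificate_secret_arn for any real deployment.
  # NOTE(review): this assumes [domain/...] is still the last section after
  # sss_obfuscate's rewrite, so the appended line lands in it — confirm.
  echo "ldap_auth_disable_tls_never_use_in_production = true" >> "${sssd_config_file}"
fi

# Wire SSSD into NSS/PAM (and auto-create home dirs on the authconfig path).
# Any other RES_BASE_OS value leaves the PAM/NSS stack untouched.
if [[ "${RES_BASE_OS}" =~ ^(amzn2|rhel8|rhel9)$ ]]; then
  authconfig --enablemkhomedir --enablesssdauth --enablesssd --updateall
elif [[ "${RES_BASE_OS}" == "ubuntu2204" ]]; then
  pam-auth-update --enable sss
fi

systemctl enable sssd
systemctl restart sssd
# End: Connect ActiveDirectory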