-
Notifications
You must be signed in to change notification settings - Fork 0
Setting up Azure AD for hpcc authentication
a. You can only create one domain services instance per subscription, so it's probably easier to setup a new azure account for testing. To create or set up the service in an existing account, work with the admin of the account.
b. From Azure Portal, "+ Create a resource" -> search "domain services" -> click on "Azure AD Domain Services" -> create
c. On the create page, create a new resource group (or use existing), fill in dns ymacorp.onmicrosoft.com, region us east, sku standard, forest type user. Click next
d. Networking you can use the default (it creates a new virtual network aadds-vnet)
f. Click "review+create", then create
g. It takes a long while to have the DS created, around 40 minutes in my case. And after you're notified the resource is ready, when you go to the resource, it would still say "deploy", with a message "The managed domain is being provisioned. This operation will take a while.". You need to wait till it's fully ready. The whole process can easily take over an hour.
h. When AADDS is ready, on the overview page, under "Update DNS server settings for your virtual network", click "Configure".
i. Go to Azure Active Directory (not the Domain Services), users, New user. Set "User name" and "Name" both to hpccadmin, auto generate password (show and copy the password to clip board), groups select "AAD DC Administrators", click "Create"
j. Browse to myapps.microsoft.com, login with the hpccadmin user, change to a permanent password. Make sure you use the full username, in my case [email protected]. In later steps, to configure and login to hpcc, "@ymacorp..." part is not needed.
a. If you create the vm in a shared account, please follow guidelines for that account. Pay special attention about the guidelines for networking and security etc. If you can't put the vm in the same virtual network aadds-vnet, one option is to make the virtual network you use a peered network as aadds-vnet.
b. In my own testing account, I created an VM called ymavm1, ubuntu server 18.04 LTS, in-bound port ssh 22, size Standard_B2s, standard ssd disk, virtual network aadds-vnet, NIC network security group "basic", public inbound ports allow SSH (22), turn off monitoring. Review+create, then Create.
a. Option 1 is to set up the ubuntu vm so that you can run hpcc from there. In this case, use domain-name:389 as the ldap server address. In my case it's ymacorp.onmicrosoft.com:389
b. Option 2, which I think is better, is to set up a ssh tunnel between your local desktop/laptop and AAD DS port 389, via the ubuntu vm:
sudo ssh -L 0.0.0.0:389:aadds-domain-name:389 azureuser@ubuntu-vm-public-ip
in my case:
sudo ssh -L 0.0.0.0:389:ymacorp.onmicrosoft.com:389 [email protected]
With this, you can use localhost:389 as your ldap server address
if the dns ymacorp.onmicrosoft.com doesn't work for any reason, you can also use the internal IP of aadds, in my case it is 10.0.0.4 (and 10.0.0.5, but one is enough).
a. AADDS puts users and groups under one OU "AADDC Users", and the default administrators group is "AAD DC Administrators".
b. A sample ldapSecurity configuration is as follows:
<ldapSecurity name="ldapserver" ldapProtocol="ldap" localDomain="localdomain" checkViewPermissions="" authMethod="simple" maxConnections="10" passwordExpirationWarningDays="10" ldapAddress="localhost" adminGroupName="" cacheTimeout="5" description="LDAP server process" filesBasedn="ou=files,ou=ecl" groupsBasedn="ou=AADDC Users" ldapPort="389" ldapSecurePort="636" resourcesBasedn="ou=resources,ou=ecl" serverType="AzureActiveDirectory" sudoersBasedn="ou=SUDOers" systemBasedn="ou=AADDC Users" systemCommonName="hpccadmin" systemPassword="YourEncryptedPassword" systemUser="hpccadmin" usersBasedn="ou=AADDC Users" workunitsBasedn="ou=workunits,ou=ecl"/>
Change ldapAddress to your tunneled local address (in my case it's localhost), or to the domain name or ip of the AADDS instance if you're running in azure.
c. When configure esp, make sure ws_access's basedns and other services basedns are configured properly and consistently (so that they'll manage and look for things in the same places).
d. Browse to esp http://localhost:8010, login with user hpccadmin.
e. Note: from eclwatch, you can manage the permissions and assign permissions to users and groups, but you can't manage the users and groups themselves (for example add or delete users), because azure doesn't allow that operation from outside of azure portal. You can manage the users and groups from within the azure portal, which is a good thing I think because that is a nice interface at a centralized location. If you do want to manage users and groups from within eclwatch, you can change the groupsBasedn and usersBasedn in the ldapSecurity config to a different OU from the default "AADDC Users", but the drawback of doing that is that you can't see or manage the users and groups you added from the azure portal. All things considered I think it's probably better to use the azure recognizable locations and use azure portal to manage users and groups.