Looking for community feedback on the AD provider #53
Comments
We looked at using this but are currently using this other one: https://github.com/GSLabDev/terraform-provider-ad
Thanks for the reply @tonglil. I have a couple of follow-up questions, if you don't mind. Is there something that the provider you referenced covers that this one doesn't, that's preventing you from switching? Is there a part of your AD workflow that neither of these providers covers, that you have to do manually or use another tool for?
Basic auth and only support for local accounts is a non-starter for us. Is there an ETA for maturing the security of the provider?
Same, basic auth/local accounts only == unusable. I wouldn't even set up a test domain that way. Also #54. Group membership was recently added in #51 but I can't tell if it has the flexibility we need (to be able to add any member type supported by an AD group, including Foreign Service Principals to support cross-forest trusts).
I imagine that most use cases for this provider are going to require support for domain authentication (probably Kerberos, cert, and NTLM as well). However, I do want to point out that the lack of support for domain accounts is not a native problem of the provider itself but rather an issue with the winrm Go library that is being used here, which currently doesn't support domain accounts.
I have the same challenge. I have two possibilities:
For now, none of those options are usable with this provider. I also have some resources missing, but it's less important at the moment.
Can you tell me what the specific user permissions for the provider are? The blog just says that you need a user with administrator privileges. Is it absolutely necessary to add the user to the Administrators group?
I'd be very interested to use it, but we would require functional AWS support (#40).
Hello, just wanted to let you know that version 0.4.0 of the provider was released yesterday with support for Kerberos and NTLM authentication. |
Just tried it. Is it possible to auth on WinRM without having the password defined in plaintext?
First off, I'd like to say that I like the idea of an officially maintained Active Directory provider and I'm looking forward to seeing where this project goes. I spent a few hours experimenting with the plugin yesterday and I have some feedback on the current state.
The double-hop issue isn't really a problem with the provider per se, but at least in my use case I'd prefer not to have a domain admin account required for simply creating computer objects. I suppose we could set up resource-based Kerberos constrained delegation to a particular DC for a service account, but this seems like a burden just to create a computer/user/group. Honestly, I'm not even sure that would solve this issue since it doesn't support the second hop on WinRM. CredSSP could work as well, but it's somewhat of a security risk. In the end, I ended up using the GSLabDev AD Provider. Their LDAP-based approach to managing AD objects seems to be much simpler than having to mess with delegation, double-hop, needing direct use of a domain controller, etc. Perhaps adding an LDAP-based connection type to the provider could help use cases where users didn't want or weren't able to directly access a domain controller? The Hashicorp provider is available from the registry, while the GSLabDev one isn't, which is a huge benefit for using the Hashicorp provider. As I mentioned, I only spent a few hours experimenting, so it's possible that I could have missed a configuration step somewhere along the way which would make this work the way I want. The provider is still experimental, so I understand the documentation being a bit lacking at this point. I've always been impressed with Hashicorp documentation for every other Terraform function I've used, so I know it will be addressed at some point. I'm glad to see Hashicorp working on this provider and would be open to replacing my existing provider if the direct dependency on domain controllers is resolved in some way. Thanks for the work on this!
@eramnes, the "problem" that I see with the LDAP-based approach is that you're limiting yourself to pure LDAP objects, while using PowerShell you can open many other possibilities (manage GPOs, DNS, etc.). About the double-hop issue, I had a similar problem, and for security reasons I ended up using a Windows Docker container including Terraform authenticated as a gMSA. That way, you don't need to connect to any remote host; you can run your cmdlets locally while being authenticated via Kerberos.
There is another alternative, which is to connect to the domain controller with PSRP (PowerShell Remoting Protocol) instead of over pure WinRM + launching powershell.exe. This would allow one to use constrained endpoints and JEA to allow unprivileged users to connect to the domain controllers and execute a limited set of commands, where the account that runs the commands can have just the domain privileges needed (and can even be a virtual account). By crafting the role definitions and role capabilities files carefully, it could be possible to set up a policy without even writing PowerShell-side wrapper functions (although that's also easy to do). This also better allows for connections that don't directly hit a DC, since when using a RunAs account you avoid the double-hop issue, so the server you connect to wouldn't have to be a DC (this wouldn't work with a virtual account, but would with a pre-defined domain service account). The main impediment to this, though, is that I don't think there is any existing Go library that implements this protocol on the level of something like pypsrp.
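A concrete shape for the JEA endpoint sketched in the comment above, as an added example that is neither the thread's nor the provider's code. It assumes a domain CONTOSO, a domain-joined jump host jump01 with the RSAT ActiveDirectory module installed, an operator group CONTOSO\TerraformOperators, and a gMSA CONTOSO\gmsa-tfad$ that is already installed on jump01 and delegated create/delete rights on OU=Terraform,DC=contoso,DC=com.

```powershell
# Added example, not the provider's code. Assumed names: domain CONTOSO,
# jump host jump01, group CONTOSO\TerraformOperators, gMSA CONTOSO\gmsa-tfad$
# (already installed on jump01 and delegated rights on OU=Terraform).
# Run on jump01 as a local administrator.

$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\TerraformAD'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'TerraformAD.psd1')

# Role capability: expose only the cmdlets the provider needs, and pin the
# parameters that decide *where* objects are created or deleted to one OU.
# Identity is validated as the string the caller passes, so callers use the DN.
$tfOu        = 'OU=Terraform,DC=contoso,DC=com'
$childOfTfOu = '^CN=[^,]+,' + [regex]::Escape($tfOu) + '$'
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'TerraformAD.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @(
        @{ Name = 'Get-ADComputer' },
        @{ Name = 'New-ADComputer'; Parameters = @(
            @{ Name = 'Name' },
            @{ Name = 'Path'; ValidatePattern = '^' + [regex]::Escape($tfOu) + '$' },
            @{ Name = 'Enabled' }) },
        @{ Name = 'Remove-ADComputer'; Parameters = @(
            @{ Name = 'Identity'; ValidatePattern = $childOfTfOu },
            @{ Name = 'Confirm' }) }
    )

# Session configuration: RestrictedRemoteServer hides everything but the role,
# and the gMSA is the identity that talks to the DC. The caller's own
# credential never needs a second hop, so this host does not have to be a DC.
$pssc = Join-Path $env:TEMP 'TerraformAD.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount 'CONTOSO\gmsa-tfad$' `
    -TranscriptDirectory 'C:\JEA-Transcripts' `
    -RoleDefinitions @{ 'CONTOSO\TerraformOperators' = @{ RoleCapabilities = 'TerraformAD' } }
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw 'invalid .pssc' }
Register-PSSessionConfiguration -Name 'TerraformAD' -Path $pssc -Force

# From the Terraform runner (a member of TerraformOperators with no AD rights):
Invoke-Command -ComputerName jump01 -ConfigurationName TerraformAD -ScriptBlock {
    New-ADComputer -Name 'web01' -Path 'OU=Terraform,DC=contoso,DC=com'           # allowed
    New-ADComputer -Name 'web02' -Path 'OU=Domain Controllers,DC=contoso,DC=com'  # rejected
}
```

The transcript directory gives a per-session record of every command the operator ran through the endpoint, which is the audit trail you lose when a shared domain admin account is used instead.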
@jpatigny In my understanding, Terraform is used to define the machines/containers that things run on. In my use case, I just need to have a computer account created in AD that can be automatically removed when the resource is destroyed, so everything gets cleaned up. The LDAP-based provider module from GSLabDev does this easily without having to connect to a DC or handle double-hop authentication. This provider can also manage OUs, users, groups, etc. The Group Policy and DNS cases you mentioned seem to me to be configuration steps which, to my understanding, are something that Terraform isn't meant to do. I'm not saying that it's not needed in some use cases, but in my use case, many of our GPOs are already defined on the OUs where Terraform-created computer accounts would be located. If we wanted to configure something that wasn't defined by a GPO, this seems like a situation where we could use the Ansible DSC module or manually create a GPO for the OU the systems go in. Since they would affect all systems in the OU, this isn't a burden for us at this time. I can't speak about any of the DNS cases, since we use Infoblox for DNS and have no need for managing AD-based DNS. In my opinion, the ideal would be for both WinRM and LDAP to be supported in the provider, with the understanding that if LDAP was selected as the method, some functionality would be unavailable:
This would allow for WinRM functionality for those that need it, and basic LDAP for those who just need LDAP objects created. What works in my use case is using Ansible dynamic inventory generated from Terraform to handle the configuration required for machines outside of the Terraform provisioning steps. I guess it all depends on your use case and what you need Terraform to manage. No single provider for this functionality is likely to satisfy every use case, and that's OK. @briantist
@briantist thanks for the PSRP suggestion. I will take a look and see what it would take for the provider to use it. I opened issue #78 to track this.
Hi @eramnes. Thanks for your feedback, much appreciated. I will try to address the points you made; please let me know if I miss something!
@awasilyev I opened #79 to track adding keytab support.
First off, thanks for all the hard work on this. We all know it's not easy and takes a lot of work. The community greatly appreciates it. So my feedback:
Hello again! I've opened #99 to focus on the subject of how we can get the provider to work without having to talk to a DC directly. Please take a look and let me know what you think!
Does this provider only run on Windows, or can it run on Mac/Linux?
I wrote a patch (Pull Request 107) that works around the double-hop issue by creating a System.Management.Automation.PSCredential object in the remote PowerShell session using the winrm_username and winrm_password defined in the provider's configuration, then using that object to authenticate to the AD DC. This is the 'Pass credentials inside an Invoke-Command script block' approach referenced in this article: The approach is different from the solution proposed in #99, but achieves the expected result. I welcome any feedback on the proposed patch.
@jpatigny can you elaborate on your Windows Docker setup?
@redeux, we are experiencing the problems described in issue #113. We are interested in understanding if we can consider Linux equivalent to Windows from a coverage, testing and support point of view. Currently it appears that the Linux build is less stable than the Windows one. We prefer using Linux because it is simpler to deploy or run in containers. For this reason we run all of our Terraform-based automations in Linux, and we would like to include automation of the AD without having to migrate everything to Windows. If you want more details about our use cases we can arrange a call.
I want to use it, but I'm either not understanding based on the examples, or just having general issues with using Kerberos and WinRM. #62
I also want to use it, mostly for adding and editing GPOs and also for joining Windows servers to the domain. For the GPO part it would be great if there's a possibility to import existing GPO configurations for use with this provider. Like this it would be much easier to migrate an existing GPO to Terraform: export the GPO as XML and use this file as input for the provider, for example. Is there any way to do so, or are there any other ideas for this requirement?
I am currently not using it but would very much like to. Unfortunately, my use case is currently not covered by the functionalities provided. I would like to get group information to be able to iterate over (transitive) memberships. I acknowledge that group memberships can already be managed as a resource using the 'ad_group_membership' resource, but it would be nice to have the 'ad_group_membership' data source.
Hello, we would also like to use this provider and are currently evaluating if we can.
The latest real change was over a year ago (67b4dfd). Is this provider still alive? We would also like to know if we can use a Linux container to run Terraform with this provider.
I found these comments which would indicate that:
But why do the requirements then list a Windows server? Because it is in the Terraform Registry documentation for the provider, does it mean the provider has to be executed on this OS? Or does it have something to do with what the AD/DC runs on?
terraform-provider-ad/docs/index.md, line 12 in 7e28235
When using Linux, is the double-hop authentication required, like (Linux runs Terraform with the AD provider) -> (Windows server) -> (AD/DC)? Unfortunately I am only familiar with Terraform and not with AD, so I assume I don't understand it correctly.
I've resisted using this provider since it appears abandoned at this point. Some PRs are hitting their anniversary dates and they include a lot of large fixes.
I use this provider. It does seem the maintainers have stopped maintaining it, but it does work. @MarkRKar the provider does work from a Linux server, but it requires that intermediate servers running Windows be used for the provider to communicate with the AD DCs. These intermediate servers need to be joined to the domain and have WinRM enabled/configured. I believe this is because Microsoft does things where they don't open the APIs for integration purposes. It seems that most things related to managing Active Directory are not available on any platform outside Windows.
Hi @redeux, has this project been abandoned, or will new releases be released? Regards
The patches above solved most of the issues that I faced during tests, but now I found another one: using commas in an OU name leads to an issue with its distinguishedName due to the escaping backslash in the state file after creating the OU.
Hi @katbyte, will the development of the Active Directory provider resume? Regards
Hi!
I'm Phil, the product manager for the team working on the Active Directory provider. We're trying to determine the future of the provider, and I could use your help. If you're actively using the provider, or if you'd like to use the provider but can't, I'd like to speak with you for a few minutes to learn more about your use cases.
If that's something you're willing to do, please book time directly on my calendar.
Thanks in advance.