
Connect to an existing Active Directory

Pre-Requisites - Connectivity between your Active Directory and your AWS account

Make sure all the required network ports and firewall rules are configured between your Active Directory and the AWS account you are about to deploy your SOCA environment in. If you are using an existing VPC, make sure your AD domain resolves from it and that all required network traffic to your Active Directory is authorized.

Step 1 - Service Account with Domain Join permissions

SOCA needs a Service Account with sufficient permissions, such as the ability to join a computer to the Active Directory domain. Reach out to your IT or Active Directory team for this information.

Once you have the account information, create a new Secret on AWS Secrets Manager in the same region where you are about to install your SOCA environment:

  • Go to Secrets Manager on the AWS Console
  • Click Store a new secret
  • Select Other type of secret
  • Create two key/value pairs: username and password

IMPORTANT

The two key names must be username and password (case sensitive).

  • Click Next
  • Specify a Secret Name
  • Make sure Automatic Rotation is disabled
  • Click Next and finally click Store to save your secret

Step 2 - Prepare your SOCA environment

Open your installer/default_config.yml and locate the directoryservice section. You will have to update the following configuration keys:

  • provider: existing_active_directory
  • domain_name: Enter your Domain Name
  • base_dn: Enter your Base DN
  • short_name: The NetBIOS name of your Active Directory domain
  • existing_active_directory
    • people_search_base: The distinguished name of the OU containing your users
    • group_search_base: The distinguished name of the OU containing your groups
    • admins_search_base: The distinguished name of the group containing the users who will have sudo/admin permissions on SOCA
    • endpoint: The LDAP endpoint of your AD (IP or DNS name)
    • dc_ips: IPs of your AD domain controllers (Required if using FSx for NetApp ONTAP, otherwise highly recommended to improve performance)
    • service_account_secret_name_arn: The ARN of the Secret containing your Service Account credentials

Example

directoryservice:
  provider: existing_active_directory
  domain_name: acme.com
  base_dn: DC=acme,DC=com
  short_name: ACME
  existing_active_directory:
    people_search_base: ou=Users,DC=acme,DC=com
    group_search_base: ou=Users,DC=acme,DC=com
    admins_search_base: cn=admins,ou=Users,DC=acme,DC=com
    endpoint: ldap://ad.acme.com
    dc_ips:
      - 10.0.162.252
      - 10.0.110.116
    service_account_secret_name_arn: arn:aws:secretsmanager:us-east-2:<redacted>:secret:/soca-service-account/ADServiceAccount-dQKfQk

Note

people_search_base and group_search_base can be the same, depending on your AD schema.

endpoint must start with ldap:// and can be either a DNS name or an IP.

service_account_secret_name_arn must point to the ARN of your Secret (not the secret name). Note that the ARN ends with a unique suffix. To retrieve the ARN, open your Secret in the Secrets Manager console and locate Secret ARN, or retrieve it via the API.

dc_ips is a list of your domain controllers' IPs. It is required if you plan to let SOCA create FSx for NetApp ONTAP filesystems. It is still recommended to specify them to speed up AD queries.
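A pre-flight check for Steps 1 and 2, added here as an example (it is not SOCA's own code): it validates the parsed directoryservice block against the rules above (provider, ldap:// endpoint, ARN rather than secret name, dc_ips, search bases under base_dn) and checks that the decoded secret carries exactly the case-sensitive keys username and password. The sample config mirrors the page's YAML with a made-up account id; the secret dicts and the service-account name are constructed.

```python
import ipaddress
import re

# Secrets Manager ARN shape: region, 12-digit account id, secret name plus the "-XXXXXX" suffix the service appends.
ARN_RE = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+-[A-Za-z0-9]{6}$")
def _is_ip(value):
    try:
        return ipaddress.ip_address(value) is not None
    except ValueError:
        return False

def validate_directoryservice(ds, secret, uses_fsx_ontap=False):
    """ds: parsed `directoryservice` block; secret: decoded SecretString dict. Returns (errors, warnings)."""
    errors, warnings = [], []
    if ds.get("provider") != "existing_active_directory":
        errors.append("provider must be existing_active_directory")
    errors += [f"{k} is required" for k in ("domain_name", "base_dn", "short_name") if not ds.get(k)]
    base_dn = ds.get("base_dn", "")
    ead = ds.get("existing_active_directory") or {}
    for k in ("people_search_base", "group_search_base", "admins_search_base"):
        dn = ead.get(k, "")
        if not dn:
            errors.append(f"existing_active_directory.{k} is required")
        elif not dn.lower().endswith(base_dn.lower()):  # search bases live under base_dn (see the example)
            warnings.append(f"{k} {dn!r} is not under base_dn {base_dn!r}")
    if not ead.get("endpoint", "").startswith("ldap://"):
        errors.append("endpoint must start with ldap://")
    arn = ead.get("service_account_secret_name_arn", "")
    if not arn.startswith("arn:aws:secretsmanager:"):
        errors.append("service_account_secret_name_arn must be the secret's ARN, not its name")
    elif not ARN_RE.match(arn):
        warnings.append("secret ARN lacks a 12-digit account id or the -XXXXXX suffix")
    dc_ips = ead.get("dc_ips") or []
    errors += [f"dc_ips entry {ip!r} is not an IP address" for ip in dc_ips if not _is_ip(ip)]
    if not dc_ips:  # mandatory with FSx for NetApp ONTAP, a performance recommendation otherwise
        (errors if uses_fsx_ontap else warnings).append("dc_ips is empty")
    for k in ("username", "password"):  # key names are case sensitive
        if k not in secret:
            near = [s for s in secret if s.lower() == k]
            errors.append(f"secret is missing key {k!r}" + (f" (found {near[0]!r}; case sensitive)" if near else ""))
    return errors, warnings

# Constructed sample mirroring the page's YAML; the account id and the secret values are made up.
EXAMPLE_DS = {"provider": "existing_active_directory", "domain_name": "acme.com", "base_dn": "DC=acme,DC=com",
    "short_name": "ACME", "existing_active_directory": {"endpoint": "ldap://ad.acme.com",
        "people_search_base": "ou=Users,DC=acme,DC=com", "group_search_base": "ou=Users,DC=acme,DC=com",
        "admins_search_base": "cn=admins,ou=Users,DC=acme,DC=com", "dc_ips": ["10.0.162.252", "10.0.110.116"],
        "service_account_secret_name_arn": "arn:aws:secretsmanager:us-east-2:123456789012:secret:/soca-service-account/ADServiceAccount-dQKfQk"}}
GOOD_SECRET = {"username": "svc-soca-join", "password": "example-only"}
BAD_SECRET = {"Username": "svc-soca-join", "password": "example-only"}  # wrong case on the key
```

Run it against `yaml.safe_load(open("installer/default_config.yml"))["directoryservice"]` and the SecretString returned by Secrets Manager before launching the installer; a non-empty error list means the install would fail to bind or join the domain.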

Installing SOCA with new FSx for NetAPP ONTAP

Ensure the FSxN NetBIOS name is unique if you are planning to register a new FSxN to an existing Active Directory. The NetBIOS name can be updated in default_config under Config.storage.[apps/data].fsx_ontap.

Step 3 - Install SOCA

Finally, proceed with a standard installation of SOCA.

Please note that, when using an existing Active Directory, the default SOCA user (socaadmin) and the default AD admin group (cn=socasudoadminsgroup) are not created. You can edit installer/resources/user_data/controller/03_setup.sh.j2