CF_GMSA_OU environment variable

aws · Dec 1, 2023 · 365ed62 · 365ed62
1 parent 065ac8d
commit 365ed62
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -109,6 +109,7 @@ journalctl -u credentials-fetcher
 | :-------------------------- | ---------------------------------------- | :------------------------------------------------------------------------------------------- |
 | `CF_CRED_SPEC_FILE`         | '/var/credentials-fetcher/my-credspec.json' | Path to a credential spec file used as input. (Lease id default: credspec) |
 |                             | '/var/credentials-fetcher/my-credspec.json:myLeaseId' | An optional lease id specified after a colon
+| `CF_GMSA_OU`                | 'CN=Managed Service Accounts' | Component of GMSA distinguished name (see docs/cf_gmsa_ou.md) |
 
 ## Compatibility
 

diff --git a/auth/kerberos/src/krb.cpp b/auth/kerberos/src/krb.cpp
@@ -13,6 +13,7 @@
 // Active Directory uses NetBIOS computer names that do not exceed 15 characters.
 // https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou
 #define HOST_NAME_LENGTH_LIMIT 15
+#define ENV_CF_GMSA_OU "CF_GMSA_OU"
 
 static const std::string install_path_for_decode_exe =
     "/usr/sbin/credentials_fetcher_utf16_private.exe";
@@ -611,7 +612,6 @@ std::pair<int, std::string> get_gmsa_krb_ticket( std::string domain_name,
 {
     std::string domain_controller_gmsa( "DOMAIN_CONTROLLER_GMSA" );
     std::vector<std::string> results;
-
     if ( domain_name.empty() || gmsa_account_name.empty() )
     {
         cf_logger.logger( LOG_ERR, "ERROR: %s:%d null args", __func__, __LINE__ );
@@ -655,15 +655,18 @@ std::pair<int, std::string> get_gmsa_krb_ticket( std::string domain_name,
             return std::make_pair( -1, std::string( "" ) );
         }
     }
-
     /**
      * ldapsearch -H ldap://<fqdn> -b 'CN=webapp01,CN=Managed Service
      *   Accounts,DC=contoso,DC=com' -s sub  "(objectClass=msDs-GroupManagedServiceAccount)"
      *   msDS-ManagedPassword
      */
+    std::string gmsa_ou = std::string( ",CN=Managed Service Accounts," );
+    if ( getenv(ENV_CF_GMSA_OU) != NULL)
+    {
+        gmsa_ou = std::string( "," ) + getenv(ENV_CF_GMSA_OU)+ std::string( "," );
+    }
     std::string cmd = std::string( "ldapsearch -H ldap://" ) + fqdn;
-    cmd += std::string( " -b 'CN=" ) + gmsa_account_name +
-           std::string( ",CN=Managed Service Accounts," ) + base_dn + std::string( "'" ) +
+    cmd += std::string( " -b 'CN=" ) + gmsa_account_name + gmsa_ou + base_dn + std::string( "'" ) + 
            std::string( " -s sub  \"(objectClass=msDs-GroupManagedServiceAccount)\" "
                         " msDS-ManagedPassword" );
 

diff --git a/docs/cf_gmsa_ou.md b/docs/cf_gmsa_ou.md
@@ -0,0 +1,5 @@
+Active Directory administrator can create the GMSA account with any distinguished name format. 
+
+credentials-fetcher uses the GMSA distinguished name format "CN=${GMSA_ACCOUNT_NAME},${CF_GMSA_OU},DC=example,DC=com" where ",DC=example,DC=com" is generated depending on the domain. The environment variable CF_GMSA_OU default value is "CN=Managed Service Accounts". Users should change it to match their directory format.
+
+For example, GMSA account "BobSponge" in domain "example.com" results in GMSA distinguished name "CN=BobSponge,CN=Managed Service Accounts,DC=example,DC=com". When the user defines CF_GMSA_OU='OU=DA Managed Service Accounts,OU=DA' results in GMSA distinguished name "CN=BobSponge,OU=DA Managed Service Accounts,OU=DA,DC=example,DC=com"