Add support for pre existing Active Directory user #5988
Conversation
michalpristas
added
enhancement
internal/pkg/agent/cmd/install.go
Outdated
|
|
||
| flagInstallADUser = "ad-user" | ||
| flagInstallADGroup = "ad-group" | ||
| flagInstallADPass = "ad-password" |
There was a problem hiding this comment.
Why make this a specific Windows feature? Wouldn't it be better to just allow user and group for all platforms? password is only needed for Windows.
There was a problem hiding this comment.
i agree, let's see if i can squeeze this in as this is planned for 8.17. if not i can do it iteratively
There was a problem hiding this comment.
added support for mac and linux, tested on both including switch from privileged to unprivileged.
tests TBD still
|
|
||
| if (customUser != "" || customPass != "") && | ||
| (customUser == "" || customPass == "") { | ||
| return fmt.Errorf("error installing package: all Active Directory parameters must be provided") |
There was a problem hiding this comment.
Why? I think this could work by just providing say the user, then still allow the group to be created.
Or maybe you want to use the default user and password, but you want to just set the password with --password?
There was a problem hiding this comment.
Yeah but we need to be vocal about that and raise a warning that we are adding user somewhere or creating group that existing user will be part of
|
|
||
| if (customUser != "" || customPass != "") && | ||
| (customUser == "" || customPass == "") { | ||
| return fmt.Errorf("error installing package: all Active Directory parameters must be provided") |
| if username == "" { | ||
| // not installed with --unprivileged; nothing to do | ||
| return []serviceOpt{}, nil | ||
| } | ||
|
|
||
| if password != "" { | ||
| // existing user | ||
| return []serviceOpt{withUserGroup(username, groupName), withPassword(password)}, nil |
There was a problem hiding this comment.
At this point the username must either have .\ at the start or the DOMAIN NAME like AD\username-in-ad. You are going to need to handle username having AD\ or not having .\ in the name. Otherwise the service will not start.
Co-authored-by: Blake Rouse <[email protected]>
Co-authored-by: Blake Rouse <[email protected]>
|
Waiting on custom windows image for testing with AD e2e.
New flags are introduced
These flags are taken into account only when
--unprivilegedis used.New user is added same permissions as elastic-agent user when created in order to be able to log on as a service (otherwise agent won't start)
Custom user won't be created and needs to be present