Twistlock lets you control access to Docker commands based on group membership.
Twistlock lets you:
Secure access to remote Docker Engine instances.
Control access to Docker commands on a user-by-user basis.
After integrating Twistlock with Active Directory, OpenLDAP, or SAML, you could create a group called Dev Team. Then in Console, you could grant all users in Dev Team permission to remotely run any Docker command on hosts in the development environment, but deny them permission to create, start, or stop containers on hosts in the production environment.
You cannot run Docker commands
First remove Twistlock from the equation. Verify that you can communicate with Docker locally without Defender in the middle. After you have verified this setup, review the parameters you pass to the docker client.
Your policies are not being properly enforced.
Verify that your user is in the AD group by following these steps on the Docker host(s) where you are trying to execute a command:
Install ldap-utils:
$ sudo apt-get install ldap-utils
Query Active Directory to verify that your user belongs to your AD group. Use the same LDAP URL, bind account, and search base that you specified in your integration configuration. Quote the filter: unquoted, the shell interprets the parentheses and the & as its own syntax. -W prompts for the password of LDAP_ADMIN_UPN.
$ ldapsearch \
    -x \
    -H [LDAP_URL] \
    -D [LDAP_ADMIN_UPN] \
    -W \
    -b [LDAP_SEARCH_BASE] \
    -s sub \
    '(&(userPrincipalName=[UPN])(memberof=[LDAP_GROUP_DN]))'
If the search returns the user's entry, the user is a member of the group. If it returns no entry, the user is not a direct member of that group; memberof does not reflect membership inherited through nested groups.
Where:

  UPN            User Principal Name of the user being checked
  LDAP_GROUP_DN  Full DN of the LDAP group. For example:
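As an added example (not from the Twistlock documentation), the membership check above wrapped in POSIX shell functions: the filter is built with RFC 4515 escaping so a UPN or group DN containing ( ) * or \ cannot change the query, the live invocation passes the filter as one quoted argument so the shell never sees the & or the parentheses, and the LDIF that ldapsearch returns is reduced to a yes/no answer. The server name, bind account, DNs, UPN and sample LDIF output are constructed for the example. It goes beyond the page in one respect: the "nested" variant uses Active Directory's LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941), which also matches membership inherited through nested groups, whereas plain memberof only reports direct membership.

```sh
#!/bin/sh
# Added example: verify AD group membership the way the troubleshooting step
# describes, with the filter escaped and quoted. Not part of the Twistlock docs;
# every name and the sample LDIF below are constructed.

# RFC 4515 escaping for a value placed inside an LDAP search filter.
# Backslash is replaced first so the escapes produced below are not re-escaped.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' \
                             -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g' \
                             -e 's/)/\\29/g'
}

# The filter from the page: the user identified by UPN, restricted to members of
# the group. Passing "nested" as the third argument switches memberof to Active
# Directory's matching-rule-in-chain (OID 1.2.840.113556.1.4.1941), which also
# matches membership through nested groups; plain memberof is direct membership only.
membership_filter() {
    upn=$(ldap_filter_escape "$1")
    group_dn=$(ldap_filter_escape "$2")
    if [ "${3:-direct}" = nested ]; then
        printf '(&(userPrincipalName=%s)(memberOf:1.2.840.113556.1.4.1941:=%s))' \
            "$upn" "$group_dn"
    else
        printf '(&(userPrincipalName=%s)(memberof=%s))' "$upn" "$group_dn"
    fi
}

# Number of objects in ldapsearch's LDIF output: one "dn:" line per entry.
# grep -c exits 1 when the count is 0, so the status is forced to success.
count_entries() {
    printf '%s\n' "$1" | grep -c '^dn:' || true
}

# Exactly one returned entry means the user exists and is in the group.
is_member() {
    [ "$(count_entries "$1")" -eq 1 ]
}

# Live check against the directory (needs ldap-utils; -W prompts for the bind
# password). The filter is one quoted argument, so the shell never interprets it.
# Exit 0: member. Exit 1: not found or not a member. Exit 2: ldapsearch failed.
# Usage (constructed values):
#   run_membership_check ldaps://dc1.example.com 'svc-twistlock@example.com' \
#       'DC=example,DC=com' 'alice@example.com' \
#       'CN=Dev Team,OU=Groups,DC=example,DC=com' nested
run_membership_check() {
    url=$1; bind_dn=$2; base=$3; user_upn=$4; target_group=$5
    out=$(ldapsearch -x -H "$url" -D "$bind_dn" -W -b "$base" -s sub \
              "$(membership_filter "$user_upn" "$target_group" "${6:-direct}")") || return 2
    is_member "$out"
}

# Constructed LDIF shaped like ldapsearch output for a user who is in the group.
SAMPLE_LDIF_MEMBER='# extended LDIF
#
# LDAPv3
# base <DC=example,DC=com> with scope subtree
# filter: (&(userPrincipalName=alice@example.com)(memberof=CN=Dev Team,OU=Groups,DC=example,DC=com))
# requesting: ALL
#

# Alice, Users, example.com
dn: CN=Alice,OU=Users,DC=example,DC=com
userPrincipalName: alice@example.com
memberOf: CN=Dev Team,OU=Groups,DC=example,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

# Constructed LDIF for a user who is not in the group (no entry returned).
SAMPLE_LDIF_NOMATCH='# extended LDIF
#
# LDAPv3
# base <DC=example,DC=com> with scope subtree
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1'
```

Try membership_filter with a UPN such as alice@example.com)(objectClass=* to see the escaping: the closing parenthesis becomes \29, so the value cannot close the userPrincipalName clause and widen the search. Variable names are global, as POSIX sh has no local; rename them if you paste the functions into a larger script.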