Unsolved

February 11th, 2011 14:00

How does the VNXe integration with LDAP work?

Hi;

My question is about how the integration with LDAP on the new VNXe works and at what level the integration works. Please, can you give me a deep explanation of how it works and how it is implemented? There is no technical documentation available yet.

Regards,

Gonzalo Pardo.

June 23rd, 2011 10:00

After reviewing the OP's question again, I don't think I actually answered their question with my response below. I simply stated how to get it working, not really what it's used for. So far as I can tell (or at least so far as I've tested) it's simply used for authentication when logging into Unisphere. You can add Domain groups/users and select 1 of 3 privilege levels for those groups/users. Sorry I can't provide more detail than that.

Rather than delete everything I already typed, here's my original response for anyone else trying to get LDAP authentication working with their VNXe:

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

After a lot of trial and error (and failing to find good documentation or answers on the web) I finally got LDAP authentication to work. Looking at it now, it's actually pretty simple. However, you're not provided with much feedback in regards to the errors when setting it up (or logging in), so I had to get creative when trying to narrow down the problems (which primarily revolved around the search paths and the syntax for logging in). Anyway, here's what you need to set it up:

  • LDAP Domain:
    • Enter your domain's FQDN.
    • For example, Contoso.local or Contoso.com. Capitalization doesn't seem to matter (nor should it).
  • LDAP Server:
    • Enter the FQDN of a DC in your domain (may work with just the DC name, did not try that). Any DC should do, but I used a Global Catalog. I did not try it with a standard DC.
    • Example: ContosoHQDC01.contoso.local
  • Port: 389
    • Should work for most domains using default ports.
  • Distinguished Name:
    • This is the DN of the domain account that the VNXe will use to connect to the DC listed above.
    • It need only have domain user privileges.
    • If you do a DSQuery user -o dn -name Username (SAMID) you'll get the exact DN needed to enter in this box. No need for quotes for elements that have spaces in them. For example dsquery user -o dn -name "LDAP User" (quotes needed if there is a space in the name).
    • Not sure how it will handle special characters and if the output from the dsquery will work in those cases.
    • Example: CN=LDAP User,OU=Service Account,OU=Global,DC=contoso,DC=local (no quotes needed for spaces here)

Save those settings and leave everything else as default for now. Click on the "Check LDAP Server Connection" button and verify that the test is successful. If not, double check the password and the DN of the account entered. Once the test is successful, click the "Show advanced" button. The vast majority of these settings should work just fine, except for the default search path. It wants to search in the default Users OU for both users and groups. Change the user and group search paths to the root of the domain (unless you really do have all of your users in or under the default Users OU). For example: dc=contoso,dc=local. That way, it will do a recursive search throughout the domain for the user and group.

When adding LDAP groups in the "Manage Administration" tabs, you don't have to do anything special. Just enter the group name in exactly as it's shown in AD, spaces and all. Not sure if it will need the pre-Win 2k name for particularly long group names or not (did not test this).

When adding LDAP users, enter in the same username that would be used to log in.

With all of that done, here is what probably caused me the most trouble, actually logging in. Unisphere does not want DOMAIN\UID, or UID@domain.local, or just the UID. It wants DOMAIN/UID. The forward slash is vital. So long as you do that, and the group that grants the user permission to log into the VNXe is the search path it's using, you should be able to log in without issue.

I hope this saves someone from spinning their wheels trying to figure this out. If any corrections need to be made, please let me know.
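An added example (not from the post, and not Dell/EMC code) that checks offline the two things the answer above says cause the most trouble: whether a given search path will actually reach the user and group DNs (the default CN=Users base versus the domain root), and the DOMAIN/UID login form Unisphere expects. The sample DNs are constructed from the post's examples, and the NetBIOS domain passed to unisphere_login is assumed to be known to the caller.

```python
import re

# Constructed sample DNs modelled on the post's examples (not real accounts).
DEFAULT_USER_BASE = "CN=Users,DC=contoso,DC=local"  # VNXe's default search path
DOMAIN_ROOT = "DC=contoso,DC=local"                  # what the post recommends
SAMPLE_DNS = {
    "ldap_svc": "CN=LDAP User,OU=Service Account,OU=Global,DC=contoso,DC=local",
    "alice": "CN=Alice,CN=Users,DC=contoso,DC=local",
    "storage_admins": "CN=Storage Admins,OU=Groups,DC=contoso,DC=local",
}

def parse_dn(dn):
    """Split a DN into normalised (type, value) RDNs, leaf first.

    Commas inside a value are backslash-escaped (as dsquery prints them);
    AD compares types and values case-insensitively, so both are lowered."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not attr or not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append((attr.lower(), value.replace("\\,", ",").lower()))
    return rdns

def found_by_subtree_search(object_dn, search_base):
    """True if a subtree search rooted at search_base reaches object_dn."""
    obj, base = parse_dn(object_dn), parse_dn(search_base)
    return len(obj) >= len(base) and obj[-len(base):] == base

def missed_by_search_path(search_base, dns):
    """Names of objects the VNXe would fail to find when searching from search_base."""
    return sorted(n for n, dn in dns.items()
                  if not found_by_subtree_search(dn, search_base))

def unisphere_login(entered, default_domain):
    """Rewrite DOMAIN\\uid, uid@domain or a bare uid into the DOMAIN/uid form
    the post found Unisphere accepts. The UPN and bare forms fall back to
    default_domain (assumption: the caller knows the NetBIOS domain name)."""
    if "/" in entered:
        return entered
    if "\\" in entered:
        domain, _, uid = entered.partition("\\")
        return f"{domain}/{uid}"
    uid = entered.partition("@")[0]
    return f"{default_domain}/{uid}"

if __name__ == "__main__":
    print("missed with default base:", missed_by_search_path(DEFAULT_USER_BASE, SAMPLE_DNS))
    print("missed with domain root: ", missed_by_search_path(DOMAIN_ROOT, SAMPLE_DNS))
    print("log in as:", unisphere_login(r"CONTOSO\alice", "CONTOSO"))
```

With the default CN=Users base the service account and the admin group are missed; with the domain root both are found, which is the behaviour the answer describes.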

September 20th, 2012 19:00

This worked perfectly... I know it is an old post, but it helped a ton...

Thanks!

May 23rd, 2013 14:00

Thank you! Everything you said makes a lot of sense after trying it out myself. It was definitely a lack of proper syntax on my part. Excellent write-up.
