19 Posts
0
5983
September 26th, 2008 05:00
Active Directory & Navisphere
We are new Clariion CX4-480 users with Navisphere Manager. We would like to use Active Directory to control our storage team logins for Navisphere like we do with EMC Control Center.
Anyone have good hints for implementing AD with Navisphere? The instructions are very vague and I do not remember having to supply all the information that Navisphere is requesting when we did ECC.
Thanks for any hints.


AranH1
2.2K Posts
1
September 29th, 2008 09:00
I typed up some basic instructions below. See if this helps you.
On the Server tab:
Use the IP address of an AD Domain Controller and the port number to use for connecting to LDAP. If you are going to use Secure LDAP (LDAPS) then you will need the secure port number. We use this and I recommend it.
Select the Server Type of Active Directory and LDAP or LDAPS depending on which port you used above.
BindDN is the Distinguished Name of the service account used to bind to Active Directory. So if I have a user account called san in the Service Accounts OU, which is under the Servers OU which is at the root of the corp.com domain, then the DN I will use in this field is:
CN=san,OU=Service Accounts,OU=servers,DC=corp,DC=com
The Bind Password is just the password of the user account above.
The User Search path and Group Search Path fields are just an LDAP reference used for searching the directory for users and groups. You can be as broad or narrow in your search as you like. For our example above I would just use the broadest approach (unless you have a really large directory):
DC=corp,DC=com
On the Role Mapping tab:
For my environment I use AD groups to control access to Navisphere. So all users that need access to Navisphere I place in a Group called SAN Admins. For the Role Mapping select Group from the first drop down box, type the name of the group in the Name box, and select the Role you want to assign to the group.
On the Advanced tab:
I use the following values which I find to work well:
User ID Attribute: sAMAccountName
User Name Attribute: cn
Group Name Attribute: cn
Group Member Attribute: member
User Object Class:
Group Object Class: group
Hopefully this will help you set up the connection.
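A pre-flight check for the Bind DN and search paths described in the post above, as an added example that is not part of the original thread or any EMC tooling: it catches the common DN format mistakes, tests whether an account falls inside a chosen search path, and builds an escaped filter for confirming group membership with a manual directory query. The function names are hypothetical; the DN, search path, group name and attribute names are the ones given in the post.

```python
import re

# Values from the post above; function names are hypothetical helpers.
BIND_DN = "CN=san,OU=Service Accounts,OU=servers,DC=corp,DC=com"
SEARCH_BASE = "DC=corp,DC=com"

def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs. Simplified: handles
    backslash-escaped commas, not quoted or hex-encoded values."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"not an attribute=value component: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def check_bind_dn(dn):
    """Return a list of format problems; empty means the DN is well-formed."""
    try:
        attrs = [a for a, _ in parse_dn(dn)]
    except ValueError as exc:
        return [str(exc)]
    if "DC" not in attrs:
        return ["no DC= components: the domain suffix is missing"]
    first_dc = attrs.index("DC")
    if first_dc == 0 or any(a != "DC" for a in attrs[first_dc:]):
        return ["expected account/OU components first and only DC= components at the end"]
    return []

def in_scope(dn, base):
    """True if dn sits at or below the search path `base`."""
    norm = lambda d: [(a, v.lower()) for a, v in parse_dn(d)]
    d, b = norm(dn), norm(base)
    return len(d) >= len(b) and d[-len(b):] == b

def escape_filter(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def group_filter(group, member_dn):
    """Filter for a manual directory query that confirms group membership,
    using the Advanced-tab attributes listed in the post."""
    return (f"(&(objectClass=group)(cn={escape_filter(group)})"
            f"(member={escape_filter(member_dn)}))")

if __name__ == "__main__":
    for candidate in (BIND_DN, "corp\\san", "san@corp.com"):
        print(candidate, "->", check_bind_dn(candidate) or "ok")
    print(in_scope(BIND_DN, SEARCH_BASE), group_filter("SAN Admins", BIND_DN))
```

Narrowing the search path to an OU that does not contain an account makes `in_scope` return False for it, which is the case to check before tightening the User Search Path.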
Allen Ward
6 Operator
•
2.1K Posts
0
September 26th, 2008 08:00
If you figure it out and find out it is easier than it looks, I'm sure I'm not the only one who would be interested in hearing about it.
Anyone else have any experience with this?
AranH1
2.2K Posts
0
September 26th, 2008 09:00
Ann, Allen,
The trick may be in getting the correct format for the DN (Distinguished Name) used for the connection to AD. I can help you find the correct information for the connection.
Aran
bertog
61 Posts
0
September 26th, 2008 09:00
I would appreciate it if you could provide some additional information about where you are stuck and where the pain points are with configuring LDAP authentication with Navisphere Manager. It would be good to understand specifically what is causing the hang up here, and more generally how the implementation process could be improved.
Specifically, if in Navisphere Manager you click Help topics and "LDAP", are there holes in that documentation that you think need to be addressed?
Thank you.
AranH1
2.2K Posts
0
September 26th, 2008 09:00
We use it in our environment. I was able to successfully set up a connection to AD and authenticate using users and groups.
What part of the setup are you stuck on?
Aran
bertog
61 Posts
0
September 26th, 2008 10:00
The following White Paper may be of value to folks implementing LDAP:
"Securely Managing EMC CLARiiON Storage Systems"
available on Powerlink here:
http://powerlink.emc.com/km/live1/en_US/Offering_Technical/White_Paper/C1114_Securely_Mng_EMC_CLARiiON_Storage_Sys_WP_ldv.pdf
The paper was written for Flare Release 26, but the concepts are the same with Release 28 on the CX4-480.
zippityann
19 Posts
0
September 26th, 2008 11:00
For ECC, when we set up the AD for logon, we did not have to enter all the AD information required for Navisphere.
bertog
61 Posts
0
September 26th, 2008 11:00
Were there specific fields that you did not have information to fill in, or did you just not feel comfortable inputting the information requested?
AranH1
2.2K Posts
0
September 29th, 2008 08:00
Navisphere screen for the LDAP/AD parameters this morning and he couldn't imagine why you all needed DN, etc.
For ECC, when we set up the AD for logon, we did not have to enter all the AD information required for Navisphere.
Then he needs to go back to AD class
Navisphere appears to be using native LDAP for connecting to Active Directory and authentication. ECC may not be using LDAP and may be either using a backwards compatibility authentication, which is like NT 4, or may be Active Directory aware and is sending a specifically crafted AD authentication session to AD.
AranH1
2.2K Posts
0
September 30th, 2008 11:00
Let me know if what I wrote up helps. I think changing the default settings on the Advanced tab (it didn't work until I changed them to the values I recommended) and getting the format of the BindDN are the biggest hurdles to getting this implemented. It has worked great for me following the steps I laid out.
Aran
zippityann
19 Posts
0
October 2nd, 2008 05:00
We use the group for our access to our ECC console through AD and in some tools as well and it works successfully.
Any suggestions?
AranH1
2.2K Posts
0
October 2nd, 2008 07:00
ECC does not use LDAP for AD authentication that I can tell. It looks like it is using the old LANMAN authentication from NT. This is still available in AD for backwards compatibility.
zippityann
19 Posts
0
October 2nd, 2008 11:00
AranH1
2.2K Posts
1
October 2nd, 2008 11:00
bertog
61 Posts
0
October 3rd, 2008 07:00