September 8th, 2022 07:00

DELL ECS domain user rights

Hi All!

We are doing a PoC demo currently.

I successfully added our AD server under Manage -> Authentication. 

I can create Object users with curl (authentication is working with the AD-server), but now I'm struggling with mapping rights to these kinds of users. I can connect using S3 Browser with the object user's credentials and can create buckets and put files into the buckets.

If I create a new user under the Identity and Access (S3) menu, it seems like it creates a separate user (with the same name but with a new Access Key ID and Secret Key). These kinds of users can be added to Groups, and the Group's Policies are working as expected (e.g. ECSS3ReadOnlyAccess).

Am I misunderstanding something, or how can I add AD-users to S3 groups with specified rights?

Moderator

September 9th, 2022 02:00

Hello molnar.csaba,

I would double check your AD setup with this KB to make sure that all is set correctly.  https://dell.to/3xbDHh9  

Were you getting any error codes?  What is your current version of ECS?

September 13th, 2022 01:00

Hello DELL-Sam L,

Version: Dell EMC ECS v3.7.0.0

I followed the same documentation that you mentioned. The AD-provider is working, here are the outputs of the object user creation with curl:


First test the connection of the domain user to ECS:

[admin@luna ~]$ curl -ik -u ecs_testuser@mydomain.local https://192.168.100.10:4443/login
Enter host password for user 'ecs_testuser@mydomain.local':
HTTP/1.1 200 OK
Date: Fri, 09 Sep 2022 09:25:52 GMT
Content-Type: application/xml
Content-Length: 116
Connection: keep-alive
X-SDS-AUTH-TOKEN: MYLONGAUTHTOKENMYLONGAUTHTOKENMYLONGAUTHTOKENMYLONGAUTHTOKEN
X-SDS-AUTH-USERNAME: ecs_testuser@mydomain.local
X-SDS-AUTH-MAX-AGE: 28800

ecs_testuser@mydomain.local[admin@luna ~]$


Create a secret key for the user:

[admin@luna ~]$ curl -ks -H "X-SDS-AUTH-TOKEN: MYLONGAUTHTOKENMYLONGAUTHTOKENMYLONGAUTHTOKENMYLONGAUTHTOKEN" https://192.168.100.10:4443/object/secret-keys | xmllint --format -



false

false


 

Use the token to create valid domain object user, and examine:

[admin@luna ~]$ curl -ks -H "X-SDS-AUTH-TOKEN: MYLONGAUTHTOKENMYLONGAUTHTOKENMYLONGAUTHTOKENMYLONGAUTHTOKEN" -H "Content-Type:application/json" -X POST -d "{}" https://192.168.100.10:4443/object/secret-keys | xmllint --format -



m7gdZciBvS7iu7dHXGC7xYP+1wNCFi5JQ3JoUpbj

2022-09-09 09:27:48.821

 

After these steps, the created user appears in the management GUI, under Manage -> Users, and I can connect to the ECS with S3 Browser.

My problem is that I don't know how to add this type of AD-user to an ECS S3 Group.

My goal is to assign AD-users to ECS S3 Groups with appropriate rights.

Example:

testuser_ro1@mydomain.local -> How to add this user to Group_RO?
testuser_ro2@mydomain.local -> How to add this user to Group_RO?
testuser_ro3@mydomain.local -> How to add this user to Group_RO?
testuser_rw1@mydomain.local -> How to add this user to Group_RW?
testuser_rw2@mydomain.local -> How to add this user to Group_RW?
testuser_ro3@mydomain.local -> How to add this user to Group_RW?
testbucket1 -> assign GroupRO and GroupRW groups to it
testbucket2 -> assign GroupRO and GroupRW groups to it
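
Added example (not part of the original post and not Dell's code): the /login response shown above returns the session token in the X-SDS-AUTH-TOKEN header, and the later commands paste that token onto the command line. These bash functions pull the token out of a raw header block, strip the CRLF line ending that would otherwise corrupt the next request's header, and write it to an owner-only file for curl to read. The function names are hypothetical, and the sample headers and token are constructed.

```bash
#!/usr/bin/env bash
# Added example: function names are hypothetical, sample data is constructed.

# Constructed header block shaped like the `curl -ik .../login` output above.
# The token is a placeholder; real HTTP header lines end in CRLF.
sample_login_headers() {
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'Content-Type: application/xml\r\n'
  printf 'X-SDS-AUTH-TOKEN: PLACEHOLDERTOKEN123\r\n'
  printf 'X-SDS-AUTH-USERNAME: ecs_testuser@mydomain.local\r\n'
  printf 'X-SDS-AUTH-MAX-AGE: 28800\r\n'
  printf '\r\n'
  printf 'X-Fake: header-like text in the body\r\n'
}

# header_value NAME: print the value of header NAME from a raw header block on
# stdin. Matches the name case-insensitively, strips the trailing CR, ignores
# everything after the blank line that ends the headers, and keeps reading to
# EOF so the upstream curl never sees a closed pipe.
header_value() {
  awk -v want="$1" '
    fin { next }
    { sub(/\r$/, "") }
    $0 == "" { fin = 1; next }
    {
      i = index($0, ":")
      if (i == 0) next
      if (tolower(substr($0, 1, i - 1)) != tolower(want)) next
      val = substr($0, i + 1)
      sub(/^[ \t]+/, "", val)
      print val
      fin = 1
    }'
}

# write_header_file TOKEN PATH: store the auth header in an owner-only file so
# it can be passed as `curl -H @PATH` (curl 7.55.0 or later) and stays out of
# the process list and shell history. Any existing file at PATH is replaced.
write_header_file() {
  ( umask 077 && rm -f -- "$2" && printf 'X-SDS-AUTH-TOKEN: %s\n' "$1" > "$2" )
}

# Intended use against a live system (host and endpoints are those in the post):
#   tok=$(curl -sk -D - -o /dev/null -u "$user" https://192.168.100.10:4443/login | header_value X-SDS-AUTH-TOKEN)
#   write_header_file "$tok" "$HOME/.ecs_token_hdr"; unset tok
#   curl -sk -H @"$HOME/.ecs_token_hdr" https://192.168.100.10:4443/object/secret-keys
```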

Moderator

September 13th, 2022 12:00

Hello molnar.csaba,

Here are a couple of other links to KBs that can also be of assistance in configuring ECS.

https://dell.to/3eQkQSo

https://dell.to/3U0mbGu

https://dell.to/3U7guqp

September 22nd, 2022 06:00

The problem is, I can not set user rights to domain users.

Example: I try to add a domain user to a group, and the response is:

https://192.168.100.10:4443/iam?Action=AddUserToGroup&UserName=ecs_testuser_rw@mydomain.local&GroupName=S3_FULL_ACCESS




Sender
NoSuchEntity
Iam user with name ecs_testuser_rw@mydomain.local in namespace ns1 is not found

c0a8652c:18128bedf7f:d771:37-none

 

Is there any way to add domain users to IAM?

The domain user is created with the procedure you linked before. It appears in the Users menu but not in IAM (Identity and Access Management (S3)).

Moderator

September 22nd, 2022 09:00

Hello molnar.csaba,

It is best to open a support case for this so that we can look into your issue.

January 26th, 2023 06:00

Hello DELL-SAM L

I'm facing the same situation as molnar.csaba. I don't know how to reference a domain user in groups or in role policies. My goal is to be able to perform cross-namespace "AssumeRole" requests from an AD user, but since my AD user cannot have a user policy or be part of a group, I don't have the proper rights to do so.

Did molnar.csaba open a support case and find a solution?

Best regards.

Moderator

January 26th, 2023 08:00

Hello Tomsadoum,

It is best to open a support case for this, as this is more of a custom configuration.
