DLm LDAP configuration for multiple users
Summary: Basic DLm LDAP Authentication resources
Instructions
LDAP is not a Dell Technologies or EMC native application and specific access configuration help is not provided by Dell Technologies technical support.
For more complete instructions, see http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm
NOTE: on the DLm, LDAP access control is mutually exclusive with native access. You may not maintain both LDAP users and native users other than dlmadmin.
LDAP Access Filters can use logical operators to build a filter line that selects the users matching the conditions for one of the user groups: Admin, User, Service. In DLm, login via LDAP works as follows:
1. The user enters a login name and password.
2. The authenticator substitutes the login name for every “%s” placeholder (if any) in all configured filters.
3. It then passes the filters one by one to the LDAP search utility, binding to the AD server with the user's password; if the password is incorrect, the login fails.
4. The LDAP search utility returns the list of user records that match each filter.
5. Login succeeds when the search utility returns exactly one user record for one of the filters; searching stops at that point. If a filter returns many user records, or no filter returns any record at all, the login fails.
So, basically, the main task is to create a filter that matches only one user record. As an example and general guidance:
For user ID dlmtapeadmin, if you put (sAMAccountName=%dlmtapeadmin) in the Administrative access filter, then that AD authentication works. A group-only filter such as (memberOf=CN=EMC_Tape_Admins,OU=Domain Groups,DC=hdq,DC=emc,DC=com) works only while the EMC_Tape_Admins group has exactly one member, since such a filter always matches every user in the group.
Add at least one more user there and condition (5) is no longer met.
To make it work properly, we need to give the filter more information: we want it to check only the record of the user who is trying to log in at that moment (assuming only one user on the AD server has that login name), and also to check that this user is a member of the Admins group. So it may look like:
(&(sAMAccountName=%s)(memberOf=CN=EMC_Tape_Admins,OU=Domain Groups,DC=hdq,DC=emc,DC=com))
or, depending on how the AD server is configured,
(&(cn=%s)(memberOf=CN=EMC_Tape_Admins,OU=Domain Groups,DC=hdq,DC=emc,DC=com))
For example, %s is replaced with dlmtapeadmin on login, and the filter now checks both conditions: the specified user name exists in the directory as a single unique user, dlmtapeadmin, AND that user is a member of the EMC_Tape_Admins group. The same may be done for hypothetical EMC_Tape_Users and EMC_Tape_Services groups in the User and Service filters respectively, if necessary.
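The following is an added example, not code from the article or from the DLm product, that simulates the login decision described in steps 1 to 5 against a small constructed directory: it substitutes the login name for %s, evaluates each filter in order, and accepts only a filter that yields exactly one record. It shows why the group-only memberOf filter stops working once EMC_Tape_Admins has two members, while the combined (&(sAMAccountName=%s)(memberOf=...)) filter still selects exactly one record. The directory contents, the second admin account and the EMC_Tape_Users filter are assumptions made for the example; the real DLm authenticator and the AD server are not involved. The example additionally escapes the login name per RFC 4515 before substitution, which the article does not discuss, so that a login name containing filter metacharacters cannot change the filter structure.

```python
"""Simulation of the DLm LDAP login rule: substitute %s, run each filter in
order, and succeed only when a filter returns exactly one user record."""
import re

ADMINS_DN = "CN=EMC_Tape_Admins,OU=Domain Groups,DC=hdq,DC=emc,DC=com"
USERS_DN = "CN=EMC_Tape_Users,OU=Domain Groups,DC=hdq,DC=emc,DC=com"

# Constructed sample directory (not real AD data): two members of the
# Admins group, one member of the Users group.
DIRECTORY = [
    {"sAMAccountName": "dlmtapeadmin", "cn": "dlmtapeadmin", "memberOf": [ADMINS_DN]},
    {"sAMAccountName": "tapeop2", "cn": "tapeop2", "memberOf": [ADMINS_DN]},
    {"sAMAccountName": "reader", "cn": "reader", "memberOf": [USERS_DN]},
]

# Filter sets as they would be entered on the DLm (assumed role names).
GROUP_ONLY_FILTERS = [("admin", f"(memberOf={ADMINS_DN})")]
RECOMMENDED_FILTERS = [
    ("admin", f"(&(sAMAccountName=%s)(memberOf={ADMINS_DN}))"),
    ("user", f"(&(sAMAccountName=%s)(memberOf={USERS_DN}))"),
]


def escape_filter_value(value):
    """RFC 4515 escaping so the substituted login name is always a literal."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def unescape(value):
    """Reverse RFC 4515 hex escapes (\\28 -> '(') for comparison."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse an LDAP filter string into a tree of ('&'|'|'|'!', children)
    and ('=', attr, value) nodes. Only equality matching is supported."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("filter must start with '('")
        i += 1
        if text[i] in "&|":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            return (op, children), i + 1          # skip closing ')'
        if text[i] == "!":
            node, i = parse(i + 1)
            return ("!", [node]), i + 1
        end = text.index(")", i)
        attr, _, value = text[i:end].partition("=")  # first '=' splits attr/value
        return ("=", attr, value), end + 1
    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing characters in filter")
    return node


def matches(node, record):
    """Evaluate a parsed filter against one record (AD attributes are case-insensitive)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, record) for c in node[1])
    if kind == "|":
        return any(matches(c, record) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], record)
    _, attr, value = node
    stored = next((v for k, v in record.items() if k.lower() == attr.lower()), [])
    stored = [stored] if isinstance(stored, str) else stored
    wanted = unescape(value).lower()
    return any(s.lower() == wanted for s in stored)


def ldap_search(directory, filter_text):
    """Stand-in for the LDAP search utility: all records matching the filter."""
    tree = parse_filter(filter_text)
    return [r for r in directory if matches(tree, r)]


def dlm_login(login, filters, directory=DIRECTORY):
    """Return the role of the first filter that yields exactly one record,
    or None when a filter returns many records or no filter returns any
    (the reading of step 5 assumed here). Password binding (step 3) is
    outside this simulation."""
    safe_login = escape_filter_value(login)
    for role, template in filters:
        results = ldap_search(directory, template.replace("%s", safe_login))
        if len(results) == 1:
            return role                  # exactly one record: success, stop searching
        if len(results) > 1:
            return None                  # ambiguous filter: login fails
    return None                          # no filter matched anything


if __name__ == "__main__":
    print("group-only filter, two admins:", dlm_login("dlmtapeadmin", GROUP_ONLY_FILTERS))
    print("combined filter, admin:", dlm_login("dlmtapeadmin", RECOMMENDED_FILTERS))
    print("combined filter, user:", dlm_login("reader", RECOMMENDED_FILTERS))
    print("combined filter, unknown:", dlm_login("nobody", RECOMMENDED_FILTERS))
```

Running it shows the group-only filter returning two records for dlmtapeadmin (login fails), while the combined filters map dlmtapeadmin to the admin role, reader to the user role, and an unknown login to no role.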
Affected Products
DD for DLm8100, Disk Library for mainframe DLm2100, Disk Library for mainframe DLm2500, Disk Library for mainframe DLm8100, Disk Library for mainframe DLm8500, VNX for DLm2100, VNX for DLm8100
Article Properties
Article Number: 000187558
Article Type: How To
Last Modified: 01 Feb 2022
Version: 5