PowerStore: Unable to login using openLDAP group permissions

Log in to PowerStore Manager fails for OpenLDAP users that inherit access permissions from a user group on PowerStoreOS version 4.1. Log in is allowed if access is added to the specific OpenLDAP user.

Verify the current Authentication configuration in the PowerStore Manager settings:

Settings, Security, Authentication -> Edit LDAP Configuration

• Verify Server Type is OpenLDAP
• Advanced Settings, Group Search Settings - Member Attribute is set to memberUid

Settings, Security, Users - LDAP

• The assigned Permission Type is a Group permission

After an unsuccessful login attempt with the openLDAP user, verify Audit logs:

Settings, Security, Audit Logs

• Filter User to the openLDAP user that tried to log in (user@domain.com)
• Verify that password authentication was successful, but Authorization failed:
  • User "user@domain.com" logged in successfully using password authentication
  • Authorization failed for the user account: user@domain.com, while requesting....

The user is able to authenticate with the openLDAP server, but PowerStore is unable to get the user group memberships.

There are two possible workarounds available:

• Assign user-based access permissions on the PowerStore, in Settings, Security, Users - LDAP
• Change the member Attribute in openLDAP and the PowerStore LDAP settings to uniqueMember instead of memberUid.
  This setting has to be changed in both
  • PowerStore, Settings, Security, Authentication -> Edit LDAP Configuration
    Advanced Settings, Group Search Settings, Member Attribute
  • The openLDAP server, in the respective user group settings

This issue will be fixed in a future release of PowerStoreOS