PowerStore: Security Change for LDAP User Login in Version 3.5

Summary: This article describes an LDAP login issue that appears after the array code is upgraded to version 3.5.

This article is not tied to a specific product. Not all product versions are listed in this article.

Symptoms

A customer is unable to log in with an LDAP user on a version 3.5 array. The same LDAP user continues to work on other arrays running version 3.2.

LDAP is configured with the default port 389 on all arrays, the Bind DN is set up successfully, and verification succeeds.

Cause

Release 3.5 changed how the login name is validated. The array now compares the domain part of the login name with the configured LDAP domain, so a short domain name no longer works; the full FQDN is required to log in.

For example:
  • The customer has an AD forest with the child domains aisa.nsroot.com and americ.nsroot.com.
  • The LDAP domain is configured as "nsroot.com," and the Bind DN is bind_user@aisa.nsroot.com.
  • The user logs in to PowerStore Manager as admin_pst@aisa (short name). The full FQDN form is admin_pst@aisa.nsroot.com.
In version 3.2, the LDAP search succeeds on port 389:
Aug 08 06:10:12.032199 DE404123456739-B control-path[40711]: 2023-08-08 06:10:12.032 [] [INFO] [com.emc.cyclone.contexts.security.authn.impl.CycShiroAuthProviderImpl|vert.x-worker-thread-4] [CycShiroAuthProviderImpl] LDAP authentication used url is: ldap://10.XX.XX.XX:389   <<<
Aug 08 06:10:12.032281 DE404123456739-B control-path[40711]: 2023-08-08 06:10:12.032 [] [INFO] [com.emc.cyclone.contexts.security.ldap.utils.LdapAuthUtil|vert.x-worker-thread-4] [CycLdapAuthUtil] create an LDAP Realm with domain name is:nsroot.com
Aug 08 06:10:25.733020 DE4041123456739-B control-path[40711]: 2023-08-08 06:10:25.732 [] [INFO] [com.emc.cyclone.contexts.security.ldap.utils.LdapAuthUtil|vert.x-worker-thread-4]  The number of groups this LDAP account belongs to is : 184
Aug 08 06:10:25.733147 DE404123456739-B control-path[40711]: 2023-08-08 06:10:25.733 [] [INFO] [com.emc.cyclone.contexts.security.authn.impl.CycShiroAuthProviderImpl|vert.x-worker-thread-4] [CycShiroAuthProviderImpl] LDAP account authentication with remote server succeed, user is admin_pst   <<<<
Aug 08 06:10:25.734903 DE404123456739-B control-path[40711]: 2023-08-08 06:10:25.734 [] [INFO] [com.emc.cyclone.contexts.security.authn.impl.CycShiroAuthProviderImpl|vert.x-eventloop-thread-2] [CycShiroAuthProviderImpl] No role is mapped to LDAP account: admin_pst@asia and start check group role
Aug 08 06:10:25.753220 DE404123456739-B control-path[40711]: 2023-08-08 06:10:25.753 [] [INFO] [com.emc.cyclone.contexts.security.ldap.utils.LdapAuthUtil|vert.x-eventloop-thread-2] [CycLdapAuthUtil] the number of group roles this LDAP account has: 1
Aug 08 06:10:25.754623 DE404123456739-B control-path[40711]: 2023-08-08 06:10:25.754 [] [INFO] [com.emc.cyclone.contexts.security.authn.impl.CycShiroAuthProviderImpl|vert.x-eventloop-thread-2] [CycShiroAuthProviderImpl] LDAP account:admin_pst@asia has roles as: [Operator]
In version 3.5, the same login is rejected with "LDAP domain name mismatch":
Aug 08 06:10:42.363468 DE412123456722-A control-path[105947]: 2023-08-08 06:10:42.363 [] [ERROR] [com.emc.cyclone.contexts.security.authn.authProvider.CycShiroAuthProviderImpl|vert.x-eventloop-thread-2] [CycShiroAuthProviderImpl] LDAP domain name mismatch: user id attribute=sAMAccountName; domain from user input=asia; LDAP config=nsroot.com
If the user changes the login name to the full FQDN form (admin_pst@aisa.nsroot.com), login still fails: the domain from user input is now aisa.nsroot.com while the LDAP config is nsroot.com, so the domain names still do not match.

After Global Catalog port 3268 is enabled, login with the short name still fails, this time with "account not found" (with Global Catalog selected the user ID attribute defaults to UserPrincipalName, and admin_pst@asia is not a valid UPN):
Aug 08 06:13:12.932785 DE412123456722-A control-path[105947]: 2023-08-08 06:13:12.932 [] [ERROR] [com.emc.cyclone.contexts.security.authn.authProvider.CycShiroAuthProviderImpl|vert.x-worker-thread-3] [CycShiroAuthProviderImpl] LDAP account authentication failed for user: admin_pst@asia url:ldap://10.XX.XX.XX:3268  search exception:Ldap search error: account not found
Aug 08 06:13:12.935176 DE412123456722-A control-path[105947]: 2023-08-08 06:13:12.935 [] [ERROR] [com.emc.cyclone.contexts.security.authn.authProvider.CycShiroAuthProviderImpl|vert.x-eventloop-thread-2]  LDAP account authentication failed for user: admin_pst, error:Ldap search error: account not found

Resolution

Because the customer's AD is a multi-domain forest, Global Catalog port 3268 must be enabled so that the array can search for accounts across the forest's domains.

The same Bind DN and LDAP domain can be kept:
the LDAP domain stays configured as "nsroot.com," and the Bind DN stays bind_user@aisa.nsroot.com.

Global Catalog must be selected in the LDAP configuration.
The LDAP user who logs in to PowerStore Manager must be added under Settings > Users > LDAP in full FQDN format (admin_pst@aisa.nsroot.com).

The user can then log in to PowerStore Manager with the user name in full FQDN format.
 
NOTE: The account name must be the value of the User ID Attribute defined under Advanced Settings in Domain Settings on the Directory Services slide-out panel.

For example:
  • When Global Catalog (forest-level authentication) is selected while configuring the PowerStore LDAP server, the default value of the User ID Attribute under Advanced Settings is UserPrincipalName. The account name must be a UserPrincipalName, which is unique in the forest, in the format username@DomainName.com.  <<<
  • When Global Catalog is not selected, the default value of the User ID Attribute under Advanced Settings is sAMAccountName. The account name must be an sAMAccountName.
If the customer's AD is a single domain rather than a forest, keep the default port 389 and log in with the full FQDN user name, whose domain part must equal the configured LDAP domain.
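The following is an added example, not PowerStore code: it models the two version 3.5 login checks this article describes (the domain-name comparison on port 389 and the UserPrincipalName lookup on the Global Catalog port 3268), triages the "LDAP domain name mismatch" error line into the forest or single-domain branch of the resolution above, and builds the ldapsearch command a practitioner would run to confirm the account resolves the way the array will look it up. The array's exact matching rules are not published; the case-insensitive exact comparison and the UPN-shape test are assumptions inferred from the log lines above, and the host, serial and bind password in the demo are placeholders.

```python
"""Model of the PowerStore 3.5 LDAP login-name checks (added example, not Dell code)."""
import re
from dataclasses import dataclass


@dataclass
class LdapConfig:
    domain: str                  # "LDAP domain" in PowerStore Manager, e.g. nsroot.com
    port: int = 389              # 3268 when Global Catalog is selected
    global_catalog: bool = False

    @property
    def user_id_attribute(self) -> str:
        # Defaults quoted in the article: UPN with Global Catalog, sAMAccountName without.
        return "userPrincipalName" if self.global_catalog else "sAMAccountName"


def split_login(login: str):
    """'admin_pst@aisa' -> ('admin_pst', 'aisa'); 'admin_pst' -> ('admin_pst', None)."""
    user, sep, domain = login.partition("@")
    return user, (domain if sep else None)


def check_login_v35(login: str, cfg: LdapConfig):
    """Return (accepted, message, search_filter) for a login attempt on a 3.5 array.

    Assumptions: the domain comparison is a case-insensitive exact match (the log
    shows no suffix matching), and under Global Catalog the login must be a full UPN.
    """
    user, domain = split_login(login)
    if cfg.global_catalog:
        # Forest-wide search keyed on userPrincipalName. A short name such as
        # admin_pst@aisa is not a UPN, so the search returns nothing ("account not found").
        flt = f"(userPrincipalName={login})"
        if domain is None or "." not in domain:
            return False, "Ldap search error: account not found", flt
        return True, "ok", flt
    # Without Global Catalog the domain part of the login is compared with the
    # configured LDAP domain and the user part is looked up by sAMAccountName.
    if domain is None or domain.lower() != cfg.domain.lower():
        return (False,
                f"LDAP domain name mismatch: user id attribute={cfg.user_id_attribute}; "
                f"domain from user input={domain or '<none>'}; LDAP config={cfg.domain}",
                None)
    return True, "ok", f"(sAMAccountName={user})"


MISMATCH = re.compile(
    r"LDAP domain name mismatch: user id attribute=(?P<attr>\w+); "
    r"domain from user input=(?P<input>[^;]+); LDAP config=(?P<config>\S+)")


def triage(log_line: str):
    """Map a 3.5 mismatch error line to a resolution branch; None for other lines."""
    m = MISMATCH.search(log_line)
    if not m:
        return None
    user_domain = m["input"].strip().lower()
    cfg_domain = m["config"].strip().lower()
    if "." not in user_domain:
        return ("short-name", "retry with the full FQDN login name; if that still "
                              "mismatches, the account lives in a child domain")
    if user_domain.endswith("." + cfg_domain):
        # The login came from a child domain of the configured domain: a forest.
        return ("forest", "select Global Catalog (port 3268) and add the user as a "
                          "full UserPrincipalName, e.g. user@child." + cfg_domain)
    return ("single-domain", f"keep port 389 and log in as user@{cfg_domain}; the "
                             "domain in the login must equal the LDAP domain")


def ldapsearch_argv(host: str, cfg: LdapConfig, bind_dn: str, login: str):
    """ldapsearch command that reproduces the array's lookup (prompts for the bind password).

    Returns None when the array would reject the login before searching."""
    _, _, flt = check_login_v35(login, cfg)
    if flt is None:
        return None
    base = ",".join("DC=" + part for part in cfg.domain.split("."))
    return ["ldapsearch", "-LLL", "-H", f"ldap://{host}:{cfg.port}", "-D", bind_dn, "-W",
            "-b", base, "-s", "sub", flt, cfg.user_id_attribute, "distinguishedName"]


if __name__ == "__main__":
    cfg389 = LdapConfig("nsroot.com")
    cfg3268 = LdapConfig("nsroot.com", port=3268, global_catalog=True)
    for login, cfg in [("admin_pst@aisa", cfg389), ("admin_pst@aisa.nsroot.com", cfg389),
                       ("admin_pst@aisa", cfg3268), ("admin_pst@aisa.nsroot.com", cfg3268)]:
        print(f"{login:28} port {cfg.port}: {check_login_v35(login, cfg)[1]}")
    # Constructed log line in the format shown in this article (serial and IP are placeholders).
    sample = ("Aug 08 06:10:42.363468 DEXXXXXXXXXXXX-A control-path[1]: [ERROR] LDAP domain name "
              "mismatch: user id attribute=sAMAccountName; domain from user input=aisa.nsroot.com; "
              "LDAP config=nsroot.com")
    print(triage(sample))
    print(" ".join(ldapsearch_argv("10.0.0.1", cfg3268, "bind_user@aisa.nsroot.com",
                                   "admin_pst@aisa.nsroot.com")))
```

Run the printed ldapsearch against the Global Catalog port before changing the array configuration: if the UPN filter returns exactly one distinguishedName, the account name entered under Settings > Users > LDAP will resolve; an empty result means the UPN is wrong or the bind account cannot read the child domain.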

Affected products

PowerStore, PowerStore 1000X, PowerStore 1000T, PowerStore 1200T, PowerStore 3000X, PowerStore 3000T, PowerStore 3200T, PowerStore 5000X, PowerStore 5000T, PowerStore 500T
Article properties
Article number: 000216698
Article type: Solution
Last modified: 15 Aug 2023
Version: 2