The LDAP server must be an Active Directory server running Windows 2016, 2019, or 2022. The server must allow basic authentication over an LDAP over SSL (LDAPS) interface on port 636, using a TLS v1.2 connection. LDAPS is not enabled by default; you can enable it by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA. Visit https://social.technet.microsoft.com/ for related articles.
The client storage system allows one primary server and port and one alternate server and port to be configured. At login, the storage system will only connect over TLS. If the storage system cannot connect to the primary server, it will automatically try the alternate server. The storage system will only connect to a single Active Directory forest.
The client will look at the common name (CN) for the LDAP group's distinguished name (DN). The group can be part of any organizational unit (OU) or Active Directory forest as long as the CN value matches the client's group name.
For example, assume domain bigco2.com.local includes OU colo, in which user alice is a member of group ArrayAdmins in the same OU. The group's DN is:
cn=ArrayAdmins,ou=colo,dc=bigco2,dc=com,dc=local
When the PowerVault LDAP client performs a search on the server, it queries the UserObject that represents user alice. The client reads at most 100 groups from the server's response. The first group found that matches a group created on the storage system is used to authenticate user alice. The client times out if it has not received a response within 20 seconds.
In the above example, the user group ArrayAdmins has been created on the storage system. When user alice attempts to log in to the storage system, either through PowerVault Manager or the CLI, the group from Active Directory matches the storage system user group and alice is granted access.
It is recommended that:
- A user should be a member of only one group that exists on the storage system. A user who is a member of more than one LDAP group defined on the storage system could have permission or configuration parameter inconsistencies, because the first matching group returned by the server determines the user's role.
- The LDAP user should be in no more than 100 LDAP groups, since the client reads at most 100 groups from the server.
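The following model of the group-matching rule described above (CN matched regardless of OU, at most 100 groups read, first match wins) is an added example and not Dell's code; it also checks the single-group recommendation by listing every matching group. The sample memberOf values are constructed for the bigco2.com.local example.

```python
"""Model of the PowerVault LDAP client's group-matching rule (added example, not Dell's code)."""
import re
from typing import List, Optional

MAX_GROUPS_READ = 100  # the client reads at most 100 groups from the server

# Split a DN on commas that are not escaped with a backslash (RFC 4514 style).
_RDN_SPLIT = re.compile(r"(?<!\\),")

# Constructed sample: alice's memberOf attribute as returned by Active Directory.
ALICE_MEMBER_OF = [
    "cn=Domain Users,cn=Users,dc=bigco2,dc=com,dc=local",
    "cn=ArrayAdmins,ou=colo,dc=bigco2,dc=com,dc=local",
]
# Constructed sample: user groups defined on the storage system.
STORAGE_GROUPS = {"ArrayAdmins"}


def group_cn(dn: str) -> Optional[str]:
    """Return the CN value of a group DN (attribute type compared case-insensitively),
    or None if the DN has no CN component. Backslash escapes in the value are removed."""
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().lower() == "cn":
            return re.sub(r"\\(.)", r"\1", value.strip())
    return None


def resolve_storage_group(member_of: List[str], storage_groups: set) -> Optional[str]:
    """First group, in server order, whose CN equals a storage-system user group.
    Only the first MAX_GROUPS_READ entries are considered, mirroring the client.
    Exact (case-sensitive) CN comparison is an assumption; the page does not say."""
    for dn in member_of[:MAX_GROUPS_READ]:
        cn = group_cn(dn)
        if cn is not None and cn in storage_groups:
            return cn
    return None


def matching_groups(member_of: List[str], storage_groups: set) -> List[str]:
    """All distinct matching groups within the read limit. More than one entry means
    the user's effective role depends on the server's ordering, which the
    recommendation above advises against."""
    hits: List[str] = []
    for dn in member_of[:MAX_GROUPS_READ]:
        cn = group_cn(dn)
        if cn is not None and cn in storage_groups and cn not in hits:
            hits.append(cn)
    return hits


if __name__ == "__main__":
    print("alice ->", resolve_storage_group(ALICE_MEMBER_OF, STORAGE_GROUPS))
    print("matches:", matching_groups(ALICE_MEMBER_OF, STORAGE_GROUPS))
```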
The following example shows the data to enter in the LDAP Configuration panel to configure a storage system to accomplish the above.
Configure the storage system to connect to a primary LDAP server and an alternate LDAP server. IP addresses or fully qualified domain names (FQDNs) may be used. In this example, the primary connection is configured at 10.235.217.52 using the standard TLS port 636, and the alternate connection is configured at 10.235.217.51 using the same port. If the primary connection fails, the system tries the alternate connection; if the alternate connection also fails, authentication fails. The user search base defines the domain and OU.
1. Access the LDAP Settings section via Settings > Users > LDAP.
2. Select the Enable LDAP check box.
3. In the User Search Base field, enter ou=colo,dc=bigco2,dc=com,dc=local.
4. In the Server field, enter 10.235.217.52.
5. In the Port field, enter 636.
6. In the Alternate Server field, enter 10.235.217.51.
7. In the Alternate Port field, enter 636.
8. Select Set LDAP.
Create an LDAP user group named ArrayAdmins (matching the group name on the LDAP server) with the Standard role and access to the PowerVault Manager and CLI interfaces.
1. Click Add New User Group.
2. In the User Group Name field, enter ArrayAdmins.
3. Select WBI and CLI to define the interfaces.
4. Select Standard and Monitor to define the roles.
5. Select the temperature preference and timeout options.
6. Select Create User Group.
When user alice attempts an SSH login to the storage system, the system connects to the configured LDAP server using the supplied credentials to perform authentication.
The storage system accepts two login formats when connecting to an Active Directory LDAP server. When using SSH, two backslashes may be required for certain clients, such as the OpenSSH client, so that the shell passes a single backslash to the server.
Email-address format. For example:
ssh alice@bigco2.com.local@10.235.212.161
Domain\username format. For example:
ssh bigco2\\alice@10.235.212.161
The domain\username format has one restriction: the username can contain no more than 20 characters, to remain backward-compatible with Windows clients released before Windows 2000. For more information about the restrictions on these attributes, see the Microsoft Active Directory documentation.
NOTE: By default, when creating a new user object in Windows Server 2016 or 2019, both the sAMAccountName and userPrincipalName attributes are populated.