Dell PowerVault ME5 Series Administrator's Guide

LDAP server/client details

The LDAP server must be an Active Directory server running Windows 2016, 2019, or 2022. The server must allow basic authentication over an LDAP over SSL (LDAPS) interface on port 636; that is, a TLS v1.2 connection. LDAPS is not enabled by default; you can enable it by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA. Visit https://social.technet.microsoft.com/ for articles related to this.

The client storage system allows one primary server and port and an alternate server and port to be configured. At login, the storage system will only connect over TLS. If the storage system cannot connect to the primary server it will automatically try the alternate server. The storage system will only connect to a single Active Directory forest.

The client will look at the common name (CN) for the LDAP group's distinguished name (DN). The group can be part of any organizational unit (OU) or Active Directory forest as long as the CN value matches the client's group name.

For example, assume domain bigco2.com.local includes OU colo, in which user alice is a member of group ArrayAdmins in the same OU. The group's DN is: cn=ArrayAdmins,ou=colo,dc=bigco2,dc=com,dc=local

When the PowerVault LDAP client performs a search on the server, it queries the user object that represents user alice. The client limits the response to a maximum of 100 groups read from the server. The first group found that matches a group created on the storage system is used to authenticate user alice. The client will time out if it has not received a response within 20 seconds.

In the above example, the user group ArrayAdmins has been created on the storage system. When the user alice attempts to log in to the storage system either through the PowerVault Manager or the CLI, the group from Active Directory matches the storage system user group and alice is granted access.

It is recommended that:

  • A user be a member of only one group that exists in the storage system. A user who is a member of more than one LDAP group that exists in the storage system could have permission or configuration parameter inconsistencies.
  • The LDAP user be in no more than 100 LDAP groups.
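The group-matching behaviour described above (CN of the group DN compared with the storage-system group name, at most 100 groups read, first match wins) is easy to misjudge when a user has many memberships. The following added illustration, which is not Dell's code, models that behaviour over constructed memberOf data and flags the two conditions the recommendations warn about; the name ArrayMonitors, the name-to-role dictionary, and exact CN comparison are assumptions.

```python
"""Model of how the PowerVault LDAP client picks the storage-system group for a
user (added illustration, not Dell's code). Assumptions: membership arrives as
a list of group DNs (like AD's memberOf values), storage-system groups are a
name -> role dict, and CN comparison is exact (the guide does not say how case
is handled)."""
import re
from typing import Optional

MAX_GROUPS_READ = 100  # the client reads at most 100 groups from the server

def group_cn(dn: str) -> Optional[str]:
    """Return the CN of a group DN, e.g. 'ArrayAdmins' for
    'cn=ArrayAdmins,ou=colo,dc=bigco2,dc=com,dc=local'. Splits on the first
    unescaped comma so a CN containing an escaped comma stays intact."""
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    key, sep, value = first_rdn.partition("=")
    if sep and key.strip().lower() == "cn":
        return value.strip().replace("\\,", ",")
    return None

def resolve_storage_group(member_of: list[str],
                          storage_groups: dict[str, str]) -> tuple[Optional[str], list[str]]:
    """Return (group used to authorise the user, all matching groups).
    Only the first MAX_GROUPS_READ DNs are considered, the CN is compared with
    the configured names (OU and forest are ignored) and the first match wins;
    every match is returned so the multiple-membership case can be detected."""
    matches = [cn for cn in (group_cn(dn) for dn in member_of[:MAX_GROUPS_READ])
               if cn is not None and cn in storage_groups]
    return (matches[0] if matches else None), matches

def membership_warnings(member_of: list[str], storage_groups: dict[str, str]) -> list[str]:
    """Flag the two conditions the guide recommends against."""
    chosen, matches = resolve_storage_group(member_of, storage_groups)
    warnings = []
    if len(matches) > 1:
        warnings.append(f"user matches several storage groups {matches}; {chosen} is used")
    if len(member_of) > MAX_GROUPS_READ:
        warnings.append(f"user is in {len(member_of)} groups; only {MAX_GROUPS_READ} are read")
    return warnings

# Constructed sample data based on the guide's example (ArrayMonitors is made up)
STORAGE_GROUPS = {"ArrayAdmins": "standard", "ArrayMonitors": "monitor"}
ALICE = ["cn=Domain Users,cn=Users,dc=bigco2,dc=com,dc=local",
         "cn=ArrayAdmins,ou=colo,dc=bigco2,dc=com,dc=local"]

if __name__ == "__main__":
    print(resolve_storage_group(ALICE, STORAGE_GROUPS))  # ('ArrayAdmins', ['ArrayAdmins'])
    print(membership_warnings(ALICE, STORAGE_GROUPS))    # []
```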

The following example shows the data to enter in the LDAP Configuration panel to configure a storage system to accomplish the above.

  1. Configure the storage system to connect to the primary LDAP server and an alternate LDAP server. IP addresses or fully qualified domain names (FQDNs) may be used. For this example, the primary connection is configured at 10.235.217.52 using the standard TLS port 636. The alternate connection is configured at 10.235.217.51 using the same port. If the primary connection fails, the system will try the alternate connection. If the alternate connection also fails, authentication will fail. The user search base defines the domain and OU.
    1. Access the LDAP Settings section via Settings > Users > LDAP.
    2. Select the Enable LDAP check box.
    3. In the User Search Base field, enter ou=colo,dc=bigco2,dc=com,dc=local.
    4. In the Server field, enter 10.235.217.52.
    5. In the Port field, enter 636.
    6. In the Alternate Server field, enter 10.235.217.51.
    7. In the Alternate Port field, enter 636.
    8. Select Set LDAP.
  2. Create an LDAP user group named ArrayAdmins (matching the group name on the LDAP server) with the Standard role and access to the PowerVault Manager and CLI interfaces.
    1. Click Add New User Group.
    2. In the User Group Name field, enter ArrayAdmins.
    3. Select WBI and CLI to define the interfaces.
    4. Select Standard and Monitor to define the roles.
    5. Select the temperature preference and timeout options.
    6. Select Create User Group.

When user alice attempts an SSH login to the storage system, the system connects to the configured LDAP server using the supplied credentials to perform authentication.

There are two login formats that the storage system allows when connecting to an Active Directory LDAP server. When using SSH, two backslashes may be required for certain clients, such as the OpenSSH client.

  • Email-address format. For example:

    ssh alice@bigco2.com.local@10.235.212.161

  • Domain\username format. For example:

    ssh bigco2\\alice@10.235.212.161

Using the domain\username format has this restriction: the username can contain no more than 20 characters to be backward-compatible with Windows clients before Windows 2000. For more information about restrictions for these attributes, see Microsoft Active Directory documentation.
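Both login forms above end up in a single SSH destination string, so the host has to be taken after the last @ and the 20-character limit only applies to the domain\username form. The following added illustration, which is not Dell's code, parses and validates such destinations; it assumes the shell has already collapsed the doubled backslash to a single one before the client sees it.

```python
"""Classify the login names the storage system accepts for an AD user
(added illustration, not Dell's code). Assumptions: the SSH target is
'<login>@<host>' and the login itself may contain '@' (email format), so the
host is everything after the LAST '@'; after shell processing the
domain\\username form reaches the client with a single backslash."""
import re

PRE_WIN2000_NAME_LIMIT = 20  # username part of domain\username is limited to 20 chars

def parse_ssh_destination(destination: str) -> dict:
    """Split e.g. 'alice@bigco2.com.local@10.235.212.161' into login and host and
    classify the login as 'email' (user@domain) or 'domain' (domain\\username).
    Returns a dict with keys format, user, domain, host and error (None if OK)."""
    login, sep, host = destination.rpartition("@")
    result = {"format": None, "user": None, "domain": None, "host": host or None, "error": None}
    if not sep or not login or not host:
        result["error"] = "destination must be <login>@<host>"
    elif "\\" in login:
        domain, _, user = login.partition("\\")
        result.update(format="domain", domain=domain, user=user)
        if not domain or not user:
            result["error"] = "domain\\username needs both parts"
        elif len(user) > PRE_WIN2000_NAME_LIMIT:
            result["error"] = f"username longer than {PRE_WIN2000_NAME_LIMIT} characters"
    elif "@" in login:
        user, _, domain = login.partition("@")
        result.update(format="email", domain=domain, user=user)
        if not user or not re.fullmatch(r"[A-Za-z0-9.-]+", domain):
            result["error"] = "email format needs user@domain"
    else:
        result["error"] = "login is neither user@domain nor domain\\username"
    return result

if __name__ == "__main__":
    # Both forms from the guide; the shell turns '\\' into a single backslash
    for dest in ("alice@bigco2.com.local@10.235.212.161", "bigco2\\alice@10.235.212.161"):
        print(parse_ssh_destination(dest))
```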

NOTE: By default, when creating a new user object in Windows Server 2016 or 2019, both the sAMAccountName and userPrincipalName attributes are populated.
