Important
Views exposed as SMB shares will work only if the cluster is joined to Active Directory with LDAP configuration of the same Active Directory server. This includes views that are exposed only to SMB and multiprotocol views that are exposed to both SMB and NFS.
Note
If you're using Active Directory as an authorization provider for NFS access without SMB, follow Connecting to an LDAP Server.
- Active Directory Windows 2008R2 or newer.
- SRV locator resource records on the cluster's DNS server for the _ldap and _kerberos services of the Active Directory (AD) domain.
- User credentials for an admin user with permission to create and modify machine accounts within the Organizational Unit (OU) in the Active Directory domain to which you want to add the new machine object for the cluster.
- In the VAST Web UI, click the icon in the top left of the page to open the menu, then select the Security page and the Active Directory tab.
- Click the Add button to create a new Active Directory record. Only one Active Directory record can be defined at a time.
- Complete the Active Directory fields for creating the machine object on the Active Directory domain:
  Domain Name (required): The fully qualified domain name (FQDN) of the Active Directory domain to join. Example: company-ad.com
  Machine Name (required): A name for the machine object that will be created for the cluster within Active Directory, inside the Organizational Unit (see next). For simplicity, it is recommended to use the same name as the cluster.
  Organizational Unit (required): The organizational unit (OU) in the Active Directory domain in which to create the machine object. Specify it as a Distinguished Name (DN).
  Preferred DC list: Leave this blank.
- Complete the LDAP fields to configure the LDAP connection to the Active Directory server:
  Important
  If LDAP is already configured in the LDAP tab, the LDAP configuration in the LDAP tab must be correct for the same Active Directory domain that you configured in the Active Directory section. If not, you need to modify the LDAP configuration in the LDAP tab.
  In addition, to complete the Add Active Directory dialog, you need to reenter in these fields the same values used in the LDAP tab. Alternatively, you can cancel this action and join Active Directory via the VAST CLI.
  URI (required): The URI for LDAP connectivity to the Active Directory server, in the format ldap://<server FQDN>. For example: ldap://company-ad.com
  Port (required): The port to append to the URI. The standard default port for LDAP is 389.
  Authentication Method (required): The LDAP authentication method the Active Directory server uses to authenticate clients:
    - Anonymous. The AD server accepts queries without any authentication.
    - Simple. The AD server attempts to bind the specified user name to a matching AD user. If the LDAP bind succeeds, VAST Cluster is allowed to perform the query. Also set Bind DN and Bind password.
  Base DN: The entry in the Active Directory tree to use as the starting point for user queries.
  To maximize the speed of authentication queries, start the search at the lowest branch of the tree under which all users can be found. If the entire directory must be queried, the search base must specify the root of the tree; if the search can be restricted to a specific organizational unit (OU), queries may be faster.
  The base DN is a comma-separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component defines the object at the lowest point of the tree that you want to use as the starting point of the search, the next component is its container, and so on up the tree, with the last component representing the top-level domain.
  The following attributes can be specified:
    - cn: common name
    - ou: organizational unit
    - o: organization
    - c: country
    - dc: domain component
  For example, suppose your user accounts are all located in a container called 'users' under the domain 'mydomain.local'. To set the users container as the starting point for search queries, enter:
  ou=users,dc=mydomain,dc=local
  To specify the full domain as your search base, enter:
  dc=mydomain,dc=local
  Bind DN (required): The bind DN for authenticating to the AD server. It specifies the user with which VAST Cluster authenticates to the AD server. The format is as described for Base DN, beginning with a cn attribute component that specifies the user object. For example, cn=admin,ou=users,dc=mydomain,dc=local specifies the user 'admin' located in the 'users' container under the domain 'mydomain.local'.
  Bind password (required): This field appears if Simple is selected in the Authentication Method field. This is the password used with the Bind DN to authenticate to the AD server.
  Group Base DN (from VAST Cluster 3.0.1): The entry in the AD directory tree to use as the starting point for group queries. See Base DN.
  Use TLS (from VAST Cluster 2.2.0): Enable to use TLS to secure communication between VAST Cluster and the AD server.
  Important
  The VAST Cluster TLS client is configured with the TLS_REQCERT configuration parameter set to never, which means it does not request the server's TLS certificate and ignores any certificate received. On the TLS server, make sure that TLS_REQCERT is not set to demand, since VAST Cluster cannot connect to a server with TLS_REQCERT set to demand. Verification of the server's TLS certificate will be added in a future release. Until then, TLS protects the connection only against passive eavesdropping; the cluster cannot detect a server presenting a different certificate, so the network path between the cluster and the AD server must itself be trusted.
- Click Advanced-attribute mappings and specify any non-default attribute names on the AD server to map to these LDAP defaults:
  Each mapping field is listed with its description, its default (RFC2307 compliant) value and its Active Directory equivalent:
  gidNumber: The attribute that contains GIDs. Default: gidNumber. AD equivalent: gidnumber.
  uid: The attribute that contains UIDs, which are used as login names. Default: uid. AD equivalent: uid, cn or sAMAccountName.
  uidNumber: The attribute that contains UID numbers. Default: uidNumber. AD equivalent: uidNumber.
  memberUid: The attribute that contains group members. Default: memberUid. AD equivalent: memberUid.
  posixAccount: The object class that defines a user. Default: posixAccount. AD equivalent: user.
  posixGroup: The object class that defines a group. Default: posixGroup. AD equivalent: group.
- Click Create.
  The record is now created and displayed. The JOINED status is NO because the cluster has not yet joined the AD server.
- Hover over the end of the record's row until the action buttons appear. Click the Join button to join the Active Directory server.
- Supply the user name and password of an admin user with permission to join the Active Directory server. (These credentials are used only for a one-time connection and are not stored on the cluster.)
  This may take a few moments. When the cluster has joined the server, the status in the JOINED column changes to YES.
- Run activedirectory create from the command line. This creates the record of the AD configuration:
  vcli: admin> activedirectory create --name My_AD --machine-account-name co-vcluster --organizational-unit OU=Computers,DC=co-ad,DC=com --domain-name co-ad.com
- Run activedirectory list to identify the ID of the record:
  vcli: admin> activedirectory list
  +----+-------+----------------------+------------------------------+-------------------+-------------+---------------+-------+
  | ID | Name  | Machine Account Name | Organizational Unit          | Preferred dc list | Domain Name | Enabled State | State |
  +----+-------+----------------------+------------------------------+-------------------+-------------+---------------+-------+
  | 2  | My_AD | co-vcluster          | OU=Computers,DC=co-ad,DC=com |                   | co-ad.com   | False         | N/A   |
  +----+-------+----------------------+------------------------------+-------------------+-------------+---------------+-------+
- Run activedirectory modify, specifying the ID, setting the status to enabled to join the domain, and providing the user name of an AD admin user with permission to join the AD domain:
  vcli admin> activedirectory modify --id 2 --enabled --admin-username USER
- Confirm that you wish to proceed:
  Are you sure you want to modify the Active directory? [y/N] y
- Enter the password for the AD admin user when prompted:
  Enter admin password: Password:
  Waiting ... [2020-03-31 10:18:39] waiting for active directory My_AD enabled state to change to True ... / Completed
  vcli: admin>
- The status is now enabled:
  vcli: admin> activedirectory list
  +----+-------+----------------------+------------------------------+-------------------+-------------+---------------+-------+
  | ID | Name  | Machine Account Name | Organizational Unit          | Preferred dc list | Domain Name | Enabled State | State |
  +----+-------+----------------------+------------------------------+-------------------+-------------+---------------+-------+
  | 2  | My_AD | co-vcluster          | OU=Computers,DC=co-ad,DC=com |                   | co-ad.com   | True          | N/A   |
  +----+-------+----------------------+------------------------------+-------------------+-------------+---------------+-------+
- Run ldap create to configure the LDAP connection to the same server:
  vcli: admin> ldap create --url ldap://mycompanyad.com --port 389 --binddn cn=admin,ou=users,dc=mycompanyad,dc=com --bindpw **** --searchbase ou=users,dc=mycompanyad,dc=com --group-searchbase ou=groups,dc=mycompanyad,dc=com --method simple --posix-account user --posix-group group --use-tls
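The following Python script is an added example, not VAST's code or part of its documentation. It applies the Base DN and Bind DN format rules, the attribute-mapping table and the TLS_REQCERT caveat from the field descriptions above to a configuration shaped like the ldap create command: it parses a DN into its components, builds the user lookup filter under either the RFC2307 defaults or the AD equivalents, and lists the findings a reviewer would raise against the LDAP fields. The configuration keys and the check_ldap_config function are assumptions of this example.

```python
import re

# DN attribute types the page lists as valid components.
DN_ATTRS = {"cn", "ou", "o", "c", "dc"}

# RFC2307 defaults beside their Active Directory equivalents, as in the mapping table.
RFC2307_DEFAULTS = {"uid": "uid", "uidNumber": "uidNumber", "gidNumber": "gidNumber",
                    "memberUid": "memberUid", "posixAccount": "posixAccount",
                    "posixGroup": "posixGroup"}
AD_MAPPING = {"uid": "sAMAccountName", "uidNumber": "uidNumber", "gidNumber": "gidNumber",
              "memberUid": "memberUid", "posixAccount": "user", "posixGroup": "group"}

def parse_dn(dn):
    """Split 'cn=admin,ou=users,dc=mydomain,dc=local' into (attr, value) pairs, lowest first."""
    parts = []
    for comp in dn.split(","):
        attr, sep, value = comp.strip().partition("=")
        if not sep or not value or attr.lower() not in DN_ATTRS:
            raise ValueError("bad DN component: %r" % comp)
        parts.append((attr.lower(), value))
    return parts

def escape_filter_value(value):
    """RFC 4515 escaping so a client-supplied login name cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def user_search_filter(login, mapping):
    """The lookup filter for one user under the given attribute mapping."""
    return "(&(objectClass=%s)(%s=%s))" % (
        mapping["posixAccount"], mapping["uid"], escape_filter_value(login))

def check_ldap_config(cfg):
    """Return findings for the LDAP fields (keys mirror the ldap create options; assumed)."""
    findings = []
    if not re.fullmatch(r"ldap://[A-Za-z0-9.-]+", cfg["url"]):
        findings.append("URI must be ldap://<server FQDN>")
    if parse_dn(cfg["searchbase"])[-1][0] != "dc":
        findings.append("search base should end in the domain's dc components")
    if cfg["method"] == "simple":
        if parse_dn(cfg["binddn"])[0][0] != "cn":
            findings.append("bind DN must begin with a cn component naming the bind user")
        if not cfg.get("bindpw"):
            findings.append("simple bind requires a bind password")
    if cfg.get("use_tls"):
        findings.append("TLS_REQCERT=never: the server certificate is not verified, "
                        "so the path between cluster and AD server must itself be trusted")
    else:
        findings.append("no TLS: a simple bind sends the bind password in cleartext")
    return findings
```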
When you leave AD, the cluster's machine account is deleted from the AD server.
If the AD server is not accessible to the cluster when you try to leave AD, the leave will fail. In that event, you can effectively force the cluster to leave AD by removing the AD configuration from the cluster. The machine account will remain on the AD server, where it can be manually deleted.
- From the VAST Web UI, navigate to the Security page and the Active Directory tab, hover over the far right column of the grid, and click the Leave button.
- From the VAST CLI, run the activedirectory modify command with the --disabled option.