VAST Cluster supports the use of an LDAP-based directory service as an authorization provider on a per-view basis. Views are locations in the VAST Cluster's file system that can be exposed to either NFS or SMB (S3 access is also supported, but not through views).
To use an LDAP-based directory service, configure the connection to the LDAP server and enable the use of an authorization provider for those views that you want to be authorized by the LDAP service.
A single cluster can be connected to a single LDAP server or NIS.
If one or more views on the VAST Cluster are exposed to SMB, you must use Active Directory and not any other LDAP-based directory server. In this case, follow Joining Active Directory to configure the LDAP connection and to create a machine object on the Active Directory domain.
If views are only exposed to NFS and not to SMB, either Active Directory or another LDAP server can be used and only the LDAP connection needs to be configured. Follow the procedure in Connecting to Your LDAP Server from the VAST Web UI or Integrating Your LDAP Server via CLI.
From VAST Cluster 3.2, VAST Cluster supports the RFC2307bis LDAP schema as well as the RFC2307 LDAP schema. This means that if you're using Active Directory, group memberships on your Active Directory server can be marked either by a memberUid entry in each group that contains the user or by a memberOf entry in the user entry for each group that contains the user. This is known as "nested groups".
For SMB usage, nested groups are supported from VAST Cluster 3.0.1.
Prior to VAST Cluster 3.2, for NFS access, RFC2307 is supported and RFC2307bis is not. Therefore, if you have a version of VAST Cluster prior to 3.2.0 and you are considering connecting an Active Directory server for NFS access, be aware that group memberships marked by memberOf entries will not be recognized. Groups marked by memberUid entries in the user entry are supported.
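The two membership conventions described above, as an added example (not VAST code): one resolver reads RFC2307 memberUid values from group entries, the other additionally honours RFC2307bis memberOf values on the user entry, so a cluster limited to RFC2307 silently misses the memberOf-based group. The entries are constructed sample data, not from a real directory.

```python
from typing import Dict, List

# Constructed sample entries (attribute -> list of values); DNs are illustrative only.
USERS: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=users,dc=mydomain,dc=local": {
        "uid": ["alice"],
        # RFC2307bis style: the user entry lists the groups it belongs to.
        "memberOf": ["cn=engineering,ou=groups,dc=mydomain,dc=local"],
    },
}
GROUPS: Dict[str, Dict[str, List[str]]] = {
    # RFC2307 style: the group entry lists member login names.
    "cn=storage,ou=groups,dc=mydomain,dc=local": {
        "cn": ["storage"], "memberUid": ["alice", "bob"],
    },
    # This group records membership only via the user's memberOf attribute.
    "cn=engineering,ou=groups,dc=mydomain,dc=local": {
        "cn": ["engineering"],
    },
}


def groups_rfc2307(user_dn: str, users=USERS, groups=GROUPS) -> List[str]:
    """RFC2307: membership is recorded in the group entry as memberUid=<login name>."""
    login = users[user_dn]["uid"][0]
    return sorted(dn for dn, g in groups.items() if login in g.get("memberUid", []))


def groups_rfc2307bis(user_dn: str, users=USERS, groups=GROUPS) -> List[str]:
    """RFC2307bis: also accept memberOf=<group DN> values carried by the user entry."""
    found = set(groups_rfc2307(user_dn, users, groups))
    found.update(users[user_dn].get("memberOf", []))
    return sorted(found)


def resolve_groups(user_dn: str, schema: str = "rfc2307bis",
                   users=USERS, groups=GROUPS) -> List[str]:
    """Emulate the schema support described on the page: a cluster that only
    understands RFC2307 never sees memberOf-based memberships."""
    if schema == "rfc2307":
        return groups_rfc2307(user_dn, users, groups)
    if schema == "rfc2307bis":
        return groups_rfc2307bis(user_dn, users, groups)
    raise ValueError(f"unknown schema {schema!r}")
```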
For details of how any LDAP server is used for authorizing access to NFS files, see File Permissions Authorization for NFS Exports.
For details of how Active Directory is used for authorizing SMB access and authenticating SMB users (supported from VAST Cluster 3.0.1), see File Permissions Authorization for SMB Shares.
In order to avoid overtaxing the LDAP server resources, user entries are cached on retrieval, and your LDAP server is only queried periodically based on demand for new or aged entries. The default Time to Live (TTL) value for entries is 1800s.
Multiple DCs are supported from VAST Cluster 3.2. You can choose the priority order of the DCs that you specify. The access protocol (NFS or SMB) checks the health status of all specified DCs and uses the DC that has the highest priority of all those with good health status.
Use this procedure to configure a connection to any LDAP-based server (including Active Directory) to use the server as an authorization provider for NFS access. If you need to join an Active Directory server for SMB or multiprotocol (SMB + NFS) access, follow Joining Active Directory instead.
From the left navigation menu, select User Management and then LDAP.
If no LDAP configuration is displayed, click Create Ldap to create one. If an LDAP configuration record is already displayed, click to open the Actions menu for the existing LDAP configuration and select Edit.
Enter the details of your LDAP server:
Comma-separated list of URIs of the LDAP server's domain controllers (DCs). The order of listing defines the priority order. The DC with the highest priority that has a good health status is used.
Specify the URI of each DC in the format
<address> can be either a DNS name or an IP address.
The port of the remote LDAP server. Default value:
Authentication Method (required)
The authentication method the LDAP server uses to authenticate VAST Cluster as a client querying the LDAP database. Set the method according to how the LDAP server is configured to authenticate clients. The following options are available:
Anonymous. The LDAP server accepts queries without any authentication.
Simple. The LDAP server attempts to bind a specified user name to a matching LDAP user. If the LDAP bind succeeds, VAST Cluster is allowed access to perform the query. Set also Bind DN and Bind password.
The entry in the LDAP directory tree to use as a starting point for user queries.
To maximize the speed of authentication queries, start the search in the lowest branch of the tree under which all users can be found. For example, if the entire directory must be queried, the search base must specify the root of the tree. However, if the search can be restricted to a specific organizational unit (OU), queries may be faster.
The format for base DN is a comma separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component defines the object at the lowest part of the tree that you want to use as the starting point of the search, the next component is its container and so on up the tree, with the last component representing the top level domain.
The following attributes can be specified:
cn: common name
ou: organizational unit
For example, supposing your user accounts are all located in a container called 'users' under a domain 'mydomain.local'. If you want to set the users container as the starting point for search queries, you would enter:
To specify the full domain as your search base, you would enter:
Bind DN (required)
Enter the bind DN for authenticating to the LDAP server. The bind DN specifies the user with which VAST Cluster authenticates to the LDAP directory.
Format is as described for Base DN beginning with a cn attribute component specifying the user object.
cn=admin,ou=users,dc=mydomain,dc=local specifies user 'admin' located in the 'users' container under the domain 'mydomain.local'.
Bind password (required)
This field appears if Simple is selected in the Method field. This is the password used with the Bind DN to authenticate to the LDAP server.
Group Base DN
The entry in the LDAP directory tree to use as a starting point for group queries. See Base DN.
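As an added example (not VAST code), a small validator for the Base DN, Bind DN and Group Base DN formats described above: components are attribute=value pairs listed lowest object first, only cn, ou and dc are accepted, the DN must end in dc components, and a bind DN must start with cn. Backslash-escaped commas inside a value are an assumption taken from RFC 4514, not from the page.

```python
import re
from typing import List, Tuple

ALLOWED_ATTRS = {"cn", "ou", "dc"}  # the attribute types listed on the page


def split_components(dn: str) -> List[str]:
    """Split a DN on commas that are not escaped with a backslash (RFC 4514 escaping assumed)."""
    return [c.strip() for c in re.split(r"(?<!\\),", dn)]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse 'attr=value,attr=value,...' into (attr, value) pairs, lowest object first."""
    pairs = []
    for comp in split_components(dn):
        if "=" not in comp:
            raise ValueError(f"component {comp!r} is not an attribute=value pair")
        attr, value = comp.split("=", 1)
        attr = attr.strip().lower()
        value = value.strip().replace("\\,", ",")
        if attr not in ALLOWED_ATTRS:
            raise ValueError(f"unsupported attribute {attr!r} in {comp!r}")
        if not value:
            raise ValueError(f"empty value in {comp!r}")
        pairs.append((attr, value))
    return pairs


def domain_of(dn: str) -> str:
    """Join the trailing dc components into a dotted domain name (e.g. mydomain.local)."""
    pairs = parse_dn(dn)
    dcs = [v for a, v in pairs if a == "dc"]
    # The dc components must be contiguous at the top (end) of the DN.
    if not dcs or [a for a, _ in pairs[-len(dcs):]] != ["dc"] * len(dcs):
        raise ValueError("DN must end with one or more dc components")
    return ".".join(dcs)


def is_valid_base_dn(dn: str) -> bool:
    """A base DN (or group base DN) is any well-formed DN that ends in dc components."""
    try:
        domain_of(dn)
        return True
    except ValueError:
        return False


def is_valid_bind_dn(dn: str) -> bool:
    """A bind DN is a valid base DN whose first component is cn=<user object>."""
    return is_valid_base_dn(dn) and parse_dn(dn)[0][0] == "cn"
```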
Enable to use TLS to secure communication between VAST Cluster and the LDAP server.
If Use TLS is enabled, use this field to provide a certificate if you want the cluster to verify the LDAP server's TLS certificate. The remote LDAP server's TLS certificate will be verified against the certificate you provide. If the certificate you provide does not list the certificate authority (CA) of the server's certificate, the cluster will fail to establish a connection with the LDAP server.
If you choose to leave this field blank, the VAST Cluster's TLS client will not request the LDAP server's TLS certificate and will ignore any certificate received. In this case, make sure that the TLS_REQCERT parameter on the LDAP server's TLS server is not set to demand. Otherwise, the connection will fail.
Some LDAP servers, including Active Directory (AD), use attributes that are different from the default attribute set that VAST Cluster uses to query the LDAP server. You can specify a different attribute to query in place of the default attributes. To manage these attribute mappings, click Advanced-attribute mappings. The default attributes are prepopulated in the fields. Overwrite attributes as needed:
VAST Cluster supports the RFC2307 LDAP schema.
Advanced-Attribute Mappings Field
Default (RFC2307 Compliant)
The attribute that contains GIDs.
The attribute that contains UIDs, which are used as login names.
sAMAccountName (common, use unless you know otherwise). Also can be
The attribute that contains UID numbers.
The attribute that contains group members.
The object class that defines a user.
The object class that defines a group.
The LDAP server details are updated.
To integrate an LDAP server, use the following CLI commands.
For full CLI command syntax, including arguments, enter the command at the CLI prompt in the <command> <subcommand> format provided in the table, followed by ?.
Display the LDAP server configuration
Change the LDAP server configuration
To display details of a configured LDAP connection:
From the VAST Web UI, select the LDAP tab in the User Management page.
From the VAST CLI, run ldap list.
The state of the LDAP connection reflects the health status of the configured DCs as follows:
Connected: All DCs are connected.
Failed: All DCs have failed.
Degraded: Some DCs have failed and at least one DC is connected. The URIs of the failed DCs are reported by an alarm.
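The DC selection rule (priority-ordered URI list, highest-priority healthy DC wins) and the three connection states above, modelled as an added example that is not VAST code. The URI scheme and host names in the sample are constructed assumptions; the page does not give the URI format.

```python
from typing import Dict, List, Optional, Tuple


def parse_dc_uris(uris: str) -> List[str]:
    """Split the comma-separated DC URI list; list order is priority order (first = highest)."""
    return [u.strip() for u in uris.split(",") if u.strip()]


def select_dc(uris: str, health: Dict[str, bool]) -> Optional[str]:
    """Return the highest-priority DC with good health status, or None if all have failed.
    A DC absent from `health` is treated as unhealthy (assumption: unknown == bad)."""
    for uri in parse_dc_uris(uris):
        if health.get(uri, False):
            return uri
    return None


def connection_state(uris: str, health: Dict[str, bool]) -> Tuple[str, List[str]]:
    """Derive the LDAP connection state listed on the page (Connected / Degraded / Failed)
    together with the failed URIs that an alarm would report in the Degraded case."""
    ordered = parse_dc_uris(uris)
    failed = [u for u in ordered if not health.get(u, False)]
    if not ordered or len(failed) == len(ordered):
        return "Failed", failed
    if not failed:
        return "Connected", []
    return "Degraded", failed


# Constructed sample: three DCs, the highest-priority one unreachable.
SAMPLE_URIS = "ldap://dc1.mydomain.local, ldap://dc2.mydomain.local, ldap://dc3.mydomain.local"
SAMPLE_HEALTH = {
    "ldap://dc1.mydomain.local": False,
    "ldap://dc2.mydomain.local": True,
    "ldap://dc3.mydomain.local": True,
}


def demo() -> Tuple[Optional[str], str, List[str]]:
    """Run the sample: which DC is used, and what state/alarm the cluster would show."""
    chosen = select_dc(SAMPLE_URIS, SAMPLE_HEALTH)
    state, failed = connection_state(SAMPLE_URIS, SAMPLE_HEALTH)
    return chosen, state, failed
```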