Articles in this section

Connecting to an LDAP Server

Sara Levy
  • Updated
Follow

If you wish to use of any LDAP-based directory server as an auth provider for NFS access, follow the instructions in this section for configuring an LDAP connection to that server.

Learn how LDAP is used for authorizing access to NFS files here.

Note

In order to avoid overtaxing your LDAP server resources, user entries are cached on retrieval, and your LDAP server is only queried periodically based on demand for new or aged entries. The default Time to Live (TTL) value for entries is 1800s.

Connecting to Your LDAP Server from the VAST Web UI

  1. From the menu (click menu_button.png ), select Security and then select the LDAP tab.

    One LDAP configuration record is displayed.

  2. Hover over the far right column and click the edit button (edit_button.png) to modify the LDAP configuration.

  3. Enter the details of your LDAP server:

    Field

    Description

    URI (required)

    The URI of the remote LDAP server in the format <scheme>://<address>.

    For example: ldap://company-ad.com.

    Port (required)

    The port of the remote LDAP server. Default value: 389.

    Authentication Method (required)

    The authentication method the LDAP server uses to authenticate VAST Cluster as a client querying the LDAP database. Set the method according to how the LDAP server is configured to authenticate clients. The following options are available:

    • Anonymous. The LDAP server accepts queries without any authentication.

    • Simple. The LDAP server attempts to bind a specified user name to a matching LDAP user. If the LDAP bind succeeds, VAST Cluster is allowed access to perform the query. Set also Bind DN and Bind password.

    Base DN

    The entry in the LDAP directory tree to use as a starting point for user queries.

    To maximize the speed of authentication queries, start the search in the lowest branch of the tree under which all users can be found. For example, if the entire directory must be queried, the search base must specify the root of the tree. However, if the search can be restricted to a specific organizational unit (OU), queries may be faster.

    The format for base DN is a comma separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component defines the object at the lowest part of the tree that you want to use as the starting point of the search, the next component is its container and so on up the tree, with the last component representing the top level domain.

    The following attributes can be specified:

    • cn: common name

    • ou: organizational unit

    • o: organization

    • c: country

    • dc: domain

    For example, supposing your user accounts are all located in a container called 'users' under a domain 'mydomain.local'. If you want to set the users container as the starting point for search queries, you would enter: ou=users,dc=mydomain,dc=local

    To specify the full domain as your search base, you would enter: dc=mydomain,dc=local

    Bind DN (required)

    Enter the bind DN for authenticating to the LDAP server. The bind DN specifies the user with which VAST Cluster authenticates to the LDAP directory.

    Format is as described for Base DN beginning with a cn attribute component specifying the user object.

    For example, cn=admin,ou=users,dc=mydomain,dc=local specifies user 'admin' located in the 'users' container under the domain 'mydomain.local'.

    Bind password (required)

    This field appears if Simple is selected in the Method field. This is the password used with the Bind DN to authenticate to the LDAP server.

    Group Base DN (From VAST Cluster 3.0.1)

    The entry in the LDAP directory tree to use as a starting point for group queries. See Base DN.

    Use TLS (from VAST Cluster 2.2.0)

    Enable to use TLS to secure communication between VAST Cluster and the LDAP server.

    Important

    The VAST Cluster TLS client is configured with the TLS_REQCERT configuration parameter set to never, which means it does not request the server's TLS certificate and ignores any certificate received. On the TLS server, make sure that TLS_REQCERT is not set to demand since VAST Cluster cannot connect to a server with TLS_REQCERT set to demand.

    Verification of the server's TLS certificate will be added in a future release.

  4. (From Version 1.2.4 ) Some LDAP servers, including Active Directory (AD), use attributes that are different from the default attribute set that VAST Cluster uses to query the LDAP server. You can specify a different attribute to query in place of the default attributes. To manage these attribute mappings, click Advanced-attribute mappings. The default attributes are prepopulated in the fields. Overwrite attributes as needed:

    Note

    VAST Cluster supports the RFC2307 LDAP schema.

    Advanced-Attribute Mappings Field

    Description

    Default (RFC2307 Compliant)

    AD Equivalent

    gidNumber

    The attribute that contains GIDs.

    gidNumber

    gidnumber

    uid

    The attribute that contains UIDs, which are used as login names.

    uid

    uid or cn or sAMAccountname

    uidNumber

    The attribute that contains UID numbers.

    uidNumber

    uidNumber

    memberUid

    The attribute that contains group members.

    memberUid

    memberUid

    posix Account

    The object class that defines a user.

    posixAccount

    user

    posix Group

    The object class that defines a group.

    posixGroup

    group

  5. Click Update.

    The LDAP server details are updated.

 

Integrating Your LDAP Server via CLI

To integrate an LDAP server, use the following CLI commands.

Tip

For full CLI command syntax, including arguments, enter the command at the CLI prompt, followed by ?.

Task

Command

Display the LDAP server configuration

ldap list

ldap show

Change the LDAP server configuration 

ldap modify
 
 

Related articles

Comments

0 comments

Please sign in to leave a comment.