If you use an LDAP based directory service for storing user entries with group memberships, you can configure VAST Cluster to connect to your LDAP server as a client and query user information. Learn about how this can be used for authorizing access to NFS files here.
In order to avoid overtaxing your LDAP server resources, user entries are cached on retrieval, and your LDAP server is only queried periodically based on demand for new or aged entries. The default Time to Live (TTL) value for entries is 1800s.
From the menu, select Security and then select the LDAP tab.
Click the (only) row in the grid to edit the server details:
The URI of the remote LDAP server in the format
The port of the remote LDAP server. Default value:
The authentication method the LDAP server uses to authenticate VAST Cluster as a client querying the LDAP database. Set the method according to how the LDAP server is configured to authenticate clients. The following options are available:
Anonymous. The LDAP server accepts queries without any authentication.
Simple. The LDAP server attempts to bind a specified user name to a matching LDAP user. If the LDAP bind succeeds, VAST Cluster is allowed access to perform the query. Set also Bind DN and Bind password.
The search base is the base DN (distinguished name). It specifies an entry in the LDAP directory tree to use as a starting point for queries.
To maximize the speed of authentication queries, start the search in the lowest branch of the tree under which all users can be found. For example, if the entire directory must be queried, the search base must specify the root of the tree. However, if the search can be restricted to a specific organizational unit (OU), queries may be faster.
The format for the base DN is a comma-separated list of components. Each component is an attribute=value pair that identifies an object in the directory tree. The first component identifies the object at the lowest point of the tree that you want to use as the starting point of the search; the next component is its container, and so on up the tree, with the last component representing the top-level domain.
The following attributes can be specified:
cn: common name
ou: organizational unit
For example, suppose your user accounts are all located in a container called 'users' under a domain 'mydomain.local'. If you want to set the users container as the starting point for search queries, you would enter:
To specify the full domain as your search base, you would enter:
Enter the bind DN for authenticating to the LDAP server. The bind DN specifies the user with which VAST Cluster authenticates to the LDAP directory.
The format is as described for Search base, beginning with a cn attribute component that specifies the user object.
cn=admin,ou=users,dc=mydomain,dc=local specifies user 'admin' located in the 'users' container under the domain 'mydomain.local'.
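The DN rules above (lowest object first, then containers, then domain components) are easy to get wrong when typed by hand. The following helper is an added example, not VAST code or part of its CLI: it builds the search base and bind DN from a domain and container names, parses a DN back into its components so typos are caught before the settings are saved, and checks whether a user's DN falls under a given search base (the narrowing described for organizational units). The attribute type dc (domain component) is assumed from the page's own examples; the parser is a simple comma split and does not handle RFC 4514 escaped commas.

```python
"""Build and sanity-check the DN values used in the LDAP settings."""
import re

# Attribute types the page lists for DN components (cn, ou), plus dc, which
# appears in the page's own examples (dc=mydomain,dc=local).
KNOWN_ATTRS = {"cn", "ou", "dc"}
_COMPONENT = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")


def domain_to_base_dn(domain):
    """'mydomain.local' -> 'dc=mydomain,dc=local' (search base for the whole domain)."""
    labels = [p for p in domain.lower().split(".") if p]
    if not labels:
        raise ValueError("domain must contain at least one label")
    return ",".join(f"dc={label}" for label in labels)


def build_dn(domain, *containers, cn=None):
    """Assemble a DN lowest-object-first: optional cn, containers (innermost first), dc parts.

    build_dn('mydomain.local', 'users')             -> search base for the users container
    build_dn('mydomain.local', 'users', cn='admin') -> bind DN for the admin user
    """
    parts = [f"cn={cn}"] if cn is not None else []
    parts += [f"ou={c}" for c in containers]
    parts.append(domain_to_base_dn(domain))
    return ",".join(parts)


def parse_dn(dn):
    """Split a DN into (attr, value) pairs; reject components that are not attr=value.

    Limitation: splits on every comma, so escaped commas in values are not supported.
    """
    pairs = []
    for comp in dn.split(","):
        m = _COMPONENT.match(comp.strip())
        if not m:
            raise ValueError(f"malformed DN component: {comp!r}")
        attr, value = m.group(1).lower(), m.group(2)
        if attr not in KNOWN_ATTRS:
            raise ValueError(f"unexpected attribute type {attr!r} in {comp!r}")
        pairs.append((attr, value))
    return pairs


def is_under(dn, base_dn):
    """True if dn is at or below base_dn, i.e. base_dn's components are a suffix of dn's."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b
```

Running is_under on a sample user DN against a candidate OU search base shows whether narrowing the search base would still find that user.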
This field appears if Simple is selected in the Method field. This is the password used with the Bind DN to authenticate to the LDAP server.
(Version 1.2.4 onwards) If you're using Active Directory (AD), some of the user entry attributes might have different names from their LDAP equivalents. To manage AD attribute mappings, click Advanced-attribute mappings and then enter the AD attribute name you need to map to each LDAP attribute. Each field name is the LDAP attribute name. Fields are provided for the following LDAP attribute names: gidNumber, uidNumber, uid, and memberID.
The LDAP server details are updated.
To integrate an LDAP server, use the following CLI commands.
For full CLI command syntax, including arguments, enter the command at the CLI prompt, followed by ?.