Articles in this section

Connecting to an LDAP Server

Sara Levy
  • Updated
Follow
Connecting to Your LDAP Server from the VAST Web UI

Note

Use this procedure to configure a connection to an LDAP-based directory server to use the server as an authorization provider for NFS access. This can be an Active Directory server. However, if you are using the same Active Directory server to authenticate and authorize SMB users, you need to join the Active Directory service and you should follow the complete joining procedure instead: see Joining Active Directory (AD).

  1. From the left navigation menu, select User Management and then LDAP.

  2. If no LDAP configuration is displayed, click Create LDAP to create one. If an LDAP configuration record is already displayed, click ActionsButtonGUI2.png to open the Actions menu for the existing LDAP configuration and select Edit.

  3. Enter the details of your LDAP server:

    Field

    Description

    URI (required)

    Comma separated list of URIs of LDAP servers (Domain Controllers (DCs) in Active Directory). The order of listing defines the priority order. The URI with highest priority that has a good health status is used.

    Specify each URI in the format <scheme>://<address>. <address> can be either a DNS name or an IP address.

    Examples:

    • ldap://company-ad.com

    • ldap://company-ad.com,ldap://company-ad2.com

    • ldap://192.0.2.0,ldap://192.0.2.1,ldap://192.0.2.2

    Port (required)

    The port of the remote LDAP server. Typical values: 389, 636.

    Authentication Method (required)

    The authentication method the LDAP server uses to authenticate VAST Cluster as a client querying the LDAP database. Set the method according to how the LDAP server is configured to authenticate clients. The following options are available:

    • Anonymous. The LDAP server accepts queries without any authentication.

    • Simple. The LDAP server attempts to bind a specified user name to a matching LDAP user. If the LDAP bind succeeds, VAST Cluster is allowed access to perform the query. Set also Bind DN and Bind password.

    Base DN

    The entry in the LDAP directory tree to use as a starting point for user queries. By default, this is also used as the starting point for group queries. Optionally, you can specify a different entry as the Group Base DN.

    To maximize the speed of authentication queries, start the search in the lowest branch of the tree under which all users can be found. For example, if the entire directory must be queried, the search base must specify the root of the tree. However, if the search can be restricted to a specific organizational unit (OU), queries may be faster.

    The format for base DN is a comma separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component defines the object at the lowest part of the tree that you want to use as the starting point of the search, the next component is its container and so on up the tree, with the last component representing the top level domain.

    The following attributes can be specified:

    • cn: common name

    • ou: organizational unit

    • o: organization

    • c: country

    • dc: domain

    For example, supposing your user accounts are all located in a container called 'users' under a domain 'mydomain.local'. If you want to set the users container as the starting point for search queries, you would enter: ou=users,dc=mydomain,dc=local

    To specify the full domain as your search base, you would enter: dc=mydomain,dc=local

    Bind DN (required if Authentication Method = SImple)

    Enter the bind DN for authenticating to the LDAP domain. You can specify any user account that has read access to the domain.

    Format is as described for Base DN beginning with a cn attribute component specifying the user object.

    For example, cn=admin,ou=users,dc=mydomain,dc=local specifies user 'admin' located in the 'users' container under the domain 'mydomain.local'.

    Bind password (required if Authentication Method = SImple)

    This field appears if Simple is selected in the Method field. This is the password used with the Bind DN to authenticate to the LDAP server.

    Group Base DN

    (Optional) The entry in the LDAP directory tree to use as a starting point for group queries. By default, the Base DN is used.

    Use TLS

    Enable to use TLS to secure communication between VAST Cluster and the LDAP server.

    TLS Certificate

    If Use TLS is enabled, use this field to provide a certificate if you want the cluster to verify the LDAP server's TLS certificate. The remote LDAP server's TLS certificate will be verified against the certificate you provide. If the certificate you provide does not list the certificate authority (CA) of the server's certificate, the cluster will fail to establish a connection with the LDAP server.

    If you choose to leave this field blank, the VAST Cluster's TLS client will not request the LDAP server's TLS certificate and will ignore any certificate received. In this case, make sure that the TLS_REQCERT parameter on the LDAP server's TLS server is not set to demand. Otherwise, connection will fail.

  4. Some LDAP servers, including Active Directory (AD), use attributes that are different from the default attribute set that VAST Cluster uses to query the LDAP server. You can specify a different attribute to query in place of the default attributes. To manage these attribute mappings, click Advanced-attribute mappings. The default attributes are prepopulated in the fields.

    Overwrite attributes as needed:

    Note

    VAST Cluster supports the RFC2307 LDAP schema.

    Advanced-Attribute Mappings Field

    Description

    Default (RFC2307 Compliant)

    AD Equivalent

    gidNumber

    The attribute of a group entry that contains the GID number of a group.

    gidNumber

    gidnumber

    uid

    The attribute of a user entry that contains the user name.

    uid

    sAMAccountname (common, use unless you know otherwise). Also can be uid (rare) or cn (rare).

    uidNumber

    The attribute of a user entry that contains the UID number.

    uidNumber

    uidNumber

    memberUid

    The attribute of the group entry that contains names of group members.

    memberUid

    memberUID

    posix Account

    The object class that defines a user entry.

    posixAccount

    user

    posix Group

    The object class that defines a group entry.

    posixGroup

    group

    Match User

    The attribute to use when querying a provider for a user that matches a user that was already retrieved from another provider. A user entry that contains a matching value in this attribute will be considered the same user as the user previously retrieved.

    Equal to the setting for uid.

  5. Click Create or Update.

    The LDAP client configuration is created/updated.

Integrating Your LDAP Server via CLI

To integrate an LDAP server, use the following CLI commands.

Tip

For full CLI command syntax, including arguments, enter the command at the CLI prompt in the <command> <subcommand> format provided in the table, followed by ?.

Task

Command

Display the LDAP server configuration

ldap list

ldap show

Change the LDAP server configuration 

ldap modify
Monitoring LDAP Status

To display details of a configured LDAP connection:

  • From the VAST Web UI, select the LDAP tab in the User Management page.

  • From the VAST CLI, run ldap list. or ldap show.

The state of the LDAP connection reflects the health status of the configured DCs as follows:

  • Connected: All DCs are connected.

  • Failed: All DCs have failed.

  • Degraded: Some DCs have failed and at least one DC is connected. The URIs of the failed DCs are reported by an alarm.

Comments

0 comments

Article is closed for comments.