URLs (required)
|
Comma separated list of URIs of LDAP servers (Domain Controllers (DCs) in Active Directory). The order of listing defines the priority order. The URI with highest priority that has a good health status is used.
Specify each URI in the format <scheme>://<address> . <address> can be either a DNS name or an IP address.
Examples:
-
ldap://company-ad.com
-
ldap://company-ad.com,ldap://company-ad2.com
-
ldap://192.0.2.0,ldap://192.0.2.1,ldap://192.0.2.2
|
Port (required)
|
The port of the remote LDAP server. Typical values: 389 , 636 .
|
Domain name
|
The fully qualified domain name (FQDN) of the domain to join.
Example: company-ad.com
|
Authentication Method (required)
|
The authentication method the LDAP server uses to authenticate VAST Cluster as a client querying the LDAP database. Set the method according to how the LDAP server is configured to authenticate clients. The following options are available:
-
Anonymous. The LDAP server accepts queries without any authentication.
-
Simple. The LDAP server attempts to bind a specified user name to a matching LDAP user. If the LDAP bind succeeds, VAST Cluster is allowed access to perform the query. Set also Bind DN and Bind password.
|
Base DN
|
The entry in the LDAP directory tree to use as a starting point for user queries. By default, this is also used as the starting point for group queries. Optionally, you can specify a different entry as the Group Base DN.
To maximize the speed of authentication queries, start the search in the lowest branch of the tree under which all users can be found. For example, if the entire directory must be queried, the search base must specify the root of the tree. However, if the search can be restricted to a specific organizational unit (OU), queries may be faster.
The format for base DN is a comma separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component defines the object at the lowest part of the tree that you want to use as the starting point of the search, the next component is its container and so on up the tree, with the last component representing the top level domain.
The following attributes can be specified:
-
cn: common name
-
ou: organizational unit
-
o: organization
-
c: country
-
dc: domain
For example, supposing your user accounts are all located in a container called 'users' under a domain 'mydomain.local'. If you want to set the users container as the starting point for search queries, you would enter: ou=users,dc=mydomain,dc=local
To specify the full domain as your search base, you would enter: dc=mydomain,dc=local
|
Bind DN (required if Authentication Method = SImple)
|
Enter the bind DN for authenticating to the LDAP domain. You can specify any user account that has read access to the domain.
Format is as described for Base DN beginning with a cn attribute component specifying the user object.
For example, cn=admin,ou=users,dc=mydomain,dc=local specifies user 'admin' located in the 'users' container under the domain 'mydomain.local'.
|
Bind password (required if Authentication Method = SImple)
|
This field appears if Simple is selected in the Method field. This is the password used with the Bind DN to authenticate to the LDAP server.
|
Group Base DN
|
(Optional) The entry in the LDAP directory tree to use as a starting point for group queries. By default, the Base DN is used.
|
Query Group Mode
|
Sets the mode for querying a users' auxiliary group memberships, where applicable:
Note
Group memberships may or may not be queried during access checks depending on the Group Membership Source setting in the View Policy.
-
Compatible (default). Groups are queried using an aggregate of the RFC2307BIS and RFC2307 compliant group membership queries (see the other options). You can use this default option unless you are using an authentication provider which is incompatible with this aggregated query mode.
-
RFC2307BIS only. Auxiliary group memberships are queried according to the RFC2307BIS standard, in which the group has a member attribute that contains the Distinguished Name (DN) of the member user and the user has a memberOf attribute which contains the DNs of the groups to which the user belongs. This standard is used by Active Directory and may be used with other LDAP-based authorization providers with LDAP schema extensions.
-
RFC2307 only. Auxiliary group memberships are queried according to the RFC2307 standard, in which the group object has a memberUid attribute for each user object that is a member of the group, specifying the name of the user object. This standard may be used by openLDAP, freeIPA and other LDAP-based authorization providers.
-
None. If this option is selected, auxiliary group memberships are not queried at all. In the event that the relevant view's view policy cites the authorization provider as the group membership source and the user tries to access a file or directory within that view to which the user only has permission as a member of a the owning user's group, permission will not be granted.
|
Use TLS
|
Enable to use TLS to secure communication between VAST Cluster and the LDAP server.
|
TLS Certificate
|
If Use TLS is enabled, use this field to provide a certificate if you want the cluster to verify the LDAP server's TLS certificate. The remote LDAP server's TLS certificate will be verified against the certificate you provide. If the certificate you provide does not list the certificate authority (CA) of the server's certificate, the cluster will fail to establish a connection with the LDAP server.
If you choose to leave this field blank, the VAST Cluster's TLS client will not request the LDAP server's TLS certificate and will ignore any certificate received. In this case, make sure that the TLS_REQCERT parameter on the LDAP server's TLS server is not set to demand . Otherwise, connection will fail.
|
Comments
0 comments
Article is closed for comments.