Articles in this section

Joining Active Directory (AD)

Sara Levy
  • Updated
Follow

Important

Views exposed as SMB shares will work only if the cluster is joined to Active Directory. This includes views that are exposed only to SMB and multiprotocol views that are exposed to both SMB and NFS.

Important

NFS4 ID mapping requires that the cluster is joined to Active Directory with LDAP attribute mappings set as directed below.

Note

If you're using Active Directory as an LDAP server for NFSv3 access, follow Connecting to an LDAP Server.

VAST Cluster leverages AD two ways:

  • Via direct AD queries using native AD APIs.

  • Via LDAP queries using LDAP APIs since AD is also an LDAP server. As such when you configure AD you are also implicitly configuring an LDAP provider.

    Important

    As part of the LDAP configuration (detailed below) you MUST map advanced LDAP attributes to the AD schema. This step is required in order for SMB access to work

As such, when you configure AD, the procedure includes configuring a binding to the LDAP domain of the Active Directory server.

Prerequisites for SMB Access

  • Active Directory Windows 2008R2 or newer.

  • Active Directory server to join, with the DNS server of the VAST Cluster able to resolve the _ldap and _kerberos SRV records of the Active Directory (AD) domain.

  • User credentials for an admin user with permission to create and modify machine accounts within the Organizational Unit (OU) in the Active Directory domain to which you want to add the new machine object for the cluster.

 

Joining Active Directory and Configuring LDAP via VAST Web UI

  1. From the left navigation menu, select User Management and then Active Directory.

  2. Click Create Active Directory to create a new Active Directory record.

    Only one Active Directory record can be defined at one time.

  3. Complete the Active Directory fields for creating the machine object on the Active Directory domain:

    Field

    Description

    Machine account name (required)

    Specify a name for the machine object that will be created for the cluster within Active Directory, inside the Organizational Unit (see next). It is recommended to name the machine name the same as the cluster name for simplicity.

    Organizational unit (required)

    The organizational unit (OU) in the Active Directory domain in which to create the machine object.

    Specify as a Distinguished Name (DN).

    For example: OU=Computers,DC=company-ad,DC=com

  4. In the LDAP section of the dialog: if a binding to the LDAP domain of the Active Directory server was already configured on the cluster, select that existing LDAP configuration from the dropdown. Otherwise, select Create new ldap.

  5. Complete the LDAP fields. These fields configure a binding to the LDAP domain of the Active Directory server:

    Field

    Description

    URI (required)

    Comma separated list of URIs of the Active Directory server's domain controllers (DCs). The order of listing defines the priority order. The DC with highest priority that has a good health status is used.

    Specify the URI of each DC in the format <scheme>://<address>. <address> can be either a DNS name or an IP address.

    Examples:

    • ldap://company-ad.com

    • ldap://company-ad.com,ldap://company-ad2.com

    • ldap://192.0.2.0,ldap://192.0.2.1,ldap://192.0.2.2

    Port (required)

    The port to append to the URI. Typical values: 389, 636.

    Domain name

    The fully qualified domain name (FQDN) of the Active Directory domain to join.

    Example: company-ad.com

    Authentication Method (required)

    The LDAP authentication method the Active Directory server uses to authenticate clients:

    • Anonymous. The AD server accepts queries without any authentication.

    • Simple. The AD server attempts to bind a specified user name to a matching AD user. If the LDAP bind succeeds, VAST Cluster is allowed access to perform the query. Set also Bind DN and Bind password.

    Base DN

    The entry in the Active Directory tree to use as a starting point for user queries. By default, this is also used as the starting point for group queries. Optionally, you can specify a different entry as the Group Base DN.

    To maximize the speed of authentication queries, start the search in the lowest branch of the tree under which all users can be found. For example, if the entire directory must be queried, the search base must specify the root of the tree. However, if the search can be restricted to a specific organizational unit (OU), queries may be faster.

    The format for base DN is a comma separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component defines the object at the lowest part of the tree that you want to use as the starting point of the search, the next component is its container and so on up the tree, with the last component representing the top level domain.

    The following attributes can be specified:

    • cn: common name

    • ou: organizational unit

    • o: organization

    • c: country

    • dc: domain

    For example, supposing your user accounts are all located in a container called 'users' under a domain 'mydomain.local'. If you want to set the users container as the starting point for search queries, you would enter: ou=users,dc=mydomain,dc=local

    To specify the full domain as your search base, you would enter: dc=mydomain,dc=local

    Bind DN (required if Authentication Method = SImple)

    Enter the bind DN for authenticating to the LDAP domain. You can specify any user account that has read access to the domain.

    Format is as described for Search base beginning with a cn attribute component specifying the user object.

    For example, cn=admin,ou=users,dc=mydomain,dc=local specifies user 'admin' located in the 'users' container under the domain 'mydomain.local'.

    Bind password (required if Authentication Method = SImple)

    This field appears if Simple is selected in the Method field. This is the password used with the Bind DN to authenticate to the AD server.

    Group Base DN

    The entry in the AD directory tree to use as a starting point for group queries. By default, the Base DN is used.

    Query Group Mode

    Sets the mode for querying a users' auxiliary group memberships, where applicable:

    Note

    Group memberships may or may not be queried during access checks depending on the Group Membership Source setting in the View Policy.

    • Compatible (default). Groups are queried using an aggregate of the RFC2307BIS and RFC2307 compliant group membership queries (see the other options). You can use this default option unless you are using an authentication provider which is incompatible with this aggregated query mode.

    • RFC2307BIS only. Auxiliary group memberships are queried according to the RFC2307BIS standard, in which the group has a member attribute that contains the Distinguished Name (DN) of the member user and the user has a memberOf attribute which contains the DNs of the groups to which the user belongs. This standard is used by Active Directory and may be used with other LDAP-based authorization providers with LDAP schema extensions.

    • RFC2307 only. Auxiliary group memberships are queried according to the RFC2307 standard, in which the group object has a memberUid attribute for each user object that is a member of the group, specifying the name of the user object. This standard may be used by openLDAP, freeIPA and other LDAP-based authorization providers.

    • None. If this option is selected, auxiliary group memberships are not queried at all. In the event that the relevant view's view policy cites the authorization provider as the group membership source and the user tries to access a file or directory within that view to which the user only has permission as a member of a the owning user's group, permission will not be granted.

    Use TLS

    Enable to use TLS to secure communication between VAST Cluster and the LDAP server.

    TLS Certificate

    If Use TLS is enabled, use this field to provide a certificate if you want the cluster to verify the LDAP server's TLS certificate. The remote LDAP server's TLS certificate will be verified against the certificate you provide. If the certificate you provide does not list the certificate authority (CA) of the server's certificate, the cluster will fail to establish a connection with the LDAP server.

    If you choose to leave this field blank, the VAST Cluster's TLS client will not request the LDAP server's TLS certificate and will ignore any certificate received. In this case, make sure that the TLS_REQCERT parameter on the LDAP server's TLS server is not set to demand. Otherwise, connection will fail.

  6. Click Advanced-attribute mappings to make sure that the correct object class names will be used to query provider's entries and ensure that the user authorization process will find users and groups on the provider.

    Do the following:

    1. Select a template from the Templates for advanced setting dropdown. This fills the attribute mapping fields with a base set of values before you make any custom modifications:

      • AD. Fills all the attribute mapping fields with RFC2307BIS-compliant values, typically used in Active Directory.

      • OpenLDAP. Fills all the attribute mapping fields with RFC2307-compliant values, used by OpenLDAP and other LDAP-based providers.

      • Custom. Presents you with mostly empty fields to fill with customer values.

    2. Check that the values are set correctly for your provider, and make changes as needed. Consult the following table for a description of each value you need to specify:

      Advanced-Attribute Mappings Field

      Description

      Default (RFC2307 Compliant)

      AD Equivalent

      gidNumber

      The attribute of a group entry that contains the GID number of a group.

      gidNumber

      gidnumber

      uid

      The attribute of a user entry that contains the user name.

      uid

      sAMAccountname (common, use unless you know otherwise). Also can be uid (rare) or cn (rare).

      uidNumber

      The attribute of a user entry that contains the UID number.

      uidNumber

      uidNumber

      memberUid

      The attribute of the group entry that contains names of group members.

      memberUid

      member

      posix Account

      The object class that defines a user entry.

      posixAccount

      user

      posix Group

      The object class that defines a group entry.

      posixGroup

      group

      Match User

      The attribute to use when querying a provider for a user that matches a user that was already retrieved from another provider. A user entry that contains a matching value in this attribute will be considered the same user as the user previously retrieved.

      Equal to the setting for uid.

      		  

      Username Property Name

      The attribute to use when querying a provider for a user when the query is initiated by a VMS user.

      name

      		  

      user login name

      Applicable only for Active Directory and only for NFSv4 with client-enabled ID matching. This field specifies the attribute used to query AD for the user login name for NFS4 ID mapping.

      On NDU, this value is set to sAMAccountname for Active Directory configurations.

      uid

      sAMAccountname

      group login name

      Applicable only for Active Directory and only for NFSv4 with client-enabled ID matching. This field specifies the attribute used to query AD for the group login name for NFS4 ID mapping.

      On NDU, this value is set to sAMAccountname for Active Directory configurations.

      cn

      sAMAccountname

  7. Click Create.

    The record is now created and you can see it displayed. The JOINED status is displayed as NO because the cluster has not yet joined the AD server.

  8. Click Actions_Button.png to open the Actions menu for the configuration record and select Join to join the Active Directory server.

  9. Supply a user name and password for an admin user with permission to join the Active Directory server. (These credentials are used only for a one time connection and not stored on the cluster.)

    This may take a few moments. When the cluster has joined the server, the status displayed in the JOINED column changes to YES.

 

Joining Active Directory via VAST CLI

  1. Run ldap create from the command line to configure a binding to the LDAP domain of the Active Directory server:

    vcli: admin> ldap create --urls ldap://company-ad.com,ldap://company-ad2.com --port 389 --binddn cn=admin,ou=users,dc=mycompanyad,dc=com --bindpw **** --basedn ou=users,dc=mycompanyad,dc=com --group-searchbase ou=groups,dc=mycompanyad,dc=com --method simple --use-tls --domain-name co-ad.com --posix-templates AD

  2. Run ldap list to identify the ID of the LDAP configuration record.

  3. Run activedirectory create from the command line, specifying the LDAP record. This creates the record of the AD configuration.

    vcli: admin> activedirectory create --ldap-id 2 --machine-account-name co-vcluster  --organizational-unit OU=Computers,DC=co-ad,DC=com

  4. Run activedirectory list to identify the ID of the record:

    vcli: admin> activedirectory list
+----+----------------------+-----------------------------+----------+
| ID | Machine Account Name | Organizational Unit         | State    |
+----+----------------------+-----------------------------+----------+
| 2  | co-vcluster          | OU=Computers,DC=co-ad,DC=com| Disabled |
+----+----------------------+-----------------------------+----------+

  5. Run activedirectory modify, specifying the ID, setting status to enabled to join the domain, and providing a user name of an AD Admin user with permission to join the AD domain:

    vcli admin> activedirectory modify --id 2 --enabled --admin-username USER

  6. Confirm that you wish to proceed:

    Are you sure you want to modify the Active directory? [y/N] y

  7. Enter the password for the AD admin user when prompted:

    Enter admin password:
Password:

Waiting ...

[2020-03-31 10:18:39] waiting for active directory My_AD enabled state to change to True ... /

Completed
vcli: admin>

  8. The status is now enabled:

    vcli: admin> activedirectory list
+----+----------------------+-----------------------------+---------+
| ID | Machine Account Name | Organizational Unit         | State   |
+----+----------------------+-----------------------------+---------+
| 2  | co-vcluster          | OU=Computers,DC=co-ad,DC=com| Enabled |
+----+----------------------+-----------------------------+---------+
 

Leaving Active Directory

When you leave AD, the cluster's machine account is deleted from the AD server.

If the AD server is not accessible to the cluster when you try to leave AD, the leave will fail. In that event, you can effectively force the cluster to leave AD by removing the AD configuration from the cluster. The machine account will remain on the AD server, where it can be manually deleted.

  • From the VAST Web UI: On the Active Directory tab, click Actions_Button.png to open the Actions menu for the Active Directory configuration and select Leave.

  • From the VAST CLI: Run the activedirectory modify command with the --disabled option.

 
 

Related articles

Comments

0 comments

Article is closed for comments.