Important
Views exposed as SMB shares will work only if the cluster is joined to Active Directory. This includes views that are exposed only to SMB and multiprotocol views that are exposed to both SMB and NFS.
Important
NFS4 ID mapping requires that the cluster is joined to Active Directory with LDAP attribute mappings set as directed below.
Note
If you're using Active Directory as an LDAP server for NFSv3 access, follow Connecting to an LDAP Server.
VAST Cluster leverages AD in two ways:
- Via direct AD queries using native AD APIs.
- Via LDAP queries using LDAP APIs, since AD is also an LDAP server. As such, when you configure AD you are also implicitly configuring an LDAP provider.
Important
As part of the LDAP configuration (detailed below) you MUST map the advanced LDAP attributes to the AD schema. This step is required for SMB access to work.
As such, when you configure AD, the procedure includes configuring a binding to the LDAP domain of the Active Directory server.
- Active Directory on Windows Server 2008 R2 or newer.
- An Active Directory domain to join, with the DNS server used by the VAST Cluster able to resolve the _ldap and _kerberos SRV records of the Active Directory (AD) domain.
- User credentials for an admin user with permission to create and modify machine accounts within the Organizational Unit (OU) of the Active Directory domain in which the new machine object for the cluster will be created.
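A quick way to verify the DNS prerequisite before attempting the join is to query the resolver the cluster uses for the two SRV names. The following is an added example, not VAST code or anything from this page: it builds the _ldap and _kerberos SRV names for the AD domain, parses `dig +short SRV` answers into the order a client should try domain controllers in (lowest priority first, then highest weight), and reports any record that is missing. It assumes `dig` is installed on the host running it and reuses the co-ad.com domain from the CLI example further down; the sample dig output is constructed.

```python
"""Preflight for the DNS prerequisite: can the resolver the cluster uses find the
_ldap and _kerberos SRV records of the AD domain?  Added example, not VAST code."""
import shutil
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvTarget:
    priority: int
    weight: int
    port: int
    host: str


def srv_names(domain: str) -> list:
    """The two SRV names an AD domain publishes for its domain controllers
    (RFC 2782 naming: _service._proto.domain)."""
    domain = domain.strip().rstrip(".")
    return [f"_ldap._tcp.{domain}", f"_kerberos._tcp.{domain}"]


def parse_srv(dig_short_output: str) -> list:
    """Parse `dig +short SRV` lines of the form "priority weight port target."
    and order them as a client should try them: lowest priority first, then
    highest weight.  Lines that are not four fields (comments, timeouts) are skipped."""
    targets = []
    for line in dig_short_output.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue
        prio, weight, port, host = parts
        targets.append(SrvTarget(int(prio), int(weight), int(port), host.rstrip(".")))
    return sorted(targets, key=lambda t: (t.priority, -t.weight, t.host))


def lookup_srv(name: str, timeout: int = 5) -> list:
    """Resolve one SRV name with dig (assumed installed).  An empty list means the
    record was not found or dig is missing; either way the join prerequisite is not met."""
    if shutil.which("dig") is None:
        return []
    proc = subprocess.run(["dig", "+short", f"+time={timeout}", "SRV", name],
                          capture_output=True, text=True, check=False)
    return parse_srv(proc.stdout)


def preflight(domain: str) -> dict:
    """Map each required SRV name to its ordered targets; an empty list flags a failure."""
    return {name: lookup_srv(name) for name in srv_names(domain)}


# Constructed sample of a `dig +short SRV _ldap._tcp.co-ad.com` answer: three DCs,
# one of them at a lower-priority disaster-recovery site.
SAMPLE_DIG_OUTPUT = (
    "0 100 389 dc2.co-ad.com.\n"
    "0 200 389 dc1.co-ad.com.\n"
    "10 100 389 dc-dr.co-ad.com.\n"
)

if __name__ == "__main__":
    print("sample order:", [t.host for t in parse_srv(SAMPLE_DIG_OUTPUT)])
    for name, targets in preflight("co-ad.com").items():
        print(f"{name}: {'OK ' + targets[0].host if targets else 'MISSING'}")
```

Run it on a host that uses the same DNS server as the cluster; if either name comes back MISSING, fix DNS (or the domain name you are about to pass to ldap create) before creating the Active Directory record, because the join will fail at that point rather than at configuration time.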
- From the left navigation menu, select User Management and then Active Directory.
- Click Create Active Directory to create a new Active Directory record.
  Only one Active Directory record can be defined at a time.
- Complete the Active Directory fields for creating the machine object on the Active Directory domain:
  Machine account name (required): A name for the machine object that will be created for the cluster within Active Directory, inside the Organizational Unit specified next. For simplicity, it is recommended to use the cluster name as the machine account name.
  Organizational unit (required): The organizational unit (OU) in the Active Directory domain in which to create the machine object. Specify it as a Distinguished Name (DN), for example OU=Computers,DC=co-ad,DC=com as in the CLI example below.
- In the LDAP section of the dialog: if a binding to the LDAP domain of the Active Directory server was already configured on the cluster, select that existing LDAP configuration from the dropdown. Otherwise, select Create new ldap.
- Complete the LDAP fields. These fields configure a binding to the LDAP domain of the Active Directory server:
  - Click Advanced-attribute mappings to make sure that the correct object class names will be used to query the provider's entries, so that the user authorization process will find users and groups on the provider. Do the following:
    - Select a template from the Templates for advanced setting dropdown. This fills the attribute mapping fields with a base set of values before you make any custom modifications:
      - AD. Fills all the attribute mapping fields with RFC2307bis-compliant values, typically used with Active Directory.
      - OpenLDAP. Fills all the attribute mapping fields with RFC2307-compliant values, used by OpenLDAP and other LDAP-based providers.
      - Custom. Presents mostly empty fields for you to fill with custom values.
    - Check that the values are set correctly for your provider, and make changes as needed. Consult the attribute mapping table for a description of each value you need to specify.
- Click Create.
  The record is now created and displayed. Its JOINED status is NO because the cluster has not yet joined the AD domain.
- Click the Actions menu icon for the configuration record and select Join to join the Active Directory domain.
- Supply a user name and password for an admin user with permission to join the cluster to the Active Directory domain. (These credentials are used only for a one-time connection and are not stored on the cluster.)
  This may take a few moments. When the cluster has joined the domain, the status in the JOINED column changes to YES.
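The attribute-mapping step above (choosing the AD or OpenLDAP template) decides whether users and groups are found at all, and the failure mode is silent: the wrong mapping does not error at configuration time, it simply makes every user unknown at authorization time. The following is an added example, not code from VAST or from this page: a minimal resolver that looks up a login name and returns its POSIX uid, gid and supplementary groups under both mappings, run against constructed directory entries. The class and attribute names in the AD and OPENLDAP mappings are the conventional RFC 2307bis-style (Active Directory) and RFC 2307 (OpenLDAP) values and are assumed to match what the templates fill in; verify them against the mapping fields in the dialog before relying on them.

```python
"""Why the attribute-mapping template matters.  Added example, not VAST code:
a minimal authorizer that resolves a login name to its POSIX uid/gid and
supplementary groups under two mappings.  The attribute and class names are
the conventional RFC 2307 (OpenLDAP) and RFC 2307bis-style (Active Directory)
ones and are ASSUMED to match what the templates fill in; the directory
entries are constructed, not exported from a real server."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Mapping:
    user_class: str      # objectClass that marks a user entry
    login_attr: str      # attribute carrying the login name
    uid_attr: str        # POSIX uid number
    gid_attr: str        # POSIX primary gid number
    group_class: str     # objectClass that marks a group entry
    member_attr: str     # attribute listing the group's members
    member_is_dn: bool   # True: members are entry DNs (2307bis); False: login names (2307)
    group_gid_attr: str = "gidNumber"


# Assumed template contents (conventional values; verify against the cluster's mapping table).
AD = Mapping("user", "sAMAccountName", "uidNumber", "gidNumber", "group", "member", True)
OPENLDAP = Mapping("posixAccount", "uid", "uidNumber", "gidNumber", "posixGroup", "memberUid", False)


def resolve(login: str, entries: list, m: Mapping) -> Optional[dict]:
    """Return {"dn", "uid", "gid", "groups"} for login under mapping m, or None
    when no entry of the mapped user class carries that login name (the user is
    then unknown to authorization, however valid it is in the directory)."""
    user = next(
        (e for e in entries
         if m.user_class in e[1].get("objectClass", [])
         and login in e[1].get(m.login_attr, [])),
        None,
    )
    if user is None:
        return None
    dn, attrs = user
    # RFC 2307bis groups list member DNs; RFC 2307 groups list login names.
    member_key = dn if m.member_is_dn else login
    groups = sorted(
        int(g_attrs[m.group_gid_attr][0])
        for _, g_attrs in entries
        if m.group_class in g_attrs.get("objectClass", [])
        and member_key in g_attrs.get(m.member_attr, [])
    )
    return {"dn": dn, "uid": int(attrs[m.uid_attr][0]),
            "gid": int(attrs[m.gid_attr][0]), "groups": groups}


# Constructed entries: (dn, attributes) with list values, as an LDAP search returns them.
AD_DIR = [
    ("CN=alice,OU=users,DC=co-ad,DC=com",
     {"objectClass": ["top", "person", "user"], "sAMAccountName": ["alice"],
      "uidNumber": ["10001"], "gidNumber": ["5000"]}),
    ("CN=storage-admins,OU=groups,DC=co-ad,DC=com",
     {"objectClass": ["top", "group"], "gidNumber": ["5100"],
      "member": ["CN=alice,OU=users,DC=co-ad,DC=com"]}),
]
OPENLDAP_DIR = [
    ("uid=alice,ou=users,dc=mycompanyad,dc=com",
     {"objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"],
      "uidNumber": ["10001"], "gidNumber": ["5000"]}),
    ("cn=storage-admins,ou=groups,dc=mycompanyad,dc=com",
     {"objectClass": ["posixGroup"], "gidNumber": ["5100"], "memberUid": ["alice"]}),
]

if __name__ == "__main__":
    print("AD template on AD data:        ", resolve("alice", AD_DIR, AD))
    print("OpenLDAP template on AD data:  ", resolve("alice", AD_DIR, OPENLDAP))  # None
    print("OpenLDAP template, OpenLDAP:   ", resolve("alice", OPENLDAP_DIR, OPENLDAP))
```

Note the two mismatched cases: the OpenLDAP mapping applied to AD entries returns None because no entry has objectClass posixAccount with a uid attribute, and the AD mapping applied to OpenLDAP entries returns None for the mirror reason. A cluster in that state would reject SMB and NFS4 access for every user while the LDAP bind itself reports success, which is exactly why the procedure has you check the mapping before clicking Create.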
- Run ldap create from the command line to configure a binding to the LDAP domain of the Active Directory server:
  vcli: admin> ldap create --urls ldap://company-ad.com,ldap://company-ad2.com --port 389 --binddn cn=admin,ou=users,dc=mycompanyad,dc=com --bindpw **** --basedn ou=users,dc=mycompanyad,dc=com --group-searchbase ou=groups,dc=mycompanyad,dc=com --method simple --use-tls --domain-name co-ad.com --posix-templates AD
  With --method simple the bind password is carried in the bind request, so keep --use-tls set; without TLS it crosses the network in the clear. The bind DN only needs to search users and groups, so use a dedicated, least-privilege read-only account for it rather than a domain administrator. --posix-templates AD selects the AD attribute-mapping template, the equivalent of choosing AD under Templates for advanced setting in the Web UI.
- Run ldap list to identify the ID of the LDAP configuration record.
- Run activedirectory create from the command line, specifying the LDAP record. This creates the record of the AD configuration:
  vcli: admin> activedirectory create --ldap-id 2 --machine-account-name co-vcluster --organizational-unit OU=Computers,DC=co-ad,DC=com
- Run activedirectory list to identify the ID of the record:
  vcli: admin> activedirectory list
  +----+----------------------+------------------------------+----------+
  | ID | Machine Account Name | Organizational Unit          | State    |
  +----+----------------------+------------------------------+----------+
  | 2  | co-vcluster          | OU=Computers,DC=co-ad,DC=com | Disabled |
  +----+----------------------+------------------------------+----------+
- Run activedirectory modify, specifying the ID, setting the status to enabled to join the domain, and providing the user name of an AD admin user with permission to join the AD domain:
  vcli: admin> activedirectory modify --id 2 --enabled --admin-username USER
- Confirm that you wish to proceed:
  Are you sure you want to modify the Active directory? [y/N] y
- Enter the password for the AD admin user when prompted:
  Enter admin password:
  Password:
  Waiting ... [2020-03-31 10:18:39] waiting for active directory My_AD enabled state to change to True ... / Completed
  vcli: admin>
- The status is now enabled:
  vcli: admin> activedirectory list
  +----+----------------------+------------------------------+---------+
  | ID | Machine Account Name | Organizational Unit          | State   |
  +----+----------------------+------------------------------+---------+
  | 2  | co-vcluster          | OU=Computers,DC=co-ad,DC=com | Enabled |
  +----+----------------------+------------------------------+---------+
When you leave AD, the cluster's machine account is deleted from the AD server.
If the AD server is not accessible to the cluster when you try to leave AD, the leave will fail. In that event, you can effectively force the cluster to leave AD by removing the AD configuration from the cluster. The machine account will remain on the AD server, where it should be deleted manually: a stale machine account still holds a valid password and Kerberos identity for a host that no longer exists.
- From the VAST Web UI: On the Active Directory tab, click the Actions menu icon for the Active Directory configuration and select Leave.
- From the VAST CLI: Run the activedirectory modify command with the --disabled option.