VAST Cluster leverages Active Directory (AD) in two ways:
Via direct AD queries using native AD APIs.
Via LDAP queries using LDAP APIs since AD is also an LDAP server.
Configuring a connection to Active Directory can therefore include either of the following:
Configuring LDAP connectivity to Active Directory, as for configuring LDAP connectivity to any other LDAP-based directory server. This is relevant in the case where you are using Active Directory to authorize file and directory access via NFSv3. (It is also theoretically relevant for NFSv4.1 access if, atypically, NFSv4.1 were used without Kerberos authentication or ID mapping.)
Both LDAP connectivity to Active Directory and the AD domain join process, in which the VAST Cluster is added to an AD domain as a new directory object. The AD domain join is required for enabling SMB access to the cluster. Similarly, in order to enable NFSv4.1 access with Kerberos authentication or with ID mapping, AD domain join is required.
Active Directory running on Windows Server 2008R2 or newer.
A domain name served by Active Directory, and a DNS setup to resolve the domain name.
User credentials for an admin user with permission to create and modify machine accounts within the Organizational Unit (OU) in the Active Directory domain to which you want to add the new machine object for the cluster.
Views exposed as SMB shares work only if the cluster is joined to Active Directory. This includes views that are exposed only to SMB and multiprotocol views that are exposed to both SMB and NFS.
As part of the LDAP configuration, you must map LDAP attributes to the AD schema. This step is required for SMB access to work.
Typically, NFSv4.1 access is used with Kerberos authentication and ID mapping. Kerberos and NFS4 ID mapping require that the cluster is joined to Active Directory. When configuring LDAP connectivity in this case, be sure to set advanced attribute mappings as required for NFS4 ID mapping.
If you're using Active Directory as an LDAP server for NFSv3 access, follow Connecting to an LDAP Server.
VAST Cluster supports client user access from multiple automatically discovered Active Directory (AD) domains, with automatic discovery of domain controllers (DCs).
Auto-discovery is an optional setting that you can enable or disable in the LDAP configuration for Active Directory.
When auto-discovery is enabled, VAST Cluster automatically discovers all domains and domain controllers in the AD forest. When the cluster queries AD for users and groups, all discovered domains are queried. After initial discovery is complete, you can view the discovered AD objects, including AD global catalog servers. The information is updated periodically, with indication of the time to the next refresh of the global catalog that is currently used by the cluster.
You can choose whether to use LDAP over TLS (LDAPS) for AD domain auto-discovery. If set to use LDAPS, VAST Cluster connects to port 636 for the domain controller or port 3269 for the global catalog and initiates a TLS handshake immediately afterwards.
When auto-discovery is disabled, VAST Cluster contacts only manually configured domain controllers and does not process requests from users in other domains in the AD forest. You have to specify LDAP URIs and the search base DN in the LDAP configuration for Active Directory.
From the left navigation menu, select User Management and then Active Directory.
Click Create Active Directory to create a new Active Directory record.
Only one Active Directory record can be defined at a time.
Complete the Active Directory fields for creating the machine object on the Active Directory domain:
Machine account name (required)
Specify a name for the machine object that will be created for the cluster within Active Directory, inside the Organizational Unit (see next). For simplicity, it is recommended to use the cluster name as the machine account name.
Organizational unit (required)
The organizational unit (OU) in the Active Directory domain in which to create the machine object.
Specify as a Distinguished Name (DN).
Preferred DC List
This field is available only if Auto-discovery is disabled.
Specify a comma-separated list of preferred domain controllers (DCs).
You can include IPs or host names in the list.
In the LDAP section of the dialog, if LDAP connectivity to Active Directory has already been configured on the cluster, select the existing LDAP configuration from the dropdown list. Otherwise, select Create new ldap.
Complete the LDAP fields to configure LDAP connectivity to Active Directory:
URLs (required if Auto-discovery is off)
This field is available only if Auto-discovery is disabled.
Enter a comma-separated list of URIs of the AD domain's domain controllers (DCs). The order of listing defines the priority order. The DC with highest priority that has a good health status is used.
Specify the URI of each DC in the format
<address> can be either a DNS name or an IP address.
When enabled, VAST Cluster automatically discovers and queries all domains and domain controllers in the Active Directory forest. For more information, see AD Domain Auto-Discovery.
When disabled, the LDAP URI ( URLs ) and search base DN ( Base DN ) fields must be specified manually. VAST Cluster contacts only the domain controller configured in the URLs field and does not process requests from users in other domains in the Active Directory forest.
The port to append to the URI.
389 for LDAP (with or without TLS),
Enables or disables use of LDAP over TLS (LDAPS) if Auto-discovery is enabled.
When enabled, VAST Cluster connects to an alternative port (port 636 for the domain controller, port 3269 for the Global Catalog) and initiates a TLS handshake immediately afterwards.
The fully qualified domain name (FQDN) of the Active Directory domain to join.
Authentication method (required)
The LDAP authentication method that the AD domain controller uses to authenticate clients:
Anonymous. The AD domain controller accepts queries without any authentication.
Simple. The AD domain controller attempts to bind a specified user name to a matching AD user. If the LDAP bind succeeds, VAST Cluster is allowed access to perform the query. Set also Bind DN and Bind password.
This field is available only if Auto-discovery is disabled.
The entry in the Active Directory tree to use as a starting point for user queries. By default, this is also used as the starting point for group queries. Optionally, you can specify a different entry as the Group Base DN.
To maximize the speed of authentication queries, start the search in the lowest branch of the tree under which all users can be found. For example, if the entire directory must be queried, the search base must specify the root of the tree. However, if the search can be restricted to a specific organizational unit (OU), queries may be faster.
The format for base DN is a comma separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component defines the object at the lowest part of the tree that you want to use as the starting point of the search, the next component is its container and so on up the tree, with the last component representing the top level domain.
The following attributes can be specified:
cn: common name
ou: organizational unit
For example, supposing your user accounts are all located in a container called 'users' under a domain 'mydomain.local'. If you want to set the users container as the starting point for search queries, you would enter:
To specify the full domain as your search base, you would enter:
Bind DN (required if Authentication method is set to Simple)
Enter the bind DN for authenticating to the LDAP domain. You can specify any user account that has read access to the domain.
Format is as described for Search base beginning with a cn attribute component specifying the user object.
cn=admin,ou=users,dc=mydomain,dc=local specifies user 'admin' located in the 'users' container under the domain 'mydomain.local'.
Bind password (required if Authentication method is set to Simple)
This field appears if Simple is selected in the Method field. This is the password used with the Bind DN to authenticate to the AD domain controller.
Query Group Mode
Sets the mode for querying a user's auxiliary group memberships, where applicable:
Group memberships may or may not be queried during access checks depending on the Group Membership Source setting in the View Policy.
Compatible (default). Groups are queried using an aggregate of the RFC2307BIS and RFC2307 compliant group membership queries (see the other options). You can use this default option unless you are using an authentication provider which is incompatible with this aggregated query mode.
RFC2307BIS only. Auxiliary group memberships are queried according to the RFC2307BIS standard, in which the group has a member attribute that contains the Distinguished Name (DN) of the member user and the user has a memberOf attribute which contains the DNs of the groups to which the user belongs. This standard is used by Active Directory and may be used with other LDAP-based authorization providers with LDAP schema extensions.
RFC2307 only. Auxiliary group memberships are queried according to the RFC2307 standard, in which the group object has a memberUid attribute for each user object that is a member of the group, specifying the name of the user object. This standard may be used by openLDAP, freeIPA and other LDAP-based authorization providers.
None. If this option is selected, auxiliary group memberships are not queried at all. In the event that the relevant view's view policy cites the authorization provider as the group membership source and the user tries to access a file or directory within that view to which the user only has permission as a member of the owning user's group, permission will not be granted.
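The four query modes can be compared side by side. The following is an added example, not VAST code: it builds the group search filter each mode implies from the member and memberUid attributes described above, and evaluates the modes against a constructed in-memory directory. The helper names and sample entries are assumptions made for illustration.

```python
# Added illustration: constructed entries, hypothetical helper names.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a value for safe use in an LDAP search filter (RFC 4515)."""
    return "".join(_ESC.get(ch, ch) for ch in value)

def group_filter(mode, user_dn, uid):
    """Search filter that finds a user's groups under one query mode."""
    by_dn = f"(member={escape_filter_value(user_dn)})"    # RFC2307BIS
    by_uid = f"(memberUid={escape_filter_value(uid)})"    # RFC2307
    return {"rfc2307bis": by_dn, "rfc2307": by_uid,
            "compatible": f"(|{by_dn}{by_uid})", "none": None}[mode]

def aux_groups(mode, user_dn, uid, groups):
    """Evaluate the chosen mode against in-memory group entries."""
    found = set()
    for g in groups:
        dn_hit = user_dn.lower() in (m.lower() for m in g.get("member", []))
        uid_hit = uid in g.get("memberUid", [])
        if (mode in ("rfc2307bis", "compatible") and dn_hit) or \
           (mode in ("rfc2307", "compatible") and uid_hit):
            found.add(g["cn"])
    return found

ALICE_DN = "cn=alice,ou=users,dc=mydomain,dc=local"
GROUPS = [  # constructed sample directory
    {"cn": "storage-admins", "member": [ALICE_DN]},
    {"cn": "builders", "memberUid": ["alice"]},
    {"cn": "auditors", "member": ["cn=bob,ou=users,dc=mydomain,dc=local"]},
]

def demo():
    """Groups resolved for the sample user under every mode."""
    return {m: sorted(aux_groups(m, ALICE_DN, "alice", GROUPS))
            for m in ("compatible", "rfc2307bis", "rfc2307", "none")}

if __name__ == "__main__":
    for mode, names in demo().items():
        print(f"{mode:11} {names}")
```

A group recorded only through memberUid is invisible in RFC2307BIS-only mode, and the reverse holds for member, so a mode that does not match the directory schema shows up as denied access rather than as an error.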
Enable to use TLS to secure communication between VAST Cluster and the LDAP server.
When enabled, VAST Cluster connects to the standard port (port 389 for the domain controller, port 3268 for the Global Catalog) and performs a StartTLS operation as defined in RFC 4513.
If Use TLS is enabled, use this field to provide a certificate if you want the cluster to verify the LDAP server's TLS certificate. The remote LDAP server's TLS certificate will be verified against the certificate you provide. If the certificate you provide does not list the certificate authority (CA) of the server's certificate, the cluster will fail to establish a connection with the LDAP server.
If you choose to leave this field blank, the VAST Cluster's TLS client will not request the LDAP server's TLS certificate and will ignore any certificate received. In that case the connection is encrypted, but the identity of the LDAP server is not verified.
Regardless of this field's value, ensure that the LDAP server is not configured to request client certificates (TLSVerifyClient should be set to never). Otherwise, connections will fail.
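Before supplying a certificate, it is useful to confirm that it actually validates a domain controller's certificate over both transports described above: LDAPS (TLS immediately on port 636) and StartTLS (upgrade on port 389). The following is an added example, not VAST code. The function names are hypothetical, and the host name and CA file path are supplied by the caller.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation

def starttls_request(msg_id=1):
    """BER-encode LDAPMessage{msg_id, ExtendedRequest{requestName=OID}}."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID
    ext = b"\x77" + bytes([len(name)]) + name
    body = b"\x02\x01" + bytes([msg_id]) + ext
    return b"\x30" + bytes([len(body)]) + body

def read_tlv(buf):
    """Return (tag, value, rest); handles short and long-form BER lengths."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[2:2 + n], "big")
        pos += n
    return tag, buf[pos:pos + length], buf[pos + length:]

def starttls_result(resp):
    """Return the resultCode of an ExtendedResponse (0 means success)."""
    _, msg, _ = read_tlv(resp)            # LDAPMessage SEQUENCE
    _, _, rest = read_tlv(msg)            # messageID
    tag, ext, _ = read_tlv(rest)          # ExtendedResponse [APPLICATION 24]
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, _ = read_tlv(ext)            # resultCode ENUMERATED
    return int.from_bytes(code, "big")

def verify_dc_tls(host, ca_file, ldaps=False, timeout=5):
    """Handshake with a DC, trusting only the CA certificate(s) in ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)  # chain + hostname checks
    sock = socket.create_connection((host, 636 if ldaps else 389), timeout)
    try:
        if not ldaps:                     # StartTLS: upgrade the plain session
            sock.sendall(starttls_request())
            # The reply is small; a single recv is assumed to hold it all.
            if starttls_result(sock.recv(4096)) != 0:
                raise ConnectionError("server refused StartTLS")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]
    finally:
        sock.close()
```

verify_dc_tls raises ssl.SSLCertVerificationError when the supplied CA file does not cover the server's certificate or the host name does not match.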
Click Advanced-attribute mappings to make sure that the correct object class names will be used to query the provider's entries and to ensure that the user authorization process will find users and groups on the provider.
Do the following:
Select a template from the Templates for advanced setting dropdown. This fills the attribute mapping fields with a base set of values before you make any custom modifications:
AD. Fills all the attribute mapping fields with RFC2307BIS-compliant values, typically used in Active Directory.
OpenLDAP. Fills all the attribute mapping fields with RFC2307-compliant values, used by OpenLDAP and other LDAP-based providers.
Custom. Presents you with mostly empty fields to fill with customer values.
In the Group base DN field, specify the entry in the AD directory tree to use as a starting point for group queries. By default, the Base DN is used.
Check that the values are set correctly for your provider, and make changes as needed. Consult the following table for a description of each value you need to specify:
The record is now created and you can see it displayed. The JOINED status is displayed as NO because the cluster has not yet joined the AD domain.
Click to open the Actions menu for the configuration record and select Join to join the AD domain.
Supply a user name and password for an admin user with permission to join the AD domain. (These credentials are used only for a one time connection and not stored on the cluster.)
This may take a few moments. When the cluster has joined the AD domain, the status displayed in the JOINED column changes to YES.
Run ldap create to configure LDAP connectivity to Active Directory.
If you are going to enable AD domain auto-discovery, specify a single URI in the --url parameter. Also note that the auto-discovery feature cannot be enabled right on the initial ldap create command. It must be enabled with an ldap modify command after the Active Directory configuration is created (as a last step in this procedure).
vcli: admin> ldap create --urls ldap://company-ad.com,ldap://company-ad2.com --port 389 --binddn cn=admin,ou=users,dc=mycompanyad,dc=com --bindpw **** --basedn ou=users,dc=mycompanyad,dc=com --group-searchbase ou=groups,dc=mycompanyad,dc=com --method simple --use-tls --domain-name co-ad.com --posix-templates AD
An LDAP configuration record is created.
Run ldap list to find out the ID of the newly created LDAP configuration record. In this example, the ID is 2.
Run activedirectory create with the LDAP configuration record ID specified on the
vcli: admin> activedirectory create --ldap-id 2 --machine-account-name co-vcluster --organizational-unit OU=Computers,DC=co-ad,DC=com
An AD configuration record is created.
Run activedirectory list to find out the ID of the AD configuration record. In this example, the ID is 3.
Run activedirectory modify with the AD configuration record ID specified on the --id parameter. Add the --enabled option to join the AD domain. Specify --admin-username and provide a user name of an AD admin user with permission to join the AD domain:
vcli admin> activedirectory modify --id 3 --enabled --admin-username USER
Confirm that you wish to proceed:
Are you sure you want to modify the Active directory? [y/N] y
Enter the password for the AD admin user when prompted:
Enter admin password:
Password:
Waiting ...
[2022-03-31 10:18:39] waiting for active directory My_AD enabled state to change to True ... /
Completed
vcli: admin>
Run activedirectory list again and verify that the Active Directory configuration state is now
If you want to enable AD domain auto-discovery, run ldap modify with the LDAP configuration record ID specified on the --ldap-id parameter. Add the --enable-auto-discovery option and specify the AD POSIX template:
vcli: admin> ldap modify --ldap-id 2 --enable-auto-discovery --posix-templates AD
When AD domain auto-discovery is enabled, you can view the discovered AD topology as follows:
To view automatically discovered AD domains:
Via VAST Web UI: On the Active Directory tab, click to open the Actions menu for the Active Directory configuration and select Show AD Domains.
Via VAST CLI: Run the
The display lists each of the discovered AD domains in the AD forest with indication of its fully qualified domain name (FQDN), search base DN, and security identifier (SID).
To view automatically discovered domain controllers (DC) of the AD domain that the cluster has joined:
Via VAST Web UI: On the Active Directory tab, click to open the Actions menu for the Active Directory configuration and select Show Joined Domain DCs.
Via VAST CLI: Run the
The display lists each of the discovered DCs in the cluster's joined domain with indication of its URI, status (such as HEALTHY or FAILED), and whether it is on the same AD site as the cluster.
To view automatically discovered AD global catalog (GC) servers:
Via VAST Web UI: On the Active Directory tab, click to open the Actions menu for the Active Directory configuration and select Show AD Global Catalog.
Via VAST CLI: Run the
The display shows the URI of the AD global catalog (GC) server that is currently used by the cluster and the time to the next global catalog refresh (in seconds). Following is a list of other discovered GC servers, each with indication of its URI, status (such as HEALTHY or FAILED), and whether it is on the same AD site as the cluster.
When you leave an AD domain, the cluster's machine account is deleted from the AD domain controller.
If the AD domain controller is not accessible to the cluster when you try to leave the AD domain, the leave will fail. In this case, you can effectively force the cluster to leave the AD domain by removing the AD configuration from the cluster. The machine account will remain on the AD domain controller, where it can be manually deleted.
Via VAST Web UI: On the Active Directory tab, click to open the Actions menu for the Active Directory configuration and select Leave.
Via VAST CLI: Run the activedirectory modify command with the