Note
Use this procedure to configure a connection to an LDAP-based directory server to use the server as an authorization provider for NFS access. This can be an Active Directory domain controller. However, if you are using this Active Directory domain controller to authenticate and authorize SMB users, the cluster needs to join the Active Directory domain and you should follow the complete joining procedure instead: see Joining Active Directory.
-
From the left navigation menu, select User Management and then LDAP.
-
Click + Create LDAP to create an LDAP configuration, or open the Actions menu for an existing LDAP configuration and select Edit.
-
Enter the details of your LDAP server:
Field
Description
URLs (required if Auto-discovery is off)
This field is available only if Auto-discovery is disabled.
Enter a comma-separated list of URIs of LDAP servers (Domain Controllers (DCs) in Active Directory). The order of listing defines the priority order. The URI with highest priority that has a good health status is used.
Specify each URI in the format <scheme>://<address>, where <address> can be either a DNS name or an IP address. Examples:
-
ldap://company-ad.com
-
ldaps://company-ad.com
-
ldap://company-ad.com,ldap://company-ad2.com
-
ldap://192.0.2.0,ldap://192.0.2.1,ldap://192.0.2.2
Auto-discovery
When enabled, VAST Cluster automatically discovers and queries all domains and domain controllers in the Active Directory forest. For more information, see AD Domain Auto-Discovery.
When disabled, the LDAP URI (URLs) and search base DN (Base DN) fields must be specified manually. VAST Cluster contacts only the domain controller configured in the URLs field and does not process requests from users in other domains in the Active Directory forest.
Port (required)
The port of the remote LDAP server.
Recommended values: 389 for LDAP (with or without TLS), 636 for LDAPS.
Note
The recommended values are required if Auto-discovery and Use TLS are enabled. Failing to set the recommended port value can cause LDAP to disconnect.
Use LDAPS
Enables or disables use of LDAP over TLS (LDAPS) if Auto-discovery is enabled.
When enabled, VAST Cluster connects to an alternative port (port 636 for the domain controller, port 3269 for the Global Catalog) and initiates a TLS handshake immediately afterwards.
Domain name
The fully qualified domain name (FQDN) of the domain to join.
Authentication method (required)
The authentication method the LDAP server uses to authenticate VAST Cluster as a client querying the LDAP database. Set the method according to how the LDAP server is configured to authenticate clients. The following options are available:
-
Anonymous. The LDAP server accepts queries without any authentication.
-
Simple. The LDAP server attempts to bind a specified user name to a matching LDAP user. If the LDAP bind succeeds, VAST Cluster is allowed access to perform the query. If this method is selected, you have to set Bind DN and Bind password.
Base DN
This field is available only if Auto-discovery is disabled.
The entry in the LDAP directory tree to use as a starting point for user queries. By default, this is also used as the starting point for group queries. Optionally, you can specify a different entry as the Group Base DN.
To maximize the speed of authentication queries, start the search in the lowest branch of the tree under which all users can be found. For example, if the entire directory must be queried, the search base must specify the root of the tree. However, if the search can be restricted to a specific organizational unit (OU), queries may be faster.
The format for the base DN is a comma-separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component defines the object at the lowest part of the tree that you want to use as the starting point of the search, the next component is its container, and so on up the tree, with the last component representing the top-level domain.
The following attributes can be specified:
-
cn: common name
-
ou: organizational unit
-
o: organization
-
c: country
-
dc: domain
For example, suppose your user accounts are all located in a container called 'users' under a domain 'mydomain.local'. If you want to set the users container as the starting point for search queries, you would enter:
ou=users,dc=mydomain,dc=local
To specify the full domain as your search base, you would enter:
dc=mydomain,dc=local
Bind DN (required if Authentication method is set to Simple)
Enter the bind DN for authenticating to the LDAP domain. The bind DN specifies the user with which VAST Cluster authenticates to the LDAP directory. You can specify any user account that has read access to the domain.
The format is as described for Base DN, beginning with a cn attribute component that specifies the user object.
For example, cn=admin,ou=users,dc=mydomain,dc=local specifies the user 'admin' located in the 'users' container under the domain 'mydomain.local'.
Bind password (required if Authentication method is set to Simple)
This field appears if Simple is selected in the Authentication method field. This is the password used with the Bind DN to authenticate to the LDAP server.
Sets the mode for querying a user's auxiliary group memberships, where applicable:
Note
Group memberships may or may not be queried during access checks depending on the Group Membership Source setting in the view policy.
-
Compatible (default). Groups are queried using an aggregate of the RFC2307BIS and RFC2307 compliant group membership queries (see the other options). You can use this default option unless you are using an authentication provider which is incompatible with this aggregated query mode.
-
RFC2307BIS only. Auxiliary group memberships are queried according to the RFC2307BIS standard, in which the group has a member attribute that contains the Distinguished Name (DN) of the member user and the user has a memberOf attribute which contains the DNs of the groups to which the user belongs. This standard is used by Active Directory and may be used with other LDAP-based authorization providers with LDAP schema extensions.
-
RFC2307 only. Auxiliary group memberships are queried according to the RFC2307 standard, in which the group object has a memberUid attribute for each user object that is a member of the group, specifying the name of the user object. This standard may be used by OpenLDAP, FreeIPA and other LDAP-based authorization providers.
-
None. If this option is selected, auxiliary group memberships are not queried at all. In the event that the relevant view's view policy cites the authorization provider as the group membership source and the user tries to access a file or directory within that view to which the user only has permission as a member of the owning group, permission will not be granted.
Use TLS
Enable to use TLS (STARTTLS) to secure communication between VAST Cluster and the LDAP server.
When enabled, VAST Cluster connects to the standard port (port 389 for the domain controller, port 3268 for the Global Catalog) and performs a StartTLS operation as defined in RFC 4513.
If Use TLS is enabled, use this field to provide a certificate if you want the cluster to verify the LDAP server's TLS certificate. The remote LDAP server's TLS certificate will be verified against the certificate you provide. If the certificate you provide does not list the certificate authority (CA) of the server's certificate, the cluster will fail to establish a connection with the LDAP server.
If you choose to leave this field blank, the VAST Cluster's TLS client will not request the LDAP server's TLS certificate and will ignore any certificate received.
Important
Regardless of this field's value, ensure that the LDAP server is not configured to request client certificates (TLSVerifyClient should be set to never). Otherwise, connections will fail.
VMS Auth Provider
When enabled, this LDAP configuration is the one that is used for VMS authentication.
Note
Only two LDAP configurations are allowed, one with Active Directory (AD) and the other without AD.
Posix attribute source
Determines the domains from which VAST Cluster queries POSIX attributes. Options include:
-
Joined domain. The domain which VAST Cluster has joined.
-
All domains. All domains in the Active Directory forest.
-
Specific domains. One or more domains specified in Domains with posix attributes.
-
GC. All domains included in the Active Directory global catalog. When this option is chosen, the global catalog must be configured with POSIX attributes.
Note
This option is available when modifying an existing LDAP configuration. It cannot be set when creating an LDAP configuration.
Domains with posix attributes
Lists the specific domains when Posix attribute source is set to Specific domains.
Note
This option is available when modifying an existing LDAP configuration. It cannot be set when creating an LDAP configuration.
Reverse lookup
Enables reverse lookup for LDAP netgroups. By default, this option is disabled.
-
Click Advanced-attribute mappings to make sure that the correct object class names are used to query the provider's entries, so that the user authorization process finds users and groups on the provider.
Do the following:
-
Select a template from the Templates for advanced setting dropdown. This fills the attribute mapping fields with a base set of values before you make any custom modifications:
-
AD. Fills all the attribute mapping fields with RFC2307BIS-compliant values, typically used in Active Directory.
Note
This value is required to enable SMB access to the cluster.
-
OpenLDAP. Fills all the attribute mapping fields with RFC2307-compliant values, used by OpenLDAP and other LDAP-based providers.
-
Custom. Presents you with mostly empty fields to fill with custom values.
-
In the Group base DN field, specify the entry in the AD directory tree to use as a starting point for group queries. By default, the Base DN is used.
-
Check that the values are set correctly for your provider, and make changes as needed. Consult the following table for a description of each value you need to specify:
-
Click Create or Update.
The LDAP client configuration is created/updated.
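The field rules above (URI format, recommended ports, Simple bind requirements, DN component syntax, and the effect of leaving the TLS certificate blank) can be checked before a configuration is submitted. The following pre-flight validator is an added example, not VAST's own code; the cfg dictionary keys are assumed names chosen for the example and are not VAST CLI or API parameters.

```python
"""Pre-flight checks for an LDAP provider configuration, following the field rules on this
page. Added example, not VAST's code; the cfg keys are assumed names, not VAST parameters."""
from urllib.parse import urlsplit

DN_ATTRS = {"cn", "ou", "o", "c", "dc"}          # DN component attributes the page lists
RECOMMENDED_PORT = {"ldap": 389, "ldaps": 636}  # 389 for LDAP/StartTLS, 636 for LDAPS

def parse_dn(dn):
    """Split 'ou=users,dc=mydomain,dc=local' into [('ou', 'users'), ...]; raise on bad syntax."""
    comps = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not value or attr.lower() not in DN_ATTRS:
            raise ValueError(f"bad DN component: {part.strip()!r}")
        comps.append((attr.lower(), value))
    return comps

def check_ldap_config(cfg):
    """Return problems found; plain strings are errors, 'warning: ...' strings are advisories."""
    problems = []
    auto, tls = cfg.get("auto_discovery", False), bool(cfg.get("use_tls") or cfg.get("use_ldaps"))
    if not auto:  # URLs and Base DN must then be given manually
        urls = [u.strip() for u in cfg.get("urls", "").split(",") if u.strip()]
        if not urls:
            problems.append("urls required when auto-discovery is off")
        for u in urls:  # each URI is <scheme>://<address>, address a DNS name or IP
            s = urlsplit(u)
            if s.scheme not in RECOMMENDED_PORT or not s.hostname:
                problems.append(f"bad URI (expected <scheme>://<address>): {u}")
        if not cfg.get("base_dn"):
            problems.append("base_dn required when auto-discovery is off")
    for key in ("base_dn", "group_base_dn", "bind_dn"):
        if cfg.get(key):
            try:  # bind DN must start with the cn component naming the bind user
                if parse_dn(cfg[key])[0][0] != "cn" and key == "bind_dn":
                    problems.append("bind_dn must begin with a cn= component")
            except ValueError as e:
                problems.append(f"{key}: {e}")
    want = RECOMMENDED_PORT["ldaps" if cfg.get("use_ldaps") else "ldap"]
    if cfg.get("port") != want:
        msg = f"port should be {want}"  # mandatory when Auto-discovery and Use TLS are both on
        problems.append(msg if auto and cfg.get("use_tls") else "warning: " + msg)
    if cfg.get("auth_method", "anonymous") == "simple":
        if not (cfg.get("bind_dn") and cfg.get("bind_password")):
            problems.append("simple authentication needs bind_dn and bind_password")
        if not tls:
            problems.append("warning: simple bind without TLS sends the bind password in clear text")
    if tls and not cfg.get("tls_certificate"):
        problems.append("warning: no certificate given, so the server's TLS certificate is not verified")
    return problems
```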
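The group membership query modes described above (Compatible, RFC2307BIS only, RFC2307 only, None) decide which groups an access check sees. The following is an added example, not VAST's code, that resolves one user's auxiliary groups under each mode against a small constructed in-memory directory; the entry names and gidNumbers are constructed for the example.

```python
"""Resolve a user's auxiliary groups as each query mode on this page describes.
Added example, not VAST's code; DIRECTORY is a constructed stand-in for LDAP entries."""

# Constructed entries: DN -> attributes (multi-valued attributes are lists).
DIRECTORY = {
    "cn=alice,ou=users,dc=mydomain,dc=local": {
        "uid": ["alice"],
        "memberOf": ["cn=engineering,ou=groups,dc=mydomain,dc=local"],  # RFC2307BIS
    },
    "cn=engineering,ou=groups,dc=mydomain,dc=local": {
        "gidNumber": ["5001"],
        "member": ["cn=alice,ou=users,dc=mydomain,dc=local"],           # RFC2307BIS
    },
    "cn=backup,ou=groups,dc=mydomain,dc=local": {
        "gidNumber": ["5002"],
        "memberUid": ["alice"],                                        # RFC2307
    },
}

def groups_rfc2307bis(user_dn):
    """RFC2307BIS: follow the user's memberOf DNs, plus any group whose member lists the user DN."""
    found = set(DIRECTORY[user_dn].get("memberOf", []))
    found.update(dn for dn, e in DIRECTORY.items() if user_dn in e.get("member", []))
    return found

def groups_rfc2307(user_dn):
    """RFC2307: groups whose memberUid contains the user's name (not its DN)."""
    uid = DIRECTORY[user_dn]["uid"][0]
    return {dn for dn, e in DIRECTORY.items() if uid in e.get("memberUid", [])}

MODES = {
    "compatible": lambda dn: groups_rfc2307bis(dn) | groups_rfc2307(dn),  # default: both, aggregated
    "rfc2307bis_only": groups_rfc2307bis,
    "rfc2307_only": groups_rfc2307,
    "none": lambda dn: set(),  # auxiliary memberships are not queried at all
}

def auxiliary_gids(user_dn, mode="compatible"):
    """Set of gidNumbers the access check sees for this user under the given query mode."""
    return {DIRECTORY[g]["gidNumber"][0] for g in MODES[mode](user_dn)}

def group_permitted(user_dn, file_gid, mode="compatible"):
    """Whether a file owned by group file_gid is reachable through group permissions under mode."""
    return file_gid in auxiliary_gids(user_dn, mode)
```

With mode None, a user who only holds permission through group membership is denied, exactly the case the None option describes.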
To connect to an LDAP server, use the following CLI commands.
Tip
For full CLI command syntax, including VAST arguments, enter the command at the CLI prompt in the <command> <subcommand> format provided in the table, followed by ?.
Task | Command
---|---
Display the LDAP server configuration |
Add an LDAP configuration |
Change the LDAP server configuration |
To display details of a configured LDAP connection:
-
From the VAST Web UI, select the LDAP tab in the User Management page.
-
From the VAST CLI, run ldap list or ldap show.
The state of the LDAP connection reflects the health status of the configured DCs as follows:
-
Connected: All DCs are connected.
-
Failed: All DCs have failed.
-
Degraded: Some DCs have failed and at least one DC is connected. The URIs of the failed DCs are reported by an alarm.