
April 27th, 2012 03:00

LDAP authentication on V-Plex

Dear engineers,

The objective, which is supposed to be completed, is to configure LDAP authentication on V-Plex clusters, so the storage administrators will be able to use their domain accounts to log in.

Unfortunately we are facing an issue with matching the right attributes between the Vplex and the AD. The VPLEX LDAP service is expecting an attribute named 'msSFU30Uidnumber'. This attribute does not exist in the current version of MS Services for Unix (SFU), because MS has changed the name to 'uidnumber'. We don't want to add "old" attributes to our AD scheme, so we may need to implement a mapping table on the LDAP client of the VPLEX management Servers, but so far we are unable to find a guidance to achieve this.

I'd appreciate your help with the following questions:

  1. Could you give advice on whether such a mapping table can be implemented, and how?
  2. Can you propose some other workaround for solving the objective above?

PS: Our current software versions are:

Product version: 5.0.1.01.00.05

SMSv2: D10.60.0.71.0

Mgmt server base: D4_MSB_7

Mgmt server software: D10.60.0.97

Thanks in advance!

With best wishes,

Tsetso



May 4th, 2012 12:00

Hi Tsetso,


VPLEX can certainly handle this situation.

In order to configure LDAP/AD we need to use the CLI command “authentication directory-service configure”.

We are aware that post Windows 2003 Microsoft changed the attribute names. To accommodate this the above command has a special option “[-c|--custom-attributes]”.

Just use this additional command line option and it will prompt you to provide the mapping. This is also documented in the CLI Guide.

Thanks

Farooq


May 8th, 2012 07:00

Hello Farooq,

At first, many thanks for your response!

We had set the custom attributes as described in the CLI guide, and unfortunately the authentication is still not working...

The command that we had issued is, as follows:

############################
VPlexcli:/> authentication directory-service configure -i 53.121.xx.xx -b "dc=emea,dc=corpds,dc=net" -m "ou=usersadministrative,ou=de,dc=emea,dc=corpds,dc=net" -n "cn=sxxxvplex01,ou=unix,dc=emea,dc=corpds,dc=net" -d 2 -p -t 1 --server-name sxxxx202.emea.corpds.net -o 389 --custom-attributes
Enter sxxxvplex01's password:*****
Set value for posixAccount attribute [User]:
Set value for posixGroup attribute [Group]:
Set value for uid attribute [msSFU30Name]: samaccountname
Set value for uidNumber attribute [msSFU30UidNumber]: uidnumber
Set value for gidNumber attribute [msSFU30GidNumber]: gidnumber
Set value for loginShell attribute [msSFU30LoginShell]: loginshell
Set value for homeDirectory attribute [msSFU30HomeDirectory]: unixhomedirectory
Connecting to authentication server (may take 3 minutes) ...
VPlexcli:/>

VPlexcli:/> authentication directory-service show
default-authentication-service: Native VPLEX
external-authentication-service: AD
ip: 53.121.xx.xx
base-dn: dc=emea,dc=corpds,dc=net
connection-type: TLS
mapped-principal: ['OU=UsersAdministrative,OU=de,DC=emea,DC=corpds,DC=net']
############################

Any other suggestions as to what could be wrong here? Thanks for your support!

Regards,

Tsetso


May 9th, 2012 06:00

Hi Tsetso,

I think the problem may be in the mapped principal:

ou=usersadministrative,ou=de,dc=emea,dc=corpds,dc=net

I assume "usersadministrative" is a group. We expect this group to have at least one user with all the UNIX attributes set to proper values. If the LDAP queries do not find even a single user below this group with all attributes complete, the authentication will not work.

Could you confirm whether that has been done?

Thanks

Farooq


May 13th, 2012 23:00

Hi Farooq and all,

Yep, I can confirm that the Organizational Unit called "usersadministrative" has members in it (OU name: usersadministrative\de\emea.corpds.net).

The thing that is somewhat blurry for me is: what should be the correct UNIX attributes and values? Could you advise me about that?

Thanks and kindest regards,

Tsetso


May 15th, 2012 04:00

Hi Tsetso,

From the command line output that you have specified, I see that VPLEX has validated the UNIX attributes provided by you successfully.

Set value for posixAccount attribute [User]:
Set value for posixGroup attribute [Group]:
Set value for uid attribute [msSFU30Name]: samaccountname
Set value for uidNumber attribute [msSFU30UidNumber]: uidnumber
Set value for gidNumber attribute [msSFU30GidNumber]: gidnumber
Set value for loginShell attribute [msSFU30LoginShell]: loginshell
Set value for homeDirectory attribute [msSFU30HomeDirectory]: unixhomedirectory

The members under the "usersadministrative" Organizational Unit who want to access the VPLEX CLI should have values set for these UNIX attributes.

The Active Directory administrator will be able to set values for these UNIX attributes.

The ‘samaccountname’ should be the user-id with which the user will login to the system. This will be already present for the user.

The ‘uidnumber’ should be a unique integer number to represent the user.

The ‘gidnumber’ should be a unique integer number to represent the group to which the user belongs.

The ‘loginshell’ should be the shell which the user would get after successful authentication. VPLEX by default will override the shell to the “bash” shell.

The ‘unixhomedirectory’ should be the user’s home directory in UNIX-style format.


Thanks,

Vinay


May 25th, 2012 06:00

Hi Tsetso,

Has the problem been solved? Were you able to authenticate against the AD server?

Thanks

Farooq


May 29th, 2012 15:00

Hi there,

Finally the LDAP problem was resolved. The issue that was causing it was with the AD account of the V-Plex (in the current example "cn=sxxxvplex01"). You MUST mark the AD V-Plex entry "password never expires", and from then on it will be okay.

Thanks for your support here and I hope this post will be useful for you!

Cheers,

Tsetso
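The two things this thread turned out to hinge on are checkable before the appliance is ever pointed at the directory: every user below the mapped principal must carry the UNIX attributes Vinay lists (under the names entered with --custom-attributes), and the bind account must not have an expiring password. The script below is an added example, not VPLEX or Dell EMC code. It runs over a constructed LDIF-style export (all DNs, names and values below are made up, mirroring only the DN layout quoted in the thread) and applies the exact attribute mapping the thread entered. The userAccountControl bit 0x10000 (ADS_UF_DONT_EXPIRE_PASSWD) is the standard AD flag behind "password never expires"; the helper names are this example's own.

```python
"""Pre-flight checks for a VPLEX-style LDAP/AD integration.
Added example (not VPLEX code); the LDIF below is constructed sample data."""
import re

# Mapping exactly as entered in the thread: VPLEX attribute -> AD attribute.
VPLEX_ATTRIBUTE_MAP = {
    "uid": "samaccountname",
    "uidNumber": "uidnumber",
    "gidNumber": "gidnumber",
    "loginShell": "loginshell",
    "homeDirectory": "unixhomedirectory",
}

# userAccountControl flag for "password never expires" (ADS_UF_DONT_EXPIRE_PASSWD).
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed sample export: alice is complete, bob reuses alice's uidNumber and
# has no home directory, carol sits outside the mapped principal with a bad uid,
# and the bind account has only NORMAL_ACCOUNT (512) set, so its password expires.
SAMPLE_LDIF = """\
dn: CN=alice,OU=UsersAdministrative,OU=de,DC=emea,DC=corpds,DC=net
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
loginShell: /bin/bash
unixHomeDirectory: /home/alice

dn: CN=bob,OU=UsersAdministrative,OU=de,DC=emea,DC=corpds,DC=net
sAMAccountName: bob
uidNumber: 10001
gidNumber: 10000
loginShell: /bin/bash

dn: CN=carol,OU=Service,OU=de,DC=emea,DC=corpds,DC=net
sAMAccountName: carol
uidNumber: abc
gidNumber: 10000
loginShell: /bin/bash
unixHomeDirectory: /home/carol

dn: CN=sxxxvplex01,OU=unix,DC=emea,DC=corpds,DC=net
sAMAccountName: sxxxvplex01
userAccountControl: 512
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into dicts; attribute names are lower-cased
    because AD attribute names are case-insensitive."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def under_base(dn, base_dn):
    """True if dn is base_dn or lies in its subtree (DN match is case-insensitive)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def check_entries(entries, mapped_principal, attribute_map=VPLEX_ATTRIBUTE_MAP):
    """Return {dn: [problems]} for users under mapped_principal; an empty dict
    means every candidate user has a complete, well-formed set of UNIX attributes."""
    problems, seen_uids = {}, {}
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        if not under_base(dn, mapped_principal):
            continue  # the appliance only searches below the mapped principal
        issues = []
        for vplex_attr, ad_attr in attribute_map.items():
            values = entry.get(ad_attr)
            if not values:
                issues.append(f"missing {ad_attr} (VPLEX {vplex_attr})")
                continue
            value = values[0]
            if vplex_attr in ("uidNumber", "gidNumber") and not re.fullmatch(r"\d+", value):
                issues.append(f"{ad_attr} is not an integer: {value!r}")
            if vplex_attr == "homeDirectory" and not value.startswith("/"):
                issues.append(f"{ad_attr} is not a UNIX-style path: {value!r}")
        uid = entry.get("uidnumber", [None])[0]
        if uid is not None and uid in seen_uids:
            issues.append(f"uidNumber {uid} also used by {seen_uids[uid]}")
        elif uid is not None:
            seen_uids[uid] = dn
        if issues:
            problems[dn] = issues
    return problems


def bind_account_password_never_expires(entries, bind_dn):
    """True if the bind account carries the 'password never expires' bit,
    False if it does not, None if the account is absent from the export."""
    for entry in entries:
        if entry.get("dn", [""])[0].lower() == bind_dn.lower():
            uac = int(entry.get("useraccountcontrol", ["0"])[0])
            return bool(uac & DONT_EXPIRE_PASSWORD)
    return None


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn, issues in check_entries(
            entries, "ou=usersadministrative,ou=de,dc=emea,dc=corpds,dc=net").items():
        print(dn, "->", "; ".join(issues))
    print("bind account never expires:",
          bind_account_password_never_expires(
              entries, "cn=sxxxvplex01,ou=unix,dc=emea,dc=corpds,dc=net"))
```

Feed it a real export (for instance from ldifde or ldapsearch) and an empty problem map plus a True for the bind account is the state the thread ended up needing; a False for the bind account is exactly the failure mode that cost weeks here, since the appliance reports nothing more specific than the three-minute connect timeout.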


October 4th, 2012 08:00

Hi,

In this example "useradministrative" is used as the mapped principal. You assumed that this is a group, not an OU. Does this mean it can be a group and need not be an OU? The documentation only covers using an OU.

Thanks

Stefan
