Unsolved
LDAP authentication on V-Plex
Dear engineers,
The objective, which is supposed to be completed, is to configure LDAP authentication on V-Plex clusters, so the storage administrators will be able to use their domain accounts to log in.
Unfortunately we are facing an issue with matching the right attributes between the Vplex and the AD. The VPLEX LDAP service is expecting an attribute named 'msSFU30Uidnumber'. This attribute does not exist in the current version of MS Services for Unix (SFU), because MS has changed the name to 'uidnumber'. We don't want to add "old" attributes to our AD schema, so we may need to implement a mapping table on the LDAP client of the VPLEX management servers, but so far we are unable to find guidance on how to achieve this.
I'd appreciate your help with the following questions:
- Could you advise whether such a mapping table can be implemented, and how?
- Can you propose some other workaround for achieving the objective above?
PS: Our current software versions are:
Product version: 5.0.1.01.00.05
SMSv2: D10.60.0.71.0
Mgmt server base: D4_MSB_7
Mgmt server software: D10.60.0.97
Thanks in advance!
With best wishes,
Tsetso
Anonymous (5 Practitioner), May 4th, 2012 12:00
Hi Tsetso,
VPLEX can certainly handle this situation.
In order to configure an LDAP/AD we need to use the CLI command "authentication directory-service configure".
We are aware that post Windows 2003 Microsoft changed the attribute names. To accommodate this, the above command has a special option "[-c|--custom-attributes]".
Just use this additional command line option and it will prompt you to provide the mapping. This is also documented in the CLI Guide.
Thanks
Farooq
Tsetso, May 8th, 2012 07:00
Hello Farooq,
First of all, many thanks for your response!
We had set the custom-attributes as described in the CLI guide, and unfortunately the authentication is still not working...
The command that we issued is as follows:
############################
VPlexcli:/> authentication directory-service configure -i 53.121.xx.xx -b "dc=emea,dc=corpds,dc=net" -m "ou=usersadministrative,ou=de,dc=emea,dc=corpds,dc=net" -n "cn=sxxxvplex01,ou=unix,dc=emea,dc=corpds,dc=net" -d 2 -p -t 1 --server-name sxxxx202.emea.corpds.net -o 389 --custom-attributes
Enter sxxxvplex01's password:*****
Set value for posixAccount attribute [User]:
Set value for posixGroup attribute [Group]:
Set value for uid attribute [msSFU30Name]: samaccountname
Set value for uidNumber attribute [msSFU30UidNumber]: uidnumber
Set value for gidNumber attribute [msSFU30GidNumber]: gidnumber
Set value for loginShell attribute [msSFU30LoginShell]: loginshell
Set value for homeDirectory attribute [msSFU30HomeDirectory]: unixhomedirectory
Connecting to authentication server (may take 3 minutes) ...
VPlexcli:/>
VPlexcli:/> authentication directory-service show
default-authentication-service: Native VPLEX
external-authentication-service: AD
ip: 53.121.xx.xx
base-dn: dc=emea,dc=corpds,dc=net
connection-type: TLS
mapped-principal: ['OU=UsersAdministrative,OU=de,DC=emea,DC=corpds,DC=net']
############################
Any other suggestions what could be wrong here? Thanks for your support!
Regards,
Tsetso
Anonymous (5 Practitioner), May 9th, 2012 06:00
Hi Tsetso,
I think the problem may be in the mapped principal
ou=usersadministrative,ou=de,dc=emea,dc=corpds,dc=net
I assume "usersadministrative" is a group. We expect this group to have at least one user with all the unix attributes set to proper values. If the LDAP queries do not find even a single user below this group with all the attributes complete, the authentication will not work.
Could you confirm whether that has been done?
Thanks
Farooq
Tsetso, May 13th, 2012 23:00
Hi Farooq and all,
Yep, I can confirm that the Organizational Unit called "usersadministrative" has members in it (OU name: usersadministrative\de\emea.corpds.net).
The thing that is somehow blurry for me is: what should the correct unix attributes and values be? Could you advise me about that?
Thanks and kindest regards,
Tsetso
Anonymous (5 Practitioner), May 15th, 2012 04:00
Hi Tsetso,
From the command line output that you have specified, I see that VPLEX has validated the UNIX attributes provided by you successfully.
Set value for posixAccount attribute [User]:
Set value for posixGroup attribute [Group]:
Set value for uid attribute [msSFU30Name]: samaccountname
Set value for uidNumber attribute [msSFU30UidNumber]: uidnumber
Set value for gidNumber attribute [msSFU30GidNumber]: gidnumber
Set value for loginShell attribute [msSFU30LoginShell]: loginshell
Set value for homeDirectory attribute [msSFU30HomeDirectory]: unixhomedirectory
The members under the "usersadministrative" Organizational Unit who want to access the VPLEX CLI should have values set for these UNIX attributes.
The Active Directory administrator will be able to set values for these UNIX attributes.
The 'samaccountname' should be the user-id with which the user will log in to the system. This will already be present for the user.
The 'uidnumber' should be a unique integer number representing the user.
The 'gidnumber' should be a unique integer number representing the group to which the user belongs.
The 'loginshell' should be the shell which the user would get after successful authentication. VPLEX by default will override the shell to the "bash" shell.
The 'unixhomedirectory' should be the user's home directory in UNIX-style format.
Thanks,
Vinay
Anonymous (5 Practitioner), May 25th, 2012 06:00
Hi Tsetso,
Has the problem been solved? Were you able to authenticate against the AD server?
Thanks
Farooq
Tsetso, May 29th, 2012 15:00
Hi there,
Finally the LDAP problem was resolved. The issue that was causing it was the AD account of the V-plex (in the current example "cn=sxxxvplex01"). You MUST mark the AD VPlex entry "password never expires", and from then on it will be okay.
Thanks for your support here, and I hope this post will be useful for you!
Cheers,
Tsetso
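As an added example (not VPLEX, Dell EMC or any poster's code), the script below does offline what Vinay's list of UNIX attributes and Tsetso's final resolution ask an AD administrator to verify before a VPLEX LDAP configuration is attempted: it reads an LDIF export of the mapped OU (as produced by ldapsearch or ldifde; the export step itself is assumed), applies the same attribute mapping that was entered at the --custom-attributes prompts in the thread, reports every user missing or mis-typing one of the mapped attributes, flags duplicate uidnumber values, and checks the bind account's userAccountControl for the DONT_EXPIRE_PASSWD bit (0x10000) that "password never expires" sets. The LDIF data, DNs and domain names are constructed sample values, not the thread's directory.

```python
"""Offline pre-check of AD attributes for a VPLEX LDAP (custom-attributes) setup.

Added example, not VPLEX or Dell EMC code. Assumes the mapped OU and the bind
account were exported to LDIF with ldapsearch/ldifde; the sample below is constructed.
"""
import re

# Mapping entered at the --custom-attributes prompts in the thread:
# VPLEX POSIX attribute name -> attribute name present in this AD schema.
VPLEX_ATTRIBUTE_MAP = {
    "posixAccount": "User",
    "posixGroup": "Group",
    "uid": "samaccountname",
    "uidNumber": "uidnumber",
    "gidNumber": "gidnumber",
    "loginShell": "loginshell",
    "homeDirectory": "unixhomedirectory",
}

# userAccountControl bit that "password never expires" sets (DONT_EXPIRE_PASSWD).
DONT_EXPIRE_PASSWD = 0x10000

# Constructed sample export (placeholder domain, not real directory data).
MAPPED_PRINCIPAL = "ou=usersadministrative,ou=de,dc=example,dc=net"
SAMPLE_LDIF = """\
# constructed sample, not a real export
dn: CN=alice,OU=UsersAdministrative,OU=de,DC=example,DC=net
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
loginShell: /bin/bash
unixHomeDirectory: /home/alice

dn: CN=bob,OU=UsersAdministrative,OU=de,DC=example,DC=net
objectClass: user
sAMAccountName: bob
uidNumber: 10001
gidNumber: 10000
loginShell: /bin/bash

dn: CN=vplex01,OU=unix,DC=example,DC=net
objectClass: user
sAMAccountName: vplex01
userAccountControl: 512
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attr_lowercase: [values]} dicts.
    Unfolds continuation lines (leading space); skips comments and base64 (::) values."""
    entries, current = [], {}
    text = re.sub(r"\n ", "", text)  # LDIF line folding
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):  # malformed line or base64 value: not needed here
            continue
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def under(dn, base_dn):
    """True if dn lies below base_dn (case-insensitive DN suffix match)."""
    return dn.lower().endswith("," + base_dn.lower())


def check_posix_user(entry, attr_map=VPLEX_ATTRIBUTE_MAP):
    """Return the list of problems with one user entry; an empty list means VPLEX can use it."""
    problems = []

    def get(posix_name):
        vals = entry.get(attr_map[posix_name].lower(), [])
        return vals[0] if vals else None

    for posix_name in ("uid", "uidNumber", "gidNumber", "loginShell", "homeDirectory"):
        if get(posix_name) is None:
            problems.append(f"missing {attr_map[posix_name]} (VPLEX {posix_name})")
    for posix_name in ("uidNumber", "gidNumber"):  # must be integers
        v = get(posix_name)
        if v is not None and not v.isdigit():
            problems.append(f"{attr_map[posix_name]} must be an integer, got {v!r}")
    home = get("homeDirectory")  # must be a UNIX-style path
    if home is not None and not home.startswith("/"):
        problems.append(f"{attr_map['homeDirectory']} must be a UNIX-style path, got {home!r}")
    return problems


def check_mapped_ou(entries, base_dn=MAPPED_PRINCIPAL, attr_map=VPLEX_ATTRIBUTE_MAP):
    """Check every user below the mapped principal; also flag duplicate uidnumber values."""
    report, seen_uid = {}, {}
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        if not under(dn, base_dn):
            continue
        problems = check_posix_user(e, attr_map)
        uid = e.get(attr_map["uidNumber"].lower(), [None])[0]
        if uid is not None:
            if uid in seen_uid:
                problems.append(f"{attr_map['uidNumber']} {uid} duplicates {seen_uid[uid]}")
            else:
                seen_uid[uid] = dn
        report[dn] = problems
    return report


def bind_password_can_expire(entry):
    """True if the bind account's password can expire (the cause of the outage in the thread)."""
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    return not (uac & DONT_EXPIRE_PASSWD)


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for dn, problems in check_mapped_ou(parsed).items():
        print(dn, "OK" if not problems else problems)
    bind = next(e for e in parsed if e["samaccountname"][0] == "vplex01")
    print("bind account password can expire:", bind_password_can_expire(bind))
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents and MAPPED_PRINCIPAL with the OU given to -m; a clean run prints OK for every user and False for the bind account, which is the state Farooq's "at least one fully populated user" requirement and the "password never expires" fix both describe.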
SW5, October 4th, 2012 08:00
Hi,
In this example "useradministrative" is used as the mapped principal. You assumed that this is a group, not an OU. Does this mean it can be a group and need not be an OU? The documentation only covers using an OU.
Thanks
Stefan