Note: Confirm the EXACT AD or LDAP information to be used.
It can occur that the
values entered into ECS (see below) do not match the details on the AD or LDAP server, and this can generate an
invalid credentials error output for the domain user log-in attempts.
View and ensure the values in the AD or LDAP server.
Read the
ECS Admin guide section on Authentication Providers chapter and "Add an AD or LDAP authentication provider."
Section 1)
It is
mandatory to have the
authentication provider set up correctly.
The authentication provider is where the ECS connection to the AD or LDAP server is defined.
Section 2 and 3)
ECS can be set up to use the AD or LDAP users as object users or as management users to log in to the ECS UI.
For awareness, an AD or LDAP server gives ECS general error messages, that is invalid credentials. In the setup or troubleshooting, begin with minimizing the complexity of the possible issues and proceed in several steps.
- Go to the ECS UI > Authentication Provider and set up an Authentication Provider to 1 AD or LDAP server with one server url. Note, it is to minimize the complexity.
- In the server URL box, try and use LDAP instead of LDAPS for testing, if possible. As if LDAP does not work, then surely LDAPS will not either.
- Have a correct manager DN.
- Set the search base it an exact users folder, not a large search base, just this is to discount the LDAP timeout value being exceeded.
- As a search filter, select the correct type, the users attributes on the AD or LDAP server would show which to use. See below. Possible search filter options: sAMAccountName=%U, userPrincipalName=%u, uid=%U
- Note, a common question is what Authentication Provider type to use: AD, Keystone, or LDAP. The advice is that if the server is a Windows Active Directory, then use AD type. If a Linux openLDAP, use LDAP type. If the server is a Keystone, then use Keystone.
- Add the test user as a domain management user and test the login.
- Add the test user on ECS UI > users > management user > add
- The correct format would be username@domainname, ECS uses the @ symbol as to detect that it should look for a domain user as defined in the Authentication Provider.
- Not you must add users to the users list as to define their rights on ECS, that is admin or monitor user privileges.
- Test the user log-in.
- If unsuccessful in domain user logging in, examine and troubleshoot
- If successful, then change the search base to the main search base the users wants, that is the root location,
- If it then fails, the only change between a successful log-in and unsuccessful is a search base change, see KB 58587: ECS: Intermittent login failure of domain users due to AD/LDAP timeout value exceeded
- If successful then the domain groups can now be tested.
- If a user can log in, then a user group may be used as well.
- Be sure that the group and the users of the required group are within the search base scope.
- Best to test a test user like above to determine that the connection is working.
- Remove the test user of the group from the ECS management list and instead add the test group that the user belongs to, to the ECS management users list. That is like the steps above we are trying to minimizing possible troubleshooting. The only difference is now ECS is aware of the group and not the direct user.
- Be aware of KB 81219: ECS: LDAP login group supportability that is if you want to use groups you must be aware of this KB.
- With a management user or group able to log in, that is helpful to know as it is easier to troubleshoot domain management user set up than domain object user setup, so it is good to test.
- If a user then wants to use domain object and can prove to themselves that same domain users work as UI management user, then that is helpful to know, as if a user can work as a UI management user then they should work as an object user.
- For LDAPS (LDAP over SSL or TLS) certificates, see the admin guide and KB 183654: ECS: How to setup and accept all certificates over LDAPS on ECS
- It is advisable to confirm that the LDAP connections works and users can log in on LDAP, before looking into setup LDAPS.
- Note, a valid and complete certificate chain may be required.
- If using LDAPS, The server urls in the authentication provider must be in the FQDN format rather than the IP address, as to match the LDAPS certificates that would list the LDAP servers FQDN instead of the IP address.
The purpose of the steps that are listed is to discount possible issues by simplifying the issues down into steps to check.
Section 1: Authentication Provider
See the ECS Admin guide for all steps.
You can add authentication providers to ECS if you want users to be authenticated by systems external to ECS.
An authentication provider is a system that is external to ECS that can authenticate users on behalf of ECS.
ECS stores the information that allows it to connect to the authentication provider so that ECS can request authentication of a user.
In ECS, the following types of authentication provider are available:
- Active Directory (AD) authentication or Lightweight Directory Access Protocol (LDAP) authentication: Used to authenticate domain users that are assigned to management roles in ECS.
- Keystone: Used to authenticate OpenStack Swift object users.
- Create the user or group in AD that contains the specific users that must log in ECS:
Note: The AD or LDAP server can be, for example, Windows or Linux. In this example, windows AD must be used, but a Linux OpenLDAP can be used instead with the correct details as filled out below.
Notice: The Authentication Provider page in ECS 3.4 is the same in ECS 3.2 or 3.3, a different background color is used.
- Navigation: Manage > Authentication
- Enter the Name and Description field and select the correct server type:
Note: An error message may occur if an incorrect type is attempted to be saved.
- Enter in the domains to be used.
Note: Enter each domain on a separate line, that is a multidomain forest setup. It should be pointed out that you can have multiple Authentication Providers for different separate domains or servers, if you want to.
- AD or LDAP server URL:
Note: The port can be omitted if the default port is used.
Ports:
The default port for LDAP is 389.
The default port for LDAPS is 636.
URL Format:
ldap://<Domain controller IP>:<port> Or ldaps://<Domain controller IP>:<port>
Note: You can specify one or more LDAP or LDAPS authentication providers. Place on different lines.
If the authentication provider supports a multidomain forest, use the global catalog server IP and always specify the port number.
The default port for LDAP is 3268. The default port for LDAPS is 3269.
Note, If using LDAPS, The server urls in the authentication provider must be in the FQDN format rather than the IP address, as to match the LDAPS certificates that would list the LDAP servers FQDN instead of the IP address.
- Changing or updating the Manager DN.
Note: it is Extremely Important to ensure that the Manager DN is correct, and that the Manager has the required authorization for the target users on the server.
Find and confirm on the AD or LDAP server:
For example: Manager DN: CN=Administrator,CN=Users,DC=nas2008test,DC=com
Must be the correct location of the Manager DN user on the AD or LDAP server.
The Manager DN:
This is the Active Directory Bind user account that ECS uses to connect to the Active Directory or LDAP server. This account is used to search Active Directory when an ECS administrator specifies a user for role assignment.
This user account must have "Read all inetOrgPerson information" in Active Directory. The InetOrgPerson object class is used in several non-Microsoft, LDAP, and X.500 directory services to represent people in an organization.
- Providers option
Note: Disable to add the server to ECS but not immediately use it for authentication. Disabled Providers do not have connectivity that is validated.
As it is important to test and validate the connection at this stage, have it enabled.
- Setting Group Attributes:
Note: This Indicates the Active Directory attribute that is used to identify and search for groups. Once set, it cannot be changed.
Default: CN
- Updating or changing the Group whitelisting
Note: For Active Directory, this value filters the group membership information that ECS retrieves about a user.
One or more group names as defined by the Authentication provider.
Multiple values and wildcards (for example MyGroup*, TopAdminUsers*) are allowed.
A blank value or Asterisk (*) makes ECS aware of all groups to which a user belongs.
By default, if no groups are added, users from any groups are accepted.
That is can be used to restrict user groups.
Blank or Asterisk value: No user groups restricted.
- Updating or changing the Search scope
Note: Searches for user-defined in the below search base. One Level (search for users one level under the search base) or Subtree (search the entire subtree under the search base). That is single level or hierarchical search options.
- Updating or changing the Search Base.
Note: It is Highly important that you review the following:
Folder location to begin the user search.
If a user is outside of the search base and search scope attempts to log in, an invalid credentials error is outputted.
Have all required AD or LDAP users be within the search base. And if the user wants to use user groups, have both the users and groups that are required within the search base.
ECS searches for the Users location, and then the Group location if required, confirm that the search base can find the users location, not just the Group location.
The group attribute can be defined in the "Group whitelisting."
Remember, you can have multiple Authentication Providers (with different search bases). Or you may change the search base as to include the required user location, that is change "CN=Users,DC=nas2008test,DC=com" to "DC=nas2008test,DC=com"
- Search Filter
Note: Indicates the string that is used to select subsets of users. Ex: userPrincipalName=%u
Not validated when added to the Authentication Provider. If alternate UPN suffix is AD configured, the Search Filter format value must be sAMAccountName=%U where %U is the username, and does not contain the domain name.
- Confirm the correct search filter that the users are to use:
Example:
If the AD server is configured for "userPrincipalName," "sAMAccountName" or "uid."
Check the AD or LDAP server to confirm, that is the LDIF file in an openLDAP server.
Indicator of userPrincipalName (Example found in AD):
dn:CN=user1,CN=Users,DC=marketing,DC=example,DC=com
userPrincipalName: user1@marketing.example.com
memberOf: CN=marketing,CN=Users,DC=example,DC=com
Indicator of uid (Example found in openLDAP)
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
Note: with sAMAccountName=%U, a user would still must log in as username@domain.com, as opposed to just the username.
This is to prevent conflict with nondomain user with the same username.
That is user1 > nondomain user login user1@nas2008test.com > domain user login
The domain value to be used should match the domain entry in the Authentication Provider for that user, that is nas2008test.com.
Not a users email, as they may not match, user@nas2008test.com vs user@emc.com.
The reason why sAMAccountName=%U uses a capital U and userPrincipalName=%u uses a lower case u:
By using 'U', it searches for ONLY the username, which is the purpose of sAMAccountName.
While userPrincipalName=%u examines the right-hand side of the user value as well, useful if user's domain differs from the domain name.
A customer AD or LDAP team should know which they use.
See external documents that are found online for more information about the differences.
Notice: Changes to an ECS Authentication Provider can take a few minutes to take effect. So wait 3-5 minutes between the log-in tests.
- Multidomain forest setup.
A Multidomain forest is where there are domains that are connected to each other, for example, a Parent and children domains.
Parent example: dell.com
Children domains example: amer.dell.com, emea.dell.com, apac.dell.com
1) A group may be in one of the domains and some of its users may be in other domains.
2) normally the domains are not visible to each other, but the parent domain can see all the children domains, therefore in setting up a multidomain forest connection, use the parent domain as the primary domain for the authentication provider.
Steps that are different:
A) Name the domain after the parent domain.
B) List all the domains of interest in the domains box of the authentication provider.
C) If the Authentication Provider supports a multidomain forest, use the global catalog server IP and always specify the port number. Default ports: LDAP: 3268, LDAPS: 3269
D) Set the search base to the root of the parent domain.
E) Note, the authentication provider name would be the primary identifier for the domain user usage. That is for this example, add users or groups like for example: group1@dell.com, not a subdomain like group1@amer.dell.com
See the section Management and object Users set up.
Section 2: Management and object Users set up
- Add the Group as the management User and choose the right roles:
Note: This is to create the required user group on the ECS side with the required rights.
You may create and test a single AD or LDAP user first, can be useful in troubleshooting.
Then, if the single user can log in with no issues, test the group management user.
Note: Nested Groups and their users can work, but are dependent on the Parent group working correctly. Test the Parent group first, by successfully logging in as a user in the Parent group, then consider a nested group.
System Admin (admin user) can also be a system monitor user (read-only access user). Admin rights override the monitor user rights.
- Test the login with the user in the group.
Note: If there is error message, examine the Notes section below.
Section 3: AD or LDAP users as object users set up
Keep in mind that creating a management user is useful to test the connection to the AD or LDAP and should be done before creating an AD or LDAP object user.
See the Admin guide
AND the data access guide.
- Add Domain users to a namespace for object user use:
You must add (assign) domain users into a namespace if you want these users to perform ECS object user operations. To access the ECS object store, object users and namespace Administrators must be assigned to a namespace. You can add an entire domain of users into a namespace, or you can add a subset of the domain users into a namespace by specifying a particular group or attribute that is associated with the domain.
A domain can provide users for multiple namespaces. For example, you might decide to add users such as the Accounts department in the "yourco.com" domain into Namespace1, and users such as the Finance department in the "yourco.com" domain into Namespace2. In this case, the "yourco.com" domain is providing users for two namespaces.
An entire domain, a particular set of users, or a particular user cannot be added into more than one namespace. For example, the "yourco.com" domain can be added into Namespace1, but the domain cannot also be added into Namespace2.
The following example shows that a System or namespace Administrator has added into a namespace a subset of users in the "yourco.com" domain; the users that have their Department attribute = Accounts in Active Directory. The System or namespace Administrator has added the users in the Accounts department from this domain into a namespace by using the Edit namespace page in the ECS Portal.
Figure 1. Adding a subset of domain users into a namespace using one AD attribute
Domain object users selected under the "domain" selection would be nonadmin object users with access rights to their own created buckets only.
Attributes are a subset option that can be removed by clicking "X."
The Attributes subset must match the Domain users Attributes on the AD server.
The following example shows a different example where the System or namespace Administrator is using more granularity in adding users into a namespace. In this case, the System or namespace Administrator has added the members in the "yourco.com" domain who belong to the Storage Admins group with the Department attribute = Accounts AND Region attribute = Pacific, OR belong to the Storage Admins group with the Department attribute = Finance.
Figure 2. Adding a subset of domain users into a namespace using multiple AD attributes
- Domain user to create a secret key as per the ECS Data access guide
A domain user creates an object user account by creating a new secret key using the self-service API provided by the self-service API.
The ECS Management REST API provides the ability to allow authenticated domain users to request a secret key to enable them to access the object store. The ECS API Reference can be used where you want to create a custom client to perform certain ECS management operations. For simple operations, domain users can use curl or a browser-based HTTP client to run the API to create a secret key.
See the Data access guide section: Create an S3 secret key: self-service.
A domain user can be created as an object user as on the UI like normal object user creation.
A user can create a domain object user using the self-service API. Each domain user would require a secret key, domain object groups cannot be used.
The self-service API allows valid domain users to create secret keys without a UI admin user creating each object user individually.
It is mandatory that a namespace be associated to the domain user or group beforehand or an invalid error would occur when attempting the self-service API commands.
First test the connection of the domain user to ECS:
user@device:~$ curl -ik -u TestUser@TestDomain.com https://10.xxx.xxx.xxx:4443/login
Enter host password for user 'TestUser@TestDomain.com':
HTTP/1.1 200 OK
Date: Thu, 09 Apr 2020 14:30:04 GMT
Content-Type: application/xml
Content-Length: 106
Connection: keep-alive
X-SDS-AUTH-TOKEN: BAAcYnJ_token_NlU0PQMAjAQASHVybjpzdG9yYWdlb3M6VmlydHVhbERhdGFDZW50ZXJEYXRhOmJhOGQ3ZTkzLTMyMGYtNDNmNy05Y2FkLWM4YWQzMWFiMzY1MAIADTE1ODYzNjE0Mjg5MTADAC51cm46VG9rZW46NGE3M2Q5ODYtODQ3My00ZjYxLTkwYWQtMzg5NTcyNmRmZGM3AgAC0A8=
X-SDS-AUTH-USERNAME: TestUser@TestDomain.com
X-SDS-AUTH-MAX-AGE: 28800
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><loggedIn><user>TestUser@TestDomain.com</user></loggedIn>
Create a secret key for the user
user@device:~$ curl -ks -H "X-SDS-AUTH-TOKEN: BAAcYnJ_token_NlU0PQMAjAQASHVybjpzdG9yYWdlb3M6VmlydHVhbERhdGFDZW50ZXJEYXRhOmJhOGQ3ZTkzLTMyMGYtNDNmNy05Y2FkLWM4YWQzMWFiMzY1MAIADTE1ODYzNjE0Mjg5MTADAC51cm46VG9rZW46NGE3M2Q5ODYtODQ3My00ZjYxLTkwYWQtMzg5NTcyNmRmZGM3AgAC0A8=" https://10.xxx.xxx.xxx:4443/object/secret-keys | xmllint --format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_secret_keys>
<secret_key_1/>
<secret_key_1_exist>false</secret_key_1_exist>
<secret_key_2/>
<secret_key_2_exist>false</secret_key_2_exist>
<key_timestamp_1/>
<key_timestamp_2/>
</user_secret_keys>
Use the token to create valid domain object user, and examine:
user@device:~$ curl -ks -H "X-SDS-AUTH-TOKEN: BAAcYnJ_token_NlU0PQMAjAQASHVybjpzdG9yYWdlb3M6VmlydHVhbERhdGFDZW50ZXJEYXRhOmJhOGQ3ZTkzLTMyMGYtNDNmNy05Y2FkLWM4YWQzMWFiMzY1MAIADTE1ODYzNjE0Mjg5MTADAC51cm46VG9rZW46NGE3M2Q5ODYtODQ3My00ZjYxLTkwYWQtMzg5NTcyNmRmZGM3AgAC0A8=" -H "Content-Type:application/json" -X POST -d "{}" https://10.xxx.xxx.xxx:4443/object/secret-keys | xmllint --format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_secret_key>
<link rel="self" href="/object/user-secret-keys/TestUser@TestDomain.com"/>
<secret_key>6C7fW_Secret_Key_COl38yzAHIRorJ3oiK</secret_key>
<key_expiry_timestamp/>
<key_timestamp>2020-04-09 14:44:27.431</key_timestamp>
</user_secret_key>
A domain user should now be able to use applications like S3 browser to use the namespace like normal object users.
User login error:
"Access is denied due to invalid or expired credentials."
Example from ECS 3.2/3.3 UI:
Example from 3.4 ECS UI:
Possible reasons:
- User or Password is incorrect.
- User not found, and user not found may be due to an incorrect search base in the authentication provider for that user.
- Changes to an ECS Authentication Provider can take a few minutes to take effect, and the corrected Authentication Provider is still updating the connection to AD or LDAP.
- User AD parameter "User must change password at next login" is active for that user. Note, ECS cannot change the domain users password on the AD or LDAP server therefore this causes an error, as the AD or LDAP server tries to enforce the parameter. Either change the password on a different application, or clear the parameter checkbox.
-
sAMAccountName type user is missing the correct domain value that is username@domain.
-
You may have set the search base to:
CN=Groups,DC=CAS,DC=EMC,DC=com
While the user location is:
CN=Users,DC=CAS,DC=EMC,DC=com
Set the search base to a location that can find the required users and the required group in the search scope:
DC=CAS,DC=EMC,DC=com
The search base is to find the users and the group they are in, not just the groups that the users are in. Group membership can be filtered out for in the search, using the group white listing option.
On attempting to create an authentication provider an error may occur:
"Error 1008 (http:400): invalid parameter"
"Connection to the LDAP server succeeded, but the Manager DN CN=Users,DC=CAS,DC=EMC,DC=com or its password failed to authenticate"
Double check that the Manager DN:
- Is set to the exact correct user location, that is CN=Administrator,CN=Users,DC=CAS,DC=EMC,DC=com not CN=Users,DC=CAS,DC=EMC,DC=com
- Password is correct.
- The user has the required authorization to be the Manager DN user.
On attempting to create an authentication provider an error may occur:
"Error 7000 (http: 500): An error occurred in the API Service. An error occurred in the API service. Cause: error creating auth provider."
In cases of new VDC set-ups, if the AD or LDAP Authentication Provider is attempted to be added before the VDC has a Replication Groups. The above error message can occur.
Possible cause:
Replication Group must be created before configure authentication provider.
As AD or LDAP users can be used as management or object users.
And Object users require a Replication Group to work, therefore adding an Authentication Provider may error due to the Replication Group check failing.
ECS support may find in the objcontrolsvc.log logs at the time of the authentication provider attempt:
command type REQUEST_AUTHPROVIDER_CREATE failed with error code ERROR_RG_NOT_FOUND and message 'replication group urn:storageos:ReplicationGroupInfo:00000000-0000-0000-0000-000000000000:global not found'
If so, add a Replication Groups to the VDC and then retry adding an Authentication Provider.
If a user has changed the LDAP server, while the FQDN of the new LDAP server matches the FQDN of the old LDAP server.
The current LDAP SSL certificate may point to the old LDAP server, therefore the LDAP SSL certificate must be replaced with an updated LDAP SSL certificate.
Possible error message:
Review that the certificate issued and ensure that FQDN matches exactly the URL used in the ECS UI. Alternatively review the Subject Alternative Names matches exactly from the certificate:
Command:
sudo openssl s_client -connect :636 < /dev/null | openssl x509 -noout -text | grep DNS:
Example:
node1:~ # sudo openssl s_client -connect XXX.XXX.XXX:636 < /dev/null| openssl x509 -noout -text | grep DNS:
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
DNS:FQDN.LDAPS1.LOCAL
node1:~ # sudo openssl s_client -connect XXX.XXX.XXX:636| openssl x509 -noout -text | grep DNS:
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
DNS:FQDN.LDAPS.LOCAL
Review your LDAPS certificate on ECS matches, if not, it may be that a new, correct certificate would be required for ECS.
A user may look into opening an SR with ECS support for assistance, if that is the case.
If there is an issue, support requires you to confirm beforehand:
- Has the Authentication Provider fields been correctly filled out by the user?
-
Has the Management User been created?
-
Are the test user and password entered correctly on the ECS log-in?
-
Are they able to log in with other user from a domain?
-
Is this the first time set up of the AD or LDAP on the ECS?
-
If not a new AD or LDAP set up on ECS, have they ever been able to log in with these credentials? If so, identify if there were any changes which would affect authorization?
If ECS support is required to assist:
Have all the required details on hand for support, including a test user details for the required domain.
Support may require a Web Ex session and for the user to show support both the AD or LDAP server and the ECS details. Support may require the user to enter a test user credential.
This content is translated in 15 different languages:
https://downloads.dell.com/TranslatedPDF/CS_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/DA_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/DE_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/ES-XL_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/FI_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/FR_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/IT_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/JA_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/KO_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/NL_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/NO-NO_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/PL_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/PT-BR_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/RU_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/SV_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/TR_KB539370.pdf |
https://downloads.dell.com/TranslatedPDF/ZH-CN_KB539370.pdf |