PowerVault ME5: Login Failure Using LDAP With Message "Unable to Authenticate Login, Try Again"
Summary: Authentication using LDAPS is available using PowerVault ME5 controller firmware ME5.1.1.0.5 and later.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Instructions
Administrators need the following information to configure LDAP login on PowerVault ME5.
- Controller firmware ME5.1.1.0.5 or later
PowerVault ME5 controller firmware must be version ME5.1.1.0.5 or later. If the ME5 current controller firmware version is ME5.1.0.1.0, see KB article 207484, PowerVault ME5: Firmware update from ME5.1.0.1.0 to ME5.1.1.0.5 or above does not complete.
- Lightweight Directory Access Protocol (LDAPS) services provided from Windows Server 2016, 2019, or 2022 Active Directory for user authentication and authorization
The LDAP server must be an Active Directory server running Windows 2016, 2019, or 2022. The server must allow basic authentication using an LDAP over SSL (LDAPS) interface Port 636; that is, a TLS v1.2 connection. To properly configure LDAP, consult your Microsoft operating system documentation.
- LDAP server IP address or DNS name
Where using DNS, configure the PowerVault DNS settings to use the same DNS as used by the Microsoft active directory services to ensure correct hostname resolution. To configure DNS in the PowerVault manager, go to Settings > Network > DNS.
- Microsoft active directory searchbase distinguished name, user principle name, AND active directory groups that the user is a member of the same. Both the sAMAccountName and userPrincipalName attributes are populated when creating a new user object in Windows Server 2016, 2019 or 2022 active directory.
The LDAP searchbase field uses the DistinguishedName (DN) format. For example, ou=colo,dc=bigco2,dc=com,dc=local
PowerVault Manager uses the UserPrincipalName (UPN) to log in to LDAP, this takes the format username@domain.com. Active directory administrators can check that this attribute is set. Windows server administrators can use the Get-ADUser module in PowerShell to view the user details and group membership.
It is recommended that:
A user should only be a member of one group that exists in the storage system. A user that is a member of more than one LDAP group in the storage system could have permission or configuration parameter inconsistencies.
The LDAP user is in no more than 100 LDAP groups.
For example, viewing the UserPrincipleName and distinguishedName for a user called Tom:
PS > Get-ADUser -Identity Tom DistinguishedName : CN=Tom,CN=Users,DC=Liverpool,DC=Anfield,DC=Net Enabled : True GivenName : Tom Name : Tom Smith ObjectClass : user ObjectGUID : 6a2bda7c-eb1f-41b3-897e-00048053084a SamAccountName : Tom SID : S-1-5-21-2317057084-3148409499-2425250475-1248 Surname : Smith UserPrincipalName : tom_smith@liverpool.anfield.net
For example, viewing the group membership for the user Tom:
PS > Get-ADUser Tom -Properties Memberof
DistinguishedName : CN=Tom,CN=Users,DC=Liverpool,DC=Anfield,DC=Net
Enabled : True
GivenName : Tom
MemberOf : {CN=Liverpool_ME5_Admins,OU=Groups,DC=Liverpool,DC=Anfield,DC=Net, CN=ESX Admins,OU=Groups,DC=Liverpool,DC=Anfield,DC=Net, CN=Administrators,CN=Builtin,DC=Liverpool,DC=Anfield,DC=Net}
Name : Tom Smith
ObjectClass : user
ObjectGUID : 6a2bda7c-eb1f-41b3-897e-00048053084a
SamAccountName : Tom
SID : S-1-5-21-2317057084-3148409499-2425250475-1248
Surname : Smith
UserPrincipalName : tom_smith@liverpool.anfield.net
NOTE: The Active Directory Module for Windows PowerShell must be enabled or installed on the host for the Get-ADUser module to be available in PowerShell. See Microsoft documentation as the procedure to install this module varies with the version of PowerShell and windows host used.
From the example above:
- The searchbase for the sAMAccountName Tom is CN=Users,DC=Liverpool,DC=Anfield,DC=Net
- The userprinciplename is tom_smith@liverpool.anfield.net
- Tom is a member of the group Liverpool_ME5_Admins
Configuring LDAP in PowerVault Manager
- Go to the LDAP Users panel (Settings > Users > LDAP)
Figure 1: PowerVault Manager - LDAP configuration
- Set the User Group
Figure 2: PowerVault Manager - User groups
- Log in to PowerVault Manager and use UserPrincipalName (UPN), username@domain.com.
Figure 3: PowerVault Authentication Manager - Log in
- When logging in using an SSH client, use the format ssh tom_smith@liverpool.anfield.net@192.168.0.33. Some SSH clients may require using Domain username format. For example, ssh Anfield\\tom_smith@192.168.0.33
More information
User login, logout, and actions through all interfaces for both local and LDAP users is recorded in an audit log that is accessible from Maintenance > Support > Audit Log Activity.
For more information, see the Dell PowerVault ME5 Series Administrator's Guide under the section System concepts > LDAP. The administrator's guide is on Dell.com/support under the Documentation tab for your ME5 product.
LDAP authentication is not available in previous PowerVault ME4 generation products.
Affected Products
PowerVault ME5012, PowerVault ME5024, PowerVault ME5084Article Properties
Article Number: 000210840
Article Type: How To
Last Modified: 22 Nov 2023
Version: 4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.