Dell PowerFlex v3.6.x User Roles and LDAP Usage Technical Notes

Syntax

scli --add_ldap_service --ldap_service_uri <URI> --ldap_base_dn <LDAP_DN> [--ldap_fqdn <FQDN>]
  [--ldap_service_name <LDAP_NAME>]
  [--username_dn_format <FORMAT>]
  [--search_filter_format <FORMAT>]
  [--authorizer_dn <USER_DN>]
  [--authorizer_password <PASSWORD> 

Parameters

--ldap_service_uri <URI>

URI of the LDAP service:

<LDAP_SCHEMA>://<LDAP_HOSTNAME>: [<PORT_NUMBER> ]

Where:

<LDAP_SCHEMA>

Defines the connection protocol:

• LDAPS: Secure LDAP connection (recommended)
• LDAP: non-secure LDAP connection

<LDAP_HOSTNAME>

LDAP hostname

<PORT_NUMBER>

LDAP service port (optional, default: 389 for LDAP and 636 for LDAPS)

This parameter must start with ldap:// or ldaps:// followed by the host name.

Example: ldaps://my.ldaphost.com:636

When using the global catalog, one should specify the port number of the global catalog. The standard ports for global catalog are 3268 (non-secure) and 3269 (secure).

NOTE:No extra validation is performed at this stage.

--ldap_base_dn <LDAP_DN>

Base Distinguished Name (DN) of users in the domain. Must be a valid DN containing the DC substring. For example, if a user corporate login is johnd@ecme.corp.com, the DC string would be DC=ecme, DC=corp, DC=com.

NOTE:Configuring multiple LDAP servers with the same base DN is not supported.

NOTE:On Active Directory Windows servers, use the dsquery tool to find LDAP Base DN information. To see available options, in the command line type dsquery /?

On Linux servers, from the command line, use ldapsearch. (ldapsearch may need to be installed.)

--ldap_fqdn <FQDN>

The FQDN is used to identify the LDAP service. By default it is derived from the base-DN, but there are cases that it must be defined explicitly.

If you want to support multiple FQDNs for one service, this parameter can contain a list of sub-strings in square brackets. For example: [us.,eu.,as.,]dell.ldap will include users with the following suffixes: us.dell.ldap, eu.dell.ldap, as.dell.ldap, dell.ldap.

--ldap_service_name <LDAP_NAME>

LDAP service name

--username_dn_format <FORMAT>

The username format in DN format (must contain [USER] as a place holder for the username)

--search_filter_format <FORMAT>

A search filter for the LDAP query. This is required only if it is different from the default. It must contain [USER] and [GROUP] as place holders for username and group-DN. Example: (&(objectClass=user)(sAMAccountName=[USER])(memberOf:1.2.840.113556.1.4.1941:=[GROUP]))

--authorizer_dn <USER_DN>

The authorizer username for groups search

--authorizer_password <PASSWORD>

Password of the authorizer user

Examples

scli --add_ldap_service --ldap_service_uri "ldaps://ldaps.ecme.com:636" --ldap_base_dn "OU=SIO_OU_1,DC=ldaps,DC=local"

where:

• ldaps://ldaps.ecme.com is the host name of the authentication server.
• 636 is the port number.
• OU=SIO_OU_1 is a specific organizational unit group defined in the Active Directory.
• DC=ldaps, DC=local are the domain component parts of the Base DN.

scli --add_ldap_service --ldap_service_uri ldaps://ldaps.ecme.com:3269 --ldap_base_dn ou=sio_ou_1,dc=ldaps,dc=ecme,dc=com --ldap_fqdn [na.,eu.,as.,]ldaps.ecme.com

where:

• The access will be to the global catalog through port 3269.
• ou=sio_ou_1 is a specific organizational unit group defined in the Active Directory.
• dc=ldaps,dc=ecme,dc=com are the domain component parts of the Base DN.
• The following FQDNs servers will be mapped to the same URI ldaps://ldaps.ecme.com(): ldaps://na.ldaps.ecme.com, ldaps://eu.ldaps.ecme.com, ldaps://as.ldaps.ecme.com, and ldaps://ldaps.ecme.com.