This topic provides a high-level overview of the CLI commands and the special considerations that apply when configuring LDAP authentication on the MDM. For the exact command syntax and parameters for your LDAP configuration, refer to the tasks immediately following this topic.
Add the LDAP server as a service
Add the LDAP server as a service using the --add_ldap_service command.
Assign the LDAP groups to roles
After the LDAP service is configured, use the --assign_ldap_groups_to_roles command to map the LDAP groups to PowerFlex user roles. Assign an LDAP group to each PowerFlex role. The same LDAP group can be assigned to multiple roles. For an explanation of the different user roles, see PowerFlex authentication and user roles.
Take the following considerations into account when assigning groups to roles with LDAP authentication:
If you want LDAP users to be able to use the PowerFlex GUI or query the system, you must assign an LDAP group to the Monitor role.
An LDAP user defined as an Administrator is limited to Administrator operations, such as adding users, but cannot invoke any Configure commands. To overcome this limitation, assign an LDAP group to both the Administrator and Configure roles.
If the LDAP user will run NDU (non-disruptive upgrade), assign the user at a minimum to both the Monitor and BackendConfigure user roles.
NOTE: If an LDAP user role is changed, users must log out of PowerFlex and log back in with the updated permissions.
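The considerations above are easy to overlook once several groups are mapped to several roles. The following added example (not Dell documentation or PowerFlex code) checks a planned group-to-role mapping against them before the assignment is made; the role names are the ones used in this topic, and the group DNs are constructed sample values.

```python
# Added example (not Dell documentation or PowerFlex code): pre-flight check of a
# planned LDAP group-to-role mapping against the considerations in this topic.
# Role names are the ones used above; the group DNs are constructed sample values.

MONITOR = "Monitor"
ADMINISTRATOR = "Administrator"
CONFIGURE = "Configure"
BACKEND_CONFIGURE = "BackendConfigure"


def check_role_mapping(role_to_groups):
    """Return warnings for a planned {role: {ldap_group, ...}} mapping.

    1. No group on Monitor: LDAP users cannot use the GUI or query the system.
    2. A group on Administrator but not Configure cannot run Configure commands.
    """
    warnings = []
    if not role_to_groups.get(MONITOR):
        warnings.append("no LDAP group is assigned to the Monitor role; "
                        "LDAP users cannot use the GUI or query the system")
    admin_only = (role_to_groups.get(ADMINISTRATOR, set())
                  - role_to_groups.get(CONFIGURE, set()))
    for group in sorted(admin_only):
        warnings.append(f"{group} is Administrator but not Configure; "
                        "assign it to both roles if it must run Configure commands")
    return warnings

def roles_for_user(user_groups, role_to_groups):
    """Effective roles of an LDAP user who is a member of user_groups.
    One group may be mapped to several roles, so every match counts."""
    return {role for role, groups in role_to_groups.items() if user_groups & groups}

def can_run_ndu(user_groups, role_to_groups):
    """NDU needs at least the Monitor and BackendConfigure roles."""
    return {MONITOR, BACKEND_CONFIGURE} <= roles_for_user(user_groups, role_to_groups)

# Constructed sample mapping: pf-ops is mapped to two roles, pf-admins only to one.
OPS_GROUP = "cn=pf-ops,ou=groups,dc=example,dc=com"
ADMIN_GROUP = "cn=pf-admins,ou=groups,dc=example,dc=com"
SAMPLE_MAPPING = {
    MONITOR: {OPS_GROUP},
    ADMINISTRATOR: {ADMIN_GROUP},
    CONFIGURE: set(),
    BACKEND_CONFIGURE: {OPS_GROUP},
}

if __name__ == "__main__":
    for warning in check_role_mapping(SAMPLE_MAPPING):
        print("WARNING:", warning)
    print("pf-ops member can run NDU:", can_run_ndu({OPS_GROUP}, SAMPLE_MAPPING))
```

Running it against the sample mapping reports the admin-only group; adding that group to Configure as well clears the warning.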
Set the user authentication method
After the LDAP service is set and groups are assigned, use the --set_user_authentication_method command to specify the authentication method with which PowerFlex will authenticate users.
You can restrict users to the local domain only (native authentication), to LDAP authentication only, or configure the MDM to allow both types of users. This decision is at the discretion of the system administrator and is usually dictated by the security policy of the organization.
NOTE: After the authentication method is set exclusively to LDAP, it cannot easily be changed back to native authentication. If the LDAP server is unreachable and the authentication method must be changed back to native, see the "Reset the admin user password" procedure described in Configure and Customize Dell PowerFlex.
Log in to the system
After configuring the system parameters, you can log in to the system using the scli --login command.
When logging in as a local user, the command must include a user name. When using LDAP, the command should also include the relevant LDAP domain and the LDAP authentication parameter.
Example for local login using native authentication: