
Dell PowerFlex v3.6.x User Roles and LDAP Usage Technical Notes


Configure LDAP nodes on the server

Use the following task to prepare Ubuntu-based PowerFlex servers for use with LDAP.

Prerequisites

Ensure the following:

  • The OpenLDAP package is installed.
  • Each LDAP server has a separate base DN.

Steps

  1. On the PowerFlex component host (MDM, Gateway or LIA), ensure that it is possible to establish a TCP connection to the LDAP server's address.
  2. Run the following command, and wait until the operation is finished:
    sudo apt-get update 
  3. Run:
    sudo apt-get install openssh-client ldap-utils 
  4. In the OpenLDAP client configuration file, /etc/ldap/ldap.conf, find the value of the TLS_CACERTDIR parameter and write down the path. For non-secure LDAP, skip this step and jump to step 8.
  5. Import the certificate files from the LDAP server to the certificate directory, <TLS_CACERTDIR>, configured in the LDAP client configuration file, /etc/ldap/ldap.conf. For non-secure LDAP, skip this step and jump to step 8.
    NOTE: The method of CA certificate import for the OpenLDAP client may differ based on your organization's security guidelines. Consult your security administrator for the steps to import the CA certificates for use with the LDAP client.
  6. Run:
    openssl rehash /etc/ssl/certs
    NOTE: For non-secure LDAP, skip this step and jump to step 8.
  7. Run the following command and wait until the operation is finished:
    sudo update-ca-certificates
    NOTE: For non-secure LDAP, skip to the next step.
  8. Add the following lines to the /etc/ldap/ldap.conf file and ensure that all the other lines are commented out:
    URI ldaps://example.ldaps.local/

    or

    URI ldap://server.example.com/

    The file contents should be similar to the following example:

    #
    # LDAP Defaults
    #
    
    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.
    
    #BASE	dc=example,dc=com
    #URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
    
    #SIZELIMIT	12
    #TIMELIMIT	15
    #DEREF		never
    
    # TLS certificates (needed for GnuTLS)
    # TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
    URI ldaps://example.ldaps.local/
    
  9. For each LDAP server, test that its certificate is valid:
    sudo openssl s_client -connect example.ldaps.local:636 -CAfile /etc/ssl/certs/scaleio.cer < /dev/null

    Output similar to the following appears. Confirm that the "Verify return code" line reads "0 (ok)".

    CONNECTED(00000003)
    depth=1 DC = local, DC = ldaps, CN = ldaps-example-CA
    verify return:1
    depth=0 CN = example.ldaps.local
    verify return:1
    . . .
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
    Server public key is 2048 bit
    
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-SHA384
        Session-ID: 000E0000A293DA7B903083F8BCB2737F2C10A98D298BD0E963B73E9EBAA4930C
        Session-ID-ctx:
        Master-Key: 2242522F8B151725BDED1DC92264F461F4487DAAEC8DB6F5EA4959A42D4DABD4105534110229870FC8B6333B4443E891
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1455035763
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    DONE
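The following helper script is an added example and is not part of the Dell notes. It audits an OpenLDAP client ldap.conf for the state steps 8 and 9 leave it in (exactly one active URI line, ldaps:// rather than cleartext ldap://, certificate verification not switched off) and checks an openssl s_client transcript for the expected verify result. It assumes the uppercase keywords used above (URI, TLS_REQCERT).

```shell
#!/bin/sh
# Added helper, not part of the Dell notes: audit an OpenLDAP client
# /etc/ldap/ldap.conf and check an "openssl s_client" transcript.
# Assumes the uppercase keywords used in the document (URI, TLS_REQCERT).

# Print every server listed on active (non-commented) URI lines, one per line.
active_uris() {
    sed -n 's/^[[:space:]]*URI[[:space:]][[:space:]]*//p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Return 0 when the file has exactly one active URI line, every server uses
# ldaps:// (a plain ldap:// bind sends credentials in cleartext), and
# certificate verification has not been switched off with TLS_REQCERT.
check_ldap_conf() {
    conf="$1"
    rc=0
    n=$(active_uris "$conf" | wc -l | tr -d ' ')
    if [ "$n" -ne 1 ]; then
        echo "FAIL: expected exactly one active URI line, found $n" >&2
        rc=1
    fi
    for uri in $(active_uris "$conf"); do
        case "$uri" in
            ldaps://*) echo "OK: $uri uses TLS" ;;
            ldap://*)  echo "WARN: $uri is cleartext LDAP" >&2; rc=1 ;;
            *)         echo "FAIL: unrecognised URI scheme: $uri" >&2; rc=1 ;;
        esac
    done
    if grep -Eq '^[[:space:]]*TLS_REQCERT[[:space:]]+(never|allow)' "$conf"; then
        echo "FAIL: TLS_REQCERT never/allow disables server certificate checks" >&2
        rc=1
    fi
    return $rc
}

# Read an "openssl s_client" transcript on stdin (step 9 above) and return 0
# only if the chain verified, i.e. "Verify return code: 0 (ok)" is present.
verify_return_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# Typical use on a PowerFlex node (substitute the real host and CA file):
#   check_ldap_conf /etc/ldap/ldap.conf
#   openssl s_client -connect example.ldaps.local:636 \
#       -CAfile /etc/ssl/certs/scaleio.cer </dev/null 2>/dev/null | verify_return_ok
```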
