- Notes, cautions, and warnings
- Preface
- Introduction
- Access Control
- Access control settings
- Security for management access
- Authentication
- Authorization
- Component access controls
- Data security settings
- Password policy
- Physical security controls
- Login banner and message of the day
- Logging
- Communication Security
- Communication security settings
- Port usage
- Ports used by Unisphere components on VNX for block
- How VNX for file works on the network
- Network encryption
- Management support for TLS communications on VNX2 systems
- SSL certificates
- Planning considerations for Public Key Infrastructure on VNX for file
- IP packet reflect on VNX for file systems
- Effect of filtering management network
- vSphere Storage API for Storage Awareness (VASA) support
- Special configurations
- Secure Remote Procedure Call
- Other security considerations
- Data Security Settings
- Data at Rest Encryption overview
- Data at Rest Encryption feature activation
- Encryption status
- Backup keystore file
- Data in place upgrade
- Hot spare operations
- Adding a disk drive to a VNX with encryption activated
- Removing a disk drive from a VNX with encryption enabled
- Replacing a chassis and SPs from a VNX with encryption enabled
- Security Maintenance
- Advanced Management Capabilities
- Secure deployment and usage settings
- TLS cipher suites
- LDAP-based directory server configuration
- VNX for file CLI role-based access
- VNX for file CLI security configuration operations
- Configuring password policy
- Configuring session timeout
- Protect session tokens
- Configuring network encryption and authentication using the SSL protocol
- Configuring PKI
- Creating the certificate provided by the persona
- Using the Control Station as the CA
- Obtaining CA certificates
- Generate a key set and certificate request
- Send the certificate request to the CA
- Import a CA-signed certificate
- List the available CA certificates
- Acquire a CA certificate
- Import a CA certificate
- Generate a new Control Station CA certificate
- Display the certificate
- Distribute the Control Station CA certificate
- Request and Install Customer-Supplied Certificates for Control Station
- Managing PKI
- Customize a login banner
- Create a MOTD
- Restrict anonymous root login
- Locking accounts after a specific number of failed logins
- VNX for block SSL certificate import
EMC® VNX® Series Security Configuration Guide for VNX
Active Directory Users & Computers
Active Directory user and group accounts can be managed with the Active Directory Users & Computers (ADUC) MMC Snap-in. This snap-in is installed automatically on every Windows domain controller. You access this tool from .
About this task
Information required to connect to an Active Directory directory server lists the information you need for a successful connection to Active Directory.
| Required connection information | Your values |
|---|---|
| Fully-qualified domain name (also known as the base distinguished name) | |
| Primary domain controller/directory server IP address or hostname | |
| Secondary domain controller/directory server IP address or hostname | |
| Account name (also known as the bind distinguished name) |
Steps
- Open ADUC and (if necessary) connect to the domain. Right-click the domain name, and then select Find from the menu.
- Identify a domain user who will be a VNX for file user. To locate the user profile, type the user's name in the Find field and click Find Now.
- Add the X.500 path to the displayed user information by selecting .
- Select X500 Distinguished Name from the Columns available field and click Add.
- The Find window now displays the X.500 distinguished name of this user. The X.500 distinguished name contains the user’s name (CN=Joe Muggs) and the path to the container in the directory structure where this user is located: CN=Users,DC=derbycity,DC=local. Record the path.
-
Verify that all other VNX for file users use the same path by either:
- Repeating the Find for all VNX for file user accounts
or
- Navigating to that area of the directory in ADUC, and locating all VNX for file user accounts
- Repeating the Find for all VNX for file user accounts
-
Repeat steps 1 through 6 to find the path to the container in the directory structure where the groups are located.
If the user and group paths are both CN=Users,DC=<domain component>,DC=<domain component>[, DC=<domain component>…] (for example CN=Users,DC=derbycity,DC=local), you can use the Default Active Directory option in the Unisphere Manage LDAP Domain view. This option assumes that the users and groups are located in the default container (CN=Users), so you do not have to specify the user or group search path.
- Users might not be in the default container (CN=Users). They may instead be located in other containers or organizational units within the directory, for example VNX for File Users. In this case, you need to use the Custom Active Directory option in the Unisphere Manage LDAP Domain view and manually enter the search paths.
- Groups might not be in the default container (CN=Users), and they do not have to be located with the users. They may instead be located within other containers or organizational units within the directory.
-
The LDAP user and group search begins with the path specified, and searches that container and all containers below it. If VNX for file users and groups are not located within the same container or organizational unit, you must use the intersection (common parts) of their collective paths when you specify the user and group search paths. In some cases, this may need to be the root of the domain. For example, assume that VNX for file users are stored in the following two Active Directory locations:
- Path 1: CN=Users,DC=derbycity,DC=local
- Path 2: OU=VNX Users,OU=EMC VNX,DC=derbycity,DC=local
In order for VNX for file to find all users, you need to use the intersection of the two paths as your search path, that is, the domain root DC=derbycity,DC=local. Type this value in the User Search Path field in the Unisphere Manage LDAP Domain view.
-
Use the
Find window again to determine the full X.500 path of the account you will use to connect the VNX for file Control Station to the directory. In this case you should not remove the username from the path because you are specifying the path to an individual account.
- If you are using the Default Active Directory option in the Unisphere Manage LDAP Domain view, type only the account name, for example VNX LDAP Binding, in the Account Name field. You do not need to provide the X.500 syntax because the VNX for file software constructs the full X.500 path.
- If you are using the Custom Active Directory option in Manage LDAP Domain, then type the full X.500 path in the Distinguished Name field.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\