HPE Storage Users Group

A Storage Administrator Community

 Post subject: 3PAR LDAP & Kerberos
PostPosted: Fri Feb 20, 2015 10:14 am 

Joined: Fri Feb 20, 2015 6:56 am
Posts: 1
Hello everybody,
I've already read posts about how 3PAR doesn't really support multi-domain AD authentication and cannot have more than one LDAP config, maybe in the next version, but I still have a question:

In our environment, we have 3 domains; we'll call them TOP.com, CHILD1.TOP.com and CHILD2.TOP.com. We have the LDAP configuration set to talk to the CHILD1 domain, the administrator's account in the CHILD1 domain, the administrators group in CHILD1 too, all the same.

So far we've found that we can change the LDAP port in the CLI, so instead of port 389 (or 636 with SSL) we can use port 3268 (or 3269 with SSL), using the setauthparam ldap-port PORT_NUMBER command. Then you change the Accounts DN value to DC=TOP,DC=com and the LDAP search will go from the top down to both child domains. You can even have the administrators group in the CHILD2 domain; the account will still be found, authenticated and assigned through super-map to the super role.

In the case of an administrator who is a CHILD2 domain member, this will not work. Kerberos will prevent the user in CHILD2 (the administrators group is in CHILD1) from getting in, because such an account does not exist in CHILD1, so it will never get to the LDAP search.

Is this something a Kerberos trust between domains could help with? What does your AD guy think?
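Added example, not from the original post or from HPE: a small Python check over 3PAR `showauthparam` output that flags the two conditions the post describes (an accounts DN above the domain controller's own domain queried on port 389/636 rather than the global catalog port 3268/3269, and a Kerberos realm narrower than the accounts DN, so accounts in sibling child domains fail before the LDAP search). The two-column Param/Value layout, the `kerberos-realm` parameter name, the sample values, and the assumption that the Kerberos step applies only with `binding sasl` are my assumptions.

```python
import re

# Constructed sample in the two-column "Param Value" layout that the 3PAR
# `showauthparam` command is assumed to use (assumption, not from the post);
# the values mirror the forest the post describes.
SAMPLE = """\
Param           Value
ldap-server-hn  dc1.child1.top.com
ldap-port       389
binding         sasl
kerberos-realm  CHILD1.TOP.COM
accounts-dn     DC=TOP,DC=com
super-map       CN=3PAR Admins,OU=Groups,DC=CHILD1,DC=TOP,DC=com
"""
GC_PORTS = {3268, 3269}   # global catalog: searches the whole forest
DC_PORTS = {389, 636}     # domain controller: searches its own domain only

def parse_authparam(text):
    """Turn the Param/Value table into a dict (header row skipped)."""
    params = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2:
            params[parts[0]] = parts[1].strip()
    return params

def domain_of(dn):
    """DN -> dotted domain, e.g. DC=CHILD1,DC=TOP,DC=com -> child1.top.com."""
    return ".".join(re.findall(r"DC=([^,]+)", dn, flags=re.I)).lower()

def is_subdomain(child, parent):
    return child != parent and child.endswith("." + parent)

def check_authparam(params):
    """Return findings about forest-wide lookups and the Kerberos realm."""
    findings = []
    port = int(params.get("ldap-port", 389))
    acct_dom = domain_of(params.get("accounts-dn", ""))
    server_dom = params.get("ldap-server-hn", "").lower().split(".", 1)[-1]
    realm = params.get("kerberos-realm", "").lower()
    if is_subdomain(server_dom, acct_dom) and port in DC_PORTS:
        findings.append(f"accounts-dn covers {acct_dom} but port {port} only "
                        f"searches {server_dom}; use 3268/3269 (global catalog)")
    if params.get("binding", "").lower() == "sasl" and is_subdomain(realm, acct_dom):
        findings.append(f"Kerberos realm {realm} excludes accounts in other "
                        f"domains under {acct_dom}; they fail before the LDAP search")
    return findings

if __name__ == "__main__":
    for finding in check_authparam(parse_authparam(SAMPLE)):
        print("WARN:", finding)
```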