HPE Storage Users Group

A Storage Administrator Community




 Post subject: Active Directory Authentication Quick List/Cheat Sheet
PostPosted: Mon Apr 12, 2010 3:15 pm 
Site Admin

Joined: Tue Aug 18, 2009 10:35 pm
Posts: 1328
Location: Dallas, Texas
SSH to the InServ with a local admin account.

Check to make sure the InServ is set to use the proper NTP server using "shownet".

Check that the time on the InServ is in sync with "showdate". If the time deviates from the LDAP server too much, auth will fail.

Execute the following commands:

setauthparam ldap-server 10.x.x.x (# IP address of LDAP server)
setauthparam ldap-server-hn ldap.yourcompany.com (# Hostname of your ldap server, must reverse lookup to the IP address provided)
setauthparam kerberos-realm YOURCOMPANY.COM (# This is case sensitive and must match your Windows Kerberos realm case)
setauthparam binding sasl
setauthparam sasl-mechanism GSSAPI
setauthparam accounts-dn OU=Your\ Group,DC=yourcompany,DC=com (Location in your AD to search for users, put a \ in front of spaces within your dn)
setauthparam account-obj user
setauthparam account-name-attr sAMAccountName
setauthparam memberof-attr memberOf
setauthparam super-map CN=3PAR_ADMINS,OU=Administrative,DC=yourcompany,DC=com


Test the config with the checkpassword <username> command.
The last line of the output should read "user <username> is authenticated and authorized"

_________________
Richard Siemers
The views and opinions expressed are my own and do not necessarily reflect those of my employer.


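An added pre-flight check (not from the thread or from HPE) that walks the cheat sheet's parameters for the pitfalls this thread later trips over: realm case, reverse lookup of the LDAP server, unescaped spaces in the DN, and clock skew. The config, the PTR map and the 5-minute Kerberos skew limit are constructed assumptions so it runs offline.

```python
import re

# Constructed sample: the cheat-sheet lines above with two of the pitfalls the
# thread ran into, a lower-case realm and an unescaped space in accounts-dn.
CONFIG = """\
setauthparam ldap-server 10.0.0.5
setauthparam ldap-server-hn ldap.yourcompany.com
setauthparam kerberos-realm yourcompany.com
setauthparam binding sasl
setauthparam sasl-mechanism GSSAPI
setauthparam accounts-dn OU=Your Group,DC=yourcompany,DC=com
"""

# Constructed stand-in for DNS so the check runs offline: IP -> PTR name.
PTR = {"10.0.0.5": "dc01.yourcompany.com"}

def parse_params(config):
    """Turn 'setauthparam <name> <value...>' lines into a dict."""
    params = {}
    for line in config.splitlines():
        m = re.match(r"setauthparam\s+(\S+)\s+(.+)$", line.strip())
        if m:
            params[m.group(1)] = m.group(2)
    return params

def preflight(params, ptr=PTR, clock_skew_s=0, max_skew_s=300):
    """Return the problems the thread's posts attribute auth failures to.
    max_skew_s is Kerberos' usual 5-minute tolerance (an assumption; the post
    only says the time must not deviate 'too much')."""
    problems = []
    realm = params.get("kerberos-realm", "")
    if realm != realm.upper():
        problems.append(f"kerberos-realm {realm!r} is not upper case; it must match the Windows realm case")
    ip, hn = params.get("ldap-server"), params.get("ldap-server-hn")
    if ptr.get(ip) != hn:
        problems.append(f"reverse lookup of {ip} gives {ptr.get(ip)!r}, not ldap-server-hn {hn!r}")
    if re.search(r"(?<!\\) ", params.get("accounts-dn", "")):
        problems.append("accounts-dn contains an unescaped space; put a backslash before it")
    if abs(clock_skew_s) > max_skew_s:
        problems.append(f"array clock is {clock_skew_s}s off the DC; Kerberos will reject tickets")
    return problems
```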
 Post subject: Re: Active Directory Authentication Quick List/Cheat Sheet
PostPosted: Mon Jun 27, 2011 4:15 pm 
Site Admin

Joined: Tue Aug 18, 2009 10:35 pm
Posts: 1328
Location: Dallas, Texas
P.S. Also, make sure you do not have a local account on the 3PAR that matches your domain account name. If the same username exists in both places, it will authenticate with the local username/password combination first.

Richard Siemers


 Post subject: Re: Active Directory Authentication Quick List/Cheat Sheet
PostPosted: Thu Sep 01, 2011 8:55 am 

Joined: Thu Sep 01, 2011 8:27 am
Posts: 20
I'm now trying to connect to some different Windows DCs, but to no avail. I'm using the above procedure, using SASL with GSSAPI.

Receiving the following messages when using checkpassword:
+ Kerberos credentials denied: Cannot contact any KDC for requested realm

All 3 DCs (Windows 2008 R2 64-bit) I tried to connect to give the same message :(

Routing to and from the 3Par is okay (though I wonder how I can ping from a 3par node :) )

Do I need to configure anything on Windows?

Regards,
Martien


 Post subject: Re: Active Directory Authentication Quick List/Cheat Sheet
PostPosted: Thu Sep 01, 2011 2:31 pm 
Site Admin

Joined: Tue Aug 18, 2009 10:35 pm
Posts: 1328
Location: Dallas, Texas
Howdy,

That error looks familiar; try changing the case of your realm name.

Quote:
setauthparam kerberos-realm YOURCOMPANY.COM (# This is case sensitive and must match your Windows Kerberos realm case)


Everywhere I see our domain name it's always lower case; however, the realm name was ALL UPPER. It could be that Microsoft converts it to all upper by default... or perhaps our admin that started the domain was inconsistent...

Richard Siemers


 Post subject: Re: Active Directory Authentication Quick List/Cheat Sheet
PostPosted: Thu Sep 01, 2011 2:46 pm 

Joined: Thu Sep 01, 2011 8:27 am
Posts: 20
I checked the realm name and it is all uppercase.

Just found out that there might be a problem communicating between two vlans, something with access lists on our LAN switches.

Will get back ;)

Regards,
Martien


 Post subject: Re: Active Directory Authentication Quick List/Cheat Sheet
PostPosted: Mon Oct 10, 2011 7:42 am 

Joined: Thu Sep 01, 2011 8:27 am
Posts: 20
Finally back... the problem was an ACL in a switch which blocked LDAP traffic :).

Took a while to figure that out... *grin*


 Post subject: Re: Active Directory Authentication Quick List/Cheat Sheet
PostPosted: Sun Oct 30, 2011 6:58 am 

Joined: Sun Oct 30, 2011 6:54 am
Posts: 1
Hi all,

I've tried to give each multitenant domain its own Active Directory access group, but it doesn't work. Any hint how to do this?
e.g.:
Dom1 with access rights for AD-Group1
Dom2 with access rights for AD-Group2
Dom3 with access rights for AD-Group3
Dom4 with access rights for AD-Group3

Regards,


 Post subject: Re: Active Directory Authentication Quick List/Cheat Sheet
PostPosted: Sun Oct 30, 2011 4:51 pm 

Joined: Thu Sep 01, 2011 8:27 am
Posts: 20
These commands are available when using InForm OS Virtual Domains and AD groups; more info is in the CLI Administrator's Guide for your version of InForm OS:

  • setauthparam <map_param> <map_value>
  • setauthparam group-obj group
  • setauthparam domain-name-attr <attribute>, and optionally setauthparam domain-name-prefix <prefix>
  • checkpassword <user_name>

First you map an AD group to an InForm OS role with the first command.
Then you map AD groups to a domain with the next command(s).

Check out pages 41-43 of the 3.1.1 CLI Administrator's Guide for more info.

Regards,
Martien


 Post subject: Re: Active Directory Authentication Quick List/Cheat Sheet
PostPosted: Wed Oct 16, 2013 9:57 pm 

Joined: Wed Oct 16, 2013 9:03 pm
Posts: 44
Location: Chicago
I had a bit of trouble initially forcing Active Directory to work together with 3PAR Domains, since HP's documentation is somewhat lacking (and, at times, erroneous).

Here's how I managed to work around it:

Create your groups, one for each pairing of role and domain. I named them in the format of "3PAR-<domain>-<role>". In the case of global roles, use "all" in place of the domain name, since "all" is a reserved domain for global roles.

Set the description attribute for each group to "InServDomain=<domain>", where <domain> is either the name of the domain, or "all" in groups for global roles. Groups without this field set will not function.

Here are my groups:
Code:
dn: CN=3PAR-all-super,OU=Groups,DC=example,DC=com
description: InServDomain=all

dn: CN=3PAR-all-edit,OU=Groups,DC=example,DC=com
description: InServDomain=all

dn: CN=3PAR-all-browse,OU=Groups,DC=example,DC=com
description: InServDomain=all

dn: CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com
description: InServDomain=domainname

dn: CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com
description: InServDomain=domainname

These are the sanitized CLI commands that I used for my configuration (change the obvious to fit your environment):
Code:
setauthparam ldap-server 10.1.1.2
setauthparam ldap-server-hn ads.example.com
setauthparam kerberos-realm EXAMPLE.COM
setauthparam binding sasl
setauthparam sasl-mechanism GSSAPI
setauthparam accounts-dn ou=users,dc=example,dc=com
setauthparam account-obj user
setauthparam memberof-attr memberOf
setauthparam account-name-attr sAMAccountName
setauthparam group-obj group
setauthparam domain-name-attr description
setauthparam domain-name-prefix !InServDomain=
setauthparam super-map CN=3PAR-all-super,OU=Groups,DC=example,DC=com
setauthparam edit-map CN=3PAR-all-edit,OU=Groups,DC=example,DC=com CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com
setauthparam browse-map CN=3PAR-all-browse,OU=Groups,DC=example,DC=com CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com

Note that for each of the <role>-map commands, you need to put all of the related group DNs on the same line, not in sequential commands. If there are spaces in your DNs, be sure to escape them with a backslash.

Once you get it all set up and ready, verification should look like this:
Code:
inserv cli% showauthparam
Param              ------------------------Value-------------------------
kerberos-realm     EXAMPLE.COM
binding            sasl
sasl-mechanism     GSSAPI
accounts-dn        ou=users,dc=example,dc=com
account-obj        user
memberof-attr      memberOf
ldap-server        10.1.1.2
ldap-server-hn     ads.example.com
account-name-attr  sAMAccountName
group-obj          group
domain-name-attr   description
super-map          CN=3PAR-all-super,OU=Groups,DC=example,DC=com
edit-map           CN=3PAR-all-edit,OU=Groups,DC=example,DC=com
edit-map           CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com
browse-map         CN=3PAR-all-browse,OU=Groups,DC=example,DC=com
browse-map         CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com
domain-name-prefix !InServDomain=
inserv cli% checkpassword reactor
password:
+ attempting authentication and authorization using system-local data
+ authentication denied: unknown username
+ attempting authentication and authorization using LDAP
+ using Kerberos configuration file:
   [domain_realm]
      ads.example.com = EXAMPLE.COM
   [realms]
      EXAMPLE.COM = {
         kdc = ads.example.com
      }
+ temporarily setting name-to-address mapping: ads.example.com -> 10.1.1.2
+ attempting to obtain credentials for "reactor@EXAMPLE.COM"
+ connecting to LDAP server using URI: ldap://ads.example.com
+ binding to user "reactor" with SASL mechanism GSSAPI
+ searching LDAP using:
   search base:    ou=users,dc=example,dc=com
   scope:          sub
   filter:         (&(objectClass=user)(sAMAccountName=reactor))
   for attributes: memberOf
+ search result DN: CN=Reactor,OU=Users,DC=example,DC=com
+ search result:    memberOf: CN=3PAR-all-super,OU=Groups,DC=example,DC=com
+ mapping rule: super mapped to by "CN=3PAR-all-super,OU=Groups,DC=example,DC=com"
+ rule match: super mapped to by "CN=3PAR-all-super,OU=Groups,DC=example,DC=com"
+ mapping rule: edit mapped to by "CN=3PAR-all-edit,OU=Groups,DC=example,DC=com"
+ mapping rule: edit mapped to by "CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com"
+ mapping rule: browse mapped to by "CN=3PAR-all-browse,OU=Groups,DC=example,DC=com"
+ mapping rule: browse mapped to by "CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com"
+ searching LDAP using:
   search base:    CN=3PAR-all-super,OU=Groups,DC=example,DC=com
   scope:          base
   filter:         (objectClass=group)
   for attributes: description
+ search result DN: CN=3PAR-all-super,OU=Groups,DC=example,DC=com
+ search result:    description: InServDomain=all
+ group "CN=3PAR-all-super,OU=Groups,DC=example,DC=com" has potential domain "all" (transformed from "InServDomain=all")
+ domain match: "all" mapped to super
user reactor is authenticated and authorized

Regards,
Aaron


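An added model (not the thread's or HPE's code) of the authorization walk that Aaron's checkpassword output shows: role maps are parsed from the setauthparam lines, a group grants a role only if it is in that role's map and its description yields a domain via domain-name-prefix, and a repeated <role>-map line replaces the earlier one. The group descriptions are a constructed stand-in for AD; the thread does not explain the leading "!" in the prefix, so the model only strips the literal "InServDomain=" text (an assumption).

```python
import re

# Constructed sample: Aaron's map lines above, plus a browse-map DN that
# contains a backslash-escaped space, which the CLI requires (see his note).
CONFIG = """\
setauthparam domain-name-prefix !InServDomain=
setauthparam super-map CN=3PAR-all-super,OU=Groups,DC=example,DC=com
setauthparam edit-map CN=3PAR-all-edit,OU=Groups,DC=example,DC=com CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com
setauthparam browse-map CN=3PAR-all-browse,OU=Storage\\ Groups,DC=example,DC=com
"""

# Constructed stand-in for AD: group DN -> description attribute. The last
# group never had InServDomain= set, the failure the post warns about.
GROUPS = {
    "CN=3PAR-all-super,OU=Groups,DC=example,DC=com": "InServDomain=all",
    "CN=3PAR-all-edit,OU=Groups,DC=example,DC=com": "InServDomain=all",
    "CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com": "InServDomain=domainname",
    "CN=3PAR-all-browse,OU=Storage Groups,DC=example,DC=com": None,
}

def parse_role_maps(config):
    """Return {role: [group DNs]} from 'setauthparam <role>-map DN [DN ...]'.
    DNs split on unescaped whitespace and '\\ ' is unescaped; a repeated
    <role>-map line replaces the earlier one instead of adding to it."""
    maps = {}
    for line in config.splitlines():
        m = re.match(r"setauthparam\s+(\w+)-map\s+(.+)$", line.strip())
        if m:
            dns = re.split(r"(?<!\\)\s+", m.group(2))
            maps[m.group(1)] = [d.replace("\\ ", " ") for d in dns if d]
    return maps

def domain_from_description(value, prefix="!InServDomain="):
    """Strip the configured prefix from a group's description to get the
    3PAR domain. Assumption: the leading '!' is ignored by this model."""
    prefix = prefix.lstrip("!")
    if value is None or not value.startswith(prefix):
        return None
    return value[len(prefix):]

def authorize(member_of, config=CONFIG, groups=GROUPS):
    """Return {role: sorted domains} a user gets from its memberOf values:
    a group grants a role only if it is in that role's map AND its
    description yields a domain ('all' meaning the global role)."""
    grants = {}
    for role, dns in parse_role_maps(config).items():
        for dn in dns:
            domain = domain_from_description(groups.get(dn)) if dn in member_of else None
            if domain is not None:
                grants.setdefault(role, set()).add(domain)
    return {role: sorted(d) for role, d in grants.items()}
```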
 Post subject: Re: Active Directory Authentication Quick List/Cheat Sheet
PostPosted: Thu Feb 13, 2014 12:05 pm 

Joined: Mon Feb 03, 2014 9:40 am
Posts: 116
Is there a way to set up multiple LDAP servers for redundancy? I.e. if LDAP server 1 is unavailable, you are not able to authenticate.

Multiple values for:

setauthparam ldap-server
setauthparam ldap-server-hn

