HPE Storage Users Group

A Storage Administrator Community

 Post subject: LDAP Setup - Authentication Helper
PostPosted: Wed Feb 04, 2015 5:48 am 

Joined: Wed Feb 04, 2015 5:16 am
Posts: 7
Hello All,

We have recently installed a 3PAR StoreServ and I'm struggling with the LDAP setup; I'm getting the following error:

+ internal system error communicating with authentication helper daemon: invalid response
user joe1 is not authenticated or not authorized



LDAP setup:

SAN01 cli% showauthparam
Param --------------------Value--------------------
member-attr memberUid
user-attr uid
ldap-reqcert 0
user-dn-base CN=3PARAccess,CN=Users,DC=domain,DC=local
group-name-attr cn
groups-dn CN=Users,DC=domain,DC=local
ldap-StartTLS no
ldap-ssl 1
ldap-server DC01.domain.local
account-obj user
allow-ssh-key 0
account-name-attr sAMAccountName
sasl-mechanism GSSAPI
group-obj group
accounts-dn CN=Users,DC=domain,DC=local
memberof-attr memberOf
super-map CN=3PARadminsDL,CN=Users,DC=domain,DC=local
super-map cn=3PARAccess,CN=Users,DC=domain,DC=local
ldap-server-hn Datadc01.networks.local
kerberos-server 172.16.1.1
ldap-port 636
binding sasl
kerberos-realm domain.local


 Post subject: Re: LDAP Setup - Authentication Helper
PostPosted: Thu Feb 05, 2015 12:07 pm 

Joined: Thu Feb 05, 2015 9:05 am
Posts: 1
Newbie here. I have searched through the forum but need additional assistance with understanding how to secure the authentication process.

I am in the midst of an audit to get PCI accreditation based on version 3.0 (https://www.pcisecuritystandards.org/do ... DSS_v3.pdf) and struggling to respond to requirement (#8.2.1) for secure authentication during transmission. I have searched this forum, located the thread "Authentication Quick List / Cheat Sheet", and successfully authenticated with our Microsoft 2012 AD.

The challenge is that this configuration uses unsecured LDAP port 389, which the auditor has indicated will not meet this requirement. I shared the configuration setting showing that it utilizes SASL GSSAPI to secure the communication. The auditor saw in the configuration file that TLS is set to NO. I changed that to yes and received an error that the servers did not support TLS. I have validated that TLS is enabled on our AD. The auditor is not buying that the traffic is secure because port 389 is used and the TLS setting is set to no. I am not knowledgeable enough to dispute that.

If anyone has experience they can share on secure authentication to Microsoft AD that I can use with my auditors, I will greatly appreciate it. THX!


 Post subject: Re: LDAP Setup - Authentication Helper
PostPosted: Fri Feb 13, 2015 10:01 am 

Joined: Wed Feb 04, 2015 5:16 am
Posts: 7
After a week's pain I finally managed to get this working; there was no chance of getting it working from the GUI. There were too many LDAP settings, so I cleared all the settings:

setauthparam -f clearall

I have attached the LDAP Config guide.

Then I used the following:

ldap-server 192.168.2.1
ldap-server-hn dc01.domain.local
kerberos-realm DOMAIN.LOCAL
binding sasl
sasl-mechanism GSSAPI
account-obj user
account-name-attr sAMAccountName
memberof-attr memberOf
accounts-dn OU=group,OU=System Group,DC=domain,DC=local
super-map CN=3PARAccess,OU=group,OU=System Group,DC=domain,DC=local


Attachments:
File comment: LDAP Config Guide From HP
LDAP Authentication for 3PAR InServs.pdf [201.05 KiB]
 Post subject: Re: LDAP Setup - Authentication Helper
PostPosted: Thu Mar 05, 2020 10:28 am 

Joined: Wed Sep 03, 2014 7:58 am
Posts: 9
HCMay wrote:
Newbie here. I have searched through the forum but need additional assistance with understanding how to secure the authentication process.

I am in the midst of an audit to get PCI accreditation based on version 3.0 (https://www.pcisecuritystandards.org/do ... DSS_v3.pdf) and struggling to respond to requirement (#8.2.1) for secure authentication during transmission. I have searched this forum, located the thread "Authentication Quick List / Cheat Sheet", and successfully authenticated with our Microsoft 2012 AD.

The challenge is that this configuration uses unsecured LDAP port 389, which the auditor has indicated will not meet this requirement. I shared the configuration setting showing that it utilizes SASL GSSAPI to secure the communication. The auditor saw in the configuration file that TLS is set to NO. I changed that to yes and received an error that the servers did not support TLS. I have validated that TLS is enabled on our AD. The auditor is not buying that the traffic is secure because port 389 is used and the TLS setting is set to no. I am not knowledgeable enough to dispute that.

If anyone has experience they can share on secure authentication to Microsoft AD that I can use with my auditors, I will greatly appreciate it. THX!


It turns out GSSAPI is not a valid option to use with an SSL certificate, as shown in the commands above (ldap-ssl 1). DIGEST-MD5 in combination with a (root) certificate looks to be the solution.

setauthparam -f ldap-type MSAD
setauthparam -f ldap-server <192.168.80.10>
setauthparam -f ldap-server-hn <LDAPSERVER.STORCOM.COM>
setauthparam -f ldap-port 636
setauthparam -f ldap-ssl 1
setauthparam -f ldap-reqcert 1

setauthparam -f sasl-mechanism DIGEST-MD5

I've created a step-by-step tutorial on how to use LDAP over SSL (LDAPS) with port 636 for Primera and 3PAR arrays: https://www.storcom.com/configure-ldap- ... -and-3par/

Hope it will be useful for the community.
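As an added example (not from this thread, HPE or the linked tutorial): a small Python audit that parses showauthparam output like the one in the first post and flags the transport and binding combinations discussed here: a cleartext bind with no TLS (the auditor's objection), LDAPS without certificate verification, the ldap-ssl 1 plus GSSAPI pairing the last post reports as invalid, and a lower-case Kerberos realm. It assumes ldap-reqcert 1 means the server certificate is required and verified, as the last post uses it with a root certificate; the sample output is constructed from the first post.

```python
# Constructed sample: the showauthparam output from the first post of this thread,
# trimmed to the parameters the audit below looks at.
SAMPLE = """\
Param --------------------Value--------------------
ldap-reqcert 0
ldap-StartTLS no
ldap-ssl 1
ldap-server DC01.domain.local
sasl-mechanism GSSAPI
super-map CN=3PARadminsDL,CN=Users,DC=domain,DC=local
super-map cn=3PARAccess,CN=Users,DC=domain,DC=local
ldap-port 636
binding sasl
kerberos-realm domain.local
"""

def parse_authparam(text):
    """Parse 'showauthparam' output into a dict; a repeated param (super-map) becomes a list."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Param "):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key in params:  # second occurrence: keep every value
            prev = params[key]
            params[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            params[key] = value
    return params

def audit_transport(p):
    """Return findings for the transport/binding combinations discussed in this thread."""
    findings = []
    ssl = p.get("ldap-ssl") == "1"
    starttls = p.get("ldap-StartTLS", "no").lower() == "yes"
    mech = p.get("sasl-mechanism", "").upper()
    realm = p.get("kerberos-realm", "")
    if not ssl and not starttls:  # the PCI auditor's objection: port 389, no TLS at all
        findings.append("cleartext LDAP: neither ldap-ssl nor ldap-StartTLS is enabled")
    if ssl and p.get("ldap-reqcert") != "1":  # assumption: reqcert 1 = verify server cert
        findings.append("ldap-reqcert 0: server certificate not verified, so LDAPS does not authenticate the server")
    if ssl and mech == "GSSAPI":  # pairing the last post reports as invalid; DIGEST-MD5 used instead
        findings.append("ldap-ssl 1 with sasl-mechanism GSSAPI: reported in this thread as an invalid combination")
    if ssl and p.get("ldap-port") != "636":
        findings.append(f"ldap-ssl 1 but ldap-port is {p.get('ldap-port')}, expected 636")
    if mech == "GSSAPI" and realm and realm != realm.upper():  # Kerberos realms are case-sensitive
        findings.append(f"kerberos-realm {realm} is not upper-case; try {realm.upper()}")
    return findings
```

Paste the output of showauthparam from your own array into SAMPLE to run the same checks against it.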

