HPE Storage Users Group https://3parug.com/
LDAP Setup - Authentication Helper https://3parug.com/viewtopic.php?f=18&t=1147
Author: psshutdown [ Wed Feb 04, 2015 5:48 am ]
Post subject: LDAP Setup - Authentication Helper
Hello All,

We have recently installed a 3PAR StoreServ and I'm struggling with the LDAP setup, getting the following error:

    + internal system error communicating with authentication helper daemon: invalid response
    user joe1 is not authenticated or not authorized

LDAP Setup:

    SAN01 cli% showauthparam
    Param --------------------Value--------------------
    member-attr            memberUid
    user-attr              uid
    ldap-reqcert           0
    user-dn-base           CN=3PARAccess,CN=Users,DC=domain,DC=local
    group-name-attr        cn
    groups-dn              CN=Users,DC=domain,DC=local
    ldap-StartTLS          no
    ldap-ssl               1
    ldap-server            DC01.domain.local
    account-obj            user
    allow-ssh-key          0
    account-name-attr      sAMAccountName
    sasl-mechanism         GSSAPI
    group-obj              group
    accounts-dn            CN=Users,DC=domain,DC=local
    memberof-attr          memberOf
    super-map              CN=3PARadminsDL,CN=Users,DC=domain,DC=local
    super-map              cn=3PARAccess,CN=Users,DC=domain,DC=local
    ldap-server-hn         Datadc01.networks.local
    kerberos-server        172.16.1.1
    ldap-port              636
    binding                sasl
    kerberos-realm         domain.local
Author: HCMay [ Thu Feb 05, 2015 12:07 pm ]
Post subject: Re: LDAP Setup - Authentication Helper
Newbie here; I have searched through the forum but need additional assistance with understanding how to secure the authentication process. I am in the midst of an audit to get PCI accreditation based on version 3.0 (https://www.pcisecuritystandards.org/do ... DSS_v3.pdf) and am struggling to respond to requirement (#8.2.1) for secure authentication during transmission. I have searched this forum, located the thread "Authentication Quick List / Cheat Sheet", and successfully authenticated with our Microsoft 2012 AD. The challenge is that this configuration uses unsecured LDAP port 389, which the auditor has indicated will not meet this requirement. I shared the configuration setting showing that it utilizes SASL GSSAPI to secure the communication. The auditor saw in the configuration file that TLS is set to NO. I changed that to yes and received an error that the servers did not support TLS. I have validated that TLS is enabled on our AD. The auditor is not buying that the traffic is secure because port 389 is used and the TLS setting is set to no. I am not knowledgeable enough to dispute that. If anyone has experience they can share to address secure authentication to Microsoft AD that I can use with my auditors, I will greatly appreciate it. THX!
Author: psshutdown [ Fri Feb 13, 2015 10:01 am ]
Post subject: Re: LDAP Setup - Authentication Helper
After a week's pain I finally managed to get this working; there was no chance of getting it working from the GUI. There were too many LDAP settings, so I cleared all the settings:

    setauthparam -f clearall

I have attached the LDAP Config guide; then I used the following:

    ldap-server            192.168.2.1
    ldap-server-hn         dc01.domain.local
    kerberos-realm         DOMAIN.LOCAL
    binding                sasl
    sasl-mechanism         GSSAPI
    account-obj            user
    account-name-attr      sAMAccountName
    memberof-attr          memberOf
    accounts-dn            OU=group,OU=System Group,DC=domain,DC=local
    super-map              CN=3PARAccess,OU=group,OU=System Group,DC=domain,DC=local
Author: dardan [ Thu Mar 05, 2020 10:28 am ]
Post subject: Re: LDAP Setup - Authentication Helper
HCMay wrote:

    Newbie here; I have searched through the forum but need additional assistance with understanding how to secure the authentication process. I am in the midst of an audit to get PCI accreditation based on version 3.0 (https://www.pcisecuritystandards.org/do ... DSS_v3.pdf) and am struggling to respond to requirement (#8.2.1) for secure authentication during transmission. I have searched this forum, located the thread "Authentication Quick List / Cheat Sheet", and successfully authenticated with our Microsoft 2012 AD. The challenge is that this configuration uses unsecured LDAP port 389, which the auditor has indicated will not meet this requirement. I shared the configuration setting showing that it utilizes SASL GSSAPI to secure the communication. The auditor saw in the configuration file that TLS is set to NO. I changed that to yes and received an error that the servers did not support TLS. I have validated that TLS is enabled on our AD. The auditor is not buying that the traffic is secure because port 389 is used and the TLS setting is set to no. I am not knowledgeable enough to dispute that. If anyone has experience they can share to address secure authentication to Microsoft AD that I can use with my auditors, I will greatly appreciate it. THX!

It turns out GSSAPI is not a valid option to use with an SSL certificate, as shown in the commands above (ldap-ssl 1). DIGEST-MD5 in combination with a (root) certificate looks to be the solution.

    setauthparam -f ldap-type MSAD
    setauthparam -f ldap-server <192.168.80.10>
    setauthparam -f ldap-server-hn <LDAPSERVER.STORCOM.COM>
    setauthparam -f ldap-port 636
    setauthparam -f ldap-ssl 1
    setauthparam -f ldap-reqcert 1
    setauthparam -f sasl-mechanism DIGEST-MD5

I've created a step-by-step tutorial on how to use LDAP over SSL (LDAPS) with port 636 for Primera and 3PAR arrays: https://www.storcom.com/configure-ldap- ... -and-3par/

Hope it will be useful for the community.
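The transport-security question HCMay raises (is directory traffic encrypted, and will an auditor accept it?) and the LDAPS settings dardan lists can be checked mechanically against the array's own configuration listing. The script below is an added example for this thread, not code from the posters or from HPE: it parses the Param/Value output that showauthparam prints (the sample is reconstructed from the first post in this thread) and flags settings that leave LDAP traffic unencrypted or the directory server's certificate unverified. The parser, the function names and the sample text are assumptions based only on the output shown above; the parameters it inspects (ldap-ssl, ldap-StartTLS, ldap-port, ldap-reqcert, sasl-mechanism) are those that appear in the thread.

```python
"""Audit a 3PAR/Primera showauthparam listing for LDAP transport security.

Hypothetical helper written for this thread; it is not HPE tooling.
"""
from collections import defaultdict

# Constructed sample: the showauthparam table from the first post of the thread.
SAMPLE_SHOWAUTHPARAM = """\
Param --------------------Value--------------------
member-attr memberUid
user-attr uid
ldap-reqcert 0
user-dn-base CN=3PARAccess,CN=Users,DC=domain,DC=local
group-name-attr cn
groups-dn CN=Users,DC=domain,DC=local
ldap-StartTLS no
ldap-ssl 1
ldap-server DC01.domain.local
account-obj user
allow-ssh-key 0
account-name-attr sAMAccountName
sasl-mechanism GSSAPI
group-obj group
accounts-dn CN=Users,DC=domain,DC=local
memberof-attr memberOf
super-map CN=3PARadminsDL,CN=Users,DC=domain,DC=local
super-map cn=3PARAccess,CN=Users,DC=domain,DC=local
ldap-server-hn Datadc01.networks.local
kerberos-server 172.16.1.1
ldap-port 636
binding sasl
kerberos-realm domain.local
"""

# Constructed variant mirroring dardan's post: certificate verified, DIGEST-MD5.
HARDENED_SHOWAUTHPARAM = (SAMPLE_SHOWAUTHPARAM
                          .replace("ldap-reqcert 0", "ldap-reqcert 1")
                          .replace("sasl-mechanism GSSAPI", "sasl-mechanism DIGEST-MD5"))


def parse_showauthparam(text):
    """Return {param: [values]} from showauthparam output.

    A parameter such as super-map can be listed more than once, so every
    parameter maps to a list of values.  The Param/Value header is skipped.
    """
    params = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Param"):
            continue
        key, _, value = line.partition(" ")
        params[key].append(value.strip())
    return dict(params)


def audit_transport(params):
    """Return a list of 'FAIL:'/'WARN:'/'INFO:' findings about LDAP transport."""
    def first(key, default=""):
        return params.get(key, [default])[0]

    ldaps = first("ldap-ssl", "0") == "1"
    starttls = first("ldap-StartTLS", "no").lower() == "yes"
    port = first("ldap-port", "389")
    reqcert = first("ldap-reqcert", "0") == "1"
    mechanism = first("sasl-mechanism")

    findings = []
    if not (ldaps or starttls):
        findings.append("FAIL: neither ldap-ssl nor ldap-StartTLS is enabled; "
                        "LDAP traffic to port %s is unencrypted" % port)
    if ldaps and port != "636":
        findings.append("WARN: ldap-ssl is 1 but ldap-port is %s; LDAPS normally uses 636" % port)
    if starttls and port == "636":
        findings.append("WARN: ldap-StartTLS is yes on port 636; StartTLS is negotiated "
                        "on the plaintext port (normally 389)")
    if (ldaps or starttls) and not reqcert:
        findings.append("FAIL: ldap-reqcert is 0; the directory server's certificate is not "
                        "verified, so TLS does not prevent an impersonated server")
    if ldaps and mechanism == "GSSAPI":
        findings.append("INFO: sasl-mechanism GSSAPI combined with ldap-ssl 1; "
                        "this thread reports that combination failing to authenticate")
    return findings


def is_transport_secure(params):
    """True when the audit raises no FAIL finding."""
    return not any(f.startswith("FAIL:") for f in audit_transport(params))


if __name__ == "__main__":
    for label, text in (("original", SAMPLE_SHOWAUTHPARAM), ("hardened", HARDENED_SHOWAUTHPARAM)):
        print("== %s ==" % label)
        for finding in audit_transport(parse_showauthparam(text)) or ["OK: no findings"]:
            print(finding)
```

Run it as-is to see the first poster's listing flagged (ldap-ssl is on, but ldap-reqcert 0 means the server certificate is never checked) and the dardan-style variant pass; paste a real showauthparam listing into SAMPLE_SHOWAUTHPARAM to audit your own array. The parser is deliberately tolerant of repeated keys because super-map appears twice in the original output.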