    LDAP Configuration

    This appendix describes how to configure the Unity system to connect to an LDAP server for authentication, and how to assign roles to LDAP users and groups.

    About configuring LDAP

    The Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying directory services running over TCP/IP networks. LDAP centralizes the management of network authentication and authorization. Integrating Unisphere users into an existing LDAP environment lets you control management access based on the user and group accounts already established in the LDAP directory.

    Before you configure LDAP, you must configure the Unity system to connect to a DNS server. This action is required to resolve the IP address and fully qualified hostname for each LDAP server that is configured.

    Networked entities that exchange data use certificates to authenticate each other. For secure communication between two networked entities, one entity must trust (accept) the certificate presented by the other. Unisphere uses SSL/TLS and the X.509 certificate standard to secure communication between the client (the storage system) and the server (the LDAP server). The Unity system requires the certificate chain file to be uploaded so that it can verify the server certificate received from the LDAP server when the TLS session is established.

    After you configure the LDAP settings for the Unity system, you can perform user management functions. For example, you can assign access permissions to Unisphere based on existing users and groups, within the context of an established LDAP directory structure.

    Follow this sequence of steps to configure LDAP on a Unity system:

    1. Configure the DNS server.
      Note: Required only when host names are used for the LDAP server addresses or when the dynamic LDAP feature is used. Otherwise, this step is optional.
    2. Configure the LDAP server.
    3. Verify the LDAP server connection.
    4. Configure LDAPS for the LDAP server.
    5. Verify the LDAP server connection using the LDAPS protocol.
    6. Configure LDAP users and groups.
    Note: The Unisphere Online Help provides more information about LDAP and DNS, the steps to configure the Unity system to connect to an LDAP server and a DNS server, and how to assign roles to and manage LDAP users and groups.

    Configure DNS server

    DNS must be configured before the LDAP server so that the IP address and fully qualified hostname of each LDAP server can be resolved.

    To configure the DNS, do the following:

    Procedure
    1. In Unisphere, click the gear icon in the top menu bar to display the Settings page.
    2. In the left panel under Management, click DNS Server.
      The Manage Domain Name Servers page appears.
    3. Depending on your site configuration, do one of the following:
      • If the system is configured to retrieve the DNS server addresses from a remote source, select Obtain DNS server address automatically.
      • To specify a DNS server that can resolve the LDAP server, select Configure DNS server address manually and enter at least one IP address. If the LDAP servers are to be configured manually using IP addresses, the LDAP servers must have entries in both the forward and reverse lookup zones on the DNS server.
    4. Once the DNS server addresses are configured, click Apply to save the DNS server configuration.

    Configure LDAP server

    LDAP server configuration consists of specifying the configuration information needed to connect to the LDAP server.

    To configure LDAP, do the following:

    Procedure
    1. In Unisphere, click the gear icon in the top menu bar to display the Settings page.
    2. In the left panel under Users and Groups, click Directory Services.
      The Configure LDAP Server Credentials page appears.
    3. For Domain Name, type the domain name of the LDAP authentication server.
      The Domain name must be filled in when the LDAP server configuration is created. After that, it is grayed out because it cannot be changed without deleting and re-creating the LDAP server configuration.
    4. For Distinguished Name, type the distinguished name of the LDAP user with administrator privileges.
      The distinguished name should be specified in one of the following formats:
      • LDAP notation format (for example, cn=Administrator,cn=Users,dc=mycompany,dc=com)
      • <user>@<domain> format (for example, Administrator@mycompany.com)
      • <domain>/<user> format (for example, mycompany.com/Administrator)
    5. For Password, type the password for the user specified in Distinguished Name.
    6. If the LDAP server uses a different port for LDAP than the default port number 389, change the port to the required port number.
      For example, specify port 3268 for LDAP with forest-level authentication. (Using nsroot.net instead of nam.nsroot.net as the domain with LDAP on port 3268 allows customers to query the entire Active Directory (AD) forest instead of just the AD domain on TCP port 389. AD role association is based on the group scopes Domain Local Groups and Universal Groups, which lets end users search AD with the appropriate scope as needed and avoids unnecessary group searches.) It is strongly recommended that LDAP be configured and verified before configuring Secure LDAP (LDAPS); this minimizes the troubleshooting that may be necessary when enabling LDAPS.
    7. In Server Address, do one of the following:
      • To manually add a server address, click Add to display the LDAP Server dialog box, enter the IP address or fully qualified hostname, and click OK. To remove a server address, select the address in the text box and click Remove.
      • To automatically retrieve the server addresses from DNS, click Auto Discover.
    8. If the LDAP server has a different search path than the default cn=Users,dc= for either User or Group, or both, click Advanced.
      The Advanced dialog box appears.
    9. In the Advanced window, update the search paths or other fields as necessary, then click OK to save the advanced configuration changes.
      For example, if you are configuring forest-level authentication, specify userPrincipalName in the User ID Attribute field of the Advanced window.
    10. After all the LDAP configuration information is specified, click Apply to save the configuration.
      If Auto Discover was selected to automatically retrieve the server addresses from DNS, the server addresses obtained from DNS are displayed grayed out in Server Address.
    After you finish

    After the LDAP server configuration is saved, you must verify the configuration to confirm that connections to the LDAP server will succeed; this avoids the possibility of data being unavailable.

    Verify LDAP configuration

    Note:  To avoid the possibility of data being unavailable, you must verify the LDAP connection after every LDAP configuration change.

    To verify that the connection to the LDAP server will succeed, do the following:

    Procedure
    1. Click Verify Connection on the Configure LDAP Server Credentials page.
      If the configuration is valid, a connection will be established with the LDAP server and a green check mark along with the text Connection Verified will appear.
    2. If the verification fails, the following steps are recommended to troubleshoot the failure:
      1. Verify the Configure LDAP Server Credentials configuration information, in particular the Distinguished Name (user name), Password, and the Server Address (IP address or hostname).
      2. Verify the LDAP server is online.
      3. Verify there are no network issues; for example, firewall rules that would block access to the LDAP port, a network router configuration that prevents the connection, and so on.

    Configure Secure LDAP

    Configuring Secure LDAP (LDAPS) requires the following:

    • Configure LDAPS protocol and the port
    • Configure the certificate chain

    When LDAPS is configured, the Unity system connects to the LDAP server using TLS. The Unity system requires the certificate chain file to be uploaded, to properly verify the server certificate received from the LDAP server when the TLS session is established.

    The format of the certificate file to be uploaded is as follows:

    • The certificate file must have a .cer file extension. Example: LdapServerChain.cer
    • All certificates in the certificate file to be uploaded must be in PEM format. PEM formatted certificates are ASCII text that begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
    • The LDAP server certificate must have the Server Name, as specified in the LDAP configuration, in the Subject or Subject Alternative Name field in the certificate. This is required to verify that the certificate is from the desired LDAP server.
    • If the LDAP server certificate is self-signed, only the server certificate is required.
    • If the LDAP server certificate is signed by a Certificate Authority, then the certificate chain, up to the root Certificate Authority, must be in the certificate file to be uploaded in the following order:
      1. Intermediate Certificate Authority certificate (if any).
      2. ...
      3. Root Certificate Authority certificate.
    • If there are multiple certificates in the file to be uploaded, there must be a new line between each certificate.
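    As an added example (not Unity code), the following stdlib-only Python check, with the assumed names check_chain and sample_cert, applies the upload rules above to a chain file before it is uploaded: .cer extension, PEM markers, a new line between certificates, each certificate issued by the one that follows it, and a self-signed root (or a lone self-signed server certificate) last. It reads only the issuer and subject fields of each certificate, so expiry and the Subject Alternative Name check listed under Verify LDAPS configuration are not covered; sample_cert builds constructed DER skeletons for trying the check, not real certificates.

```python
import base64
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def _tlvs(der):
    """Yield (tag, value) for each DER TLV in a SEQUENCE body (short and long-form lengths)."""
    i = 0
    while i < len(der):
        tag, ln, i = der[i], der[i + 1], i + 2
        if ln & 0x80:                                   # long form: low bits = number of length octets
            ln, i = int.from_bytes(der[i:i + (ln & 0x7F)], "big"), i + (ln & 0x7F)
        yield tag, der[i:i + ln]
        i += ln

def issuer_subject(der):
    """Return (issuer, subject) as raw DER Name bytes, per the RFC 5280 tbsCertificate layout."""
    tbs = next(_tlvs(next(_tlvs(der))[1]))[1]          # Certificate -> tbsCertificate body
    fields = [v for t, v in _tlvs(tbs) if t != 0xA0]   # drop the optional [0] version
    return fields[2], fields[4]                        # serial, sigAlg, issuer, validity, subject

def check_chain(text, filename="LdapServerChain.cer"):
    """Return the upload-rule violations found; an empty list means the file is acceptable."""
    problems = []
    if not filename.lower().endswith(".cer"):
        problems.append("file name must end in .cer")
    if re.search(re.escape(END) + r"[ \t]*" + re.escape(BEGIN), text):
        problems.append("certificates must be separated by a new line")
    blocks = re.findall(re.escape(BEGIN) + "(.*?)" + re.escape(END), text, re.S)
    certs = []
    for b in blocks:
        try:
            certs.append(issuer_subject(base64.b64decode("".join(b.split()), validate=True)))
        except Exception:
            return problems + ["certificate %d is not valid base64 DER" % (len(certs) + 1)]
    for i in range(len(certs) - 1):                    # entry i must be issued by entry i+1
        if certs[i][0] != certs[i + 1][1]:
            problems.append("certificate %d is not issued by certificate %d (wrong order)" % (i + 1, i + 2))
    if not certs or certs[-1][0] != certs[-1][1]:
        problems.append("file is empty or the last certificate is not self-signed: chain does not reach the root CA")
    return problems

def sample_cert(subject, issuer):
    """Constructed DER skeleton holding only the fields issuer_subject reads; not a real certificate."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body        # short-form lengths suffice here
    name = lambda s: tlv(0x30, tlv(0x0C, s.encode()))
    tbs = tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, b"\x01") + tlv(0x30, b"") + name(issuer) + tlv(0x30, b"") + name(subject)
    der = tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return BEGIN + "\n" + base64.encodebytes(der).decode() + END + "\n"
```

    Run check_chain on the text of a real .cer file to list problems before uploading; an empty list means the ordering and formatting rules are met.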

    To configure LDAPS, do the following:

    Procedure
    1. Click the Use LDAPS Protocol checkbox on the Configure LDAP Server Credentials page.
      The Port is automatically changed to 636, which is the default LDAPS port number. If the LDAP server uses a different port for LDAPS, change the port to the required port number. For example, specify port 3269 for LDAPS with forest-level authentication. (Using nsroot.net instead of nam.nsroot.net as the domain with LDAPS on port 3269 allows customers to query the entire AD forest instead of just the AD domain on TCP port 636. AD role association is based on the group scopes Domain Local Groups and Universal Groups, which lets end users search AD with the appropriate scope as needed and avoids unnecessary group searches.) Upload Certificate becomes active when the Use LDAPS Protocol checkbox is selected.
    2. Click Upload Certificate.
      The Upload File dialog box appears.
    3. Click Choose File.
    4. Browse to the desired certificate file, then select the file and click Start Upload.
    5. After the file upload completes, click Apply to save the configuration changes.
    After you finish

    You must verify the configuration after configuring LDAP and uploading the server certificate file.

    Verify LDAPS configuration

    Note:  To avoid the possibility of data being unavailable, you must verify the LDAPS connection after every LDAPS configuration change.

    To verify the LDAPS configuration, do the following:

    Procedure
    1. Click Verify Connection on the Configure LDAP Server Credentials page.
      If the configuration is valid, a connection will be established with the LDAP server and a green check mark along with the text Connection Verified will appear.
    2. If the verification fails, the following steps are recommended to troubleshoot the failure:
      1. Verify the Configure LDAP Server Credentials configuration information, in particular the port number.
      2. Verify the LDAP server is online and configured for LDAPS.
      3. Verify the certificates in the uploaded certificate file are valid, for example, not expired and in the correct order.
      4. Verify the configured Server Name is in the Subject or Subject Alternative Name field in the LDAP server certificate.
      5. Verify there are no network issues; for example, firewall rules that would block access to the LDAPS port, and so on.
    After you finish

    After the LDAP server is configured, one or more LDAP users or groups must be added to the Unity system to map those users (or groups) to roles. Otherwise, LDAP authentication succeeds at login, but the login fails because no role can be assigned to the user.

    Configure LDAP user

    The procedure for creating an LDAP group on the Unity system is the same as for creating an LDAP user, except that the LDAP group must also exist on the LDAP server, with the LDAP users added as members of that group. Creating an LDAP group has the advantage that a single group configured on the Unity system can be assigned to multiple LDAP users.

    To create an LDAP user or group, do the following:

    Note: The LDAP server must be configured before an LDAP user or group can be created.
    Procedure
    1. In Unisphere, click the gear icon in the top menu bar to display the Settings page.
    2. In the left panel under Users and Groups, click User Management.
      The Manage Users & Groups page appears.
    3. Click the add icon (plus sign).
      The Create User or Group wizard appears.
    4. Do one of the following:
      • Click LDAP User.
      • Click LDAP Group.
    5. Click Next.
      The LDAP Information page appears with the LDAP Authority displayed on the page.
    6. For LDAP User, type the user name as it is listed on the LDAP server.
    7. Click Next.
      The Role page appears.
    8. Click the radio button for the role to be assigned.
    9. Click Next.
      The Summary page appears.
    10. After verifying that the LDAP user or group name and the role are correct, click Finish to complete the transaction or Back to change the user configuration.
      When the user or group is successfully created, the Results page appears.
    11. Click Close to close the Create User or Group wizard.
      The LDAP user or group just added appears in the list of users on the Manage Users & Groups page.