Active Directory Authentication Quick List/Cheat Sheet
- Richard Siemers
- Site Admin
- Posts: 1333
- Joined: Tue Aug 18, 2009 10:35 pm
- Location: Dallas, Texas
Active Directory Authentication Quick List/Cheat Sheet
SSH to the InServ with a local admin account.
Check that the InServ is set to use the proper NTP server using "shownet".
Check that the time on the InServ is in sync with "showdate". If the time deviates from the LDAP server too much, auth will fail.
Execute the following commands:
setauthparam ldap-server 10.x.x.x (# IP address of LDAP server)
setauthparam ldap-server-hn ldap.yourcompany.com (# Hostname of your ldap server, must reverse lookup to the IP address provided)
setauthparam kerberos-realm YOURCOMPANY.COM (# This is case sensitive and must match your Windows Kerberos realm case)
setauthparam binding sasl
setauthparam sasl-mechanism GSSAPI
setauthparam accounts-dn OU=Your\ Group,DC=yourcompany,DC=com (Location in your AD to search for users, put a \ in front of spaces within your dn)
setauthparam account-obj user
setauthparam account-name-attr sAMAccountName
setauthparam memberof-attr memberOf
setauthparam super-map CN=3PAR_ADMINS,OU=Administrative,DC=yourcompany,DC=com
Test the config with the checkpassword <username> command.
The last line of the output should read "user <username> is authenticated and authorized"
Richard Siemers
The views and opinions expressed are my own and do not necessarily reflect those of my employer.
- Richard Siemers
- Site Admin
- Posts: 1333
- Joined: Tue Aug 18, 2009 10:35 pm
- Location: Dallas, Texas
Re: Active Directory Authentication Quick List/Cheat Sheet
P.S. Also, make sure you do not have a local account on the 3PAR that matches your domain account name. If the same username exists in both places, it will authenticate with the local username/password combination first.
Richard Siemers
Re: Active Directory Authentication Quick List/Cheat Sheet
I'm now trying to connect to some different Windows DCs, but to no avail. I'm using the above procedure with SASL and GSSAPI.
Receiving the following messages when using checkpassword:
+ Kerberos credentials denied: Cannot contact any KDC for requested realm
All 3 DCs (Windows 2008 R2 64-bit) I tried to connect to give the same message.
Routing to and from the 3PAR is okay (though I wonder how I can ping from a 3PAR node).
Do I need to configure anything on Windows?
Regards,
Martien
- Richard Siemers
- Site Admin
- Posts: 1333
- Joined: Tue Aug 18, 2009 10:35 pm
- Location: Dallas, Texas
Re: Active Directory Authentication Quick List/Cheat Sheet
Howdy,
That error looks familiar; try changing the case of your realm name.
setauthparam kerberos-realm YOURCOMPANY.COM (# This is case sensitive and must match your Windows Kerberos realm case)
Everywhere I see our domain name it's always lower case; however, the realm name was ALL UPPER. It could be that Microsoft converts it to all upper by default... or perhaps the admin that started our domain was inconsistent...
Richard Siemers
Re: Active Directory Authentication Quick List/Cheat Sheet
I checked the realm name and it is all uppercase.
Just found out that there might be a problem communicating between two vlans, something with access lists on our LAN switches.
Will get back
Regards,
Martien
Re: Active Directory Authentication Quick List/Cheat Sheet
Finally back... the problem was an ACL in a switch which blocked LDAP traffic.
Took a while to figure that out... *grin*
Re: Active Directory Authentication Quick List/Cheat Sheet
Hi all,
I've tried to give each Multitenant Domain its own Active Directory access group, but it doesn't work. Any hint on how to do this?
e.g.:
Dom1 with access rights for AD-Group1
Dom2 with access rights for AD-Group2
Dom3 with access rights for AD-Group3
Dom4 with access rights for AD-Group3
Regards,
Re: Active Directory Authentication Quick List/Cheat Sheet
These commands are available when using Inform OS Virtual Domains and AD groups; more info is in the CLI Administrators Guide for your version of Inform OS:
- setauthparam <map_param> <map_value>
- setauthparam group-obj group
- setauthparam domain-name-attr <attribute>, and optionally setauthparam domain-name-prefix <prefix>
- checkpassword <user_name>
First you map an AD-group to an Inform OS role with the first command.
Then you map AD groups to a domain with the next command(s).
Check out pages 41-43 of the 3.1.1 CLI Administrators Guide for more info.
Regards,
Martien
Re: Active Directory Authentication Quick List/Cheat Sheet
I had a bit of trouble initially forcing Active Directory to work together with 3PAR Domains, since HP's documentation is somewhat lacking (and, at times, erroneous).
Here's how I managed to work around it:
Create your groups, one for each pairing of role and domain. I named them in the format of "3PAR-<domain>-<role>". In the case of global roles, use "all" in place of the domain name, since "all" is a reserved domain for global roles.
Set the description attribute for each group to "InServDomain=<domain>", where <domain> is either the name of the domain, or "all" in groups for global roles. Groups without this field set will not function.
Here are my groups:
dn: CN=3PAR-all-super,OU=Groups,DC=example,DC=com
description: InServDomain=all
dn: CN=3PAR-all-edit,OU=Groups,DC=example,DC=com
description: InServDomain=all
dn: CN=3PAR-all-browse,OU=Groups,DC=example,DC=com
description: InServDomain=all
dn: CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com
description: InServDomain=domainname
dn: CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com
description: InServDomain=domainname
These are the sanitized CLI commands that I used for my configuration (change the obvious to fit your environment):
setauthparam ldap-server 10.1.1.2
setauthparam ldap-server-hn ads.example.com
setauthparam kerberos-realm EXAMPLE.COM
setauthparam binding sasl
setauthparam sasl-mechanism GSSAPI
setauthparam accounts-dn ou=users,dc=example,dc=com
setauthparam account-obj user
setauthparam memberof-attr memberOf
setauthparam account-name-attr sAMAccountName
setauthparam group-obj group
setauthparam domain-name-attr description
setauthparam domain-name-prefix !InServDomain=
setauthparam super-map CN=3PAR-all-super,OU=Groups,DC=example,DC=com
setauthparam edit-map CN=3PAR-all-edit,OU=Groups,DC=example,DC=com CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com
setauthparam browse-map CN=3PAR-all-browse,OU=Groups,DC=example,DC=com CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com
Note that for each of the <role>-map commands, you need to put all of the related group DNs on the same line, not in sequential commands. If there are spaces in your DNs, be sure to escape them with a backslash.
Once you get it all set up and ready, verification should look like this:
inserv cli% showauthparam
Param ------------------------Value-------------------------
kerberos-realm EXAMPLE.COM
binding sasl
sasl-mechanism GSSAPI
accounts-dn ou=users,dc=example,dc=com
account-obj user
memberof-attr memberOf
ldap-server 10.1.1.2
ldap-server-hn ads.example.com
account-name-attr sAMAccountName
group-obj group
domain-name-attr description
super-map CN=3PAR-all-super,OU=Groups,DC=example,DC=com
edit-map CN=3PAR-all-edit,OU=Groups,DC=example,DC=com
edit-map CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com
browse-map CN=3PAR-all-browse,OU=Groups,DC=example,DC=com
browse-map CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com
domain-name-prefix !InServDomain=
inserv cli% checkpassword reactor
password:
+ attempting authentication and authorization using system-local data
+ authentication denied: unknown username
+ attempting authentication and authorization using LDAP
+ using Kerberos configuration file:
[domain_realm]
ads.example.com = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = ads.example.com
}
+ temporarily setting name-to-address mapping: ads.example.com -> 10.1.1.2
+ attempting to obtain credentials for "reactor@EXAMPLE.COM"
+ connecting to LDAP server using URI: ldap://ads.example.com
+ binding to user "reactor" with SASL mechanism GSSAPI
+ searching LDAP using:
search base: ou=users,dc=example,dc=com
scope: sub
filter: (&(objectClass=user)(sAMAccountName=reactor))
for attributes: memberOf
+ search result DN: CN=Reactor,OU=Users,DC=example,DC=com
+ search result: memberOf: CN=3PAR-all-super,OU=Groups,DC=example,DC=com
+ mapping rule: super mapped to by "CN=3PAR-all-super,OU=Groups,DC=example,DC=com"
+ rule match: super mapped to by "CN=3PAR-all-super,OU=Groups,DC=example,DC=com"
+ mapping rule: edit mapped to by "CN=3PAR-all-edit,OU=Groups,DC=example,DC=com"
+ mapping rule: edit mapped to by "CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com"
+ mapping rule: browse mapped to by "CN=3PAR-all-browse,OU=Groups,DC=example,DC=com"
+ mapping rule: browse mapped to by "CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com"
+ searching LDAP using:
search base: CN=3PAR-all-super,OU=Groups,DC=example,DC=com
scope: base
filter: (objectClass=group)
for attributes: description
+ search result DN: CN=3PAR-all-super,OU=Groups,DC=example,DC=com
+ search result: description: InServDomain=all
+ group "CN=3PAR-all-super,OU=Groups,DC=example,DC=com" has potential domain "all" (transformed from "InServDomain=all")
+ domain match: "all" mapped to super
user reactor is authenticated and authorized
Regards,
Aaron
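An added example, not 3PAR code and not from the post above, that models the group-to-role-to-domain decision the checkpassword trace walks through: each <role>-map DN is checked against the user's memberOf, and a matching group only grants the role for the domain carried in its description behind the InServDomain= prefix, so a group whose description was never set grants nothing. The directory data is constructed, and the treatment of the leading '!' in domain-name-prefix is an assumption inferred from the trace.

```python
ROLE_ORDER = ["super", "edit", "browse"]  # most to least privileged, as in the thread

def normalize_dn(dn):
    """LDAP DNs compare case-insensitively; also drop whitespace around RDNs."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def domain_from_attr(value, prefix):
    """Return the domain encoded in a group's domain-name-attr value, or None.
    Assumption: the leading '!' in the configured prefix only marks it as a
    prefix and is not part of the text to match (inferred from the trace above)."""
    literal = prefix[1:] if prefix.startswith("!") else prefix
    return value[len(literal):] if value.startswith(literal) else None

def authorize(member_of, groups, role_maps, domain_attr="description", prefix="!InServDomain="):
    """Map a user's memberOf DNs to {domain: role}.
    groups: normalized group DN -> {attribute: value} (stands in for the per-group LDAP read).
    role_maps: role -> list of group DNs, i.e. the <role>-map parameters."""
    member = {normalize_dn(dn) for dn in member_of}
    result = {}
    for role in ROLE_ORDER:                       # strongest role wins per domain
        for dn in role_maps.get(role, []):
            key = normalize_dn(dn)
            if key not in member:
                continue                          # mapping rule exists, no membership match
            domain = domain_from_attr(groups.get(key, {}).get(domain_attr, ""), prefix)
            if domain is None:
                continue                          # no InServDomain=... value: group is ignored
            result.setdefault(domain, role)
    return result

# Constructed directory data following the naming scheme from the post above.
BASE = "OU=Groups,DC=example,DC=com"
GROUPS = {
    normalize_dn(f"CN=3PAR-all-super,{BASE}"): {"description": "InServDomain=all"},
    normalize_dn(f"CN=3PAR-all-browse,{BASE}"): {"description": "InServDomain=all"},
    normalize_dn(f"CN=3PAR-domainname-edit,{BASE}"): {"description": "InServDomain=domainname"},
    normalize_dn(f"CN=3PAR-broken-edit,{BASE}"): {},  # description never set
}
ROLE_MAPS = {
    "super": [f"CN=3PAR-all-super,{BASE}"],
    "edit": [f"CN=3PAR-domainname-edit,{BASE}", f"CN=3PAR-broken-edit,{BASE}"],
    "browse": [f"CN=3PAR-all-browse,{BASE}"],
}

def demo():
    """Constructed users: a global admin, a tenant editor, and a member of the unset group."""
    admin = authorize([f"CN=3PAR-all-super,{BASE}"], GROUPS, ROLE_MAPS)
    tenant = authorize([f"cn=3par-domainname-edit,{BASE}", f"CN=3PAR-all-browse,{BASE}"], GROUPS, ROLE_MAPS)
    broken = authorize([f"CN=3PAR-broken-edit,{BASE}"], GROUPS, ROLE_MAPS)
    return admin, tenant, broken
```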
Re: Active Directory Authentication Quick List/Cheat Sheet
Is there a way to set up multiple LDAP servers for redundancy? I.e. if LDAP server 1 is unavailable, you are not able to authenticate.
Multiple values for:
setauthparam ldap-server
setauthparam ldap-server-hn