HPE Storage Users Group

A Storage Administrator Community
https://3parug.org/

Active Directory Authentication Quick List/Cheat Sheet

https://3parug.org/viewtopic.php?t=38

Page 1 of 2

Active Directory Authentication Quick List/Cheat Sheet

Posted: Mon Apr 12, 2010 3:15 pm
by Richard Siemers
SSH to the inserve with a local admin account.

Check to make sure the Inserve is set to use the proper NTP server using "shownet"

Check the time on the Inserve is insync with "showdate". If time deviates from LDAP server too much, auth will fail.

Execute the following commands:

setauthparam ldap-server 10.x.x.x (# IP address of LDAP server)
setauthparam ldap-server-hn ldap.yourcompany.com (# Hostname of your ldap server, must reverse lookup to the IP address provided)
setauthparam kerberos-realm YOURCOMPANY.COM (# This is case sensative and must match your windows kerberos realm case)
setauthparam binding sasl
setauthparam sasl-mechanism GSSAPI
setauthparam accounts-dn OU=Your\ Group,DC=yourcompany,DC=com (Location in your AD to search for users, put a \ in front of spaces within your dn)
setauthparam account-obj user
setauthparam account-name-attr sAMAccountName
setauthparam memberof-attr memberOf
setauthparam super-map CN=3PAR_ADMINS,OU=Administrative,DC=yourcompany,DC=com


Test the config with the checkpassword <username> command.
The last line of the output should read "user <username> is authenticated and authorized"

Re: Active Directory Authentication Quick List/Cheat Sheet

Posted: Mon Jun 27, 2011 4:15 pm
by Richard Siemers
P.S. Also, make sure you do not have a local account on the 3PAR that matches your domain account name. If the same username exists in both places, it will authenticate with the local username/password combination first.

Re: Active Directory Authentication Quick List/Cheat Sheet

Posted: Thu Sep 01, 2011 8:55 am
by Biite
I'm now trying to connect to some different Windows DC's but to no avail. I'm using the above procedure using SASL with GSSAPI.

Receiving the following messages when using checkpassword:
+ Kerberos credentials denied: Cannot contact any KDC for requested realm

All 3 DC's (Windows 2008 R2 64-bit) I tried to connect to give the same message :(

Routing to and from the 3Par is okay (though I wonder how I can ping from a 3par node :) )

Do I need to configure anything on Windows?

Regards,
Martien

Re: Active Directory Authentication Quick List/Cheat Sheet

Posted: Thu Sep 01, 2011 2:31 pm
by Richard Siemers
Howdy,

That error looks familair, try changing the case of your realm name.

setauthparam kerberos-realm YOURCOMPANY.COM (# This is case sensative and must match your windows kerberos realm case)


Everywhere I see our domain name its always lower case, however, the realm name was ALL UPPER. It could be that microsoft converts it to all upper by default... or perhaps our admin that started the domain was inconsistant...

Re: Active Directory Authentication Quick List/Cheat Sheet

Posted: Thu Sep 01, 2011 2:46 pm
by Biite
I checked the realm name and it is all uppercase.

Just found out that there might be a problem communicating between two vlans, something with access lists on our LAN switches.

Will get back ;)

Regards,
Martien

Re: Active Directory Authentication Quick List/Cheat Sheet

Posted: Mon Oct 10, 2011 7:42 am
by Biite
Finally back... problem was an ACL in a switch which block LDAP traffic :).

Took a while to figure that out... *grin*

Re: Active Directory Authentication Quick List/Cheat Sheet

Posted: Sun Oct 30, 2011 6:58 am
by SHermano
Hi all,

I've tried to give each Multitenant Domain his own Access Active Directory Group but it doesn't work. Any hint how to do this?
e.g.:
Dom1 with access rights for AD-Group1
Dom2 with access rights for AD-Group2
Dom3 with access rights for AD-Group3
Dom4 with access rights for AD-Group3

Regards,

Re: Active Directory Authentication Quick List/Cheat Sheet

Posted: Sun Oct 30, 2011 4:51 pm
by Biite
These commands are available when using Inform OS Virtual Domains and AD-groups, more info in the CLI Adminstrators Guide for your version of Inform OS:

  • setauthparam <map_param> <map_value>
  • setauthparam group-obj group
  • setauthparam domain-name-attr <attribute>, and optionallysetauthparam domain-name-prefix <prefix>
  • checkpassword <user_name>

First you map an AD-group to an Inform OS role with the first command.
Then you map AD-groups to a domain with then next command(s)

Check out page 41-43 of the 3.1.1 CLI Administrators Guide for more info.

Regards,
Martien

Re: Active Directory Authentication Quick List/Cheat Sheet

Posted: Wed Oct 16, 2013 9:57 pm
by Reactor
I had a bit of trouble initially forcing Active Directory to work together with 3PAR Domains, since HP's documentation is somewhat lacking (and, at times, erroneous).

Here's how I managed to work around it:

Create your groups, one for each pairing of role and domain. I named them in the format of "3PAR-<domain>-<role>". In the case of global roles, use "all" in place of the domain name, since "all" is a reserved domain for global roles.

Set the description attribute for each group to "InServDomain=<domain>", where <domain> is either the name of the domain, or "all" in groups for global roles. Groups without this field set will not function.

Here are my groups:

Code: Select all

dn: CN=3PAR-all-super,OU=Groups,DC=example,DC=com
description: InServDomain=all

dn: CN=3PAR-all-edit,OU=Groups,DC=example,DC=com
description: InServDomain=all

dn: CN=3PAR-all-browse,OU=Groups,DC=example,DC=com
description: InServDomain=all

dn: CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com
description: InServDomain=domainname

dn: CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com
description: InServDomain=domainname

These are the sanitized CLI commands that I used for my configuration (change the obvious to fit your environment):

Code: Select all

setauthparam ldap-server 10.1.1.2
setauthparam ldap-server-hn ads.example.com
setauthparam kerberos-realm EXAMPLE.COM
setauthparam binding sasl
setauthparam sasl-mechanism GSSAPI
setauthparam accounts-dn ou=users,dc=example,dc=com
setauthparam account-obj user
setauthparam memberof-attr memberOf
setauthparam account-name-attr sAMAccountName
setauthparam group-obj group
setauthparam domain-name-attr description
setauthparam domain-name-prefix !InServDomain=
setauthparam super-map CN=3PAR-all-super,OU=Groups,DC=example,DC=com
setauthparam edit-map CN=3PAR-all-edit,OU=Groups,DC=example,DC=com CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com 
setauthparam browse-map CN=3PAR-all-browse,OU=Groups,DC=example,DC=com CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com

Note that for each of the <role>-map commands, you need to put all of the related group DNs on the same line, not in sequential commands. If there are spaces in your DNs, be sure to escape them with a backslash.

Once you get it all set up and ready, verification should look like this:

Code: Select all

inserv cli% showauthparam
Param              ------------------------Value-------------------------
kerberos-realm     EXAMPLE.COM
binding            sasl
sasl-mechanism     GSSAPI
accounts-dn        ou=users,dc=example,dc=com
account-obj        user
memberof-attr      memberOf
ldap-server        10.1.1.2
ldap-server-hn     ads.example.com
account-name-attr  sAMAccountName
group-obj          group
domain-name-attr   description
super-map          CN=3PAR-all-super,OU=Groups,DC=example,DC=com
edit-map           CN=3PAR-all-edit,OU=Groups,DC=example,DC=com
edit-map           CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com
browse-map         CN=3PAR-all-browse,OU=Groups,DC=example,DC=com
browse-map         CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com
domain-name-prefix !InServDomain=
inserv cli% checkpassword reactor
password:
+ attempting authentication and authorization using system-local data
+ authentication denied: unknown username
+ attempting authentication and authorization using LDAP
+ using Kerberos configuration file:
   [domain_realm]
      ads.example.com = EXAMPLE.COM
   [realms]
      EXAMPLE.COM = {
         kdc = ads.example.com
      }
+ temporarily setting name-to-address mapping: ads.example.com -> 10.1.1.2
+ attempting to obtain credentials for "reactor@EXAMPLE.COM"
+ connecting to LDAP server using URI: ldap://ads.example.com
+ binding to user "reactor" with SASL mechanism GSSAPI
+ searching LDAP using:
   search base:    ou=users,dc=example,dc=com
   scope:          sub
   filter:         (&(objectClass=user)(sAMAccountName=reactor))
   for attributes: memberOf
+ search result DN: CN=Reactor,OU=Users,DC=example,DC=com
+ search result:    memberOf: CN=3PAR-all-super,OU=Groups,DC=example,DC=com
+ mapping rule: super mapped to by "CN=3PAR-all-super,OU=Groups,DC=example,DC=com"
+ rule match: super mapped to by "CN=3PAR-all-super,OU=Groups,DC=example,DC=com"
+ mapping rule: edit mapped to by "CN=3PAR-all-edit,OU=Groups,DC=example,DC=com"
+ mapping rule: edit mapped to by "CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com"
+ mapping rule: browse mapped to by "CN=3PAR-all-browse,OU=Groups,DC=example,DC=com"
+ mapping rule: browse mapped to by "CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com"
+ searching LDAP using:
   search base:    CN=3PAR-all-super,OU=Groups,DC=example,DC=com
   scope:          base
   filter:         (objectClass=group)
   for attributes: description
+ search result DN: CN=3PAR-all-super,OU=Groups,DC=example,DC=com
+ search result:    description: InServDomain=all
+ group "CN=3PAR-all-super,OU=Groups,DC=example,DC=com" has potential domain "all" (transformed from "InServDomain=all")
+ domain match: "all" mapped to super
user reactor is authenticated and authorized

Regards,
Aaron

Re: Active Directory Authentication Quick List/Cheat Sheet

Posted: Thu Feb 13, 2014 12:05 pm
by nsnidanko
Is there a way to set up multiple ldap-servers for redundancy? I.e if ldap server 1 is unavailable you are not able to authenticate.

Multiple values for:

setauthparam ldap-server
setauthparam ldap-server-hn
All times are UTC-05:00
Page 1 of 2

Powered by phpBB® Forum Software © phpBB Limited