Configuring Active Directory servers

Storage System User Administration Guide for Hitachi NAS Platform

Version: 15.3.x
Audience: anonymous
Part Number: MK-92HNAS013-31

Global Administrators can provide information to configure, modify, and list Active Directory (AD) servers for authentication on the Active Directory Servers page.

To enable Active Directory, the SMU administrator needs to know the following information:

  • The name of the domain or forest from which the Active Directory users and groups will access the SMU.
  • The LDAP distinguished name and password of an Active Directory user that has read access to users and groups on the Active Directory servers. This is referred to as the Search User. The user can search for users or groups under the supplied base distinguished name.
  • The addresses of one or more Active Directory servers that maintain the users and groups for the domain or forest. Each AD server must be from the same domain unless Global Catalog is enabled, in which case each AD server must be from the same forest. If DNS servers have been configured for the SMU, the SMU can discover these server addresses automatically: enter the forest or domain DNS name in the find servers dialog box and click find. The DNS SRV records that Active Directory registers for its domain controllers must be set up for find servers to locate them.
  • The Active Directory group or groups whose members are to be given the right to log into the SMU. To guarantee that membership will work properly with any AD server when Global Catalog is enabled, all the groups must be Universal groups.
  • If RADIUS was previously in use and it is to be replaced by Active Directory, then the RADIUS configuration must first be removed before Active Directory can be configured. This is done from the Home>SMU Administrator>RADIUS Servers page by clicking the remove all settings button. No RADIUS user will be able to log into the SMU after this is done.
Note: On the NAS system, local users and Active Directory groups can be given read-only access. A read-only user has permission to view most pages of the NAS Manager; however, they are not generally allowed to perform any actions on the NAS Manager that would create a system or configuration change.
  1. Navigate to Home > SMU Administrator to display the Active Directory Servers page.
  2. To authenticate with a Forest rather than with a Domain, mark the Global Catalog checkbox. The SMU then uses Global Catalog port 3268 or 3269 for every AD connection it initiates.
    The following table describes the fields on this page:
    Field/Item Description
    Connection
    Global Catalog To connect to an Active Directory Forest, the Global Catalog box must be checked.
    Connection port The port and encryption method to use when connecting to an Active Directory server.

    Non-Global Catalog options are:

    • port 389 unencrypted
    • port 389 encrypted using StartTLS
    • port 636 encrypted using LDAPS

    Global Catalog options are:

    • port 3268 unencrypted
    • port 3268 encrypted using StartTLS
    • port 3269 encrypted using LDAPS
    Connections
    Connection Attempts The maximum number of times that the SMU attempts to connect to each Active Directory server when a connection fails.
    Timeout for Connection Attempts The maximum time in seconds that the SMU waits when connecting to an Active Directory server before failing with a time out.
    Search Credentials
    Distinguished Name The LDAP distinguished name for a user that has search capabilities.
    Password The password for the search user.
    User Search
    Base Distinguished Name The root of an Active Directory subtree of entries from where the SMU searches for users. The maximum number of Base Distinguished Names is 5. During authentication, all Base Distinguished Names are scanned. The order can be changed with Move Up and Move Down buttons.
    Include Entire Directory If checked, the entire Active Directory forest will be searched for user details. During authentication, all the Base Distinguished Names are scanned with the Entire Directory being the last. This option is only available when Global Catalog is configured.
    Group Search
    Use User Search Settings If checked, the Base Distinguished Names from User Search section will be used.
    Base Distinguished Name The root of an Active Directory subtree of entries from where the SMU searches for groups. The maximum number of Base Distinguished Names is 5. This list is used by the find group utility which searches groups in the Active Directory domain or forest. The utility scans Base Distinguished Names in the order they appear in the list. The order can be changed with Move Up and Move Down buttons.
    Include Entire Directory If checked, the Entire Directory is scanned after all configured Base Distinguished Names. This option is only available when Global Catalog is configured.
    Servers
    IP Address or DNS Name The address of one or more Active Directory servers for the domain. Each AD server must be from the same domain unless Global Catalog is enabled in which case each AD server must be from the same Forest. The maximum number of servers is 20.
    find servers A utility which queries DNS to show the list of available Active Directory servers for the domain or forest. The NAS Manager lists the Active Directory servers in order of their response time (quickest first). If you add them in the same order, the SMU attempts to authenticate users against the fastest responding servers first.
    Forest DNS Name When Global Catalog is configured, the find servers utility expects the DNS name of the Active Directory Forest. Clicking the find button finds all the Active Directory servers that support Global Catalog.
    Domain DNS Name When Global Catalog is not configured, the utility expects the DNS name of the Active Directory Domain. Clicking the find button finds all the Active Directory servers in that Domain.
    Add Add an Active Directory server after you have entered its fully qualified domain name or IP address.
    Move Up / Move Down If there is more than one server, use these buttons to prioritize the list.
    Remove Remove a server from the list.
    apply Submit the page and save all the settings to the SMU database.
    Groups
    Groups with access to the SMU Shows groups with access to the SMU. Active Directory users who belong to these groups can access the SMU.
    Modify groups Click to go to the Active Directory Groups page, where you can add groups.
    Actions
    remove all settings Removes all Active Directory server settings, including server list, connection settings, search user credentials and groups. After this action, Active Directory users can no longer log into the SMU.
  3. Configure the following settings for the connections as required:
    • Connection Port - The port and encryption method to use when connecting to an Active Directory server. The options are 'LDAP port 389 unencrypted', 'LDAP port 389 using TLS' and 'LDAPS port 636'. In a Global Catalog configuration, the options are 'LDAP port 3268 unencrypted', 'LDAP port 3268 using TLS' and 'LDAPS port 3269'. The default value is 'LDAP port 389 using TLS', or 'LDAP port 3268 using TLS' for Global Catalog. Note that the unencrypted options send the Search User's bind password and all directory traffic in cleartext; keep the TLS or LDAPS default unless the network path to the AD servers is otherwise protected.
    • Connection Attempts - The maximum number of times that the SMU attempts to connect to each Active Directory server when a connection fails. The default value is four attempts.
    • Timeout for Connection Attempts - The maximum time in seconds that the SMU waits when connecting to an Active Directory server before failing with a timeout. The default value is 60 seconds.
  4. Enter the Distinguished Name.
    This is the Distinguished Name of the Search User, an existing user that has permission to access Active Directory. A Search User DN typically contains common name (cn) and possibly organizational unit (ou) attributes as well as the domain components. The domain components should match those used in the Base Distinguished Name. An example Search User DN is "cn=ldapguest,cn=users,dc=example,dc=com".
  5. Enter the Password of the Search User (an existing user that may access the directory).
  6. Enter the Base Distinguished Names for User Search

    These names must be entered in LDAP distinguished name (DN) format, which consists of a sequence of "attribute=value" pairs separated by commas. The Base Distinguished Name should contain the domain component (dc) attributes for the organization's domain or forest. For the domain example.com it would be "dc=example,dc=com". The name may also contain organizational unit (ou) attributes, for example "ou=staff,dc=example,dc=com" to restrict the search to one subtree. These Base Distinguished Names will be used to search for user details during authentication. No more than 5 Base Distinguished Names can be configured.

    When Global Catalog is configured, to search in the entire Active Directory forest, click on Include Entire Directory checkbox.

  7. Enter the Base Distinguished Names for Group Search

    By default, this is set to the same values as the Base Distinguished Names for User Search. To override these values, for example to make a narrower search, clear the Use User Search Settings checkbox and add at least one Base Distinguished Name.

  8. There are two ways to add Active Directory servers.
    • Enter the fully qualified domain name of the server or its IP address and click Add.
    • Click find servers. The NAS Manager will try to determine the DNS name of the Active Directory domain or forest from the Base Distinguished Names set for User Search. The value can be overridden manually. For an Active Directory forest setup, the DNS name of the Active Directory forest is expected. For an Active Directory domain, the DNS name of the domain is expected. Click find to get the list of Active Directory servers in order of their response time (quickest first). If you add them in the same order, the SMU attempts to authenticate users against the fastest responding servers first.
      Note: A DNS server or servers must be configured for the SMU (under Name Services) for find servers to work.
      • Select one or more servers and click add to add them to the list. No more than 20 Active Directory servers can be configured at a time.
      • When you are finished, click close to return to the Active Directory Servers window.
  9. If there is more than one server, the list can be prioritized using Move Up or Move Down buttons.
  10. Click Apply to submit this page and save all the settings to the SMU database.
    The SMU will perform a connection test to check that it can access the configured servers with the supplied details. It will also check for potential issues with configuration, for example whether a configured Base Distinguished Name exists in the Active Directory domain or forest. In case of an issue, a warning will be displayed. This gives the user the opportunity to either modify the settings or acknowledge that the settings are correct and save them as they are.

    Any information, warnings and errors related to Active Directory configuration or authentication are logged to /var/opt/smu/log/mgr/mgr.log and /var/opt/smu/log/mgr/security.log. Check these files first when an apply-time connection test or a user login fails.
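The procedure above, worked through as an added example that is not code from Hitachi or from the NAS Platform documentation: a Python script that applies the rules the steps state (LDAP DN format, the Search User's dc= components matching a Base DN, the limits of 5 Base DNs and 20 servers, the 389/636 versus 3268/3269 port split) and shows which DNS SRV names the find servers utility depends on. The SRV record names are the ones Active Directory registers; the SRV answer lines, the response times and all function names (check_config, order_servers and so on) are assumptions constructed for the example so it runs without a domain. The SMU's own checks and their exact wording are not public, so this script only mirrors what the page describes.

```python
# Offline pre-flight check for an SMU Active Directory configuration.
# Added example, not Hitachi code: applies the rules the procedure states
# (DN format, Search User dc= matching a Base DN, limits of 5 Base DNs and
# 20 servers, 389/636 vs 3268/3269) and shows the DNS SRV names that
# "find servers" relies on. SRV answers and response times are constructed.
import re
from dataclasses import dataclass

MAX_BASE_DNS, MAX_SERVERS = 5, 20

# (global_catalog, encryption) -> port, as in the Connection port table.
PORTS = {
    (False, "none"): 389, (False, "starttls"): 389, (False, "ldaps"): 636,
    (True, "none"): 3268, (True, "starttls"): 3268, (True, "ldaps"): 3269,
}

_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")

def parse_dn(dn):
    """Split a DN into [(attribute, value), ...]; ValueError if a component is
    not attribute=value. Simplification: escaped commas (RFC 4514) not handled."""
    rdns = []
    for part in dn.split(","):
        m = _RDN.match(part)
        if not m:
            raise ValueError(f"invalid component {part!r} in DN {dn!r}")
        rdns.append((m.group(1).lower(), m.group(2)))
    return rdns

def dns_name_from_dn(dn):
    """dc=example,dc=com -> 'example.com' (the domain/forest name that find
    servers derives from a Base DN)."""
    dcs = [v for a, v in parse_dn(dn) if a == "dc"]
    if not dcs:
        raise ValueError(f"no dc= components in {dn!r}")
    return ".".join(dcs)

def srv_name(dns_name, global_catalog):
    """SRV name that must resolve for find servers: Active Directory registers
    _gc._tcp.<forest> for Global Catalog servers, _ldap._tcp.<domain> for DCs."""
    return f"_gc._tcp.{dns_name}" if global_catalog else f"_ldap._tcp.{dns_name}"

@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

def parse_srv_answers(lines):
    """Parse dig-style lines: '_gc._tcp.example.com. 600 IN SRV 0 100 3268 dc1.example.com.'"""
    recs = []
    for line in lines:
        f = line.split()
        if len(f) >= 8 and f[3] == "SRV":
            recs.append(SrvRecord(int(f[4]), int(f[5]), int(f[6]), f[7].rstrip(".")))
    return recs

def order_servers(records, rtt_ms):
    """Quickest response first, as find servers lists them; SRV priority breaks ties."""
    ranked = sorted(records, key=lambda r: (rtt_ms.get(r.target, float("inf")), r.priority))
    return [r.target for r in ranked]

def check_config(search_user_dn, base_dns, servers, global_catalog, encryption="starttls"):
    """Warnings (empty means clean), in the spirit of the checks the SMU runs on apply."""
    warnings = []
    if not 1 <= len(base_dns) <= MAX_BASE_DNS:
        warnings.append(f"{len(base_dns)} Base DNs; 1 to {MAX_BASE_DNS} allowed")
    if not 1 <= len(servers) <= MAX_SERVERS:
        warnings.append(f"{len(servers)} servers; 1 to {MAX_SERVERS} allowed")
    domains = {dns_name_from_dn(b) for b in base_dns}
    if dns_name_from_dn(search_user_dn) not in domains:
        warnings.append("Search User DN dc= components match none of the Base DNs")
    if not global_catalog and len(domains) > 1:
        warnings.append("Base DNs span several domains but Global Catalog is off")
    if encryption == "none":
        warnings.append("unencrypted bind: Search User password crosses the network in cleartext")
    return warnings

# Constructed sample data: a plausible `dig +noall +answer SRV _gc._tcp.example.com`
# result and made-up connect times in milliseconds.
SAMPLE_SRV = [
    "_gc._tcp.example.com. 600 IN SRV 0 100 3268 dc1.example.com.",
    "_gc._tcp.example.com. 600 IN SRV 0 100 3268 dc2.example.com.",
    "_gc._tcp.example.com. 600 IN SRV 10 100 3268 dc3.child.example.com.",
]
SAMPLE_RTT_MS = {"dc1.example.com": 9, "dc2.example.com": 4, "dc3.child.example.com": 31}

def demo():
    search_dn = "cn=ldapguest,cn=users,dc=example,dc=com"
    base_dns = ["ou=staff,dc=example,dc=com", "dc=child,dc=example,dc=com"]
    servers = order_servers(parse_srv_answers(SAMPLE_SRV), SAMPLE_RTT_MS)
    return {
        "srv_name": srv_name(dns_name_from_dn(base_dns[0]), True),
        "servers": servers,
        "port": PORTS[(True, "starttls")],
        "warnings_gc": check_config(search_dn, base_dns, servers, True),
        "warnings_no_gc": check_config(search_dn, base_dns, servers, False, "none"),
    }

if __name__ == "__main__":
    print(demo())
```

With Global Catalog on, the two Base DNs in example.com and child.example.com produce no warnings and the servers come out quickest first; the same settings with Global Catalog off and an unencrypted port produce two warnings, one for the multi-domain Base DN list and one for the cleartext bind. Against a real domain, replace SAMPLE_SRV with the output of a dig or nslookup SRV query for the name srv_name returns.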