Creating an LDAP configuration file

System Administrator Guide for VSP E990 and VSP G130, G/F350, G/F370, G/F700, G/F900

Version: 88-08-0x
Audience: anonymous
Part Number: MK-97HM85028-11

You can use an LDAP server for authentication on your storage system.

To use an LDAP server for authentication, create a configuration file in UTF-8 encoding. Include information about the authentication server as shown in the following example. Any file name and extension are allowed.

CAUTION:
If you save the configuration file with the Windows standard Notepad application, specify ANSI as the character encoding. If you use an editor other than Notepad and it has a UTF-8 BOM setting, specify No BOM before saving.

auth.server.type=ldap
auth.server.name=<server_name>
auth.group.mapping=<value>
auth.ldap.<server_name>.<attribute>=<value>

A full example is shown here:

auth.server.type=ldap
auth.server.name=PrimaryServer
auth.group.mapping=true
auth.ldap.PrimaryServer.protocol=ldaps
auth.ldap.PrimaryServer.host=ldaphost.domain.local
auth.ldap.PrimaryServer.port=636
auth.ldap.PrimaryServer.timeout=3
auth.ldap.PrimaryServer.attr=sAMAccountName
auth.ldap.PrimaryServer.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.ldap.PrimaryServer.searchpw=password
auth.ldap.PrimaryServer.basedn=CN=Users,DC=domain,DC=local
auth.ldap.PrimaryServer.retry.interval=1
auth.ldap.PrimaryServer.retry.times=3
auth.ldap.PrimaryServer.domain.name=EXAMPLE.COM

The LDAP attributes are defined in the following table.

Each attribute is listed with whether it is required or optional and its default value, followed by its description.

auth.server.type (Required; default: None)
  Type of authentication server. Specify ldap.

auth.server.name (Required; default: None)
  Name of the authentication server (referred to as <server_name>).
  When registering a primary and a secondary server, use a comma to separate the names. The names, including the primary name, the secondary name, and the comma (1 byte), must total 64 bytes or less.
  The name can use all ASCII characters except for the following: \ / : , ; * ? " < > | $ % & ' ~

auth.group.mapping (Optional; default: false)
  Whether to work together with an authorization server:
    • true: Works together.
    • false: Does not work together.

auth.ldap.<server_name>.protocol (Required; default: None)
  LDAP protocol to use. Specify ldaps (LDAP over SSL/TLS). Do not specify starttls (StartTLS).

auth.ldap.<server_name>.host (Optional, see note 1; default: None)
  Host name, IPv4 address, or IPv6 address of the LDAP server. An IPv6 address must be enclosed in square brackets. To use StartTLS as the protocol, specify a host name.
  If this value is specified, auth.ldap.<server_name>.dns_lookup is ignored.

auth.ldap.<server_name>.port (Optional; default: 389)
  Port number of the LDAP server. Must be between 1 and 65,535 (see note 2).

auth.ldap.<server_name>.timeout (Required; default: 10)
  Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30 (see note 2).

auth.ldap.<server_name>.attr (Required; default: None)
  Attribute name that identifies a user (such as a user ID).
    • Hierarchical model: the attribute whose value identifies a user.
    • Flat model: the attribute used for a user entry's RDN.
  For Active Directory, sAMAccountName is used.

auth.ldap.<server_name>.searchdn (Optional; default: None)
  DN of the user used for searching. If omitted, [value_of_attr]=[Login_ID],[value_of_basedn] is used for bind authentication (see note 3).

auth.ldap.<server_name>.searchpw (Required; default: None)
  Password of the user used for searching. Specify the same password that is registered in the LDAP server.

auth.ldap.<server_name>.basedn (Required; default: None)
  BaseDN for searching for users to authenticate (see note 3).
    • Hierarchical model: DN of the hierarchy that includes all the users to be searched.
    • Flat model: DN of the hierarchy one level above the users to be searched.

auth.ldap.<server_name>.retry.interval (Optional; default: 1)
  Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5 (see note 2).

auth.ldap.<server_name>.retry.times (Optional; default: 3)
  Number of retries when the connection to the LDAP server fails. Must be between 0 and 3; zero means no retry (see note 2).

auth.ldap.<server_name>.domain.name (Required; default: None)
  Domain name that the LDAP server manages.

auth.ldap.<server_name>.dns_lookup (Optional; default: false)
  Whether to locate the LDAP server using the SRV records registered in the DNS server. Specify false (searches with the host name and port number). Do not specify true (searches with the SRV records registered in the DNS server).
Notes:
  1. This item can be omitted if true is specified for auth.ldap.<server_name>.dns_lookup.
  2. If the specified value is not valid, the default value is used.
  3. To use symbols such as + ; , < = and >, type a backslash (\) before each symbol. When using multiple symbols, each symbol must have a backslash before it. For example, to enter abc++ in the basedn or searchdn field, type abc\+\+.
    To enter \, /, or ", type a backslash (\) followed by the ASCII code in hex for the character:
    • To enter a backslash (\), type \5c.
    • To enter a forward slash (/), type \2f.
    • To enter a quotation mark ("), type \22.
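As an added example (not from the Hitachi guide or the storage system's own software), the following Python checks a file in this format against the rules in the table and notes above: required attributes, the numeric ranges with fall-back to the default (note 2), the host/dns_lookup relationship (note 1) and the DN escaping of note 3. The sample file, its host name and its placeholder password are constructed.

```python
# Added example (not from the Hitachi guide): parse and sanity-check the key=value
# LDAP configuration file described above. Required attributes, numeric ranges and
# DN escaping rules come from the table and notes; the sample file is constructed.
NAME_FORBIDDEN = set('\\/:;*?"<>|$%&\'~')   # auth.server.name rule (comma is the separator)
RANGES = {"port": (1, 65535, 389), "timeout": (1, 30, 10),  # (min, max, default)
          "retry.interval": (1, 5, 1), "retry.times": (0, 3, 3)}
REQUIRED = ("protocol", "timeout", "attr", "searchpw", "basedn", "domain.name")
DN_HEX = {"\\": "\\5c", "/": "\\2f", '"': "\\22"}   # note 3 hex escapes

SAMPLE = """auth.server.type=ldap
auth.server.name=PrimaryServer
auth.ldap.PrimaryServer.protocol=ldaps
auth.ldap.PrimaryServer.host=ldaphost.example.test
auth.ldap.PrimaryServer.port=70000
auth.ldap.PrimaryServer.attr=sAMAccountName
auth.ldap.PrimaryServer.searchpw=PLACEHOLDER_PASSWORD
auth.ldap.PrimaryServer.basedn=CN=Users,DC=example,DC=test"""

def escape_dn_value(value):
    """Escape one DN value for basedn/searchdn exactly as note 3 describes."""
    return "".join(DN_HEX.get(c, "\\" + c if c in "+;,<=>" else c) for c in value)

def parse_config(text):
    """Parse 'key=value' lines into a dict; lines without '=' are skipped."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def check_config(cfg):
    """Return (effective numeric settings, list of problems) for every named server."""
    effective, problems = {}, []
    if cfg.get("auth.server.type") != "ldap":
        problems.append("auth.server.type must be ldap")
    names = cfg.get("auth.server.name", "")
    if not names or len(names.encode()) > 64 or set(names) & NAME_FORBIDDEN:
        problems.append("auth.server.name missing, over 64 bytes or has forbidden characters")
    for name in filter(None, names.split(",")):
        p = f"auth.ldap.{name}."
        problems += [f"{p}{a} is required" for a in REQUIRED if p + a not in cfg]
        if cfg.get(p + "protocol", "ldaps") != "ldaps":
            problems.append(f"{p}protocol must be ldaps; starttls is not supported")
        if cfg.get(p + "dns_lookup", "false") == "true":
            problems.append(f"{p}dns_lookup must be false")
        elif p + "host" not in cfg:
            problems.append(f"{p}host is required unless dns_lookup is true")  # note 1
        for attr, (lo, hi, default) in RANGES.items():   # note 2: invalid -> default
            val = cfg.get(p + attr, "")
            val = int(val) if val.isdigit() else default
            effective[p + attr] = val if lo <= val <= hi else default
    return effective, problems
```

Running `check_config(parse_config(SAMPLE))` reports the missing timeout and domain.name attributes and replaces the out-of-range port 70000 with the default 389.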