Enabling external authentication

Storage Advisor Embedded User Guide
Version: 93-07-2x, 88-08-12
Part Number: MK-97HM85022-25

You can set up external authentication using an LDAP directory server. The storage system then verifies user credentials against the directory over a TLS-protected connection and, if External User Group Mapping is enabled, takes user group membership from the directory as well.

Ensure that the following requirements are met:
  • The authentication server must support TLS 1.2 as the transport protocol.
  • The LDAP directory server must be reachable from the management LAN.
  • Contact the administrator of the LDAP directory server to obtain the certificate to register.
  • The authentication protocol must be LDAPv3 simple bind authentication. A simple bind sends the password in the clear inside the connection, which is why TLS is mandatory.
  • The certificate file type must be a CA (Certification Authority) root certificate.
  • The certificate file format must be X509 DER or X509 PEM.
  • When searching for servers by the information registered in SRV records on the DNS server:
    • The DNS server setting must be completed on the LDAP server.
    • The host name, port number, domain name, and other parameters of the LDAP directory server must be registered in the DNS server.
  • Make sure the authentication server is configured with the user groups defined in the maintenance utility, and that external users are assigned to these user groups.
    • If you do not create user accounts in the maintenance utility, the authentication server allocates user groups to users: configure the same user group name on the storage system and on the authentication server.
    • If you create user accounts in the maintenance utility, users are authenticated by the authentication server, but user groups are allocated to them according to the configuration in the maintenance utility.
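The requirements above can be checked from a workstation before anything is entered in the maintenance utility. The following is an added example using only the Python standard library (it is not product code): it accepts the certificate file in either supported format, builds a TLS 1.2-or-later client context anchored on that CA root alone, and exercises both protocol options, LDAP over SSL/TLS and STARTTLS, the latter by sending the RFC 4511 StartTLS extended operation by hand. The host name, port and file name on the command line are hypothetical. A host name that does not match the server certificate surfaces as an SSLCertVerificationError, which is the same condition the settings table warns about.

```python
"""Pre-flight check of the LDAP server requirements above (TLS 1.2, a CA root
certificate in X509 DER or PEM form, host name matching the server
certificate) for both protocol choices, LDAP over SSL/TLS and STARTTLS.
Added example using only the Python standard library; it is not product code."""
import socket
import ssl
from typing import Optional

# RFC 4511 StartTLS extended operation, requested before the TLS handshake.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ca_to_pem(data: bytes) -> str:
    """Accept the registered certificate file in either supported format and
    return PEM text; ssl only loads certificates from memory as PEM."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return data.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(data)


def make_context(ca_pem: Optional[str]) -> ssl.SSLContext:
    """Client context mirroring the settings page: TLS 1.2 or later only,
    server certificate required, host name checked, and trust anchored on the
    registered CA root alone (system roots only when no file is given)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_pem is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def starttls_request(message_id: int = 1) -> bytes:
    """BER-encode LDAPMessage { messageID, ExtendedRequest { requestName } }.
    message_id must fit in one byte (1..127) for this short-form encoder."""
    request_name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # [0] LDAPOID
    ext_request = b"\x77" + bytes([len(request_name)]) + request_name   # [APPLICATION 23]
    body = b"\x02\x01" + bytes([message_id]) + ext_request               # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                           # SEQUENCE


def starttls_result_code(resp: bytes) -> int:
    """Return resultCode from the ExtendedResponse (0 = success). Only the
    short-form lengths a StartTLS response uses are handled."""
    if not resp or resp[0] != 0x30:
        raise ValueError("not an LDAPMessage")
    i = 2                                   # past SEQUENCE tag and length
    if resp[i] != 0x02:
        raise ValueError("messageID missing")
    i += 2 + resp[i + 1]                    # skip INTEGER messageID
    if resp[i] != 0x78:                     # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    i += 2                                  # past tag and length
    if resp[i] != 0x0A:                     # ENUMERATED resultCode
        raise ValueError("resultCode missing")
    return resp[i + 2]


def check_ldaps(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 10.0) -> str:
    """LDAP over SSL/TLS: TLS from the first byte. Returns the negotiated version."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def check_starttls(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 10.0) -> str:
    """STARTTLS (the only choice with DNS Lookup enabled): plaintext LDAP first,
    then the StartTLS extended operation, then TLS on the same connection."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(starttls_request())
        code = starttls_result_code(raw.recv(1024))
        if code != 0:
            raise RuntimeError(f"server refused StartTLS, resultCode={code}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    import sys
    # usage: python preflight.py ldaps|starttls HOST PORT CA_FILE   (all values hypothetical)
    mode, host, port, ca_file = sys.argv[1], sys.argv[2], int(sys.argv[3]), sys.argv[4]
    with open(ca_file, "rb") as f:
        context = make_context(ca_to_pem(f.read()))
    check = check_ldaps if mode == "ldaps" else check_starttls
    print("negotiated", check(host, port, context))  # SSLCertVerificationError on CN mismatch
```

The timeout default of 10 seconds matches the recommended Primary Server - Timeout value. Run the check once per protocol you intend to select and once against the secondary server if you enable it; its certificate must chain to the same registered CA root, since only one certificate file is configured.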

  1. Log in to the maintenance utility.
  2. Click Administration > External Authentication > Set Up Server > LDAP.
  3. Complete the entries in the Set Up Server (LDAP) setting window. For details about each item, refer to the following table.
  4. Enter a Test User Name and its password, click Check under Server Configuration Test, and confirm that the result is successful.
  5. Confirm the settings, and then click Apply.

Set Up Server (LDAP) settings

Item: Description

Certificate File Name (Required)
  Click Browse and specify the CA root certificate file. The following formats are supported:
  • X509 DER
  • X509 PEM

DNS Lookup (Required)
  Select how the authentication and authorization server is located.
  • Enable: Locates the server using the SRV records in the DNS server.
  • Disable: Locates the server using the host name or IP address entered under Primary Server.

Authentication Protocol (Required)
  Select the LDAP protocol. The following protocols can be used:
  • LDAP over SSL/TLS
  • STARTTLS
  If you select Enable in DNS Lookup, you cannot select LDAP over SSL/TLS.

External User Group Mapping
  Choose whether the specified LDAP directory server is also used as an authorization server.
  • Enable: Uses the LDAP directory server as an authorization server; user groups are taken from the directory.
  • Disable: Does not use the LDAP directory server as an authorization server.

Primary Server - Host Name (Required)
  Enter the host name or IP address of the LDAP directory server.
  Enter the same host name or IP address as the common name (CN) of the certificate presented by the LDAP directory server, because certificate verification compares the two.
  If you select Enable in DNS Lookup, this item does not need to be specified.

Primary Server - Port Number (Required)
  Enter the port number of the LDAP directory server.
  If you select Enable in DNS Lookup, this item does not need to be specified.

Primary Server - Domain Name (Required)
  Enter the domain name of the LDAP directory tree.

Primary Server - User Name Attribute (Required)
  Enter the name of the attribute that holds the user ID used for authentication.
  • Usable characters: Alphanumeric characters and symbols (! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~)
  • Hierarchical model: Specify the attribute whose value identifies the user; the user entry is found by searching under the Base DN.
  • Flat model: Specify the attribute used in the RDN of the user entry.

Primary Server - Timeout (Required)
  Enter the time in seconds after which a connection attempt to the LDAP directory server is treated as timed out. The recommended value of 10 seconds is also the default.

Primary Server - Retry Interval (Required)
  Enter the interval in seconds between retries when communication with the LDAP directory server fails. The recommended value of 1 second is also the default.

Primary Server - Number of Retries (Required)
  Enter the number of retries when communication with the LDAP directory server fails. The recommended value of 3 is also the default.

Primary Server - Base DN (Required)
  Enter the base DN under which the users to authenticate are searched.
  • Usable characters: Alphanumeric characters and all symbols.
  • Hierarchical model: Enter the DN of a hierarchy that includes all the users to be searched.
  • Flat model: Enter the DN of the hierarchy one level above the user entries to be searched.
  Example: DC=ICPVM,DC=LOCAL
  To use symbols such as + ; , < = > in a DN value, enter a backslash (\) before the symbol as the escape sequence.
  For the following three symbols, enter a backslash (\) followed by the ASCII code of the symbol in hexadecimal:
  • \5c for \
  • \2f for /
  • \22 for "

Primary Server - Search User's DN (Required)
  Specify the DN of the account that the storage system binds as when it searches the directory for users. An account with read-only search permission on the Base DN is sufficient; do not use a privileged account for this purpose.
  Usable characters: Alphanumeric characters and all symbols.
  Required if you specify sAMAccountName in Primary Server - User Name Attribute, or when you select Enable in External User Group Mapping.
  Example: CN=Administrator,CN=Users,DC=ICPVM,DC=LOCAL
  To use symbols such as + ; , < = > in a DN value, enter a backslash (\) before the symbol as the escape sequence.
  For the following three symbols, enter a backslash (\) followed by the ASCII code of the symbol in hexadecimal:
  • \5c for \
  • \2f for /
  • \22 for "
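The DN escaping rules above, and the difference between the hierarchical and flat models described under User Name Attribute and Base DN, are easy to get wrong by hand. The following is an added example, not product code, that applies them in code: the backslash and \XX hex rules the page gives for DN values, plus, beyond what the page states, the RFC 4514 cases for a leading '#' or a leading/trailing space, and RFC 4515 escaping for the value placed in a search filter. The filter escaping matters because a login name is untrusted input and must not be able to change the search. The attribute names and DNs used in the usage section are illustrative.

```python
"""DN values and search filters for the Set Up Server (LDAP) settings.
Added example, not product code. Applies the page's DN escaping rules, the
RFC 4514 leading-'#'/space cases and RFC 4515 filter escaping (the latter two
are not stated on the page)."""
from typing import List, Tuple

DN_BACKSLASH_ESCAPED = set(",+;<=>")                        # page rule: prefix with a backslash
DN_HEX_ESCAPED = {"\\": r"\5c", "/": r"\2f", '"': r"\22"}   # page rule: backslash + hex code


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (Base DN, Search User's DN)."""
    out = []
    for ch in value:
        if ch in DN_HEX_ESCAPED:
            out.append(DN_HEX_ESCAPED[ch])
        elif ch in DN_BACKSLASH_ESCAPED:
            out.append("\\" + ch)
        else:
            out.append(ch)
    escaped = "".join(out)
    if value[:1] in (" ", "#"):                 # RFC 4514: leading space or '#'
        escaped = "\\" + escaped
    if len(value) > 1 and value.endswith(" "):  # RFC 4514: trailing space
        escaped = escaped[:-1] + "\\ "
    return escaped


def escape_filter_value(value: str) -> str:
    """RFC 4515: ( ) * \\ and NUL in an assertion value become \\XX, so a login
    name like 'a)(cn=*' cannot widen the user search."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def build_dn(rdns: List[Tuple[str, str]]) -> str:
    """Join (attribute, value) pairs into a DN, escaping each value."""
    return ",".join(f"{attr}={escape_dn_value(value)}" for attr, value in rdns)


def user_search_filter(user_attr: str, login_name: str) -> str:
    """Hierarchical model: the user entry is found by a subtree search under the
    Base DN for the entry whose User Name Attribute equals the login name."""
    return f"({user_attr}={escape_filter_value(login_name)})"


def flat_model_user_dn(user_attr: str, login_name: str, base_dn: str) -> str:
    """Flat model: the user entry sits directly under the Base DN (which is one
    level up), so its DN is derived without a search."""
    return f"{user_attr}={escape_dn_value(login_name)},{base_dn}"


if __name__ == "__main__":
    base = build_dn([("DC", "ICPVM"), ("DC", "LOCAL")])
    print(build_dn([("CN", "Administrator"), ("CN", "Users"), ("DC", "ICPVM"), ("DC", "LOCAL")]))
    print(build_dn([("CN", "Smith, John/Ops"), ("CN", "Users"), ("DC", "ICPVM"), ("DC", "LOCAL")]))
    print(user_search_filter("sAMAccountName", "jsmith"))
    print(user_search_filter("sAMAccountName", "a)(cn=*"))   # injection attempt, neutralised
    print(flat_model_user_dn("uid", "smith, j", "OU=People," + base))
```

Note that the two escaping schemes are not interchangeable: a comma in a DN value is written `\,`, while the same character needs no escaping in a filter, and `*` needs none in a DN but becomes `\2a` in a filter.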
Primary Server - Password (Required)
  Enter the password of the search user. Enter the same password that is registered in the LDAP directory server.
  Usable characters: Alphanumeric characters and symbols (! # $ % & ' ( ) * + - . = @ \ ^ _ |)
  Required if you specify sAMAccountName in Primary Server - User Name Attribute, or when you select Enable in External User Group Mapping.

Primary Server - Re-enter Password (Required)
  Re-enter the password entered in Primary Server - Password.

Secondary Server
  Select whether to use a secondary server.
  • Enable: Uses the secondary server.
  • Disable: Does not use the secondary server.
  If you select Enable in DNS Lookup, this item does not need to be specified.

Secondary Server - Host Name
  Enter the host name or IP address of the secondary server.
  Enter the same host name or IP address as the common name (CN) of the certificate presented by the secondary server. Only one certificate file is registered, so the secondary server's certificate must be issued by the same CA as the primary server's.
  If you select Disable in Secondary Server, this item does not need to be specified.

Secondary Server - Port Number
  Enter the port number of the secondary server.
  If you select Disable in Secondary Server, this item does not need to be specified.

Test User Name (Required to test the configuration)
  Enter a user name for the Server Configuration Test.
  Usable characters: Alphanumeric characters and symbols (! # $ % & ' * + - . / = ? @ ^ _ ` { | } ~)

Test User Name - Password (Required to test the configuration)
  Enter the password of the user specified in Test User Name.
  Usable characters: Alphanumeric characters and symbols (! # $ % & ' * + - . / = ? @ ^ _ ` { | } ~)

Server Configuration Test
  Click Check to test the connection to the authentication and authorization server with the specified settings.

Server Configuration Test - Result
  Displays the result of the connection test for the authentication and authorization server.
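When Check fails it helps to reproduce the same sequence from a workstation: bind as the search user, find the test user by the User Name Attribute under the Base DN, bind as that user, and, with External User Group Mapping enabled, read the group names that must match the user groups defined in the maintenance utility. The following is an added example, not product code. It assumes the third-party ldap3 library (pip install ldap3); the host name, DNs and credentials in the usage section are hypothetical. The `group_names` helper, which extracts the CN from each memberOf DN, works offline.

```python
"""Reproducing the Server Configuration Test from a workstation.
Added example, not product code. Assumes the third-party ldap3 library; the
values in the usage section are hypothetical."""
import re
import ssl
from typing import List, Optional, Tuple

try:
    import ldap3
    from ldap3.utils.conv import escape_filter_chars   # RFC 4515 escaping of the login name
except ImportError:                                     # offline helpers stay importable
    ldap3 = None


def unescape_rdn_value(value: str) -> str:
    """Undo DN escaping (\\XX hex or backslash-symbol) to recover the plain name."""
    return re.sub(r"\\([0-9a-fA-F]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  value)


def group_names(member_of: List[str]) -> List[str]:
    """CN of each memberOf DN: the name that must equal a user group name
    defined in the maintenance utility when External User Group Mapping is on."""
    names = []
    for dn in member_of:
        first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]   # split on unescaped comma only
        attr, _, value = first_rdn.partition("=")
        if attr.strip().lower() == "cn":
            names.append(unescape_rdn_value(value))
    return names


def server_configuration_test(host: str, port: int, ca_file: str, starttls: bool,
                              search_user_dn: Optional[str], search_password: Optional[str],
                              base_dn: str, user_attr: str,
                              test_user: str, test_password: str,
                              group_mapping: bool) -> Tuple[str, List[str]]:
    """Return (DN of the test user, group names) after a successful bind as that user."""
    if ldap3 is None:
        raise RuntimeError("pip install ldap3 for the live check")
    tls = ldap3.Tls(ca_certs_file=ca_file, validate=ssl.CERT_REQUIRED,
                    version=ssl.PROTOCOL_TLS_CLIENT)
    server = ldap3.Server(host, port=port, use_ssl=not starttls, tls=tls, get_info=ldap3.NONE)
    # Search user bind. The table makes this DN mandatory with sAMAccountName or
    # group mapping; other setups may search anonymously, hence Optional.
    conn = ldap3.Connection(server, user=search_user_dn, password=search_password,
                            authentication=ldap3.SIMPLE if search_user_dn else ldap3.ANONYMOUS,
                            raise_exceptions=True)
    conn.open()
    if starttls:
        conn.start_tls()                  # TLS is up before any password leaves the host
    conn.bind()
    conn.search(base_dn, f"({user_attr}={escape_filter_chars(test_user)})",
                search_scope=ldap3.SUBTREE, attributes=["memberOf"])
    if len(conn.entries) != 1:
        raise RuntimeError(f"expected exactly one entry for {test_user!r}, found {len(conn.entries)}")
    entry = conn.entries[0]
    member_of = list(entry.memberOf.values) if "memberOf" in entry.entry_attributes else []
    conn.rebind(user=entry.entry_dn, password=test_password)   # simple bind as the test user
    conn.unbind()
    return entry.entry_dn, group_names(member_of) if group_mapping else []


if __name__ == "__main__":
    # Hypothetical values in the style of the examples on this page.
    user_dn, groups = server_configuration_test(
        host="ldap.icpvm.local", port=389, ca_file="root-ca.pem", starttls=True,
        search_user_dn="CN=svc-storage-ldap,CN=Users,DC=ICPVM,DC=LOCAL",
        search_password="<search-password>", base_dn="DC=ICPVM,DC=LOCAL",
        user_attr="sAMAccountName", test_user="jsmith", test_password="<test-password>",
        group_mapping=True)
    print(user_dn, groups)
```

If the search step returns zero entries the Base DN or User Name Attribute is wrong for the directory's model; if it returns more than one, the attribute is not unique under that Base DN; if the final rebind fails, the test user's password is wrong. A group name returned here that does not exactly match a user group in the maintenance utility is why a user can log in but receives no roles.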