When an external authentication server is linked, authentication can be performed by using the user information registered in the external authentication server. Only an OpenLDAP or Active Directory (AD) external authentication server can be linked.
The following versions of external authentication servers are supported:
-
OpenLDAP: 2.4
-
Windows Server (Active Directory): 2012 R2, 2016, 2019
TLS protocols available:
-
LDAPS
-
StartTLS
To use a TLS protocol, you must set isStartTlsEnabled, primaryLdapServerUrl, and secondaryLdapServerUrl in the external authentication server settings according to the following table:
TLS protocol to be used |
External authentication server settings |
|
---|---|---|
isStartTlsEnabled |
primaryLdapServerUrl secondaryLdapServerUrl |
|
LDAPS |
false |
ldaps://example1.com |
StartTLS |
true |
ldap://example2.com |
The following shows how you can specify the external authentication server settings in the cases of using the REST API and the CLI:
REST API: PATCH /v1/objects/external-auth-server-setting
CLI: external_auth_server_setting_set
-
To use a Windows Server machine as the external authentication server, enable the TLS protocol, and then import the root certificate of the external authentication server. In Windows Server, a setting requiring an LDAP server signature has been enabled by default since January 2020. Therefore, disabling the TLS protocol might result in unsuccessful connection.
-
In an environment with multiple AD/LDAP servers specified, if the AD/LDAP server on the primary node goes down or becomes unreachable when STARTTLS is enabled, external authentication becomes unavailable. This is because STARTTLS does not support a redundant configuration of the AD/LDAP server. Note that external authentication is also unavailable if an AD/LDAP server is specified on only the secondary node.
In the case that the external AD/LDAP server goes down if STARTTLS is enabled, log in to the system as a local user and change the designation of the external AD/LDAP server by editing the external authentication server settings.
-
If an error occurs in a primary external authentication server in a redundant configuration with LDAPS, responses might be delayed up to about 10 minutes.
To ensure the security of the connection between the storage system and the external authentication server, configure the external authentication server as follows.
-
LDAP clients that the storage system uses to connect to external authentication servers allow unsafe renegotiating for backward compatibility. When connecting TLS to an external authentication server, we recommend that you use an external authentication server that is compatible with RFC 5746.
-
The external authentication server is TLS1.2 supported.
The LDAP client that is used by the storage system for connection with the external authentication server uses only TLS1.2. However, you should disable vulnerable protocol versions (SSL2.0, SSL3.0, TLS1.0, and TLS1.1) in the external authentication server settings.
-
At least one of the following is supported by the external authentication server as a TLS cipher suite.
(1) TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
(2) TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
(3) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(4) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(5) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
(6) TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-
If the cipher suite requirements are not met, TLS connection to the external authentication server cannot be established.
-
For whether the external authentication server supports any of the preceding cipher suites, see the documentation for the external authentication server to be used.
-
You might need to specify the settings for key exchange (DHE or ECDHE) on the external authentication server according to the key exchange method (DHE or ECDHE) of the cipher suite to be used. For details about the settings to be specified, see the documentation for the external authentication server to be used. Note that the OpenLDAP version that supports the ECDHE key exchange method is 2.4.48 or later.
-
The cipher suites that can be used differ depending on whether the server certificate set on the external authentication server is an RSA or ECC certificate. For an RSA certificate, the first to fourth cipher suites in the above can be used. For an ECC certificate, the fifth and sixth cipher suites in the above can be used. For details about how to set a server certificate on the external authentication server, see the documentation for the external authentication server to be used.
-
The LDAP client that is used by the storage system for connection with the external authentication server uses only the preceding cipher suites. Disable the other vulnerable cipher suites in the settings on the external authentication server. Vulnerable cipher suites refer to the cipher suites shown in Appendix A. TLS 1.2 Cipher Suite Black List of RFC7540.
-
-
If multiple server certificates are to be set on the external authentication server, they must be issued so that their authenticity can be proved by only one root certificate imported into the storage system.
Two use cases are possible:
When users are not managed on a group basis on the external authentication server:
A user is authenticated by using the user group information registered in VSP One SDS Block. The external authentication server is used as follows in VSP One SDS Block. After setting a link with the external authentication server, create a user locally in VSP One SDS Block by using the same user name (user ID) registered in the external authentication server. Hereinafter, these users might be called external users.
(Example) Alice, an external user, belongs to a built-in user group AuditAdministrators that has the Audit role.
She can download audit log files (required for the Audit role) by running the GET /v1/objects/audit-logs/download command with Alice specified for the user name and her password specified.
In this case, the external authentication server confirms that Alice has specified the correct password. VSP One SDS Block obtains the group from the user to which the external authentication server responded, obtains a role from the group, and then grants access after comparing the role to that required for access to URL /v1/objects/audit-logs/download.
The user Alice and group AuditAdministrators must be registered in VSP One SDS Block. Her password does not need to be registered.
The case in which users are not managed on a group basis on the external authentication server is called an external authentication and local authorization use case. This use case corresponds to the case in which the REST API (CLI) is run with "User" specified for the mappingMode (CLI: --mapping_mode) parameter in PATCH /v1/objects/external-auth-server-setting (CLI: external_auth_server_setting_set).
When users are managed on a group basis on the external authentication server:
This use case is supported when the external authentication server is Active Directory. A user is authenticated by using the user group information registered in the external authentication server. It is assumed that the external user belongs to a group of external authentication servers. In VSP One SDS Block, set the link with the external authentication server, create a user group locally in VSP One SDS Block, and then set the name of the external group in a parameter. In this case, you do not have to create a user individually. Hereinafter, these user groups might be called external groups.
(Example) Alice (a user) belongs to a CorporateAuditAdministrators group defined in an external authentication server.
In this case, whether Alice specified a correct password and belongs to a CorporateAuditAdministrators group are verified by an external authentication server. VSP One SDS Block obtains the role from the group to which the external authentication server responded, and then grants access after comparing the role to that required for access to URL /v1/objects/audit-logs/download.
The user Alice does not need to be registered in VSP One SDS Block. However, the group CorporateAuditAdministrators must be registered. More specifically, run the POST /v1/objects/user-groups (CLI: user_group_create) command with a user group corresponding to CorporateAuditAdministrators specified for the externalGroupName (CLI: --external_group_name) parameter.
The case in which users are managed on a group basis on the external authentication server is called an external authentication and external authorization use case. This use case corresponds to the case in which the REST API (CLI) is run with "Group" specified for the mappingMode (CLI: --mapping_mode) parameter in PATCH /v1/objects/external-auth-server-setting (CLI: external_auth_server_setting_set).
Each time an external authentication server is used, an inquiry is made to the external authentication server (in basic authentication) to verify the latest information. In session authentication, no inquiry is made to the external authentication server, but authentication is performed just by verifying if the token is valid.
Precautions when using an external authentication server:
- If connection to the external server is lost, authentication by the external authentication server becomes no longer possible. To perform operations for restoring connection to the external authentication server, a user with the Security role is required. Therefore, enable at least one user having the Security role for local authentication. If you want to perform other operations while connection to the external server is lost, consider creating a user having the role required for the operations for local authentication.
-
The maximum number of characters that can be used for a user name and user group name on the external authentication server that can be linked with VSP One SDS Block is 64.
-
It might take approximately five minutes until a password change made on the external authentication server is reflected to VSP One SDS Block. The time required to do this depends on the settings of the external authentication server.
-
If you are managing users in groups on an external authentication server, or if you are using an external authentication server even if you are not managing users in groups, the following user group-related parameters and attributes must be set.
-
userIdAttribute
-
userTreeDn
-
userObjectClass
-
externalGroupNameAttribute
-
userGroupTreeDn
-
userGroupObjectClass
When users are not managed on a group basis, specify the same values for the group-related parameters externalGroupNameAttribute, userGroupTreeDn, and userGroupObjectClass as the values for the user-related parameters userIdAttribute, userTreeDn, and userObjectClass. To verify connection by using POST /v1/objects/external-auth-server-setting/actions/verify-connectivity/invoke (CLI: external_auth_server_setting_verify_connectivity) or other means, ignore the returned value of numberOfExternalUserGroups.
For details about the setting values, see the VSP One SDS Block REST API Reference or the VSP One SDS Block CLI Reference.
-
-
If a Windows server is used as the external authentication server and users are managed on a group basis on the external authentication server, users who only belong to "Domain Users" (i.e., only belonging to the default user group) cannot be authenticated.
Configure the users to also belong to an external group other than "Domain Users" as described in When users are managed on a group basis on the external authentication server.
How to use mappingMode with VSP One SDS Block
When OpenLDAP is used as the external authentication server, "Group" cannot be used in mappingMode (CLI: --mapping_mode). This is because OpenLDAP does not support operations of searching groups to which users belong.
When Active Directory is used as the external authentication server, you can specify either "User" or "Group" in mappingMode (CLI: --mapping_mode). When the group of Active Directory corresponds to the role of VSP One SDS Block, use "Group" in mappingMode (CLI: --mapping_mode). If the group of Active Directory does not correspond to the role of VSP One SDS Block, use "User" in mappingMode (CLI: --mapping_mode).
-
Example of a case in which the use of "Group" in mappingMode (CLI: --mapping_mode) is appropriate
A user called Alice belongs to the CorporateAuditAdministrators group of Active Directory. The members of the group have the Audit role of VSP One SDS Block. In such a case, if "Group" is used in mappingMode (CLI: --mapping_mode), managing user passwords or affiliation between a user and group by VSP One SDS Block is unnecessary, and unified management by Active Directory is possible.
-
Example of a case in which the use of "User" in mappingMode (CLI: --mapping_mode) is appropriate
A user (called Alice) belongs to a sales branch group of Active Directory. Another user (called Bob) belongs to an accounting branch group. If you want to assign an Audit role of VSP One SDS Block to Alice and Bob, "User" is appropriate to be used in mappingMode (CLI: --mapping_mode) because there is no relation between the group of Active Directory and the role of VSP One SDS Block. For this reason, make those two users belong to an AuditAdministrators built-in user group of VSP One SDS Block. By doing so, unified management by Active Directory without management of user passwords by VSP One SDS Block becomes possible.
Setting example of an external authentication server
This example assumes the condition that a Windows server is used as an external authentication server and users are managed on a group basis on the external authentication server.
Active Directory is in the following directory configuration.
The following shows an example of parameter settings for PATCH /v1/objects/external-auth-server-setting (CLI: external_auth_server_setting_set).
Parameter | Set value | |
---|---|---|
REST API | CLI | |
isEnabled |
is_enabled |
true |
authProtocol |
auth_protocol |
LDAP |
mappingMode |
mapping_mode |
Group |
primaryLdapServerUrl |
primary_ldap_server_url |
ldaps://ad.example.com |
secondaryLdapServerUrl |
secondary_ldap_server_url |
"" |
isStartTlsEnabled |
is_start_tls_enabled |
false |
baseDn |
base_dn |
dc=example,dc=com |
bindDn |
bind_dn |
cn=Storage,ou=StorageUsers,dc=example,dc=com |
bindDnPassword |
bind_dn_password |
Secret |
userIdAttribute |
user_id_attribute |
sAMAccountName |
userTreeDn |
user_tree_dn |
ou=StorageUsers,dc=example,dc=com |
userObjectClass |
user_object_class |
User |
externalGroupNameAttribute |
external_group_name_attribute |
sAMAccountName |
userGroupTreeDn |
user_group_tree_dn |
ou=StorageGroups,dc=example,dc=com |
userGroupObjectClass |
user_group_object_class |
Group |
VSP One SDS Block does not perform recursive search when searching users and groups on an external authentication server. For this reason, users and groups that VSP One SDS Block refer to must be directly under userTreeDn (CLI: user_tree_dn) and userGroupTreeDn (CLI: user_group_tree_dn), respectively.
The user account to be specified for bindDn (CLI: bind_dn) must have privileges to view all entries under userTreeDn (CLI: user_tree_dn) and userGroupTreeDn (CLI: user_group_tree_dn). This account does not have to be under userTreeDn (CLI: user_tree_dn).
Appropriate values for userObjectClass (CLI: user_object_class) and userGroupObjectClass (CLI: user_group_object_class) differ depending on external authentication servers that you are using. To confirm schema settings of your external authentication server, you must view the existing users and groups under baseDn (CLI: base_dn) by using a Linux ldapsearch command or Windows ldp.exe.
(Example) The following long command has line feeds delimited by "\". You can copy and paste command lines including "\" for normal operation.
$ ldapsearch -D <bind_dn> \ -w <bind_dn_password> \ -H <primary_ldap_server_url> \ -b <base_dn> \ "(objectClass=*)"
To verify whether connection with an external authentication server can be established by using ldapsearch command, use the following command: POST/v1/objects/external-auth-server-setting/actions/verify-connectivity/invoke (CLI: external_auth_server_setting_verify_connectivity). The following is an example of the command that is issued in such a case. If the preceding command execution does not succeed, running the following command on a Linux server might help to identify the cause of the failure. Adding the -d 1 option displays traces for debug, which might help with resolving the problem.
(Example) The following long command has line feeds delimited by "\". You can copy and paste command lines including "\" for normal operation.
$ ldapsearch -D <bind_dn> \ -w <bind_dn_password> \ -H <primary_ldap_server_url> \ -b <user_tree_dn> \ "(&(objectClass=<user_object_class>)(<user_id_attribute>=*))" \ <user_id_attribute>
-
Required external service (if the TLS protocol is used): DNS server
If the TLS protocol is used, the AD/LDAP server must be specified by using an FQDN. In VSP One SDS Block, register a DNS server for which an AD/LDAP server is registered for the Address record.
CAUTION:When using a DNS server, a storage node caches DNS inquiry results for the time (DNS TTL [sec]) set in the DNS server. For this reason, if the content registered in the DNS server (correspondence between the host name and IP address) is changed, the storage node might access an old address during DNS TTL. If you have changed the content registered in the DNS server (correspondence between the host name and IP address), wait until the time specified for DNS TTL has passed, and then specify the external authentication server settings.
-
Required role: Security