HPE Storage Users Group https://3parug.net/ |
Active Directory Authentication Quick List/Cheat Sheet https://3parug.net/viewtopic.php?f=17&t=38 |
Page 1 of 2 |
Author: | Richard Siemers [ Mon Apr 12, 2010 3:15 pm ] |
Post subject: | Active Directory Authentication Quick List/Cheat Sheet |
SSH to the InServ with a local admin account. Check to make sure the InServ is set to use the proper NTP server using "shownet". Check that the time on the InServ is in sync with "showdate". If time deviates from the LDAP server too much, auth will fail. Execute the following commands:

setauthparam ldap-server 10.x.x.x (# IP address of LDAP server)
setauthparam ldap-server-hn ldap.yourcompany.com (# Hostname of your LDAP server, must reverse lookup to the IP address provided)
setauthparam kerberos-realm YOURCOMPANY.COM (# This is case sensitive and must match your Windows Kerberos realm case)
setauthparam binding sasl
setauthparam sasl-mechanism GSSAPI
setauthparam accounts-dn OU=Your\ Group,DC=yourcompany,DC=com (# Location in your AD to search for users, put a \ in front of spaces within your DN)
setauthparam account-obj user
setauthparam account-name-attr sAMAccountName
setauthparam memberof-attr memberOf
setauthparam super-map CN=3PAR_ADMINS,OU=Administrative,DC=yourcompany,DC=com

Test the config with the checkpassword <username> command. The last line of the output should read "user <username> is authenticated and authorized". |
Author: | Richard Siemers [ Mon Jun 27, 2011 4:15 pm ] |
Post subject: | Re: Active Directory Authentication Quick List/Cheat Sheet |
P.S. Also, make sure you do not have a local account on the 3PAR that matches your domain account name. If the same username exists in both places, it will authenticate with the local username/password combination first. |
Author: | Biite [ Thu Sep 01, 2011 8:55 am ] |
Post subject: | Re: Active Directory Authentication Quick List/Cheat Sheet |
I'm now trying to connect to some different Windows DCs but to no avail. I'm using the above procedure using SASL with GSSAPI. Receiving the following message when using checkpassword:

+ Kerberos credentials denied: Cannot contact any KDC for requested realm

All 3 DCs (Windows 2008 R2 64-bit) I tried to connect to give the same message. Routing to and from the 3PAR is okay (though I wonder how I can ping from a 3PAR node). Do I need to configure anything on Windows? Regards, Martien |
Author: | Richard Siemers [ Thu Sep 01, 2011 2:31 pm ] |
Post subject: | Re: Active Directory Authentication Quick List/Cheat Sheet |
Howdy, that error looks familiar; try changing the case of your realm name.

Quote: setauthparam kerberos-realm YOURCOMPANY.COM (# This is case sensitive and must match your Windows Kerberos realm case)

Everywhere I see our domain name it's always lower case; however, the realm name was ALL UPPER. It could be that Microsoft converts it to all upper by default... or perhaps our admin that started the domain was inconsistent... |
Author: | Biite [ Thu Sep 01, 2011 2:46 pm ] |
Post subject: | Re: Active Directory Authentication Quick List/Cheat Sheet |
I checked the realm name and it is all uppercase. Just found out that there might be a problem communicating between two VLANs, something with access lists on our LAN switches. Will get back. Regards, Martien |
Author: | Biite [ Mon Oct 10, 2011 7:42 am ] |
Post subject: | Re: Active Directory Authentication Quick List/Cheat Sheet |
Finally back... the problem was an ACL in a switch which blocked LDAP traffic. Took a while to figure that out... *grin* |
Author: | SHermano [ Sun Oct 30, 2011 6:58 am ] |
Post subject: | Re: Active Directory Authentication Quick List/Cheat Sheet |
Hi all, I've tried to give each multitenant domain its own Active Directory access group, but it doesn't work. Any hint how to do this? e.g.:

Dom1 with access rights for AD-Group1
Dom2 with access rights for AD-Group2
Dom3 with access rights for AD-Group3
Dom4 with access rights for AD-Group3

Regards, |
Author: | Biite [ Sun Oct 30, 2011 4:51 pm ] |
Post subject: | Re: Active Directory Authentication Quick List/Cheat Sheet |
These commands are available when using InForm OS Virtual Domains and AD groups; more info is in the CLI Administrator's Guide for your version of InForm OS:
First you map an AD group to an InForm OS role with the first command. Then you map AD groups to a domain with the next command(s). Check out pages 41-43 of the 3.1.1 CLI Administrator's Guide for more info. Regards, Martien |
Author: | Reactor [ Wed Oct 16, 2013 9:57 pm ] |
Post subject: | Re: Active Directory Authentication Quick List/Cheat Sheet |
I had a bit of trouble initially forcing Active Directory to work together with 3PAR Domains, since HP's documentation is somewhat lacking (and, at times, erroneous). Here's how I managed to work around it:

Create your groups, one for each pairing of role and domain. I named them in the format "3PAR-<domain>-<role>". In the case of global roles, use "all" in place of the domain name, since "all" is a reserved domain for global roles. Set the description attribute for each group to "InServDomain=<domain>", where <domain> is either the name of the domain, or "all" in groups for global roles. Groups without this field set will not function. Here are my groups:

Code:
dn: CN=3PAR-all-super,OU=Groups,DC=example,DC=com
description: InServDomain=all

dn: CN=3PAR-all-edit,OU=Groups,DC=example,DC=com
description: InServDomain=all

dn: CN=3PAR-all-browse,OU=Groups,DC=example,DC=com
description: InServDomain=all

dn: CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com
description: InServDomain=domainname

dn: CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com
description: InServDomain=domainname

These are the sanitized CLI commands that I used for my configuration (change the obvious to fit your environment):

Code:
setauthparam ldap-server 10.1.1.2
setauthparam ldap-server-hn ads.example.com
setauthparam kerberos-realm EXAMPLE.COM
setauthparam binding sasl
setauthparam sasl-mechanism GSSAPI
setauthparam accounts-dn ou=users,dc=example,dc=com
setauthparam account-obj user
setauthparam memberof-attr memberOf
setauthparam account-name-attr sAMAccountName
setauthparam group-obj group
setauthparam domain-name-attr description
setauthparam domain-name-prefix !InServDomain=
setauthparam super-map CN=3PAR-all-super,OU=Groups,DC=example,DC=com
setauthparam edit-map CN=3PAR-all-edit,OU=Groups,DC=example,DC=com CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com
setauthparam browse-map CN=3PAR-all-browse,OU=Groups,DC=example,DC=com CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com

Note that for each of the <role>-map commands, you need to put all of the related group DNs on the same line, not in sequential commands. If there are spaces in your DNs, be sure to escape them with a backslash. Once you get it all set up and ready, verification should look like this:

Code:
inserv cli% showauthparam
Param               ------------------------Value-------------------------
kerberos-realm      EXAMPLE.COM
binding             sasl
sasl-mechanism      GSSAPI
accounts-dn         ou=users,dc=example,dc=com
account-obj         user
memberof-attr       memberOf
ldap-server         10.1.1.2
ldap-server-hn      ads.example.com
account-name-attr   sAMAccountName
group-obj           group
domain-name-attr    description
super-map           CN=3PAR-all-super,OU=Groups,DC=example,DC=com
edit-map            CN=3PAR-all-edit,OU=Groups,DC=example,DC=com
edit-map            CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com
browse-map          CN=3PAR-all-browse,OU=Groups,DC=example,DC=com
browse-map          CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com
domain-name-prefix  !InServDomain=

inserv cli% checkpassword reactor
password:
+ attempting authentication and authorization using system-local data
+ authentication denied: unknown username
+ attempting authentication and authorization using LDAP
+ using Kerberos configuration file:
[domain_realm]
ads.example.com = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = ads.example.com
}
+ temporarily setting name-to-address mapping: ads.example.com -> 10.1.1.2
+ attempting to obtain credentials for "reactor@EXAMPLE.COM"
+ connecting to LDAP server using URI: ldap://ads.example.com
+ binding to user "reactor" with SASL mechanism GSSAPI
+ searching LDAP using:
search base: ou=users,dc=example,dc=com
scope: sub
filter: (&(objectClass=user)(sAMAccountName=reactor))
for attributes: memberOf
+ search result DN: CN=Reactor,OU=Users,DC=example,DC=com
+ search result: memberOf: CN=3PAR-all-super,OU=Groups,DC=example,DC=com
+ mapping rule: super mapped to by "CN=3PAR-all-super,OU=Groups,DC=example,DC=com"
+ rule match: super mapped to by "CN=3PAR-all-super,OU=Groups,DC=example,DC=com"
+ mapping rule: edit mapped to by "CN=3PAR-all-edit,OU=Groups,DC=example,DC=com"
+ mapping rule: edit mapped to by "CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com"
+ mapping rule: browse mapped to by "CN=3PAR-all-browse,OU=Groups,DC=example,DC=com"
+ mapping rule: browse mapped to by "CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com"
+ searching LDAP using:
search base: CN=3PAR-all-super,OU=Groups,DC=example,DC=com
scope: base
filter: (objectClass=group)
for attributes: description
+ search result DN: CN=3PAR-all-super,OU=Groups,DC=example,DC=com
+ search result: description: InServDomain=all
+ group "CN=3PAR-all-super,OU=Groups,DC=example,DC=com" has potential domain "all" (transformed from "InServDomain=all")
+ domain match: "all" mapped to super
user reactor is authenticated and authorized

Regards, Aaron |
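The authorization walk that the checkpassword trace above goes through (memberOf -> role map -> group description -> domain), modelled offline in Python as an added example; this is not 3PAR code and not from anyone in this thread. The group DNs and descriptions are the ones Aaron posted; the extra 3PAR-broken-edit group, the local-account rule from Richard's P.S. above, and the reading of the leading "!" in domain-name-prefix as "strip this literal prefix" are assumptions, the last inferred from the '(transformed from "InServDomain=all")' line of the trace.

```python
"""Offline model of the LDAP role/domain resolution that checkpassword traces above."""
# Constructed snapshot of the group objects from the post: DN -> description attribute.
# The last group is constructed without a description, to show why such groups grant nothing.
GROUPS = {
    "CN=3PAR-all-super,OU=Groups,DC=example,DC=com": "InServDomain=all",
    "CN=3PAR-all-edit,OU=Groups,DC=example,DC=com": "InServDomain=all",
    "CN=3PAR-all-browse,OU=Groups,DC=example,DC=com": "InServDomain=all",
    "CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com": "InServDomain=domainname",
    "CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com": "InServDomain=domainname",
    "CN=3PAR-broken-edit,OU=Groups,DC=example,DC=com": None,
}

# super-map / edit-map / browse-map values from the post, most privileged role first.
ROLE_MAPS = (
    ("super", ["CN=3PAR-all-super,OU=Groups,DC=example,DC=com"]),
    ("edit", ["CN=3PAR-all-edit,OU=Groups,DC=example,DC=com",
              "CN=3PAR-domainname-edit,OU=Groups,DC=example,DC=com",
              "CN=3PAR-broken-edit,OU=Groups,DC=example,DC=com"]),
    ("browse", ["CN=3PAR-all-browse,OU=Groups,DC=example,DC=com",
                "CN=3PAR-domainname-browse,OU=Groups,DC=example,DC=com"]),
)
DOMAIN_NAME_PREFIX = "!InServDomain="


def domain_from_description(description, prefix=DOMAIN_NAME_PREFIX):
    # Assumption: the leading "!" means "strip this literal prefix", matching the trace
    # '"all" (transformed from "InServDomain=all")'. None = attribute missing or no match.
    literal = prefix[1:] if prefix.startswith("!") else prefix
    if description and description.startswith(literal):
        return description[len(literal):] or None
    return None


def authorize(username, member_of, local_accounts=frozenset(),
              groups=GROUPS, role_maps=ROLE_MAPS):
    # A local account with the same name is tried first and shadows the AD user (see the P.S.).
    if username.lower() in {name.lower() for name in local_accounts}:
        return {"source": "local", "domains": {}}
    membership = {dn.lower() for dn in member_of}  # LDAP DNs compare case-insensitively
    domains = {}
    for role, mapped_groups in role_maps:           # super -> edit -> browse
        for group_dn in mapped_groups:
            if group_dn.lower() not in membership:
                continue
            domain = domain_from_description(groups.get(group_dn))
            if domain is None:
                continue                            # no InServDomain= description: no grant
            domains.setdefault(domain, role)        # first (most privileged) role per domain wins
    return {"source": "ldap", "domains": domains}
```

Running authorize("reactor", ["CN=3PAR-all-super,OU=Groups,DC=example,DC=com"]) reproduces the trace's outcome, super on domain "all"; a user who is only in the description-less group gets no domains at all, which is the "will not function" case from the post.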
Author: | nsnidanko [ Thu Feb 13, 2014 12:05 pm ] |
Post subject: | Re: Active Directory Authentication Quick List/Cheat Sheet |
Is there a way to set up multiple LDAP servers for redundancy? I.e. if LDAP server 1 is unavailable you are not able to authenticate. Multiple values for:

setauthparam ldap-server
setauthparam ldap-server-hn |
All times are UTC - 5 hours |