Interesting Topic- 3PAR Authentication via LDAP

deepak.3a
Posts: 33
Joined: Thu Feb 13, 2014 8:45 am

Interesting Topic- 3PAR Authentication via LDAP

Post by deepak.3a »

I am configuring LDAP for 3PAR authentication. Our AD structure is such that the "Users" are located in two different OUs. When we define account-dn during LDAP configuration, we have to give the path of the user down to the user's own container. If I give the account-dn at the top of the tree (say xyz.net), the system is not able to authenticate. So is it a limitation of 3PAR, or how can this be resolved??

Does someone have a similar type of AD structure? Let me know how the AD integration is being done.
afidel
Posts: 216
Joined: Tue May 07, 2013 1:45 pm

Re: Interesting Topic- 3PAR Authentication via LDAP

Post by afidel »

My guess is your top level DN contains more than 1,000 results and the 3Par LDAP agent doesn't do pagination for results. You'll probably need to move your admins under a top level OU that contains <1,000 user objects and use that as the base DN.
Reactor
Posts: 44
Joined: Wed Oct 16, 2013 9:03 pm
Location: Chicago

Re: Interesting Topic- 3PAR Authentication via LDAP

Post by Reactor »

I made a post with some instructions a few months back that demonstrated the configuration solution I deployed (here: http://3parug.com/viewtopic.php?f=17&t=38, 9th post down).

I doubt there's an LDAP pagination issue with 3PAR's client—we have several thousand users divided across several child OUs contained within one larger parent OU, and we have never had an issue authenticating any particular user.

I'm not exactly sure what LDAP topology you are describing—is it that there are two separate User OUs located in diverse areas of your LDAP tree, and the root of the tree ("dc=xyz,dc=net") is the only common point? If you can perform an LDAP search using command-line utilities on a Mac or Linux host, that should most closely replicate the search that 3PAR is using. For example:

$ ldapsearch -LLL -x -h adserver.xyz.net -b 'dc=xyz,dc=net' '(&(objectClass=user)(sAMAccountName=yourusername))' dn memberOf

Besides posting sanitized 'showauthparam' and 'checkpassword' output, you will likely need to describe your particular topology in better detail.
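The following is an added example, not code from the thread, from 3PAR or from HP. It models offline the two questions the post above raises: which users a given account-dn (base DN) would reach under each LDAP search scope, and what the search filter in the ldapsearch command should look like when the username is supplied by a caller. The directory tree is constructed to mirror the topology described in the thread (two user OUs, P_user and P_user1, under dc=abc,dc=xyz,dc=net); the user names and DNs are invented. The scope model is generic LDAP semantics (base, one-level, subtree) and is not a description of how the 3PAR LDAP client is implemented internally.

```python
"""Added example (not from the thread, 3PAR or HP): check which users a base DN
reaches under each LDAP scope, and build an injection-safe search filter."""
import re

# Constructed sample tree modelled on the thread's topology; the names and
# DNs are invented and are not real directory data.
SAMPLE_USERS = {
    "alice": "CN=Alice Adams,OU=P_user,DC=abc,DC=xyz,DC=net",
    "bob":   "CN=Bob Brown,OU=P_user1,DC=abc,DC=xyz,DC=net",
    "carol": "CN=Cole\\, Carol,OU=Storage Admins,OU=P_user,DC=abc,DC=xyz,DC=net",
}

# Split a DN on commas that are not backslash-escaped (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Return the DN as a list of (type, value) tuples, leaf RDN first,
    normalized for comparison: types and values lower-cased, whitespace
    around each component stripped, escaped ',' and '=' unescaped.
    Multi-valued RDNs ('+') are not handled; AD user DNs do not use them."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % part)
        value = value.replace("\\,", ",").replace("\\=", "=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_in_scope(user_dn, base_dn, scope="sub"):
    """True if user_dn would be returned by a search rooted at base_dn with
    the given scope: 'base' (the entry itself), 'one' (direct children only)
    or 'sub' (the whole subtree)."""
    user = parse_dn(user_dn)
    base = parse_dn(base_dn)
    if len(base) > len(user) or user[len(user) - len(base):] != base:
        return False            # user is not under base at all
    depth = len(user) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope: %r" % scope)


def users_reachable(users, base_dn, scope="sub"):
    """Sorted names of the users a search from base_dn with scope would find."""
    return sorted(n for n, dn in users.items() if dn_in_scope(dn, base_dn, scope))


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value, so a caller-supplied username
    such as 'a*)(objectClass=*' cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_filter(username):
    """The filter from the ldapsearch command above, with the value escaped."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)


if __name__ == "__main__":
    for base, scope in [("OU=P_user,DC=abc,DC=xyz,DC=net", "one"),
                        ("OU=P_user,DC=abc,DC=xyz,DC=net", "sub"),
                        ("DC=abc,DC=xyz,DC=net", "sub")]:
        print("%-35s %-4s -> %s" % (base, scope, users_reachable(SAMPLE_USERS, base, scope)))
    print(build_filter("deepak"))
    print(build_filter("*)(sAMAccountName=*"))
```

Run against the sample tree, a base of OU=P_user with one-level scope reaches only the user directly in that OU, subtree scope also reaches the user in the nested Storage Admins OU, and only a subtree search from DC=abc,DC=xyz,DC=net reaches the users in both P_user and P_user1, which is the case the thread says the 3PAR client does not handle. If you want to test the 1,000-entry guess from the earlier reply with the OpenLDAP client, its paged-results control is requested with `-E pr=1000/noprompt` on the ldapsearch command line.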
deepak.3a
Posts: 33
Joined: Thu Feb 13, 2014 8:45 am

Re: Interesting Topic- 3PAR Authentication via LDAP

Post by deepak.3a »

Let me explain again; please also look at the attached picture, which will give you a better description.
When configuring LDAP for 3PAR, we have to define "account-dn", which is basically the DN for the user.
Look at the picture: the top of our AD tree is, say, "abc.xyz.net", and under that there are two OUs named "P_user" and "P_user1" (see the attached picture; they are highlighted with arrows).
So our users are located in "P_user" and "P_user1", and the Attribute Editor string for the user location is different for each. When we define the "account-dn" parameter for the LDAP config, we have to give the Attribute Editor string of the user location (by right-clicking the Users folder and choosing Properties, as shown in the picture). So either users located in "P_user" can be authenticated or users located in "P_user1" can be authenticated, but not both.
Normally, Linux or other storage systems search from the top of the AD tree, but 3PAR does not!!
I hope I have been able to explain the issue, and I would like to see any suggestions on this, if there is any alternative.
Attachment: 3PAR_LDAP issue.png
dannymunns
Posts: 3
Joined: Fri Feb 08, 2013 9:57 am

Re: Interesting Topic- 3PAR Authentication via LDAP

Post by dannymunns »

I had this exact same issue with two different customers/clients. I logged a call with HP in March, and they *eventually* came back with this answer, which wasn't really an answer.

All I can say is that as a community, keep logging this with HP, and they may actually change the AD integration to something a little more useful. Feel free to reference my case, 4647736214.

----

Dear Mr. Munns,

Regarding the issue with LDAP, I wish to forward you the statement from our L3 support regarding this issue and the possible next actions:

This issue has been made known to the labs; they have looked into it and commented on it as follows:

Status: Lab indicates that searching from the root for all users is not supported with the current 3PAR LDAP implementation. The location where the user resides in the tree needs to be specified. Consideration is being given to adding this information to the documentation.

Lab will also consider whether the current implementation needs to be changed.

Furthermore, it has been entered as a CFI (customer found issue) in our internal database. If any changes are made to the implementation, the customer will be informed.

So as it stands now, LDAP works with the 3PAR as designed.

Your request or feedback has, however, been taken into consideration and may be implemented in a future release, which in my opinion is the part that is most useful for you at this point.

As written by Engineering, the issue you have pointed out will be entered in our database and you will be kept informed in case this is added as a feature.

Regarding this, I would like to ask you whether we can close the current case.

If you need further details, please let me know.

Thank you for your patience.

With kind regards,

Chavdar Rashkov
HP Storage / HPSD
Hewlett-Packard Customer Solution Center