Page 1 of 1

3PAR LDAP & Kerberos

Posted: Fri Feb 20, 2015 10:14 am
by karel.hu
Hello everybody,
I've already read posts how 3PAR doesn't really support multi-domain AD authentication, cannot have more LDAP configs, maybe in next version, but I still have a question:

In our environment, we have 3 domains, we'll call them TOP.com, CHILD1.TOP.com and CHILD2.TOP.com. We have the LDAP configuration set to talk to CHILD1 domain, administrator's account in CHILD1 domain, administrators group in CHILD1 too, all the same.

So far we've found that we can change the LDAP port in CLI, so instead of port 389 (or 636 with SSL) we can use port 3268 (or 3269 with SSL), using setauthparam ldap-port PORT_NUMBER command. Then you change the Accounts DN value to DC=TOP,DC=com and the LDAP search will go from top down to both child domains. You can even have the administrators group in CHILD2 domain, the account will still be found, authenticated and assigned thru super-map to the super role.

In case of administrator, who is a CHILD2 domain member, this will not work. Kerberos will prevent the user in CHILD2 (administrator group is in CHILD1) getting in, because such account does not exist in CHILD1, so it will never get to the LDAP search.

Is this something a Kerberos trust between domains could help? What does your AD guy think?