Lesser known enhancements in the latest VNX code: Simplified Unisphere LDAP Integration

EMC World 2012 - Day 1 150This is part two of my series on lesser known enhancements in the latest code for your VNX.  Today we are going to focus on LDAP.  You may remember my very popular post from last year on configuring LDAP for Unisphere.  One of the big things I stressed before is that even with a Unified system, you still had to configure both the BLOCK & FILE side.  Well, with the latest changes, that is a thing of the past.  Now all the settings are done on the block side, and the new Unisphere Network Service will push them into the control station for you, simplifying the entire process.

 

imageLets take a look at the configuration section.  Just like it has been for the BLOCK side, you will find all the settings inside the “Domains” menu.  You will notice right away that there is a new option to configure DNS.  This is crucial for you to configure so that both the SPs and the control station can do host name lookups.

 

image

  1. DNS Domain Suffix
    • This is where you put in your domain suffix.  This will be your primary domain namespace for lookups.
  2. DNS Server IP Address
    • This is where you specify the IP addresses of your DNS servers.  I recommend using at least 2 here.
  3. Domain Search List
    • If you have multiple domains in your environment, this is where you would list them all in this area in order of search preference.  Make sure your primary domain is at the top of the list.

 

image

Just as important (in my opinion) as DNS, is configuring NTP.  You can specify up to 4 NTP servers to keep your SP and Control Station times in sync.  This really helps with comparing event logs against other sources.  One thing to note, NTP server Keys support is unique to the SPs.  It will not be copied over to the control station as it does not support it.

 

 

  1. Host Name or IP Addressimage
    • This is where you put in the FQDN or IP of the domain controller.  It is recommended to use the FQDN here, especially if you are using Secure LDAP.
  2. Port
    • 389 for LDAP, 636 for LDAPS
  3. Server Type
    • There are two options: LDAP Server and Active Directory. Make sure to choose “Active Directory” if you’re using an AD environment (most of you will be doing this)
  4. Protocol
    • LDAP or LDAPS
  5. Domain Name
    • Here you will specify the domain name being used
  6. BindDN
    • This is where you put the distinguished name of the service account. For this example I just used the administrator account
  7. Bind Password
    • Password for the service account
  8. Confirm Bind Password
    • Make sure it matches
  9. User Search Path
    • Just like with File, this is where you would set the search scope to find your users
  10. Group Search Path
    • Just like with File, This is where you set the search scope to find your groups
  11. Add certificate
    • This is where you would upload a root CA certificate for LDAPS. Make sure it’s in base64 encoding.  You will need the entire certificate chain, so if you have multiple CAs in your chain, cut and paste them into the “cut and paste” section.   The system will attempt to validate the certificate and let you know if there were problems during validation.  Make sure you have DNS configured if you are going to do this.

 

imageAfter you have put in all this information, click on the “Role Mapping” tab so we can map an AD group. In this updated version, individual LDAP user mapping has been removed, so make sure your AD groups contain only the users you want to give access.  Put in the name of the AD group (in this example I used “Domain Admins”), then select the Role from the second pull down (in this case I selected Administrator), and finally click “Add” to add the mapping. Once you have all your mappings, click ok and wait for the confirmation message.  The final addition is the ability to configure the level of nested group support in the advanced tab.  By default, it is set to zero.

 

 

Once you have finished all this configuration, you will want to do this all over again for the second domain controller. Once you have this all set, click “Synchronize”. And that is it!

 

image

Now it is time to test your LDAP login. Logout of Unisphere by clicking the door icon in the upper right. Open Unisphere again and this time put in your AD username and password. Be sure to select “Use LDAP” and click on “Login”. If all your configuration is correct, you will be brought back in to Unisphere. If you get an access denied message, check you username, password, as well as your user and group search paths.

 

 

I hope you find this post useful.  Let me know your own experiences with Unisphere LDAP Integration in the comments below.

Introducing VNX FILE OE 7.1 & BLOCK OE 05.32

EMC-VNXIts here! It’s finally here!  Today marks the general availability of the first release in a new line of VNX code.  Many of you may remember my preview posts on what can be found in this latest version (found here and here). Now you can take it for a spin and try out these new features and changes.

 

As of today, you can browse to the VNX Product Support Page or use the Unisphere Service Manager (USM) tool (which has been upgraded to version 1.2.0.1.0554) to download VNX FILE OE 7.1.47.5 and VNX BLOCK OE 05.32.000.5.006.  Again to highlight some of the changes you will see:

  • New “Flash First” data aging policy for tiering
  • Mixed raid levels for storage pools
  • Enhanced block snapshots
  • Windows Branch Cache support for CIFS
  • Simplified Unisphere LDAP configuration (see my note here)
  • FLR upgrades and enhancements

There are more changes under the hood than I could possibly list here, but a full set of release notes and documentation can be found on the VNX Product Support Page as well as the GA announcement that I posted on ECN.

 

Well what are you waiting for?  Go out and upgrade (remember that this is an out of family upgrade) and start enjoying the latest and greatest in unified storage and let me know what you think of it in the comments below!

Configuring LDAP Authentication for Unisphere on the VNX

Whether you are configuring security for corporate compliance, or you want a central repository to manage user access, LDAP integration is becoming a major part of corporate infrastructure. Many of you may not realize this, but the VNX (as well as the older Clariion and Celerra) support LDAP integration, and after reading this blog post you will to. During this post I will cover the different steps (with pictures) required to set up LDAP authentication for VNX for FILE, BLOCK, and Unified.

 

*UPDATE*  With the release of FILE OE 7.1 and BLOCK OE 5.32, All LDAP settings are now done in the Storage Domain section of Unisphere.  Just follow the directions here to setup LDAP.

 

To start this process we will need a few things:

  1. The IPs of two domain controllers
  2. The “distinguished name” and password of a service account that can do an LDAP lookup
  3. The name of an active directory group you want to give admin access to (no spaces pleas)
  4. An existing administrator account on the VNX (and the root password for FILE)

 

Before we begin, you may want to login to the control station CLI as root and run the following command: “/nas/sbin/cst_setup –reset”. This command will regenerate the control station lockbox fingerprint and is usually required on systems where you may have changed the IP or name of the control station. I find it’s best to get this out of the way early instead of proceeding with configuration and finding it needs to be done later since this does not change any settings outside of the scope of this tutorial. More information on this can be found in Primus EMC260883.

 

Configuring LDAP on VNX for FILE

 

To start, we will need to login with an administrator account such as nasadmin/systadmin. You will start by clicking on the “settings” tab. On the right hand side you will see link to “Manage File LDAP Domain”, click it.

This section has several entries and is where we configure all the domain information. I have broken this down line by line as well as included a picture.

 

  1. Domain Name:
    • In this area you will put in the domain name. For this example, I used my domain “thulin.local”
  2.  Primary:
    • This is where you put in the IP address of the first domain controller
  3. Backup:
    •  This is where you put in the IP address of the second domain controller
  4. SSL Enabled:
    • Are you using SSL? If so, click the box. For this example I am not because I don’t have a certificate authority setup in the lab
  5. Port:
    • 389 for LDAP and 636 if your using LDAPS
  6. Directory Service Type:
    • Here you get 3 options (default, custom, and other). Default takes most of the guess work out, but will only work if the service account and all the users and groups exist in the “users” container. The custom option allows you to specify the exact container for the service accounts and the user and group search path. Other is used for non active directory setups (such as OpenLDAP servers). For this example we are using the custom option
  7. User Id Attribute:
    • This is the attribute that represents a user in LDAP, in 99% of Active Directory environments it is “samAccountName” and we will leave it as that here
  8. Distinguished Name:
    • This is where you put the distinguished name of the service account. For this example I just used the administrator account
  9. Account Password:
    • If this needs explaining then I have a nice etch-a-sketch you should be using instead of a VNX.
  10. User Search Path:
    • This is where you specify the path to search for users who will be logging in. If the user is not inside this path, they will not be granted access. I like to search the whole domain because a user cannot exist in more than one spot, and authentication won’t be effected by moving a user inside active directory
  11. User Name Attribute:
    • This is the attribute to search by, we will use “cn” (aka Common Name)
  12. Group Search Path:
    • This is just like above, but for groups instead. The same restrictions apply as well
  13. Group Name Attribute:
    • Again we want to search by the common name
  14. Group Class:
    • You want to search for the “group” class
  15. Group Member:
    • We are searching for a “member” of a group

 

Once all the information has been populated, hit apply to save it (if you run into an error here, see the statement I made in paragraph 2 and start over). Once this is done we will need to test things, so hit the test button. If everything worked correctly it will say “Test Domain Settings. OK”. If you get “Bind Failed” error, either your IP, Distinguished Name, or password is incorrect. If you get a user or group error, check the search path and try again.

 

Now that we have configured our authentication protocol, we need to assign a privilege to an AD group. This is done in the in the user management area, so go back to the settings tab, then click on security, then click on user management, and finally “User Customization for File”. This area will present you with 3 tabs: Users, Groups, and Roles. Click on groups and then click create at the bottom. You will now be presented with a screen to make a new group and map it to LDAP.

 

  1. Group Name:
    • This is a local name for the group. You can call it whatever you want because it ONLY exists on the VNX FILE control station. I chose the name LDAP_Admins
  2. GID:
    • This is where you can specify a GID or just have the system auto select one. I use the default of auto select
  3. Role:
    • This is where you give permissions to the group based on the role. Any user in this group will be given this role/permission level by default. For this example, I chose to give the users the Administrator role.
  4. Group Type:
    1. This is where you would select “LDAP group mapped” and put in the name of the group (in this case serviceAdmins) and the domain name (thulin.local). The group name can’t have any spaces but does support underscores.

 

At this point all the work on the VNX FILE side is done and it’s time to start on the BLOCK side.

 

Configuring LDAP on VNX for BLOCK

 

Setting up LDAP for Block is very similar to the way it was done on the Clariions. Just like with the File side, you will need the same 4 bits of information. To begin, click on the home button in the upper left, then click on the domain tab, and finally click on “Manage LDAP Domain for Block”. This will bring up a window where we can start configuring our LDAP settings. The block side requires you to setup individual domain controllers, and set all the settings on that one server, so click on the “add” button and we’ll get started. You will see several areas to input information and I will go through them:

 

  1. IP Address
    • This is where you put in the IP of the domain controller
  2. Port
    • 389 for LDAP, 636 for LDAPS
  3. Server Type
    • There are two options: LDAP Server and Active Directory. Make sure to choose “Active Directory” if you’re using an AD environment (most of you will be doing this)
  4. Protocol
    • LDAP or LDAPS
  5. BindDN
    • This is where you put in the Distinguished Name of the service account just like when setting it up for file.
  6. Bind Password
    • Password for the service account
  7. Confirm Bind Password
    • Make sure it matches
  8. User Search Path
    • Just like with File, this is where you would set the search scope to find your users
  9. Group Search Path
    • Just like with File, This is where you set the search scope to find your groups
  10. Add certificate
    • This is where you would upload a root CA certificate for LDAPS. Make sure it’s in base64 encoding

 

After you have put in all this information, click on the “Role Mapping” tab so we can map an AD group. Once in there you will want to select “Group” from the first pull down. Put in the name of the AD group (in this example I used “ServiceAdmins”), then select the Role from the second pull down (in this case I selected Administrator), and finally click “Add” to add the mapping. Once you have all your mappings, click ok and wait for the confirmation message. Then you want to do this all over again for the second domain controller. Once you have this all set, click “Synchronize”. And that is it!

 

Configuring LDAP on VNX for UNIFIED

 

Configuring LDAP for a unified box is no different than the Block and File side.  The only thing you need to remember is that you need to do both, because the authentication will check your LDAP account against both the control station and the service processor.  Both configurations will have to be working correctly to login properly.

 

Now it is time to test your LDAP login. Logout of Unisphere by clicking the door icon in the upper right. Open Unisphere again and this time put in your AD username and password. Be sure to select “Use LDAP” and click on “Login”. If all your configuration is correct, you will be brought back in to Unisphere. If you get an access denied message, check you username, password, as well as your user and group search paths.

*UPDATE*

I have included a youtube video published by EMC that shows exactly what I have demonstrated above.

I hope you enjoyed this tutorial and I hope this is the first of many. If you have any questions on what you’ve just seen, or if you have any suggestions for future write-ups, drop a message in the comments below.