Lesser known enhancements in the latest VNX code: Simplified Unisphere LDAP Integration

This is part two of my series on lesser known enhancements in the latest code for your VNX. Today we are going to focus on LDAP. You may remember my very popular post from last year on configuring LDAP for Unisphere. One of the big things I stressed before is that even with a Unified system, you still had to configure both the BLOCK and FILE sides. Well, with the latest changes, that is a thing of the past. Now all the settings are done on the block side, and the new Unisphere Network Service pushes them to the control station for you, simplifying the entire process.

Let's take a look at the configuration section. Just as it has been for the BLOCK side, you will find all the settings inside the “Domains” menu. You will notice right away that there is a new option to configure DNS. This is crucial to configure so that both the SPs and the control station can do host name lookups.


  1. DNS Domain Suffix
    • This is where you put in your domain suffix.  This will be your primary domain namespace for lookups.
  2. DNS Server IP Address
    • This is where you specify the IP addresses of your DNS servers.  I recommend using at least 2 here.
  3. Domain Search List
    • If you have multiple domains in your environment, list them all here in order of search preference. Make sure your primary domain is at the top of the list.


Just as important (in my opinion) as DNS is configuring NTP. You can specify up to 4 NTP servers to keep your SP and Control Station times in sync. This really helps when comparing event logs against other sources. One thing to note: NTP server key support is unique to the SPs. It will not be copied over to the control station, which does not support it.


  1. Host Name or IP Address
    • This is where you put in the FQDN or IP of the domain controller. It is recommended to use the FQDN here, especially if you are using Secure LDAP.
  2. Port
    • 389 for LDAP, 636 for LDAPS
  3. Server Type
    • There are two options: LDAP Server and Active Directory. Make sure to choose “Active Directory” if you’re using an AD environment (most of you will be doing this).
  4. Protocol
    • LDAP or LDAPS
  5. Domain Name
    • Here you will specify the domain name being used.
  6. BindDN
    • This is where you put the distinguished name of the service account. For this example I just used the administrator account.
  7. Bind Password
    • Password for the service account
  8. Confirm Bind Password
    • Make sure it matches.
  9. User Search Path
    • Just like with File, this is where you set the search scope to find your users.
  10. Group Search Path
    • Just like with File, this is where you set the search scope to find your groups.
  11. Add certificate
    • This is where you upload a root CA certificate for LDAPS. Make sure it’s in base64 encoding. You will need the entire certificate chain, so if you have multiple CAs in your chain, cut and paste them into the “cut and paste” section. The system will attempt to validate the certificate and let you know if there were problems during validation. Make sure you have DNS configured if you are going to do this.
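Before pasting a chain into the “Add certificate” dialog, it helps to confirm that every block really is base64 PEM and that each decoded payload is one complete DER structure (a common paste error is a truncated block). This is an added Python example, not part of the original post or of Unisphere; the constructed sample chain uses tiny hand-built DER SEQUENCEs instead of real certificates so it runs offline.

```python
import base64
import re
from typing import List, Optional

# Matches each PEM certificate block in a pasted chain (re.S so bodies span lines).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_sequence_length(der: bytes) -> Optional[int]:
    """Total encoded length if `der` starts with a DER SEQUENCE (tag 0x30), else None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_chain(text: str) -> List[str]:
    """One status line per PEM block: base64 must decode and the DER must be exactly one SEQUENCE."""
    results = []
    for i, body in enumerate(PEM_BLOCK.findall(text), start=1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError subclass
            results.append(f"block {i}: not valid base64")
            continue
        total = der_sequence_length(der)
        if total is None:
            results.append(f"block {i}: not a DER SEQUENCE")
        elif total != len(der):
            results.append(f"block {i}: DER length mismatch (truncated or extra bytes)")
        else:
            results.append(f"block {i}: ok ({len(der)} DER bytes)")
    return results


def build_sample_chain() -> str:
    """Constructed paste: two PEM blocks with toy DER payloads plus one non-base64 block."""
    def pem(body: str) -> str:
        return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    good = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x05])).decode()       # SEQUENCE{INTEGER 5}
    truncated = base64.b64encode(bytes([0x30, 0x05, 0x02, 0x01, 0x05])).decode()  # header claims 5 bytes, 3 present
    return pem(good) + pem(truncated) + pem("not*base64!!")


if __name__ == "__main__":
    for line in check_pem_chain(build_sample_chain()):
        print(line)
```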

After you have put in all this information, click on the “Role Mapping” tab so we can map an AD group. In this updated version, individual LDAP user mapping has been removed, so make sure your AD groups contain only the users you want to give access. Put in the name of the AD group (in this example I used “Domain Admins”), then select the Role from the second pull-down (in this case I selected Administrator), and finally click “Add” to add the mapping. Once you have all your mappings, click OK and wait for the confirmation message. The final addition is the ability to configure the level of nested group support in the Advanced tab. By default, it is set to zero.
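To see what the nested group level changes, here is an added Python example (not from the post or from EMC) that models role mapping over a constructed AD-like directory. Apart from “Domain Admins”, the group and user names are hypothetical, and the depth semantics (0 = direct members of the mapped group only, N = follow N levels of nested groups) are an assumption about the setting, not documented VNX behaviour.

```python
from collections import deque
from typing import Dict, List, Optional

# Constructed AD-like directory: group DN -> member DNs (users or nested groups).
# Apart from "Domain Admins" (used in the post), all names are hypothetical.
DIRECTORY: Dict[str, List[str]] = {
    "CN=Domain Admins,CN=Users,DC=example,DC=local": [
        "CN=alice,CN=Users,DC=example,DC=local",
        "CN=Storage Team,OU=Groups,DC=example,DC=local",
    ],
    "CN=Storage Team,OU=Groups,DC=example,DC=local": [
        "CN=bob,CN=Users,DC=example,DC=local",
        "CN=SAN Ops,OU=Groups,DC=example,DC=local",
    ],
    "CN=SAN Ops,OU=Groups,DC=example,DC=local": [
        "CN=carol,CN=Users,DC=example,DC=local",
    ],
}

# What the Role Mapping tab holds: mapped group DN -> Unisphere role.
ROLE_MAPPING: Dict[str, str] = {
    "CN=Domain Admins,CN=Users,DC=example,DC=local": "Administrator",
}

def is_member(user_dn: str, group_dn: str, nesting_level: int,
              directory: Dict[str, List[str]] = DIRECTORY) -> bool:
    """Breadth-first walk of group membership, descending into nested groups at most
    `nesting_level` hops below the mapped group (0 = direct members only).
    The `seen` set guards against group-membership cycles."""
    seen = set()
    queue = deque([(group_dn, 0)])
    while queue:
        group, depth = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        for member in directory.get(group, []):
            if member == user_dn:
                return True
            if member in directory and depth < nesting_level:
                queue.append((member, depth + 1))
    return False

def resolve_role(user_dn: str, nesting_level: int = 0) -> Optional[str]:
    """Role the login would receive, or None for access denied."""
    for group_dn, role in ROLE_MAPPING.items():
        if is_member(user_dn, group_dn, nesting_level):
            return role
    return None
```

With the default level of zero, only alice (a direct member of the mapped group) gets the Administrator role; bob needs level 1 and carol level 2.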


Once you have finished all this configuration, you will want to do this all over again for the second domain controller. Once you have this all set, click “Synchronize”. And that is it!


Now it is time to test your LDAP login. Log out of Unisphere by clicking the door icon in the upper right. Open Unisphere again and this time put in your AD username and password. Be sure to select “Use LDAP” and click on “Login”. If all your configuration is correct, you will be brought back into Unisphere. If you get an access denied message, check your username and password, as well as your user and group search paths.


I hope you find this post useful.  Let me know your own experiences with Unisphere LDAP Integration in the comments below.


  • Brian

    So… I worked on configuring LDAP on a VNX for most of the morning, and this helped me fix it. Thanks!

  • Wynn Anthony

    I tried your LDAP config in my environment; it does not work. Please advise.

  • Hey Sean, great post on configuring LDAP. In my environment I had to do things slightly differently and wanted to share the experience.

    We have a forest that has many child domains and each domain has a VNX5700. The account I use for enterprise administration exists in the child domain at the site where I work, but it is a member of a forest root group that has admin rights over the enterprise. In order to configure LDAP to use my account that was an object of a child domain, but give a role to a group that existed at the forest root, here is what I had to do:

    Hostname = dc01
    Domain = local.com (this is where my user account existed)
    Port Number 3268

    User Search Path = the path to where my admin account is on the local domain
    Group Search Path = the path to the enterprise group at the forest root

    Even though I didn’t see this documented anywhere, and it isn’t an option from the dropdown, using port 3268 allows you to check group memberships of universal groups that exist in the forest.

    So, to recap, if you want to use LDAP to log on as a user from one domain, but for the role mapping you want to use a group that is outside the LDAP domain you specified, use port 3268 and ensure you set the Group Search Path accordingly. Also, be sure that the host you are connecting to is a global catalog (GC) server.

    -Josh

    • Great information Josh. I’m glad you were able to get this working. When I tell people to look at my instructions, I let them know this works for about 90% of the installs. Clearly yours was in the other 10%.


  • Tim

    Good stuff Sean. I use your LDAP articles a lot with customers.

  • baryt

    Great article. I tried using the OU where all the users are located; it didn’t work, so finally I used the domain DN as the user and group search path, created a group named Clariion, and added to it all the users I wished to log in to the arrays, and that’s it :)

  • dave3000

    Anyone know where the log is for the LDAP connection attempts? /var/log/messages on the CS has an abbreviated message of “failures” but truncated so you cannot really see what it’s failing on. thanks!
