Configuring Active Directory (or really LDAP) based authentication for your infrastructure is basically standard fare. Default accounts should always be changed, and centralized management and control of access credentials saves you effort over time; it is “Security 101”.
With that in mind, I set about configuring LDAP authentication against an Active Directory on a freshly minted XtremIO 4 cluster, so I thought I would quickly share the process.
I will be adding a group called “DataAdmins” with the Administrator role. I have a specific AD account (a Bind DN) for this, called “ldapbind”. This only needs to be a Domain User. Don’t use an account with Admin privileges. It’s not needed. I leave this account in the Users OU.
The input of the details can appear confusing, but the simplest method to obtain them is to use the built-in Microsoft DSQUERY tool, executable from a Domain Controller. Substitute your own Bind DN name into the command:
dsquery user -name ldapbind
Copy the result out of your console and paste it into the “Bind DN:” field, making sure there are no quotation marks included.
The search base defines where the search for a matching account begins.
The Search Filter defines which AD attribute to search for and use (this could be sAMAccountName, userPrincipalName, etc.).
The User to DN field allows you to include the domain suffix automatically for the matched account(s), so that when entering the account details to log in, the domain details are not required.
Enter the server URLs, including ports, for valid Domain Controllers (more than one, for redundancy).
Next is the group whose members will be mapped to a role and permitted to log on. To get the group, again use DSQUERY, substituting in your own group name:
dsquery group -name DataAdmins
In the Active Directory Group field, click on Add, choose the role to associate with the group and paste the DSQUERY output in.
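To make the chain of settings above concrete, here is an added example (my own illustration, not XtremIO code) that models how the Bind DN, Search Base, Search Filter, User to DN suffix and group-to-role mapping combine to turn a typed login name into a role. The domain, OU, account names and the tiny in-memory directory are constructed assumptions; it also strips the quotes dsquery prints and escapes the login name in the filter so it cannot change the filter's meaning.

```python
import re
# Constructed configuration mirroring the fields in the XtremIO LDAP dialog.
# Domain, OU and account names are assumptions for illustration, not a real domain.
SEARCH_BASE = "DC=corp,DC=example"
SEARCH_ATTRIBUTE = "sAMAccountName"        # attribute named in the Search Filter
USER_TO_DN_SUFFIX = "@corp.example"        # User to DN suffix appended to the login name
ROLE_MAP = {"cn=dataadmins,ou=groups,dc=corp,dc=example": "Administrator"}
# Constructed stand-in for the directory: DN -> attributes an LDAP search would return.
DIRECTORY = {
    "CN=jsmith,CN=Users,DC=corp,DC=example": {"sAMAccountName": "jsmith",
        "memberOf": ["CN=DataAdmins,OU=Groups,DC=corp,DC=example"]},
    "CN=bob,CN=Users,DC=corp,DC=example": {"sAMAccountName": "bob", "memberOf": []},
    # Same login name but outside the search base: must never be matched.
    "CN=jsmith,CN=Users,DC=other,DC=example": {"sAMAccountName": "jsmith",
        "memberOf": ["CN=DataAdmins,OU=Groups,DC=corp,DC=example"]},
}

def strip_dsquery_quotes(line):
    """dsquery prints DNs wrapped in double quotes; the dialog wants them bare."""
    return line.strip().strip('"')

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the filter's meaning ('*', '(' ...)."""
    return "".join(c if c not in '\\*()\0' else "\\%02x" % ord(c) for c in value)

def user_to_dn(login):
    """Append the domain suffix unless a UPN-style name was already typed."""
    return login if "@" in login else login + USER_TO_DN_SUFFIX

def build_search_filter(login):
    return "(%s=%s)" % (SEARCH_ATTRIBUTE, escape_filter_value(login))

def search(search_filter, directory=DIRECTORY):
    """Minimal equality-only matcher standing in for the domain controller's search."""
    attr, raw = re.fullmatch(r"\((\w+)=(.*)\)", search_filter).groups()
    wanted = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), raw).lower()
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith("," + SEARCH_BASE.lower())   # within the Search Base subtree
            and attrs.get(attr, "").lower() == wanted]

def resolve_role(login, directory=DIRECTORY):
    """Return the XtremIO role for a login name, or None when the account is not mapped."""
    matches = search(build_search_filter(login.split("@")[0]), directory)
    if len(matches) != 1:                  # no account or an ambiguous result: deny
        return None
    for group in directory[matches[0]].get("memberOf", []):
        if group.lower() in ROLE_MAP:
            return ROLE_MAP[group.lower()]
    return None
```

A member of a group that is not in the role map gets no role and is denied, which is the behaviour you want from the group mapping.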
At this point, I’m not going to apply an SSL certificate, but will do so soon.
The completed configuration:
From the CLI, for verification:
…and my admin account logged in.
Once you have logged in with an account authenticated via LDAP, you’ll also see an entry in the “Users Administration” menu, with “Is External” set to Yes.
That’ll do it. One day, vendors will use consistent LDAP configs across their portfolios 🙂