EMC ® VPLEX ™ SolVe Generator
Solution for Validating your engagement
Topic
VPLEX Customer Procedures
Selections
Procedures: Configure
Configure: Authentication directory service
Generated: 13:56, April 30, 2015
SolVe Generator Updated:
REPORT PROBLEMS
If you find any errors in this procedure or have comments regarding this application, send email to
SolVeFeedback@emc.com
Copyright© 2010 – 2024 EMC Corporation. All rights reserved.
Publication Date: April, 2015
EMC believes the information in this publication is accurate as of its publication date. The information is subject to
change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an applicable software
license.
For the most up-to-date regulatory document for your product line, search for “regulatory” on the applicable product
page at https://support.EMC.com
For the most up-to-date listing of EMC trademarks, see the list of EMC Corporation Trademarks on EMC.com.
All other trademarks used herein are the property of their respective owners.
version: 2.4.8.2
1 of 9
Contents
Setting up a VPLEX cluster for an authentication directory service ... 3
  Before you begin ... 3
    New Configurations ... 4
    Existing LDAP configurations ... 4
Configuring Authentication Directory Service in VPLEX ... 5
  Adding a User to the Directory Service configuration ... 6
  Adding a Group to the Directory Service configuration ... 7
  Removing a User from the Directory Service configuration ... 8
  Removing a Group from the Directory Service configuration ... 8
Removing the authentication directory service configuration ... 9
LDAP Configuration
Setting up a VPLEX cluster for an authentication directory service
This procedure applies to GeoSynchrony Releases 5.2 Service Pack 1 and later. If you are using an
earlier release, generate the procedure for that release.
Note: VPLEX does not support configuring multiple directory services. A given VPLEX instance can use only a single directory server at any point in time.
Note: Starting with VPLEX GeoSynchrony Release 5.2 Service Pack 1, the authentication directory service configuration has been enhanced to securely persist the LDAP configuration and to support groups.
Best practice is to map groups rather than individual users. Mapping a group allows multiple users to be added with a single map-principal operation, and VPLEX is insulated from subsequent changes (modify/delete) to individual users.
Before you begin
The following preparations will simplify the configuration of the authentication directory service.
If you are configuring authentication directory service on Release 5.2 Service Pack 1, read the
Documentation Change section of the VPLEX with GeoSynchrony Release 5.2 Service Pack 1
Release Notes to understand the changes to authentication directory service in that release.
Determine if you are upgrading an existing authentication directory service configuration or
configuring a new authentication directory service.
Determine or assign the following information and record each value:
- IP address of the authentication server
- Port to be used for Default LDAP (default port = 389)
- Port to be used for Secure LDAP (LDAPS) (default port = 636)
- Directory server name (necessary if the connection between the VPLEX management server and the authentication server goes over an SSL channel)
- Base distinguished name: a sequence of relative distinguished names connected by commas.
  Example: dc=org,dc=company,dc=com
- Bind distinguished name: a sequence of relative distinguished names connected by commas.
  Example: cn=bindUsr, dc=org,dc=company,dc=com
- Password for the bind distinguished name
- User search path: a sequence of relative distinguished names connected by commas.
  Example: ou=team,ou=bu,dc=org,dc=company,dc=com
  Note: Only users belonging to this organizationalUnit will be able to log in to the management server.
- Principal to map to the VPLEX management server: a sequence of relative distinguished names connected by commas.
  Example: cn=GUI-Group,ou=vplex,dc=emc,dc=com
  Note: During configuration, a user and/or group can be specified.
- Custom (UNIX) attributes, if the directory server configuration differs from the default configuration supported by VPLEX. The custom UNIX attribute names are:
  Group attributes: posixGroup, gidNumber
  User attributes: posixAccount, uid, uidNumber, loginShell, homeDirectory
  For the default configuration supported in VPLEX, refer to the description and examples of the authentication directory-service configure command in the VPLEX CLI Guide.
New Configurations:
Clusters on which LDAP has NOT been configured previously:
The LDAP configuration will use the new internal security component by default, and the configuration information will be securely persisted.
If users from multiple organizationalUnitNames (OUs) are to be mapped, consider the following options:
- Create a user group, add all the users from the multiple OUs who need to be mapped, and use this group to map the users.
- Identify a principal for the user search path (usersearchpath) that includes all the users from the multiple OUs, and use it to map the users.
Follow the procedure Configuring Authentication Directory Service in VPLEX.
Existing LDAP configurations
Clusters on which LDAP has already been configured:
The existing configuration is not upgraded to the new secure configuration automatically. It has to be unconfigured and re-configured to take advantage of the new security fixes. To do this:
- First, follow the steps in Removing the authentication directory service configuration.
- Then, follow the steps in Configuring Authentication Directory Service in VPLEX.
Until it is re-configured, the stored configuration information will continue to have security vulnerabilities; refer to the EMC VPLEX with GeoSynchrony 5.2 Service Pack 1 Release Notes for details.
Principals can still be mapped to or unmapped from the existing configuration with the existing commands until the configuration is moved to the new secure configuration.
If multiple organizationalUnitNames (OUs) have been mapped in the existing configuration, all users within these OUs can be added to a group and that group mapped in the new configuration. If you do this, ensure that the user search path (usersearchpath) you specify contains all the users in the group.
Configuring Authentication Directory Service in VPLEX
The following sections describe a new configuration of the authentication directory service in VPLEX.
1. [ ] Establish an SSH connection to the management server in the VPLEX cluster, and log in
with username admin or service.
2. [ ] Once you have gathered all the required information specified in the table above, run the ldapsearch command to verify the directory server's attribute mapping values:
ldapsearch -x -LLL -h <ipaddress of the directory server> -b "<base dn>" -D "<bind dn>" -s sub "<principal to be mapped>" -w <bind password> -E pr=1000/noprompt
Example:
To determine the users that reside under a given organizational unit, the following ldapsearch command lists their distinguished names:
/usr/bin/ldapsearch -x -LLL -l 30 -H ldap://10.31.50.59:389 -b 'ou=dev,ou=vplex,dc=emc,dc=com' -D 'cn=Administrator,dc=emc,dc=com' objectClass=posixAccount -w password -E pr=1000/noprompt dn
dn: uid=dev1,ou=security,ou=dev,ou=vplex,dc=emc,dc=com
dn: uid=dev2,ou=security,ou=dev,ou=vplex,dc=emc,dc=com
dn: uid=dev3,ou=security,ou=dev,ou=vplex,dc=emc,dc=com
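The step above verifies the attribute mapping by eye. The following added example (not part of the EMC procedure) automates that check: it reads the LDIF that the step-2 ldapsearch prints (run without the trailing `dn` selector so all attributes are returned) and reports every user entry that lacks one of the UNIX attributes VPLEX expects on a posixAccount (uid, uidNumber, gidNumber, loginShell, homeDirectory). The LDIF sample embedded below is constructed for the example; pipe real ldapsearch output into `check_posix_attrs` instead.

```shell
#!/bin/sh
# Added example (not EMC's code): check ldapsearch LDIF output for the UNIX
# attributes VPLEX expects on a posixAccount user. Reads LDIF on stdin, prints
# "OK <dn>" or "MISSING <attrs>: <dn>" per entry, and returns 1 if any entry
# lacks a required attribute (so the result can drive a pre-configuration gate).
check_posix_attrs() {
    awk '
    function flush(   missing, i) {
        if (dn == "") return
        missing = ""
        for (i = 1; i <= nreq; i++)
            if (!(req[i] in seen))
                missing = missing (missing == "" ? "" : ",") req[i]
        if (missing == "") print "OK " dn
        else { print "MISSING " missing ": " dn; bad++ }
        dn = ""; split("", seen)                    # reset for the next entry
    }
    BEGIN { nreq = split("uid uidNumber gidNumber loginShell homeDirectory", req, " ") }
    /^dn: / { flush(); dn = substr($0, 5); next }   # a new entry starts
    /^$/    { flush(); next }                       # a blank line ends an entry
    /^[A-Za-z][A-Za-z0-9;-]*::? / {                 # "attr: value" or base64 "attr:: value"
        name = $1; sub(/:+$/, "", name); seen[name] = 1
    }
    END { flush(); exit (bad > 0) }
    '
}

# Constructed sample (not real ldapsearch output): dev1 is complete,
# dev2 lacks gidNumber, loginShell and homeDirectory.
SAMPLE_LDIF='dn: uid=dev1,ou=security,ou=dev,ou=vplex,dc=emc,dc=com
objectClass: posixAccount
uid: dev1
uidNumber: 50000
gidNumber: 80000
loginShell: /bin/bash
homeDirectory: /u/v/x/y/dev1

dn: uid=dev2,ou=security,ou=dev,ou=vplex,dc=emc,dc=com
objectClass: person
uid: dev2
uidNumber: 50001'

printf '%s\n' "$SAMPLE_LDIF" | check_posix_attrs ||
    echo "At least one user lacks a UNIX attribute: fix the entry or use --custom-attributes"
```

A user reported as MISSING would either need the attribute added on the directory server or the VPLEX configuration run with --custom-attributes, as the note in step 4 describes.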
3. [ ] From the Linux shell prompt, type the following command to connect to
the VPlexcli:
vplexcli
Log in with the same username you used for the SSH connection.
4. [ ] From the VPlexcli prompt, type the following command. The VPLEX CLI Guide describes the arguments:
authentication directory-service configure -d directory_server_type -i ip_address -b base_distinguished_name -r user_search_path -u user_principal -g group_principal -n bind_distinguished_name -p
Example:
VPlexcli:/> authentication directory-service configure -i 10.31.50.59
-b "dc=emc,dc=com"
-r "ou=qe,ou=vplex,dc=emc,dc=com"
-u "uid=dev1,ou=security,ou=dev,ou=vplex,dc=emc,dc=com"
-g "cn=GUI-Group,ou=vplex,dc=emc,dc=com"
-n "cn=Administrator,cn=Users,dc=emc,dc=com" -p
When prompted, enter the password for the bind distinguished name.
Note: Use --custom-attributes option if the configuration on the directory server is different from the
default configuration supported by VPLEX as shown below.
authentication directory-service configure -d directory_server_type -i ip_address -b base_distinguished_name -r user_search_path -n bind_distinguished_name -p --custom-attributes
When prompted, provide the required information for each of the custom attributes. Refer to the VPLEX Configuration Worksheet for more information.
Note: When you specify the -r option with the configuration command, all users in the user_search_path will be able to log in to the management server.
To restrict the users who can log in to the management server:
- Use -g group_principal to restrict management server login to the group of users specified by group_principal.
- Use -u user_principal to restrict management server login to the users specified by user_principal.
The VPLEX management server can now interact with the directory server.
5. [ ] To map a directory service user principal or group principal to the VPLEX cluster, refer to the sections below.
6. [ ] To verify the status of the authentication directory service configuration, type
the following command at the VPlexcli prompt:
authentication directory-service show
The VPLEX CLI Guide describes the data that appears in the output.
Adding a User to the Directory Service configuration:
1. [ ] Establish an SSH connection to the management server in the VPLEX cluster, and log in
with username admin or service.
2. [ ] From the Linux shell prompt, type the following command to connect to
the VPlexcli:
vplexcli
Log in with the same username you used for the SSH connection.
3. [ ] To map the directory service principal, type the following command. The
VPLEX CLI Guide describes the argument:
authentication directory-service map -u user_principal
Example:
VPlexcli:/> authentication directory-service map -u "uid=dev2,ou=security,ou=dev,ou=vplex,dc=emc,dc=com"
To determine the attributes of the user principal on an OpenLDAP server, the following ldapsearch command lists the entry along with its associated UNIX attributes:
/usr/bin/ldapsearch -x -LLL -l 30 -H ldap://10.31.50.59:389 -b 'uid=dev1,ou=security,ou=dev,ou=vplex,dc=emc,dc=com' -D 'cn=Administrator,dc=emc,dc=com' -w zephyr01 -E pr=1000/noprompt
dn: uid=dev1,ou=security,ou=dev,ou=vplex,dc=emc,dc=com
sn: dev
cn: dev1
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
uid: dev1
loginShell: /bin/bash
homeDirectory: /u/v/x/y/dev1
uidNumber: 50000
gidNumber: 80000
4. [ ] To verify the status of the directory service configuration, type the following
command at the VPlexcli prompt:
authentication directory-service show
Adding a Group to the Directory Service configuration:
1. [ ] Establish an SSH connection to the management server in the VPLEX cluster, and log in
with username admin or service.
2. [ ] From the Linux shell prompt, type the following command to connect to
the VPlexcli:
vplexcli
3. [ ] Log in with the same username you used for the SSH connection.
4. [ ] To map the directory service principal, type the following command. The
VPLEX CLI Guide describes the argument:
authentication directory-service map -g group_principal
Example:
VPlexcli:/> authentication directory-service map -g "cn=GUI-Group,ou=vplex,dc=emc,dc=com"
To determine the users that reside under a group principal that is to be mapped, on an OpenLDAP server, the following ldapsearch command lists the group entry along with the associated attributes of the group they reside in:
/usr/bin/ldapsearch -x -LLL -l 30 -H ldap://10.31.50.59:389 -b 'cn=GUI-Group,ou=vplex,dc=emc,dc=com' -D 'cn=Administrator,dc=emc,dc=com' -w password -E pr=1000/noprompt
dn: cn=GUI-Group,ou=vplex,dc=emc,dc=com
objectClass: groupOfNames
cn: GUI-Group
description: GUI-Group
member: uid=QE1,ou=gui,ou=qe,ou=vplex,dc=emc,dc=com
member: uid=QE2,ou=gui,ou=qe,ou=vplex,dc=emc,dc=com
member: uid=dev3,ou=GUI,ou=dev,ou=vplex,dc=emc,dc=com
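Mapping a group with -g does not by itself let its members log in: as the Existing LDAP configurations section notes, the user search path given with -r must also contain every member. The following added example (not part of the EMC procedure) takes the group LDIF printed by the ldapsearch above plus the -r value from the configure example, and lists the members whose DN is outside the search path. The group sample below is constructed from the page's GUI-Group output.

```shell
#!/bin/sh
# Added example (not EMC's code): report group members whose DN does not lie under
# the user search path passed to "authentication directory-service configure -r".
# Reads group LDIF on stdin; $1 is the search path. Prints each offending member DN
# and returns 1 if any were found, 0 otherwise.
members_outside_search_path() {
    awk -v path="$1" '
    function norm(s) { gsub(/, +/, ",", s); return tolower(s) }   # canonicalise DN text
    BEGIN { want = "," norm(path) }
    /^member: / {
        dn = substr($0, 9)
        # a DN is under the search path when it ends with ",<search path>"
        tail = substr(norm(dn), length(norm(dn)) - length(want) + 1)
        if (tail != want) { print dn; n++ }
    }
    END { exit (n > 0) }
    '
}

# Constructed sample, taken from the GUI-Group entry shown above.
GROUP_LDIF='dn: cn=GUI-Group,ou=vplex,dc=emc,dc=com
objectClass: groupOfNames
cn: GUI-Group
member: uid=QE1,ou=gui,ou=qe,ou=vplex,dc=emc,dc=com
member: uid=QE2,ou=gui,ou=qe,ou=vplex,dc=emc,dc=com
member: uid=dev3,ou=GUI,ou=dev,ou=vplex,dc=emc,dc=com'

# With the search path from the configure example (-r "ou=qe,ou=vplex,dc=emc,dc=com"),
# dev3 is reported: it lives under ou=dev, outside the search path.
printf '%s\n' "$GROUP_LDIF" | members_outside_search_path "ou=qe,ou=vplex,dc=emc,dc=com" ||
    echo "Members listed above must be moved under the search path or the -r value widened"
```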
5. [ ] To verify the status of the directory service configuration, type the following
command at the VPlexcli prompt:
authentication directory-service show
Removing a User from the Directory Service configuration:
1. [ ] Establish an SSH connection to the management server in the VPLEX cluster, and log in
with username admin or service.
2. [ ] From the Linux shell prompt, type the following command to connect to the VPlexcli:
vplexcli
3. [ ] Log in with the same username you used for the SSH connection.
4. [ ] To unmap the directory service principal, type the following command. The VPLEX CLI
Guide describes the argument:
authentication directory-service unmap -u user_principal
Example:
VPlexcli:/> authentication directory-service unmap -u "uid=dev1,ou=security,ou=dev,ou=vplex,dc=emc,dc=com"
5. [ ] To verify the status of the directory service configuration, type the following command at
the VPlexcli prompt:
authentication directory-service show
Removing a Group from the Directory Service configuration:
1. [ ] Establish an SSH connection to the management server in the VPLEX cluster, and log in
with username admin or service.
2. [ ] From the Linux shell prompt, type the following command to connect to
the VPlexcli:
vplexcli
3. [ ] Log in with the same username you used for the SSH connection.
4. [ ] To unmap the directory service principal, type the following command. The
VPLEX CLI Guide describes the argument:
authentication directory-service unmap -g group_principal
Example:
VPlexcli:/> authentication directory-service unmap -g "cn=GUI-Group,ou=vplex,dc=emc,dc=com"
5. [ ] To verify the status of the directory service configuration, type the following
command at the VPlexcli prompt:
authentication directory-service show
Removing the authentication directory service configuration
1. [ ] Establish an SSH connection to the management server in the VPLEX cluster, and log in
with username admin or service.
2. [ ] From the Linux shell prompt, type the following command to connect to the VPlexcli:
vplexcli
3. [ ] Log in with the same username you used for the SSH connection.
4. [ ] From the VPlexcli prompt, type the following command, including any applicable
arguments as described in the VPLEX CLI Guide:
authentication directory-service unconfigure
Example:
VPlexcli:/> authentication directory-service unconfigure
This command will unconfigure the existing directory service. Continue? (Yes/No)
Yes
5. [ ] To verify the status of the authentication directory service configuration, type the following
command at the VPlexcli prompt:
authentication directory-service show
After successful removal of the configuration, the VPLEX cluster no longer authenticates against the
external authentication directory service.