Configuring a federated identity source

You must configure a federated identity source (such as Active Directory or OpenLDAP) before you can assign management permissions to federated groups and users.

Before you begin

Note: When using identity federation, be aware that users who only belong to a primary group on Active Directory are not allowed to sign in to the Tenant Manager. To allow these users to sign in, grant them membership in a user-created group.

Steps

  1. Select Access Control > Identity Federation.
  2. Select Enable Identity Federation.
    LDAP service configuration information appears.
  3. Select the type of LDAP service you want to configure from the LDAP Service Type drop-down list.
    You can select Active Directory, OpenLDAP, or Other.
    Note: If you select OpenLDAP, you must configure the OpenLDAP server. See "Guidelines for configuring an OpenLDAP server."
  4. If you selected Other, complete the fields in the LDAP Attributes section.
    • Unique User Name: The name of the attribute that contains the unique identifier of an LDAP user. This attribute is equivalent to sAMAccountName for Active Directory and uid for OpenLDAP.
    • User UUID: The name of the attribute that contains the permanent unique identifier of an LDAP user. This attribute is equivalent to objectGUID for Active Directory and entryUUID for OpenLDAP.
    • Group Unique Name: The name of the attribute that contains the unique identifier of an LDAP group. This attribute is equivalent to sAMAccountName for Active Directory and cn for OpenLDAP.
    • Group UUID: The name of the attribute that contains the permanent unique identifier of an LDAP group. This attribute is equivalent to objectGUID for Active Directory and entryUUID for OpenLDAP.
  5. Enter the required LDAP server and network connection information:
    • Hostname: The host name or IP address of the LDAP server.
    • Port: The port used to connect to the LDAP server. This is typically 389.
    • Username: The username used to access the LDAP server, including the domain.
      The specified user must have permission to list groups and users and to access the following attributes:
      • cn
      • sAMAccountName or uid
      • objectGUID or entryUUID
      • memberOf
    • Password: The password associated with the username.
    • Group Base DN: The fully qualified Distinguished Name (DN) of an LDAP subtree you want to search for groups. In the example, all groups whose Distinguished Name is relative to the base DN (DC=storagegrid,DC=example,DC=com) can be used as federated groups.
      Note: The Group Unique Name values must be unique within the Group Base DN they belong to.
    • User Base DN: The fully qualified Distinguished Name (DN) of an LDAP subtree you want to search for users.
      Note: The Unique User Name values must be unique within the User Base DN they belong to.
  6. Select a security setting from the Transport Layer Security (TLS) drop-down list to specify if TLS is used to secure communications with the LDAP server.
    • Use operating system CA certificate: Use the default CA certificate installed on the operating system to secure connections.
    • Use custom CA certificate: Use a custom security certificate.
      If you select this setting, copy and paste the custom security certificate in the CA Certificate text box.
    • Do not use TLS: The network traffic between the StorageGRID Webscale system and the LDAP server will not be secured.
    Example
    The following screenshot shows example configuration values for an LDAP server that uses Active Directory.
    [Screenshot: Identity Federation page showing LDAP server that uses Active Directory]
  7. Optionally, click Test Connection to validate your connection settings for the LDAP server.
  8. Click Save.
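The rules in steps 4 and 5 (required attributes per LDAP Service Type, the attributes the bind account must read, Unique Name values unique within their Base DN, and the primary-group-only caveat from the note at the top) can be checked offline against what a directory search returns. The following Python is an added example, not part of this documentation or the product; the entries are constructed sample data, and using `objectClass` values of `user`/`group` as the filter is a simplification assumed here.

```python
from collections import Counter

# (Unique Name, UUID) attribute per LDAP Service Type, as listed above; "Other" passes its own.
ATTRIBUTE_MAPS = {
    "Active Directory": {"user": ("sAMAccountName", "objectGUID"),
                         "group": ("sAMAccountName", "objectGUID")},
    "OpenLDAP": {"user": ("uid", "entryUUID"), "group": ("cn", "entryUUID")},
}

def check_scope(entries, base_dn, name_attr, uuid_attr, kind):
    """Apply the rules for one Base DN to the entries whose DN is relative to it.
    kind is 'user' or 'group' and doubles as a simplified objectClass filter (assumption)."""
    scoped = [e for e in entries if kind in e["objectClass"]
              and e["dn"].lower().endswith("," + base_dn.lower())]
    findings = []
    for e in scoped:
        for attr in ("cn", name_attr, uuid_attr):  # the bind account must read all of these
            if attr not in e:
                findings.append(f"{e['dn']}: missing {attr}")
        if kind == "user" and "memberOf" not in e:  # an AD primary group never appears in memberOf
            findings.append(f"{e['dn']}: no memberOf (primary-group-only users cannot sign in)")
    for name, n in Counter(v for e in scoped for v in e.get(name_attr, [])).items():
        if n > 1:  # Unique Name values must be unique within their Base DN
            findings.append(f"{kind} {name_attr}={name} occurs {n} times under {base_dn}")
    return findings

def preflight(service_type, user_base_dn, group_base_dn, entries, custom=None):
    """Return every finding for the configuration; an empty list means the rules hold."""
    attrs = custom if service_type == "Other" else ATTRIBUTE_MAPS[service_type]
    return (check_scope(entries, user_base_dn, *attrs["user"], "user")
            + check_scope(entries, group_base_dn, *attrs["group"], "group"))

# Constructed sample directory in the shape an LDAP search returns (attribute -> list of values).
# bob reuses alice's sAMAccountName and belongs only to his primary group (no memberOf).
SAMPLE_ENTRIES = [
    {"dn": "CN=alice,OU=Users,DC=storagegrid,DC=example,DC=com", "objectClass": ["user"],
     "cn": ["alice"], "sAMAccountName": ["alice"], "objectGUID": ["11111111-aaaa"],
     "memberOf": ["CN=grid-admins,OU=Groups,DC=storagegrid,DC=example,DC=com"]},
    {"dn": "CN=bob,OU=Users,DC=storagegrid,DC=example,DC=com", "objectClass": ["user"],
     "cn": ["bob"], "sAMAccountName": ["alice"], "objectGUID": ["22222222-bbbb"]},
    {"dn": "CN=grid-admins,OU=Groups,DC=storagegrid,DC=example,DC=com", "objectClass": ["group"],
     "cn": ["grid-admins"], "sAMAccountName": ["grid-admins"], "objectGUID": ["33333333-cccc"]},
]

if __name__ == "__main__":
    for finding in preflight("Active Directory", "OU=Users,DC=storagegrid,DC=example,DC=com",
                             "DC=storagegrid,DC=example,DC=com", SAMPLE_ENTRIES):
        print(finding)
```

Against the sample it reports bob's duplicate name and his missing memberOf; run the same checks on the real search output of your bind account before clicking Test Connection.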