Skip to main content
SANtricity 11.8

Add directory server

Contributors netapp-jolieg

To configure authentication for Access Management, you establish communications between an LDAP server and the host running the Web Services Proxy for Unified Manager. You then map the LDAP user groups to the local user roles.

Before you begin
  • You must be logged in with a user profile that includes Security admin permissions. Otherwise, the Access Management functions do not appear.

  • User groups must be defined in your directory service.

  • LDAP server credentials must be available, including the domain name, server URL, and optionally the bind account user name and password.

  • For LDAPS servers using a secure protocol, the LDAP server's certificate chain must be installed on your local machine.

About this task

Adding a directory server is a two-step process. First you enter the domain name and URL. If your server uses a secure protocol, you also must upload a CA certificate for authentication if it is signed by a non-standard signing authority. If you have credentials for a bind account, you also can enter your user account name and password. Next, you map the LDAP server's user groups to local user roles.

Steps
  1. Select Access Management.

  2. From the Directory Services tab, select Add Directory Server.

    The Add Directory Server dialog box opens.

  3. In the Server Settings tab, enter the credentials for the LDAP server.

    Field details
    Setting Description

    Configuration settings

    Domain(s)

    Enter the domain name of the LDAP server. For multiple domains, enter the domains in a comma separated list. The domain name is used in the login (username@domain) to specify which directory server to authenticate against.

    Server URL

    Enter the URL for accessing the LDAP server in the form of ldap[s]://host:*port*.

    Upload certificate (optional)

    Note This field appears only if an LDAPS protocol is specified in the Server URL field above.

    Click Browse and select a CA certificate to upload. This is the trusted certificate or certificate chain used for authenticating the LDAP server.

    Bind account (optional)

    Enter a read-only user account for search queries against the LDAP server and for searching within the groups. Enter the account name in an LDAP-type format. For example, if the bind user is called "bindacct", then you might enter a value such as CN=bindacct,CN=Users,DC=cpoc,DC=local.

    Bind password (optional)

    Note This field appears when you enter a bind account.

    Enter the password for the bind account.

    Test server connection before adding

    Select this checkbox if you want to make sure the system can communicate with the LDAP server configuration you entered. The test occurs after you click Add at the bottom of the dialog box.

    If this checkbox is selected and the test fails, the configuration is not added. You must resolve the error or de-select the checkbox to skip the testing and add the configuration.

    Privilege settings

    Search base DN

    Enter the LDAP context to search for users, typically in the form of CN=Users, DC=cpoc, DC=local.

    Username attribute

    Enter the attribute that is bound to the user ID for authentication. For example: sAMAccountName.

    Group attribute(s)

    Enter a list of group attributes on the user, which is used for group-to-role mapping. For example: memberOf, managedObjects.

  4. Click the Role Mapping tab.

  5. Assign LDAP groups to the predefined roles. A group can have multiple assigned roles.

    Field details
    Setting Description

    Mappings

    Group DN

    Specify the group distinguished name (DN) for the LDAP user group to be mapped. Regular expressions are supported. These special regular expression characters must be escaped with a backslash (\) if they are not part of a regular expression pattern: \.[]{}()<>*+-=!?^$|

    Roles

    Click in the field and select one of the local user roles to be mapped to the Group DN. You must individually select each role you want to include for this group. The Monitor role is required in combination with the other roles to log in to SANtricity Unified Manager. The mapped roles include the following permissions:

    • Storage admin — Full read/write access to storage objects on the arrays, but no access to the security configuration.

    • Security admin — Access to the security configuration in Access Management and Certificate Management.

    • Support admin — Access to all hardware resources on storage arrays, failure data, and MEL events. No access to storage objects or the security configuration.

    • Monitor — Read-only access to all storage objects, but no access to the security configuration.

    Note The Monitor role is required for all users, including the administrator.
  6. If desired, click Add another mapping to enter more group-to-role mappings.

  7. When you are finished with the mappings, click Add.

    The system performs a validation, making sure that the storage array and LDAP server can communicate. If an error message appears, check the credentials entered in the dialog box and re-enter the information if necessary.