You must configure a federated identity source (such as Active Directory or OpenLDAP) before you can assign management permissions to federated groups and users.
Before you begin
- You must be signed in using a supported browser.
- You must have specific access permissions.
- The Uses Own Identity Source check box must have been selected when the tenant account was created. Contact the grid administrator for information or to change this setting.
Note: When using identity federation, be aware that users who only belong to a primary group on Active Directory are not allowed to sign in to the Tenant Management Interface. To allow these users to sign in, grant them membership in a user-created group.
Steps
- Select .
- Select Enable Identity Federation.
LDAP service configuration information appears.
- Select the type of LDAP service you want to configure from the LDAP Service Type drop-down list.
You can select Active Directory, OpenLDAP, or Other.
Note: If you select OpenLDAP, you must configure the OpenLDAP server. See "Guidelines for configuring an OpenLDAP server" in this guide.
- If you selected Other, complete the fields in the LDAP Attributes section.
- Unique User Name: The name of the attribute that contains the unique identifier of an LDAP user. This attribute is equivalent to sAMAccountName for Active Directory and uid for OpenLDAP.
- User UUID: The name of the attribute that contains the permanent unique identifier of an LDAP user. This attribute is equivalent to objectGUID for Active Directory and entryUUID for OpenLDAP.
- Group Unique Name: The name of the attribute that contains the unique identifier of an LDAP group. This attribute is equivalent to sAMAccountName for Active Directory and cn for OpenLDAP.
- Group UUID: The name of the attribute that contains the permanent unique identifier of an LDAP group. This attribute is equivalent to objectGUID for Active Directory and entryUUID for OpenLDAP.
- Enter the required LDAP server and network connection information:
- Hostname: The host name or IP address of the LDAP server.
- Port: The port used to connect to the LDAP server. This is typically 389.
- Username: The username used to access the LDAP server, including the domain.
The specified user must have permission to list groups and users and to access the following attributes:
- cn
- sAMAccountName or uid
- objectGUID or entryUUID
- memberOf
- Password: The password associated with the username.
- Group Base DN: The fully qualified Distinguished Name (DN) of an LDAP subtree you want to search for groups. In the example, all groups whose Distinguished Name is relative to the base DN (DC=storagegrid,DC=example,DC=com) can be used as federated groups.
Note: The Unique Group Name values must be unique within the Group Base DN they belong to.
- User Base DN: The fully qualified Distinguished Name (DN) of an LDAP subtree you want to search for users.
Note: The Unique User Name values must be unique within the User Base DN they belong to.
- Select a security setting from the Transport Layer Security (TLS) drop-down list to specify if TLS is used to secure communications with the LDAP server.
Example
The following screen shot shows example configuration values for an LDAP server that uses Active Directory.

- Optionally, click Test Connection to validate your connection settings for the LDAP server.
- Click Save.
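As an added example (not StorageGRID code), the following Python models the attribute mapping and Base DN rules from the steps above and runs the kind of checks a Test Connection step would, against constructed search results instead of a live directory. The entry DNs, GUID values and function names are assumptions made for the example.

```python
"""Pre-flight checks for the LDAP federation settings above (added example, not StorageGRID
code): the page's attribute equivalences and Base DN uniqueness rules, applied to constructed data."""
# Attribute names the page gives per LDAP Service Type; "Other" needs an explicit 'attributes' mapping.
BUILTIN_ATTRIBUTES = {
    "Active Directory": {"user_name": "sAMAccountName", "user_uuid": "objectGUID",
                         "group_name": "sAMAccountName", "group_uuid": "objectGUID"},
    "OpenLDAP": {"user_name": "uid", "user_uuid": "entryUUID",
                 "group_name": "cn", "group_uuid": "entryUUID"},
}

def is_under_base(dn, base_dn):
    """True if dn equals base_dn or lies below it (assumes no escaped commas in DNs)."""
    parts = [p.strip().lower() for p in dn.split(",")]
    base = [p.strip().lower() for p in base_dn.split(",")]
    return len(parts) >= len(base) and parts[-len(base):] == base

def check_entries(entries, base_dn, name_attr, uuid_attr, kind):
    """Report problems in (dn, attributes) pairs that a search under base_dn returned."""
    problems, seen = [], {}
    for dn, attrs in entries:
        if not is_under_base(dn, base_dn):
            problems.append(f"{kind} {dn} is outside base DN {base_dn}")
            continue
        problems += [f"{kind} {dn} lacks {a}" for a in (name_attr, uuid_attr) if not attrs.get(a)]
        name = attrs.get(name_attr, "").lower()
        if name in seen:  # the page requires unique names to be unique within their Base DN
            problems.append(f"{kind} name {name!r} used by both {seen[name]} and {dn}")
        elif name:
            seen[name] = dn
    return problems

def validate_federation(config, groups, users):
    """Resolve the attribute mapping for the service type, then check both subtrees."""
    attrs = BUILTIN_ATTRIBUTES.get(config["service_type"]) or config["attributes"]
    return (check_entries(groups, config["group_base_dn"], attrs["group_name"], attrs["group_uuid"], "group")
            + check_entries(users, config["user_base_dn"], attrs["user_name"], attrs["user_uuid"], "user"))

# Constructed sample data, reusing the page's example base DN; GUID values are placeholders.
CONFIG = {"service_type": "Active Directory",
          "group_base_dn": "DC=storagegrid,DC=example,DC=com",
          "user_base_dn": "OU=Users,DC=storagegrid,DC=example,DC=com"}
GROUPS = [("CN=Admins,OU=Groups,DC=storagegrid,DC=example,DC=com", {"sAMAccountName": "admins", "objectGUID": "g1"}),
          ("CN=Admins,OU=Legacy,DC=storagegrid,DC=example,DC=com", {"sAMAccountName": "admins", "objectGUID": "g2"})]
USERS = [("CN=Alice,OU=Users,DC=storagegrid,DC=example,DC=com", {"sAMAccountName": "alice", "objectGUID": "u1"}),
         ("CN=Bob,OU=Users,DC=storagegrid,DC=example,DC=com", {"sAMAccountName": "bob"}),
         ("CN=Svc,OU=Service,DC=storagegrid,DC=example,DC=com", {"sAMAccountName": "svc", "objectGUID": "u3"})]

if __name__ == "__main__":
    for problem in validate_federation(CONFIG, GROUPS, USERS):
        print(problem)
```

Running it reports the duplicate group name, the user missing objectGUID, and the user outside the User Base DN, which are exactly the conditions the notes in the steps warn about.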