Configuring a federated identity source

You can configure identity federation if you want tenant groups and users to be managed in another system such as Active Directory, OpenLDAP, or Oracle Directory Server.

Before you begin

About this task

Whether you can configure an identity federation service for your tenant depends on how your tenant account was set up. Your tenant might share the identity federation service that was configured for the Grid Manager. If you see this message when you access the Identity Federation page, you cannot configure a separate federated identity source for this tenant.

(Screenshot: the "Tenant Shares Identity Federation" message)

Note: Configuration of identity federation has been verified with Active Directory, OpenLDAP and Oracle Directory Server. If you want to use another LDAP service, contact support.
Note: StorageGRID uses STARTTLS for securing LDAP communications. It does not support the LDAP over SSL (LDAPS) protocol. The default port used for communications with the LDAP server is 389, but you can use any port as long as your firewall is configured correctly.

Steps

  1. Select Access Control > Identity Federation.
  2. Select Enable Identity Federation.
    The fields for configuring the LDAP server appear.
  3. Select the type of LDAP service you want to configure from the LDAP Service Type drop-down list.
    You can select Active Directory, OpenLDAP, or Other.
    Note: If you select OpenLDAP, you must configure the OpenLDAP server. See "Guidelines for configuring an OpenLDAP server."
  4. If you selected Other, complete the fields in the LDAP Attributes section.
    • Unique User Name: The name of the attribute that contains the unique identifier of an LDAP user. This attribute is equivalent to sAMAccountName for Active Directory and uid for OpenLDAP. If you are configuring Oracle Directory Server, enter uid.
    • User UUID: The name of the attribute that contains the permanent unique identifier of an LDAP user. This attribute is equivalent to objectGUID for Active Directory and entryUUID for OpenLDAP. If you are configuring Oracle Directory Server, enter nsuniqueid. Each user’s value for the specified attribute must be a 32-digit hexadecimal number in either 16-byte or string format, where hyphens are ignored.
    • Group Unique Name: The name of the attribute that contains the unique identifier of an LDAP group. This attribute is equivalent to sAMAccountName for Active Directory and cn for OpenLDAP. If you are configuring Oracle Directory Server, enter cn.
    • Group UUID: The name of the attribute that contains the permanent unique identifier of an LDAP group. This attribute is equivalent to objectGUID for Active Directory and entryUUID for OpenLDAP. If you are configuring Oracle Directory Server, enter nsuniqueid. Each group’s value for the specified attribute must be a 32-digit hexadecimal number in either 16-byte or string format, where hyphens are ignored.
  5. Enter the required LDAP server and network connection information in the LDAP Server section:
    • Hostname: The server host name or IP address of the LDAP server.
    • Port: The port used to connect to the LDAP server. Enter 389 unless your LDAP server listens for STARTTLS on a different port (see the note above on ports and firewall configuration).
    • Username: The full path of the distinguished name (DN) for the user that will connect to the LDAP server.
      Note: For Active Directory, you can also specify the Down-Level Logon Name or the User Principal Name.
      The specified user must have permission to list groups and users and to access the following attributes:
      • sAMAccountName or uid
      • objectGUID, entryUUID, or nsuniqueid
      • cn
      • memberOf or isMemberOf
    • Password: The password associated with the username.
    • Group Base DN: The full path of the distinguished name (DN) for an LDAP subtree you want to search for groups. In the Active Directory example (below), all groups whose Distinguished Name is relative to the base DN (DC=storagegrid,DC=example,DC=com) can be used as federated groups.
      Note: The Unique Group Name values must be unique within the Group Base DN they belong to.
    • User Base DN: The full path of the distinguished name (DN) of an LDAP subtree you want to search for users.
      Note: The Unique User Name values must be unique within the User Base DN they belong to.
  6. Select a security setting from the Transport Layer Security (TLS) drop-down list to specify if TLS is used to secure communications with the LDAP server:
    • Use operating system CA certificate: Use the CA certificates installed on the operating system to verify the LDAP server's certificate.
    • Use custom CA certificate: Use a custom security certificate.

      If you select this setting, copy and paste the custom security certificate in the CA Certificate text box.

    • Do not use TLS: The network traffic between the StorageGRID system and the LDAP server will not be secured. The bind user name and password and all directory data returned by the server cross the network in cleartext, so use this setting only on an isolated test network.
  7. Optionally, click Test Connection to validate your connection settings for the LDAP server.
    A green checkmark appears on the button if the connection is valid.

    (Screenshot: Test Connection button showing a green checkmark)

  8. If the connection is valid, click Save.
    Example
    The following screenshot shows example configuration values for an LDAP server that uses Active Directory.
    (Screenshot: Identity Federation page showing an LDAP server that uses Active Directory)
    Example
    The following screenshot shows example configuration values for an LDAP server that uses Oracle Directory Server.
    (Screenshot: Identity Federation page with LDAP Service Type set to Other for Oracle Directory Server)
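Before you click Test Connection, it helps to check offline that the directory entries you intend to federate satisfy the rules from step 4 (each User UUID / Group UUID value is a 32-digit hexadecimal number, as 16 raw bytes or as a string with hyphens ignored) and from the step 5 notes (unique user and group names must not repeat within their base DN). The following Python script is an added example written for this page; it is not StorageGRID code, does not contact an LDAP server, and runs over constructed sample entries shaped like what an LDAP client returns for Active Directory. The function names and the sample values are assumptions made for the example.

```python
import binascii
import re
import uuid
from typing import Dict, List, Union

# Rule from step 4: each User UUID / Group UUID value must be a 32-digit
# hexadecimal number, supplied either as 16 raw bytes or as a string;
# hyphens in the string form are ignored.
_HEX32 = re.compile(r"[0-9a-fA-F]{32}")


def normalize_uuid_attr(value: Union[bytes, bytearray, str]) -> str:
    """Return the attribute value as 32 lowercase hex digits, or raise ValueError."""
    if isinstance(value, (bytes, bytearray)):
        if len(value) == 16:
            # Raw binary form (objectGUID is returned this way): hex the bytes in wire order.
            return binascii.hexlify(bytes(value)).decode("ascii")
        try:
            # String-valued attributes (entryUUID, nsuniqueid) often arrive as ASCII bytes.
            value = value.decode("ascii")
        except UnicodeDecodeError as exc:
            raise ValueError(f"binary value is {len(value)} bytes, expected 16") from exc
    stripped = value.strip().replace("-", "")
    if not _HEX32.fullmatch(stripped):
        raise ValueError(f"not a 32-digit hexadecimal number: {value!r}")
    return stripped.lower()


def ad_objectguid_to_string(raw: bytes) -> str:
    """Render a raw Active Directory objectGUID as the hyphenated GUID string AD tools show.

    AD stores the first three GUID fields little-endian, which uuid.UUID(bytes_le=...) handles.
    Both this string and the raw bytes normalize to 32 hex digits, but the digit order differs,
    so compare values in the form the directory actually returns."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def check_entries(entries: List[Dict[str, object]], name_attr: str, uuid_attr: str) -> List[str]:
    """Report entries under one base DN that StorageGRID would not accept:
    missing or invalid UUID values (step 4) and duplicate unique names (step 5 notes)."""
    problems: List[str] = []
    seen_names: Dict[str, str] = {}
    for entry in entries:
        dn = str(entry.get("dn", "<no dn>"))
        name = entry.get(name_attr)
        if not name:
            problems.append(f"{dn}: missing {name_attr}")
        else:
            key = str(name).lower()  # LDAP name matching is case-insensitive
            if key in seen_names:
                problems.append(f"{dn}: {name_attr}={name!r} duplicates {seen_names[key]}")
            else:
                seen_names[key] = dn
        raw = entry.get(uuid_attr)
        if raw is None:
            problems.append(f"{dn}: missing {uuid_attr}")
            continue
        try:
            normalize_uuid_attr(raw)  # type: ignore[arg-type]
        except ValueError as exc:
            problems.append(f"{dn}: bad {uuid_attr}: {exc}")
    return problems


# Constructed sample entries (hypothetical, not from a real directory), shaped like
# an LDAP client's results for the User Base DN OU=Users,DC=storagegrid,DC=example,DC=com.
SAMPLE_GUID = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
SAMPLE_USERS: List[Dict[str, object]] = [
    {"dn": "CN=alice,OU=Users,DC=storagegrid,DC=example,DC=com",
     "sAMAccountName": "alice", "objectGUID": SAMPLE_GUID},
    # Duplicate unique name (case differs) and a truncated 15-byte objectGUID.
    {"dn": "CN=alice2,OU=Users,DC=storagegrid,DC=example,DC=com",
     "sAMAccountName": "Alice", "objectGUID": b"\xff" * 15},
    # String form with hyphens, as some clients return it.
    {"dn": "CN=carol,OU=Users,DC=storagegrid,DC=example,DC=com",
     "sAMAccountName": "carol", "objectGUID": "9C3C3D0E-5A61-4F3E-8B2C-1E2F3A4B5C6D"},
]


if __name__ == "__main__":
    for problem in check_entries(SAMPLE_USERS, "sAMAccountName", "objectGUID"):
        print(problem)
    print("raw objectGUID as AD shows it:", ad_objectguid_to_string(SAMPLE_GUID))
```

Run the same checker over your group entries with `check_entries(groups, "sAMAccountName", "objectGUID")` (or `cn` / `entryUUID` for OpenLDAP, `cn` / `nsuniqueid` for Oracle Directory Server), feeding it the results of a search under the Group Base DN performed with the same bind user you will enter in step 5; a bind user that cannot read the UUID attribute shows up here as a stream of "missing" reports rather than as a vague failure later.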