Add directory server
To configure authentication for Access Management, you establish communications between an LDAP server and the host running the Web Services Proxy for SANtricity Unified Manager. You then map the LDAP user groups to the local user roles.
You must be logged in with a user profile that includes Security admin permissions. Otherwise, the Access Management functions do not appear.
User groups must be defined in your directory service.
LDAP server credentials must be available, including the domain name, server URL, and optionally the bind account user name and password.
For LDAPS servers using a secure protocol, the LDAP server’s certificate chain must be installed on your local machine.
Adding a directory server is a two-step process. First you enter the domain name and URL. If your server uses a secure protocol, you also must upload a CA certificate for authentication if it is signed by a non-standard signing authority. If you have credentials for a bind account, you also can enter your user account name and password. Next, you map the LDAP server’s user groups to local user roles.
Select Access Management.
From the Directory Services tab, select Add Directory Server.
The Add Directory Server dialog box opens.
In the Server Settings tab, enter the credentials for the LDAP server.
Enter the domain name of the LDAP server. For multiple domains, enter the domains in a comma separated list. The domain name is used in the login (username@domain) to specify which directory server to authenticate against.
Enter the URL for accessing the LDAP server in the form of
Upload certificate (optional)
This field appears only if an LDAPS protocol is specified in the Server URL field above.
Click Browse and select a CA certificate to upload. This is the trusted certificate or certificate chain used for authenticating the LDAP server.
Bind account (optional)
Enter a read-only user account for search queries against the LDAP server and for searching within the groups. Enter the account name in an LDAP-type format. For example, if the bind user is called "bindacct," then you might enter a value such as
Bind password (optional)
This field appears when you enter a bind account.
Enter the password for the bind account.
Test server connection before adding
Select this checkbox if you want to make sure the system can communicate with the LDAP server configuration you entered. The test occurs after you click Add at the bottom of the dialog box. If this checkbox is selected and the test fails, the configuration is not added. You must resolve the error or de-select the checkbox to skip the testing and add the configuration.
Search base DN
Enter the LDAP context to search for users, typically in the form of
CN=Users, DC=copc, DC=local.
Enter the attribute that is bound to the user ID for authentication. For example:
Enter a list of group attributes on the user, which is used for group-to-role mapping. For example:
Click the Role Mapping tab.
Assign LDAP groups to the predefined roles. A group can have multiple assigned roles.
Specify the group distinguished name (DN) for the LDAP user group to be mapped.
Click in the field and select one of the local user roles to be mapped to the Group DN. You must individually select each role you want to include for this group. The Monitor role is required in combination with the other roles to log in to SANtricity Unified Manager. The mapped roles include the following permissions:
Storage admin — Full read/write access to storage objects on the arrays, but no access to the security configuration.
Security admin — Access to the security configuration in Access Management and Certificate Management.
Support admin — Access to all hardware resources on storage arrays, failure data, and MEL events. No access to storage objects or the security configuration.
Monitor — Read-only access to all storage objects, but no access to the security configuration.
The Monitor role is required for all users, including the administrator.
If desired, click Add another mapping to enter more group-to-role mappings.
When you are finished with the mappings, click Add.
The system performs a validation, making sure that the storage array and LDAP server can communicate. If an error message appears, check the credentials entered in the dialog box and re-enter the information if necessary.