Edit directory server settings and role mappings
If you previously configured a directory server in Access Management, you can change its settings at any time. Settings include the server connection information and the group-to-role mappings.
-
You must be logged in with a user profile that includes Security admin permissions. Otherwise, the Access Management functions do not appear.
-
A directory server must be defined.
-
Select
. -
Select the Directory Services tab.
-
If more than one server is defined, select the server you want to edit from the table.
-
Select View/Edit Settings.
The Directory Server Settings dialog box opens.
-
In the Server Settings tab, change the desired settings.
Field details
Setting Description Configuration settings
Domain(s)
The domain name(s) of the LDAP server(s). For multiple domains, enter the domains in a comma separated list. The domain name is used in the login (username@domain) to specify which directory server to authenticate against.
Server URL
The URL for accessing the LDAP server in the form of
ldap[s]://host:port
.Bind account (optional)
The read-only user account for search queries against the LDAP server and for searching within the groups.
Bind password (optional)
The password for the bind account. (This field appears when a bind account is entered.)
Test server connection before saving
Checks that the storage array can communicate with the LDAP server configuration. The test occurs after you click Save at the bottom of the dialog box. If this checkbox is selected and the test fails, the configuration is not changed. You must resolve the error or de-select the checkbox to skip the testing and re-edit the configuration.
Privilege settings
Search base DN
The LDAP context to search for users, typically in the form of
CN=Users, DC=cpoc, DC=local
.Username attribute
The attribute that is bound to the user ID for authentication. For example:
sAMAccountName
.Group attribute(s)
A list of group attributes on the user, which is used for group-to-role mapping. For example:
memberOf, managedObjects
. -
In the Role Mapping tab, change the desired mapping.
Field details
Setting Description Mappings
Group DN
The domain name for the LDAP user group to be mapped. Regular expressions are supported. These special regular expression characters must be escaped with a backslash (
\
) if they are not part of a regular expression pattern: \.[]{}()<>*+-=!?^$|Roles
The storage array's roles to be mapped to the Group DN. You must individually select each role you want to include for this group. The Monitor role is required in combination with the other roles to log in to SANtricity System Manager. The storage array's roles include the following:
-
Storage admin — Full read/write access to the storage objects (for example, volumes and disk pools), but no access to the security configuration.
-
Security admin — Access to the security configuration in Access Management, certificate management, audit log management, and the ability to turn the legacy management interface (SYMbol) on or off.
-
Support admin — Access to all hardware resources on the storage array, failure data, MEL events, and controller firmware upgrades. No access to storage objects or the security configuration.
-
Monitor — Read-only access to all storage objects, but no access to the security configuration.
The Monitor role is required for all users, including the administrator. System Manager will not operate correctly for any user without the Monitor role present.
-
-
If desired, click Add another mapping to enter more group-to-role mappings.
-
Click Save.
After you complete this task, any active user sessions are terminated. Only your current user session is retained.