Setting Domain Authentication

To centrally manage user information, DeviceManager allows users to log in to the storage system in Lightweight Directory Access Protocol (LDAP) server authentication mode.

Prerequisites

An LDAP server or a Windows AD domain server has been deployed.

Context

LDAP is an application protocol running over TCP/IP that enables clients to access directory system agents (DSAs). It is a simplified form of the X.500 Directory Access Protocol (DAP).

The complexity of network management, especially user management, increases as the number of network applications grows. Most systems that provide a single service implement their own username-password authentication, and a user's permissions differ from one application to the next. As a result, each user ends up with a separate username and password for every application and must enter different credentials to access each one. LDAP addresses this by providing a directory service through the following mechanism.

The purpose of LDAP-based authentication is to set up a directory-oriented user authentication system, specifically, an LDAP environment. When a client attempts to access applications in the LDAP environment, the LDAP server compares the username and password sent by the client with the authentication information in the directory database for identity verification.

For storage systems, the client hierarchy information is stored on the LDAP server. Users are authenticated by the LDAP server when accessing the storage systems.

LDAP over SSL (LDAPS) is used for communication between clients and the LDAP server if the LDAP server supports SSL.

Before using LDAPS, import the CA certificate for the LDAP domain server.

Procedure

  1. Choose Settings > User and Security > Domain Authentication.
  2. Click Edit.

  3. Set the LDAP binding parameters. Table 1 describes related parameters.

    Table 1 LDAP binding parameters

    Parameter

    Description

    Server Type

    Type of a server. Possible values are Windows AD domain server and LDAP server.

    Client hierarchy information is stored on a domain authentication server. Users are authenticated by the domain authentication server when they attempt to access shared resources.

    Protocol

    Encryption protocol used for domain authentication.

    NOTE:

Plain LDAP sends the bind credentials and directory data over the network without encryption. LDAPS is recommended.

    IP Address

IP addresses of the LDAP servers. Enter an IP address and click Add. A maximum of four IP addresses can be added.

    NOTE:

To remove an IP address, click the delete icon on its right.

    Port

    Port number of the server.

    The default port number of the LDAP server is 389, and that of the LDAPS server is 636.

    CA Certificate

    CA certificate for the domain authentication server.

    NOTE:

    A CA certificate needs to be imported only when Protocol is set to LDAPS.

    Bind DN

    Binding directory on the server.

Binding is the process in which a client opens a connection to the LDAP server and establishes a session. During binding, the client specifies the account it uses to access directories on the server. The desired entries are then searched for under the binding directory.

    A bind DN consists of RDNs separated by commas (,). An RDN is in the format of "key=value", where the value cannot start with a number sign (#) or a space or end with a space. For example: testDn=testDn,exampleDn=example

    [How to obtain]

    The following uses a Windows AD domain server as an example:

    1. On the Windows AD domain server, open Active Directory Users and Computers.
    2. Right-click the administrator account or another account that has the permission to access the domain service on the LDAP server and choose Properties from the shortcut menu.
    3. In the Properties dialog box that is displayed, click Attribute Editor. The value of distinguishedName is the bind DN.

    [Example]

    cn=xxx,dc=abc,dc=com

    NOTE:

    The default access account is the administrator account. If you use another account, ensure that it has access permission to the domain service on the LDAP server.

    Bind Password

    Password used for accessing the binding directory. That is, the password of the account corresponding to the bind DN.

    NOTE:

    A simple password may result in security issues. A complex password that contains uppercase letters, lowercase letters, digits, and special characters is recommended.

  4. Set LDAP user parameters. Table 2 describes related parameters.

    Table 2 LDAP user parameters

    Parameter

    Description

    Path

    Path of a created domain user.

    [How to obtain]

    The following uses a Windows AD domain server as an example:

    1. On the Windows AD domain server, open Active Directory Users and Computers.
    2. Right-click the folder in which the administrator account or another account that has the permission to access the domain service on the LDAP server resides and choose Properties from the shortcut menu.
    3. In the Properties dialog box that is displayed, click Attribute Editor. The value of distinguishedName is the path.

    [Example]

    cn=xxx,dc=abc,dc=com

    Name Attribute

    Name attribute of a user. This parameter defines the name of a user object and allows the query of a specific user based on the given name.

    Object Class

    Class of a user object. Each entry under the LDAP directory is associated with one or more object types, including user, group, email, and maintenance terminal.

  5. Enable LDAP Groups and set related parameters. Table 3 describes related parameters.

    Table 3 LDAP user group parameters

    Parameter

    Description

    Path

    Path of a created domain user group.

    [How to obtain]

    The following uses a Windows AD domain server as an example:

    1. On the Windows AD domain server, open Active Directory Users and Computers.
    2. Right-click the created domain user group and choose Properties from the shortcut menu.
    3. In the Properties dialog box that is displayed, click Attribute Editor. The value of distinguishedName is the path.

    [Example]

    cn=xxx,dc=abc,dc=com

    Name Attribute

    Name attribute of a group. This parameter defines the name of a group object and allows the query of a specific group based on the given name.

    Member Attribute

    Group member attribute. This parameter defines members of a group.

    Object Class

    Class of a group object. Each entry under the LDAP directory is associated with one or more object types, including user, group, email, and maintenance terminal.

  6. (Optional) To restore the default settings, disable the LDAP service.
  7. (Optional) Click Test to check whether the domain authentication server is available.

    When Protocol is set to LDAPS, save the CA certificate uploaded to CA Certificate and then perform the test.

  8. Click Save. Confirm your operation as prompted.

    After the LDAP settings are saved, refer to Adding a User to add an LDAP user or an LDAP user group. Then, you can use the LDAP user or a member of the LDAP user group to log in to the storage system.
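The following Python helpers are an added example and are not part of DeviceManager or its documentation. They check a bind DN offline against the format rules stated for Bind DN in Table 1 (comma-separated RDNs of the form key=value, value not starting with # or a space and not ending with a space), and they build the LDAP search filters that the Path, Name Attribute, Object Class and Member Attribute settings in Tables 2 and 3 imply, escaping the user-supplied value as RFC 4515 requires so that a crafted login name cannot alter the filter. The attribute and object class values used as sample input (cn, user, group, member) are assumptions for illustration; the page does not state defaults. Nothing here contacts a server.

```python
"""Offline helpers for the LDAP settings described above (added example)."""
import re

# An RDN key is an attribute descriptor (letters, digits, hyphens) or a
# dotted numeric OID, following RFC 4512.
_KEY_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def split_rdns(dn: str) -> list[str]:
    """Split a DN on commas that are not escaped with a backslash."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


def validate_bind_dn(dn: str) -> list[str]:
    """Return the problems found; an empty list means the DN is acceptable.

    Rules taken from Table 1: each RDN is key=value, the value must not start
    with '#' or a space, and it must not end with a space.
    """
    if not dn:
        return ["DN is empty"]
    problems = []
    for index, rdn in enumerate(split_rdns(dn), start=1):
        if "=" not in rdn:
            problems.append(f"RDN {index} '{rdn}' is not in key=value form")
            continue
        key, value = rdn.split("=", 1)
        if not _KEY_RE.match(key):
            problems.append(f"RDN {index} has an invalid key '{key}'")
        if value == "":
            problems.append(f"RDN {index} has an empty value")
        elif value[0] in ("#", " "):
            problems.append(f"RDN {index} value must not start with '#' or a space")
        elif value.endswith(" "):
            problems.append(f"RDN {index} value must not end with a space")
    return problems


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a login name such as '*)(objectClass=*' would change the
    meaning of the filter built around it (LDAP injection).
    """
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 127:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def user_search(path: str, name_attribute: str, object_class: str,
                username: str) -> tuple[str, str]:
    """Base DN and filter that locate one user under the Table 2 settings."""
    search_filter = "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(object_class), name_attribute,
        escape_filter_value(username))
    return path, search_filter


def group_search(path: str, object_class: str, member_attribute: str,
                 user_dn: str) -> tuple[str, str]:
    """Base DN and filter that list the groups containing user_dn (Table 3)."""
    search_filter = "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(object_class), member_attribute,
        escape_filter_value(user_dn))
    return path, search_filter


if __name__ == "__main__":
    # Constructed sample values; "cn", "user", "group" and "member" are assumed.
    print(validate_bind_dn("cn=xxx,dc=abc,dc=com"))          # []
    print(validate_bind_dn("cn=#xxx,dc=abc,dc=com"))         # one problem
    print(user_search("cn=Users,dc=abc,dc=com", "cn", "user", "alice"))
    print(user_search("cn=Users,dc=abc,dc=com", "cn", "user", "*)(cn=*"))
    print(group_search("cn=Groups,dc=abc,dc=com", "group", "member",
                       "cn=alice,cn=Users,dc=abc,dc=com"))
```

The injection case in the last lines is worth running: the escaped filter still searches for a literal name, whereas the unescaped string would have matched every user object under the path.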