Setting Domain Authentication

To centrally manage user information, DeviceManager allows users to log in to the storage system in Lightweight Directory Access Protocol (LDAP) server authentication mode.

Prerequisites

An LDAP server or a Windows AD domain server has been deployed.

Context

LDAP is a TCP/IP network protocol that enables users to access directory system agents (DSAs). It is a simplified form of the X.500 Directory Access Protocol (DAP).

As the number of network applications grows, network management, and user management in particular, becomes more complex. Most systems that provide a single service implement their own username and password authentication, and because a user's permissions differ from one application to another, each user ends up with a separate username and password for each application and must enter different credentials to access each one. LDAP addresses this by providing directory services through the following mechanism.

LDAP-based authentication sets up a directory-oriented user authentication system, that is, an LDAP environment. When a client attempts to access an application in the LDAP environment, the LDAP server compares the username and password sent by the client with the authentication information held in the directory database to verify the client's identity.

For storage systems, client hierarchy information is stored on the LDAP server, which authenticates users when they access the storage system.

LDAP over SSL (LDAPS) can be used for communication between clients and the LDAP server if the LDAP server supports SSL.

Before using LDAPS, import the CA certificate for the LDAP domain server.

Procedure

  1. Choose Settings > User and Security > Domain Authentication.
  2. Click Edit.

  3. Set the LDAP binding parameters listed in Table 1.

    Table 1 LDAP binding parameters

    Parameter         Description

    Server Type       Indicates the type of the server. Possible values are Windows AD domain server and LDAP server.
                      Client hierarchy information is stored on the domain authentication server, which authenticates users when they attempt to access shared resources.

    Protocol          Indicates the encryption protocol used for domain authentication.
                      NOTE: LDAP is vulnerable to security risks. LDAPS is recommended.

    IP Address        Indicates the IP addresses of the LDAP server to add. Enter an IP address and click Add. A maximum of four IP addresses can be added.
                      NOTE: To remove an IP address, click the icon to its right.

    Port              Indicates the port number of the server.
                      The default port number of the LDAP server is 389, and that of the LDAPS server is 636.

    CA Certificate    Indicates the CA certificate for the domain authentication server.
                      NOTE: A CA certificate needs to be imported only when Protocol is set to LDAPS.

    Bind DN           Indicates the binding directory on the server.
                      Binding is the process by which a client initiates a connection request to establish a session with the LDAP server. During binding, the client specifies the account used to access directories on the server. The entries you need must be searchable under the binding directory.
                      NOTE: The default access account is the administrator account. If you use another account, ensure that it has access permission to the domain service on the LDAP server.

    Bind Password     Indicates the password used for accessing the binding directory.

  4. Set the LDAP user parameters listed in Table 2.

    Table 2 LDAP user parameters

    Parameter         Description

    Path              Indicates the path of a created domain user.

    Name Attribute    Indicates the name attribute of a user. This parameter defines the name of a user object and allows a specific user to be queried by that name.

    Object Class      Indicates the class of a user object. Each entry in the LDAP directory is associated with one or more object types, including user, group, email, and maintenance terminal.

  5. Enable LDAP Groups and set the parameters listed in Table 3.

    Table 3 LDAP user group parameters

    Parameter         Description

    Path              Indicates the path of a created domain user group.

    Name Attribute    Indicates the name attribute of a group. This parameter defines the name of a group object and allows a specific group to be queried by that name.

    Member Attribute  Indicates the group member attribute. This parameter defines the members of a group.

    Object Class      Indicates the class of a group object. Each entry in the LDAP directory is associated with one or more object types, including user, group, email, and maintenance terminal.

  6. (Optional) To restore the default settings, disable the LDAP service.
  7. (Optional) Click Test to check whether the domain authentication server is available.

    When Protocol is set to LDAPS, save the CA certificate uploaded under CA Certificate before performing the test.

  8. Click Save. Confirm your operation as prompted.

    After LDAP authentication is configured, refer to Adding a User to add an LDAP user or an LDAP user group. You can then log in to the storage system as the LDAP user or as a member of the LDAP user group.
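The following Python script is an added example, not DeviceManager's own code. It models the parameters from Tables 1 to 3 as a configuration object, applies the rules the procedure states (LDAP or LDAPS, default ports 389 and 636, at most four IP addresses, a CA certificate required only for LDAPS, a Bind DN and Bind Password), and shows how the user and group parameters turn into the LDAP search filters a system like this would issue after binding. Filter values are escaped per RFC 4515 so that a login name containing filter metacharacters is matched literally rather than changing the query. The attribute defaults (sAMAccountName, cn, member), the field names and every sample value are assumptions for illustration; the page does not state which attributes or filters the storage system uses internally.

```python
"""Model of the DeviceManager domain authentication parameters (added example,
not product code). Defaults and sample values are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

DEFAULT_PORTS = {"LDAP": 389, "LDAPS": 636}               # Table 1, Port
SERVER_TYPES = {"Windows AD domain server", "LDAP server"}  # Table 1, Server Type
MAX_IP_ADDRESSES = 4                                       # Table 1, IP Address

# RFC 4515 escapes for values embedded in a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class DomainAuthConfig:
    # Table 1: binding parameters
    server_type: str
    protocol: str
    ip_addresses: List[str]
    bind_dn: str
    bind_password: str
    port: Optional[int] = None            # None means the protocol's default port
    ca_certificate: Optional[str] = None  # PEM text; required for LDAPS
    # Table 2: user parameters (attribute defaults are assumptions)
    user_path: str = ""
    user_name_attribute: str = "sAMAccountName"
    user_object_class: str = "user"
    # Table 3: user group parameters (attribute defaults are assumptions)
    groups_enabled: bool = False
    group_path: str = ""
    group_name_attribute: str = "cn"
    group_member_attribute: str = "member"
    group_object_class: str = "group"

    def __post_init__(self) -> None:
        if self.port is None:
            self.port = DEFAULT_PORTS.get(self.protocol)


def validate(cfg: DomainAuthConfig) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors block saving; warnings flag weak settings."""
    errors, warnings = [], []
    if cfg.server_type not in SERVER_TYPES:
        errors.append(f"unknown server type {cfg.server_type!r}")
    if cfg.protocol not in DEFAULT_PORTS:
        errors.append(f"protocol must be LDAP or LDAPS, got {cfg.protocol!r}")
    if not 1 <= len(cfg.ip_addresses) <= MAX_IP_ADDRESSES:
        errors.append(f"between 1 and {MAX_IP_ADDRESSES} IP addresses are required")
    for ip in cfg.ip_addresses:
        try:
            ip_address(ip)
        except ValueError:
            errors.append(f"invalid IP address {ip!r}")
    if cfg.port is not None and not 1 <= cfg.port <= 65535:
        errors.append(f"port {cfg.port} out of range")
    if cfg.protocol == "LDAPS" and not cfg.ca_certificate:
        errors.append("LDAPS requires a CA certificate to verify the server")
    if cfg.protocol == "LDAP":
        warnings.append("plain LDAP sends the bind password unencrypted; LDAPS is recommended")
    if not cfg.bind_dn or not cfg.bind_password:
        errors.append("Bind DN and Bind Password are required")
    if not cfg.user_path:
        errors.append("user Path is required")
    if cfg.groups_enabled and not cfg.group_path:
        errors.append("group Path is required when LDAP Groups is enabled")
    return errors, warnings


def user_search(cfg: DomainAuthConfig, login_name: str) -> Tuple[str, str]:
    """Base DN and filter used to look up one user by its name attribute (Table 2)."""
    flt = (f"(&(objectClass={escape_filter_value(cfg.user_object_class)})"
           f"({cfg.user_name_attribute}={escape_filter_value(login_name)}))")
    return cfg.user_path, flt


def group_membership_search(cfg: DomainAuthConfig, user_dn: str) -> Tuple[str, str]:
    """Base DN and filter for groups whose member attribute lists user_dn (Table 3)."""
    flt = (f"(&(objectClass={escape_filter_value(cfg.group_object_class)})"
           f"({cfg.group_member_attribute}={escape_filter_value(user_dn)}))")
    return cfg.group_path, flt


# Constructed sample configuration; all values are placeholders, not a real deployment.
SAMPLE = DomainAuthConfig(
    server_type="Windows AD domain server",
    protocol="LDAPS",
    ip_addresses=["192.0.2.10", "192.0.2.11"],
    bind_dn="CN=ldap-bind,OU=Service Accounts,DC=example,DC=com",
    bind_password="placeholder-password",
    ca_certificate="-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----",
    user_path="OU=Users,DC=example,DC=com",
    groups_enabled=True,
    group_path="OU=Groups,DC=example,DC=com",
)

if __name__ == "__main__":
    print("errors/warnings:", validate(SAMPLE))
    print(user_search(SAMPLE, "alice"))
    print(user_search(SAMPLE, "*)(objectClass=*"))  # metacharacters are escaped, not interpreted
```

The validator mirrors the dependencies between fields that the procedure only states in prose: a CA certificate becomes mandatory as soon as Protocol is LDAPS, and choosing plain LDAP is accepted but flagged, matching the note in Table 1. The escaping helper is the part worth keeping in mind when the Name Attribute lookup is driven by a login form: without it, the name a user types is spliced straight into the filter.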