Managing LDAP Services

To centrally manage user information, DeviceManager allows users to log in to the storage system in Lightweight Directory Access Protocol (LDAP) server authentication mode. If an LDAP domain server is deployed on a customer's network, a storage device must join the LDAP domain. Then, NFS clients need to be authenticated by the LDAP domain server when they attempt to access shared resources on the storage device.

Context

When the system provides shared access using multiple nodes across platforms, maintaining shared directories and authentication information on different platforms and nodes becomes complicated. To address this, you can add the nodes that provide shared services to the same LDAP domain managed by an LDAP server. The structure of the LDAP domain is planned during domain creation. In this way, shared files in the LDAP domain can be maintained and accessed easily.

LDAP data is organized in a tree structure, which clearly shows the organizational information. A node on the tree is called an Entry. Each Entry has a distinguished name (DN). The DN of an Entry is composed of the Base DN and RDN. The Base DN refers to the position of the parent node where the Entry resides on the tree, and the RDN refers to an attribute that distinguishes the Entry from others.

The DN consists of the following parts:

Prerequisites

An LDAP domain has been set up.

Procedure

  1. Choose Settings > File Service Settings > Domain Authentication > LDAP Service.
  2. View LDAP service parameters. Table 1 describes related parameters.

    Table 1 LDAP service parameters

    Parameter

    Description

    Status

    Indicates whether the LDAP service is available.

    Active Server Address

    Indicates the active LDAP server IP address or domain name.

    Standby Server Address 1

    Indicates the IP address or domain name of standby LDAP domain server 1.

    Standby Server Address 2

    Indicates the IP address or domain name of standby LDAP domain server 2.

    Protocol

    Indicates the protocol used by the storage system to communicate with the LDAP domain server.

    Port

    Indicates the port used by the storage device to communicate with the LDAP domain server.

    Base DN

    Indicates the LDAP domain's start distinguished name (DN) specified for searching.

    Bind Level

    Indicates the bind level for the LDAP domain server.

    • simple: simple authentication
    • SASL: Simple Authentication and Security Layer

    You can click an LDAP service to view its details and manage it.

  3. Configure the LDAP service.

    1. Select the desired LDAP service and click Configure.

      The Configure LDAP Service page is displayed on the right.

      You can also click More on the right of the desired LDAP and select Configure.

    2. Configure basic information. Table 2 describes related parameters.
      Table 2 Basic LDAP service parameters

      Parameter

      Description

      Active Server IP Address

      Indicates the active LDAP server IP address or domain name.

      NOTE:
      • Ensure that the IP address or domain name is reachable. Otherwise, user authentication commands and network commands will time out.
      • Click Test to check the connectivity of the entered IP address or domain name.

      Standby Server Address 1

      Indicates the IP address or domain name of standby LDAP server 1.

      NOTE:
      • Ensure that the IP address or domain name is reachable. Otherwise, user authentication commands and network commands will time out.
      • Click Test to check the connectivity of the entered IP address or domain name.

      Standby Server Address 2

      Indicates the IP address or domain name of standby LDAP server 2.

      NOTE:
      • Ensure that the IP address or domain name is reachable. Otherwise, user authentication commands and network commands will time out.
      • Click Test to check the connectivity of the entered IP address or domain name.

      Protocol

      Indicates the protocol used by the storage system to communicate with the LDAP domain server.

      • LDAP: The system uses the standard LDAP protocol to communicate with the LDAP domain server.
      • LDAPS: The system uses the LDAPS protocol to communicate with the LDAP domain server if the LDAP server supports SSL.
      NOTE:

      Plain LDAP transmits data, including bind credentials, without encryption, so it is exposed to security risks. LDAPS is recommended.

      Port

      Indicates the port used by the storage device to communicate with the LDAP domain server.

      • When Protocol is set to LDAP, the default port number is 389.
      • When Protocol is set to LDAPS, the default port number is 636.

      Base DN

      Indicates the LDAP domain's start DN specified for searching.

      [Value range]

      A DN consists of RDNs, which are separated by commas (,). An RDN is in the format of key=value. The value cannot start with a number sign (#) or a space and cannot end with a space. For example, testDn=testDn,xxxDn=xxx.

      [Example]

      dc=example,dc=com

      Bind Level

      Indicates the bind level for the LDAP domain server.

      • simple: simple authentication
      • SASL: Simple Authentication and Security Layer

      Bind DN

      Indicates the binding directory on the server.

      Binding is the process by which a client opens a connection and establishes a session with the LDAP server. During binding, the client specifies the account it uses to access directories on the server. Searches for the desired contents are performed under the binding directory.

      [Value range]

      A DN consists of RDNs, which are separated by commas (,). An RDN is in the format of key=value. The value cannot start with a number sign (#) or a space and cannot end with a space. For example, testDn=testDn,xxxDn=xxx.

      [Example]

      cn=Manager,dc=example,dc=com

      NOTE:

      The default access account is the administrator account. If you use another account, ensure that it has access permission to the domain service on the LDAP server.

      Bind Password

      Indicates the password used for accessing the binding directory.

      NOTE:

      A simple password may result in security issues. A complex password that contains uppercase letters, lowercase letters, digits, and special characters is recommended.

      Confirm Bind Password

      Enter the same bind password again.

      User Directory

      Indicates the user directory configured on the LDAP domain server.

      User Search Scope

      Indicates the search scope for user queries.

      • subtree: searches the named DN and subnodes under the DN.
      • onelevel: searches the subnodes under the DN.
      • base: searches just the named DN.

      User Group Directory

      Indicates the user group directory configured on the LDAP domain server.

      User Group Search Scope

      Indicates the search scope for user group queries.

      • subtree: searches the named DN and subnodes under the DN.
      • onelevel: searches the subnodes under the DN.
      • base: searches just the named DN.

      Network Group DN

      Indicates the network group DN.

      Network Group Search Scope

      Indicates the search scope for network group queries.

      • subtree: searches the named DN and subnodes under the DN.
      • onelevel: searches the subnodes under the DN.
      • base: searches just the named DN.

      Search Timeout Duration (Seconds)

      Indicates the maximum time the client waits for the LDAP domain server to return the query result. The default value is 3 seconds.

      Connection Timeout Duration (Seconds)

      Indicates the maximum time allowed for the client to establish a connection with the LDAP domain server. The default value is 3 seconds.

      Idle Timeout Duration (Seconds)

      Indicates the maximum time a connection may remain without communication between the client and the LDAP domain server before it is closed. The default value is 30 seconds.

    3. Click Advanced and set the advanced parameters. Table 3 describes related parameters.
      Table 3 Advanced LDAP service parameters

      Parameter

      Description

      LDAP Schema Template

      You can select a type for the LDAP schema template.

      • Custom
      • RFC2307: schema based on RFC2307
      • AD_IDMU: schema based on Active Directory Identity Management for UNIX
      NOTE:
      • You can select a schema template for which the relevant parameters are entered automatically. You can also customize the relevant parameters instead of selecting a schema template.
      • A schema defines the structure of and rules for LDAP directories, and how LDAP servers identify the object classes, attributes, and other information in those directories.

      RFC2307 posixAccount Object Class

      Schema defines the name of the RFC2307 posixAccount object class.

      [Value range]

      The value contains 0 to 1024 characters.

      [Default value]

      • posixAccount (displayed by default when RFC2307 is selected in LDAP Schema Template)
      • User (displayed by default when AD_IDMU is selected in LDAP Schema Template)

      RFC2307 posixGroup Object Class

      Schema defines the name of the RFC2307 posixGroup object class.

      [Value range]

      The value contains 0 to 1024 characters.

      [Default value]

      • posixGroup (displayed by default when RFC2307 is selected in LDAP Schema Template)
      • Group (displayed by default when AD_IDMU is selected in LDAP Schema Template)

      RFC2307 nisNetgroup Object Class

      Schema defines the name of the RFC2307 nisNetgroup object class.

      [Value range]

      The value contains 0 to 1024 characters.

      [Default value]

      nisNetgroup

      RFC2307 uid Attribute

      Schema defines the name of the RFC2307 uid attribute.

      [Value range]

      The value contains 0 to 1024 characters.

      [Default value]

      uid

      RFC2307 uidNumber Attribute

      Schema defines the name of the RFC2307 uidNumber attribute.

      [Value range]

      The value contains 0 to 1024 characters.

      [Default value]

      uidNumber

      RFC2307 gidNumber Attribute

      Schema defines the name of the RFC2307 gidNumber attribute.

      [Value range]

      The value contains 0 to 1024 characters.

      [Default value]

      gidNumber

      RFC2307 CN Attribute for User Group

      Schema defines the name of the RFC2307 CN attribute for user group.

      [Value range]

      The value contains 0 to 1024 characters.

      [Default value]

      cn

      RFC2307 CN Attribute for Network Group

      Schema defines the name of the RFC2307 CN attribute for network group.

      [Value range]

      The value contains 0 to 1024 characters.

      [Default value]

      • cn (displayed by default when RFC2307 is selected in LDAP Schema Template)
      • name (displayed by default when AD_IDMU is selected in LDAP Schema Template)

      RFC2307 memberUid Attribute

      Schema defines the name of the RFC2307 memberUid attribute.

      [Value range]

      The value contains 0 to 1024 characters.

      [Default value]

      memberUid

      RFC2307 memberNisNetgroup Attribute

      Schema defines the name of the RFC2307 memberNisNetgroup attribute.

      [Value range]

      The value contains 0 to 1024 characters.

      [Default value]

      memberNisNetgroup

      RFC2307 nisNetgroupTriple Attribute

      Schema defines the name of the RFC2307 nisNetgroupTriple attribute.

      [Value range]

      The value contains 0 to 1024 characters.

      [Default value]

      • nisNetgroupTriple (displayed by default when RFC2307 is selected in LDAP Schema Template)
      • NisNetgroupTriple (displayed by default when AD_IDMU is selected in LDAP Schema Template)

      Support RFC2307bis

      Indicates whether to enable support for the RFC2307bis schema, whose group membership attributes are configured in the two parameters that follow.

      RFC2307bis groupOfUniqueNames Object Class

      Schema defines the name of the RFC2307bis groupOfUniqueNames object class. This parameter is valid only when Support RFC2307bis is enabled.

      [Value range]

      The value contains 0 to 1024 characters.

      [Default value]

      groupOfUniqueName

      RFC2307bis uniqueMember Object Class

      Schema defines the name of the RFC2307bis uniqueMember attribute. This parameter is valid only when Support RFC2307bis is enabled.

      [Value range]

      The value contains 0 to 1024 characters.

      [Default value]

      uniqueMember

    4. Click OK.

  4. (Optional) Restore the configured parameters to their initial values.

    Select one or more desired LDAP services and click Restore to Initial.

    You can also click More on the right of a desired LDAP service and select Restore to Initial.
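As an added example (not DeviceManager's own code), the following Python checks a DN against the Base DN and Bind DN value range given in Table 2 and shows which entries each User, User Group or Network Group Search Scope (base, onelevel, subtree) would return; the directory entries are constructed.

```python
# Added example (not DeviceManager code): validates DNs using the Base DN /
# Bind DN value-range rules from Table 2 and shows what each User / User
# Group / Network Group Search Scope returns. The directory is constructed.

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (key, value) RDNs. Rules from Table 2: RDNs are
    comma-separated, each is key=value, and the value may not start with
    '#' or a space, nor end with a space. Raises ValueError otherwise."""
    rdns = []
    for rdn in dn.split(","):
        key, sep, value = rdn.partition("=")
        if not sep or not key.strip() or not value:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        if value[0] in "# " or value[-1] == " ":
            raise ValueError(f"value {value!r} in {dn!r} violates the value range")
        # Attribute types and the usual DN values (dc, ou, cn) match case-insensitively.
        rdns.append((key.strip().lower(), value.casefold()))
    return rdns

def search(entries: list[str], base_dn: str, scope: str) -> list[str]:
    """Return the entry DNs a query rooted at base_dn would return:
    base = the named DN only, onelevel = its direct children only,
    subtree = the named DN plus everything below it."""
    if scope not in ("base", "onelevel", "subtree"):
        raise ValueError(f"unknown scope {scope!r}")
    base = parse_dn(base_dn)
    hits = []
    for dn in entries:
        rdns = parse_dn(dn)
        depth = len(rdns) - len(base)      # 0 = the base itself, 1 = a child
        if depth < 0 or rdns[depth:] != base:
            continue                       # not at or below the base DN
        if (scope == "subtree" or (scope == "base" and depth == 0)
                or (scope == "onelevel" and depth == 1)):
            hits.append(dn)
    return hits

# Constructed sample directory; note that bob sits one level deeper than alice,
# so a User Search Scope of onelevel under ou=People does not find him.
ENTRIES = [
    "dc=example,dc=com",
    "ou=People,dc=example,dc=com",
    "uid=alice,ou=People,dc=example,dc=com",
    "uid=bob,ou=Contractors,ou=People,dc=example,dc=com",
    "cn=nfsusers,ou=Groups,dc=example,dc=com",
]

if __name__ == "__main__":
    for scope in ("base", "onelevel", "subtree"):
        print(scope, search(ENTRIES, "ou=People,dc=example,dc=com", scope))
```

A user who lives in a nested OU is invisible to an onelevel search, which shows up as an authentication failure on the NFS client rather than as an LDAP error.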
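As a second added example (again not DeviceManager's own code), the following Python shows how a user's group membership resolves under the RFC2307 attributes from Table 3 (members listed by uid in memberUid) versus the RFC2307bis attributes (member DNs in uniqueMember), which are only consulted when Support RFC2307bis is enabled; the directory entries are constructed and the attribute and object class names are the Table 3 defaults.

```python
# Added example (not DeviceManager code): group membership under the RFC2307
# template versus the RFC2307bis attributes from Table 3. Entries are
# constructed; attribute and class names follow the Table 3 defaults.

# Constructed directory: (dn, attributes) pairs as an LDAP server would return.
DIRECTORY = [
    ("uid=alice,ou=People,dc=example,dc=com",
     {"objectClass": ["posixAccount"], "uid": ["alice"],
      "uidNumber": ["1001"], "gidNumber": ["2001"]}),
    ("cn=nfsusers,ou=Groups,dc=example,dc=com",
     {"objectClass": ["posixGroup"], "cn": ["nfsusers"],
      "gidNumber": ["2001"], "memberUid": ["alice", "carol"]}),
    ("cn=backup,ou=Groups,dc=example,dc=com",
     {"objectClass": ["posixGroup"], "cn": ["backup"],
      "gidNumber": ["2002"], "memberUid": ["carol"]}),
    ("cn=storage-admins,ou=Groups,dc=example,dc=com",
     {"objectClass": ["groupOfUniqueNames"], "cn": ["storage-admins"],
      "uniqueMember": ["uid=alice,ou=People,dc=example,dc=com"]}),
]

def groups_for(user_dn: str, directory, support_rfc2307bis: bool) -> set[str]:
    """Return the cn of every group the user belongs to. posixGroup membership
    comes from memberUid (matched by uid) or, as in POSIX, from a matching
    primary gidNumber; membership by DN via uniqueMember is only honoured
    when RFC2307bis support is enabled."""
    user = dict(directory)[user_dn]
    uid = user["uid"][0]
    groups = set()
    for _, g in directory:
        classes = {c.lower() for c in g.get("objectClass", [])}
        if "posixgroup" in classes and (
                uid in g.get("memberUid", [])
                or g.get("gidNumber") == user.get("gidNumber")):
            groups.add(g["cn"][0])
        if support_rfc2307bis and "groupofuniquenames" in classes:
            members = {m.lower() for m in g.get("uniqueMember", [])}
            if user_dn.lower() in members:   # DNs compare case-insensitively
                groups.add(g["cn"][0])
    return groups

if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=example,dc=com"
    print("RFC2307 only:   ", groups_for(alice, DIRECTORY, False))
    print("with RFC2307bis:", groups_for(alice, DIRECTORY, True))
```

When the directory keeps group membership only in uniqueMember and Support RFC2307bis is left disabled, those groups are silently missing from the user's identity on the storage system, so export permissions that depend on them do not apply.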