Adding a Storage System to an LDAP Domain

If an LDAP domain server is deployed on the customer's network, add the storage device to the LDAP domain. After that, NFS clients that access shared resources on the storage device are authenticated against the LDAP domain server, which resolves the user, user group, and network group lookups.

Prerequisites

Procedure

  1. Choose Settings > File Service Settings > Domain Authentication.
  2. In the LDAP Domain area, click Edit to configure LDAP domain authentication. Table 1 describes related parameters.

    Table 1 LDAP domain parameters

    Parameter

    Description

    Active IP Address

    Indicates the IP address of the active LDAP domain server.

    NOTE:
    • Ensure that the IP address is reachable. Otherwise, executing user authentication commands or network commands will time out.
    • You can click Test to check whether the entered IP address can be pinged.

    Standby IP Address 1

    Indicates the IP address of standby LDAP domain server 1.

    NOTE:
    • Ensure that the IP address is reachable. Otherwise, executing user authentication commands or network commands will time out.
    • You can click Test to check whether the entered IP address can be pinged.

    Standby IP Address 2

    Indicates the IP address of standby LDAP domain server 2.

    NOTE:
    • Ensure that the IP address is reachable. Otherwise, executing user authentication commands or network commands will time out.
    • You can click Test to check whether the entered IP address can be pinged.

    Port

    Indicates the port used by the storage device to communicate with the LDAP domain server. The well-known ports are 389 for LDAP and 636 for LDAPS.

    [Value range]

    The value must be an integer ranging from 1 to 65535.

    NOTE:

    The Test button on the IP address fields only checks that the server answers a ping. It does not verify that the server accepts connections on this port.

    Protocol

    Indicates the protocol used by the storage device to communicate with the LDAP domain server.

    • LDAP: The system uses the standard LDAP protocol without transport encryption. With a Simple bind level, the Bind Password and all query results cross the network in cleartext.
    • LDAPS: The system uses LDAP over SSL/TLS. Select LDAPS whenever the LDAP domain server supports SSL.

    Base DN

    Indicates the distinguished name (DN) at which searches of the LDAP domain start.

    [Value range]

    A DN consists of RDNs, which are separated by commas (,). An RDN is in the format of key=value. The value cannot start with a number sign (#) or a space and cannot end with a space. For example, testDn=testDn,xxxDn=xxx.

    [Example]

    dc=example,dc=com

    Bind Using the AD Credential

    Indicates whether the storage device binds to the LDAP domain server with its AD domain credential instead of a separately configured Bind DN and Bind Password.

    Bind Level

    Indicates how the storage device authenticates (binds) to the LDAP domain server.

    • Simple: simple bind. The Bind DN and Bind Password are sent to the server; unless Protocol is LDAPS, they cross the network in cleartext.
    • SASL: Simple Authentication and Security Layer. The bind is negotiated through a SASL mechanism.

    User Search Scope

    Indicates the search scope for user queries, relative to the User Directory.

    • Base: searches only the entry named by the DN.
    • ONELEVEL: searches the entries one level below the DN, not the DN itself.
    • SUBTREE: searches the DN and every entry below it.

    User Group Search Scope

    Indicates the search scope for user group queries, relative to the Group Directory.

    • Base: searches only the entry named by the DN.
    • ONELEVEL: searches the entries one level below the DN, not the DN itself.
    • SUBTREE: searches the DN and every entry below it.

    Network Group DN

    Indicates the DN under which network groups (netgroups) are searched.

    Network Group Search Scope

    Indicates the search scope for network group queries, relative to the Network Group DN.

    • Base: searches only the entry named by the DN.
    • ONELEVEL: searches the entries one level below the DN, not the DN itself.
    • SUBTREE: searches the DN and every entry below it.

    Bind DN

    Indicates the DN of the account that the storage device uses to bind to the LDAP domain server.

    [Value range]

    A DN consists of RDNs, which are separated by commas (,). An RDN is in the format of key=value. The value cannot start with a number sign (#) or a space and cannot end with a space. For example, testDn=testDn,xxxDn=xxx.

    [Example]

    cn=Manager,dc=example,dc=com

    NOTE:

    The storage device binds as this DN to run its user, user group, and network group searches. The account only needs read access to the directories being searched.

    Bind Password

    Indicates the password of the Bind DN account.

    NOTE:

    A simple password may result in security issues. A complex password that contains uppercase letters, lowercase letters, digits, and special characters is recommended.

    Confirm Bind Password

    Enter the Bind Password again to confirm it.

    User Directory

    Indicates the directory (search base DN) on the LDAP domain server under which user entries are searched.

    Group Directory

    Indicates the directory (search base DN) on the LDAP domain server under which user group entries are searched.

    Search Timeout Duration (Seconds)

    Indicates the maximum time the storage device waits for the LDAP domain server to return a query result. The default value is 3 seconds.

    Connection Timeout Duration (Seconds)

    Indicates the maximum time the storage device waits when establishing a connection to the LDAP domain server. The default value is 3 seconds.

    Idle Timeout Duration (Seconds)

    Indicates how long a connection to the LDAP domain server may stay idle (no communication) before it is closed. The default value is 30 seconds.

  3. (Optional) Click Advanced to set the advanced parameters of the LDAP domain server. Table 2 describes related parameters.

    Table 2 Advanced parameters

    Parameter

    Description

    LDAP Schema Template

    Selects the LDAP schema template that the storage device uses to map directory entries to users, user groups, and network groups.

    • RFC2307: schema based on RFC2307
    • AD_IDMU: schema based on Active Directory Identity Management for UNIX (IDMU)
    NOTE:
    • When you select a schema template, the parameters below are filled in automatically with that template's defaults. You can also leave the template unselected and enter the parameters yourself.
    • A schema defines the structure of and rules for an LDAP directory: which object classes and attributes exist and how the LDAP server interprets them.

    RFC2307 User Object

    Name of the object class that represents a user (the RFC2307 posixAccount class).

    [Value range]

    This parameter can be left empty or contain up to 1024 characters.

    [Default value]

    • posixAccount (displayed by default when RFC2307 is selected in LDAP Schema Template)
    • User (displayed by default when AD_IDMU is selected in LDAP Schema Template)

    RFC2307 User Group Object

    Name of the object class that represents a user group (the RFC2307 posixGroup class).

    [Value range]

    This parameter can be left empty or contain up to 1024 characters.

    [Default value]

    • posixGroup (displayed by default when RFC2307 is selected in LDAP Schema Template)
    • Group (displayed by default when AD_IDMU is selected in LDAP Schema Template)

    RFC2307 Network Group Object

    Name of the object class that represents a network group (the RFC2307 nisNetgroup class).

    [Value range]

    This parameter can be left empty or contain up to 1024 characters.

    [Default value]

    nisNetgroup

    RFC2307 uid Attribute

    Name of the attribute that holds a user's login name (the RFC2307 uid attribute).

    [Value range]

    This parameter can be left empty or contain up to 1024 characters.

    [Default value]

    uid

    RFC2307 uidNumber Attribute

    Name of the attribute that holds a user's numeric user ID (the RFC2307 uidNumber attribute).

    [Value range]

    This parameter can be left empty or contain up to 1024 characters.

    [Default value]

    uidNumber

    RFC2307 gidNumber Attribute

    Name of the attribute that holds a numeric group ID (the RFC2307 gidNumber attribute).

    [Value range]

    This parameter can be left empty or contain up to 1024 characters.

    [Default value]

    gidNumber

    RFC2307 cn (for Groups) Attribute

    Name of the attribute that holds a user group's name (the RFC2307 cn attribute of a group entry).

    [Value range]

    This parameter can be left empty or contain up to 1024 characters.

    [Default value]

    cn

    RFC2307 cn (for Network Groups) Attribute

    Name of the attribute that holds a network group's name (the RFC2307 cn attribute of a network group entry).

    [Value range]

    This parameter can be left empty or contain up to 1024 characters.

    [Default value]

    • cn (displayed by default when RFC2307 is selected in LDAP Schema Template)
    • name (displayed by default when AD_IDMU is selected in LDAP Schema Template)

    RFC2307 memberUid Attribute

    Name of the attribute that lists a user group's members by login name (the RFC2307 memberUid attribute).

    [Value range]

    This parameter can be left empty or contain up to 1024 characters.

    [Default value]

    memberUid

    RFC2307 memberNisNetgroup Attribute

    Name of the attribute that lists the network groups nested inside a network group (the RFC2307 memberNisNetgroup attribute).

    [Value range]

    This parameter can be left empty or contain up to 1024 characters.

    [Default value]

    memberNisNetgroup

    RFC2307 nisNetgroupTriple Attribute

    Name of the attribute that holds a network group's (host,user,domain) triples (the RFC2307 nisNetgroupTriple attribute).

    [Value range]

    This parameter can be left empty or contain up to 1024 characters.

    [Default value]

    • nisNetgroupTriple (displayed by default when RFC2307 is selected in LDAP Schema Template)
    • NisNetgroupTriple (displayed by default when AD_IDMU is selected in LDAP Schema Template)

    RFC2307bis Supported

    Indicates whether the RFC2307bis schema is enabled. Under RFC2307bis, group membership is expressed as member DNs (the uniqueMember attribute of a groupOfUniqueNames entry) rather than as login names in memberUid.

    RFC2307bis groupOfUniqueNames Object

    Name of the object class that represents an RFC2307bis group (the groupOfUniqueNames class). This parameter is valid only when RFC2307bis Supported is enabled.

    [Value range]

    This parameter can be left empty or contain up to 1024 characters.

    [Default value]

    groupOfUniqueNames

    RFC2307bis uniqueMember Attribute

    Name of the attribute that lists an RFC2307bis group's members by DN (the uniqueMember attribute). This parameter is valid only when RFC2307bis Supported is enabled.

    [Value range]

    This parameter can be left empty or contain up to 1024 characters.

    [Default value]

    uniqueMember

  4. Click Save.

    You can click Reset to restore the configuration of the LDAP domain authentication to the initial state.
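Before saving the settings, it is worth confirming from an ordinary host that the Bind DN, Base DN, search scopes, and schema mapping in Tables 1 and 2 actually return the users, groups, and netgroups the storage device will look for. The script below is an added example and is not part of the storage device or its documentation. It validates DNs by the rules Table 1 states, maps the schema template to the object classes and attributes of Table 2, builds the user, group, and netgroup search filters with RFC 4515 escaping (so that a user name such as `*)(uid=*` cannot rewrite the filter), flags a Simple bind over plain LDAP, and prints the equivalent OpenLDAP ldapsearch command lines. The host name, DNs, and sample user and netgroup names are constructed placeholders; the `-o nettimeout` and `-l` options are OpenLDAP ldapsearch options corresponding to the Connection Timeout and Search Timeout settings.

```python
"""Pre-flight checks for the LDAP domain settings in Tables 1 and 2.
Hypothetical helper, not part of the storage device: validates DNs, maps the
schema template to object classes and attributes, builds escaped search
filters, and prints equivalent OpenLDAP ldapsearch commands."""
import re
import shlex

# Defaults from Table 2 for the two schema templates.
SCHEMA_TEMPLATES = {
    "RFC2307": dict(user_object="posixAccount", group_object="posixGroup",
                    netgroup_object="nisNetgroup", uid="uid", member_uid="memberUid",
                    netgroup_cn="cn", nisnetgroup_triple="nisNetgroupTriple"),
    "AD_IDMU": dict(user_object="User", group_object="Group",
                    netgroup_object="nisNetgroup", uid="uid", member_uid="memberUid",
                    netgroup_cn="name", nisnetgroup_triple="NisNetgroupTriple"),
}
# RFC2307bis groups list members by DN instead of by login name.
RFC2307BIS = dict(group_object="groupOfUniqueNames", member="uniqueMember")
# Search scope names shown in the GUI -> ldapsearch -s values.
SCOPES = {"BASE": "base", "ONELEVEL": "one", "SUBTREE": "sub"}

def validate_dn(dn):
    """Table 1 DN rules: comma-separated key=value RDNs; a value may not start
    with '#' or a space and may not end with a space. An escaped comma (\\,)
    inside a value, e.g. cn=Smith\\, John, does not separate RDNs."""
    if not dn:
        return False
    for rdn in re.split(r"(?<!\\),", dn):
        key, sep, value = rdn.partition("=")
        if not sep or not key.strip() or not value:
            return False
        if value[0] in "# " or value.endswith(" "):
            return False
    return True

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter. Without it
    a user name such as '*)(uid=*' rewrites the filter (LDAP injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(schema, username):
    return "(&(objectClass=%s)(%s=%s))" % (
        schema["user_object"], schema["uid"], escape_filter_value(username))

def group_filter(schema, username, user_dn=None, rfc2307bis=False):
    """Groups of a user: matched by login name (memberUid) under RFC2307, by
    the user's DN (uniqueMember) when RFC2307bis Supported is enabled."""
    if rfc2307bis:
        return "(&(objectClass=%s)(%s=%s))" % (
            RFC2307BIS["group_object"], RFC2307BIS["member"], escape_filter_value(user_dn))
    return "(&(objectClass=%s)(%s=%s))" % (
        schema["group_object"], schema["member_uid"], escape_filter_value(username))

def netgroup_filter(schema, netgroup):
    return "(&(objectClass=%s)(%s=%s))" % (
        schema["netgroup_object"], schema["netgroup_cn"], escape_filter_value(netgroup))

def check_config(cfg):
    """Warnings a reviewer would raise about the Table 1 values."""
    warnings = []
    if cfg["protocol"] == "LDAP" and cfg["bind_level"] == "Simple":
        warnings.append("Simple bind over plain LDAP sends the Bind Password in cleartext; use LDAPS")
    well_known = {"LDAP": 389, "LDAPS": 636}[cfg["protocol"]]
    if cfg["port"] != well_known:
        warnings.append("port %d is not the well-known %s port %d" % (cfg["port"], cfg["protocol"], well_known))
    for name in ("base_dn", "bind_dn"):
        if not validate_dn(cfg[name]):
            warnings.append("%s does not follow the DN rules" % name)
    return warnings

def ldapsearch_command(cfg, base_dn, scope, search_filter, attrs):
    """OpenLDAP ldapsearch line equivalent to one lookup the device performs.
    -x selects a simple bind; without it ldapsearch binds through SASL."""
    url = "%s://%s:%d" % (cfg["protocol"].lower(), cfg["host"], cfg["port"])
    parts = ["ldapsearch", "-H", url]
    if cfg["bind_level"] == "Simple":
        parts.append("-x")
    parts += ["-D", cfg["bind_dn"], "-W", "-b", base_dn, "-s", SCOPES[scope],
              "-l", str(cfg["search_timeout"]),
              "-o", "nettimeout=%d" % cfg["connect_timeout"], search_filter] + list(attrs)
    return " ".join(shlex.quote(p) for p in parts)

if __name__ == "__main__":
    # Constructed sample settings; host name and DNs are placeholders.
    cfg = dict(host="ldap.example.com", port=636, protocol="LDAPS", bind_level="Simple",
               base_dn="dc=example,dc=com", bind_dn="cn=Manager,dc=example,dc=com",
               search_timeout=3, connect_timeout=3)
    schema = SCHEMA_TEMPLATES["RFC2307"]
    for warning in check_config(cfg):
        print("WARNING:", warning)
    print(ldapsearch_command(cfg, "ou=People,dc=example,dc=com", "SUBTREE",
                             user_filter(schema, "alice"), ["uid", "uidNumber", "gidNumber"]))
    print(ldapsearch_command(cfg, "ou=Groups,dc=example,dc=com", "ONELEVEL",
                             group_filter(schema, "alice"), ["cn", "gidNumber", "memberUid"]))
    print(ldapsearch_command(cfg, "ou=Netgroups,dc=example,dc=com", "SUBTREE",
                             netgroup_filter(schema, "nfsclients"), ["nisNetgroupTriple"]))
```

Run the printed commands against the active and each standby server (entering the Bind Password at the -W prompt rather than placing it on the command line) with the User Directory, Group Directory, and Network Group DN as the -b values. If a command returns no entries, the scope or the object class and attribute names in Table 2 do not match the directory, and the device's lookups will fail in the same way.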