Dell VxFlex Ready Node R640 Solution User Roles And LDAP Usage Technical Notes PDF


Dell EMC PowerFlex User Roles and LDAP Usage Technical Notes

3.x

August 2021 Rev. 01

Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

2021 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

Contents

Chapter 1: PowerFlex LDAP ... 5

Chapter 2: PowerFlex authentication and user roles ... 6
  PowerFlex user roles ... 6
    Local versus LDAP users ... 6
    Local domain roles ... 7
    LDAP domain roles ... 7
    LDAP login requirements ... 8
    User permissions ... 9
    Superuser ... 9
    Changes to the LDAP Active Directory ... 10

Chapter 3: Command authorization ... 11
  Administrator ... 11
  BackendConfigure ... 11
  FrontendConfigure ... 11
  Monitor ... 12
  Security ... 12

Chapter 4: Preparing PowerFlex servers for use with LDAP ... 13
  Server configuration scenarios ... 13
  LDAP server settings ... 14
  Red Hat Enterprise Linux, CentOS, and SLES systems ... 14
    Verify the installation of the openldap package ... 14
    Create a cacerts directory ... 14
    Edit the /etc/resolv.conf file ... 15
    Add the LDAP server details to the /etc/hosts file ... 15
    Copy the certificate files and run cacertdir_rehash ... 16
    Install PowerFlex ... 16
  Ubuntu ... 16
    Configure LDAP nodes on the server ... 16
    Install PowerFlex ... 21
  Windows ... 21
    Confirm that the LDAP server is accessible ... 21
    Import the CA certificates ... 22
    Test LDAP node connectivity using ldp.exe ... 22
    Install PowerFlex ... 23

Chapter 5: Configuring LDAP authentication on the PowerFlex MDM ... 24
  Preparing for LDAP authentication ... 24
  Configuration overview ... 24
  Configure LDAP authentication on an MDM node for a Linux-based LDAP server ... 25
  Configure LDAP authentication on an MDM node for a Linux-based LDAP server in PowerFlex 3.0.x ... 26
  Configure Linux LDAP authentication on an MDM when an authorizer is configured ... 27
  Configure LDAP authentication on an MDM node for a Windows-based LDAP server ... 28
    Configuring authentication when FQDN is configured ... 29
  Using LDAP with PowerFlex ... 30
    Example of LDAP use with PowerFlex ... 31
    Cross domain authentication ... 31
  CLI command details ... 33
    Using the CLI ... 33
    add_ldap_service ... 33
    add_ldap_service (PowerFlex 3.0.x and earlier) ... 35
    assign_ldap_groups_to_roles ... 36
    set_user_authentication_method ... 37
    query_user_authentication_properties ... 38

Chapter 6: Additional PowerFlex CLI commands for LDAP ... 39
  remove_ldap_group_from_role_assignment ... 39
  rename_ldap_service ... 40
  remove_ldap_service ... 40

Chapter 7: Configuring LDAP authentication on the PowerFlex Gateway ... 41
  Preliminary configurations ... 41
  FOSGWTool basics ... 41
  Configure LDAP authorization on the PowerFlex Gateway ... 41
  Edit the gatewayUser.properties file ... 43
  Configure a secured connection ... 43
  FOSGWTool commands ... 44
    reset_ldap_properties ... 44
    update_ldap_properties ... 46
    query_ldap_properties ... 46

Chapter 8: Configuring LIA to work with LDAP ... 48
  Changing LIA authentication to LDAP ... 48
    Configure LDAP authentication for LIA on the PowerFlex Gateway ... 48
    Change LIA authentication method to LDAP ... 49
  Add an LDAP server for LIA following system deployment ... 50
  Remove an LDAP server from LIA LDAP configuration ... 50

Chapter 1: PowerFlex LDAP

This publication presents a high-level description of the user roles and LDAP feature as implemented in PowerFlex and VxFlex Ready Node. Where features are relevant only for a specific system type, this is noted.

It is assumed that readers of this document are familiar with LDAP technology.

Chapter 2: PowerFlex authentication and user roles

This section explains the user roles PowerFlex supports and how they are handled by the different authentication methods.

PowerFlex user roles

PowerFlex supports the following user roles:

Superuser
Security
Administrator
Configure (an aggregate of both FrontendConfigure and BackendConfigure)
FrontendConfigure
BackendConfigure
Monitor

Each role is associated with different activities and commands, as explained in more detail in Command authorization on page 11. The manner in which roles are defined depends on whether native (local) or LDAP authentication is used, as explained in the following topic.

Local versus LDAP users Local users function differently than LDAP users in PowerFlex. Although the role names are similar for local and LDAP users, the authorization permissions for each user role are defined differently for native and LDAP authentication.

Native authentication uses the nested model, in which a more privileged role immediately grants access to the same set of authorized commands associated with a less-privileged role. For example, in the local domain, when a user is defined as Administrator, that user may execute any command associated with the lesser privileged roles (Configure and Monitor). An Administrator may add users due to the Administrator role, and in addition, may also perform configuration changes through the Configure role.

For an LDAP user, this is not the case. Instead, a segregated model is used for the roles, and a specific set of commands is associated with each role. An LDAP user defined as an Administrator is limited to Administrator operations, such as adding users, but is not able to invoke any BackendConfigure, FrontendConfigure, or Monitor commands. You must assign LDAP users to each role to grant access to its specific set of commands.

The Configure and Superuser roles do not exist at all for LDAP authentication.

Local domain roles

When native authentication is used, all roles except Security are defined in a nested manner. Each role is authorized to perform operations related to its definition, in addition to the commands permitted by lower-level roles.

Figure 1. Local domain nested roles model

1. Superuser: Can perform all operations, configuration tasks, and upgrades. There can only be one Superuser, who is always a local user.

2. Security: Can define administrators and control LDAP. The Security user is not part of the hierarchical model and has a set of commands that only a Security (or Superuser) can perform.

3. Administrator: Can perform all Configure operations and also define the Configure- and Monitor-level users. Can perform upgrades.

4. Configure: Does not exist as a default option, but can be configured from FrontendConfigure or BackendConfigure. Can perform upgrades.

5. FrontendConfigure: Can perform Monitor operations and frontend-related configurations that include volume manipulations (adding, deleting, and mapping volumes and snapshots) and SDC operations (adding and deleting SDCs).

6. BackendConfigure: Can perform monitoring operations, upgrades, and backend-related configurations. Operations include:
   Protection Domain and Storage Pool operations
   Manipulating Fault Sets and SDS
   Configuring SDS devices
   Configuring replication

7. Monitor: Can only perform monitoring operations that do not affect the system.

NOTE: You must assign the BackendConfigure role to the users who need to update the system license.

LDAP domain roles

Roles in the LDAP domain are similar by name to local user roles, but are defined in a mutually exclusive manner.

Each role is authorized to perform a separate set of commands that are related to its functionality, with basically no overlap. The only exception is Configure, which is constructed from FrontendConfigure and BackendConfigure and does not exist as a separate role in LDAP. This model allows better granularity when defining users.

Figure 2. LDAP domain segregated roles model

1. Superuser: Not supported for LDAP users. Must be a local user.

2. Security: Can define administrators and control LDAP. The Security user is not part of the hierarchical model and has a set of commands that only a Security (or Superuser) user can perform.

3. Administrator: Can define Configure and Monitor users.

4. FrontendConfigure: Can perform any frontend-related configurations that include volume manipulations (adding, deleting, and mapping volumes and snapshots) and SDC operations (adding and deleting SDCs).

5. BackendConfigure: Can perform upgrades and any backend-related configurations. Operations include:
   Protection Domain and Storage Pool operations
   Manipulating Fault Sets and SDS
   Configuring SDS devices
   Configuring replication

6. Monitor: Can only perform monitoring operations that do not affect the system.

In order to run NDU, the LDAP user must be assigned at a minimum both the Monitor and BackendConfigure user roles.

NOTE: You must assign the BackendConfigure role to the users who need to update the system license.

LDAP login requirements

The following table lists the requirements for logging in to the different PowerFlex components using LDAP user roles:

Table 1. LDAP user roles by component

Component: CLI, REST
Requirements: At least one LDAP service in the system (not necessarily the one you log in with) must be assigned to the Administrator group. CLI and REST command execution will be according to the user role and permissions. Any LDAP user can log in (CLI command execution is according to the user role and permissions).

Component: PowerFlex GUI, PowerFlex plug-in, PowerFlex Installer (PowerFlex Installer and PowerFlex plug-in are not applicable for VxFlex Ready Node)
Requirements: Monitor role. Additional roles can also be assigned in order to perform operations other than queries, but the Monitor role is mandatory.

Component: SRS
Requirements: BackendConfigure role, Monitor role. When performing system registration for SRS, the MDM remote syslog feature is enabled. The BackendConfigure user role is required when accessing the MDM which will perform this operation. The MDM local user/LDAP user in the lockbox must be assigned Monitor privileges in addition to BackendConfigure privileges. The BackendConfigure role does not automatically include Monitor privileges.

Component: SNMP
Requirements: BackendConfigure role, Monitor role. The MDM local user/LDAP user in the lockbox must be assigned Monitor privileges in addition to BackendConfigure privileges. The BackendConfigure role does not automatically include Monitor privileges.

User permissions

The following table describes the permissions defined for each user role, depending on whether native or LDAP authentication is used:

Table 2. Permissions by user role

User role | Query (Local / LDAP) | Configure parameters (Local / LDAP) | Configure user credentials (Local / LDAP)
Superuser (only one Superuser is allowed per system, and it must be a local user) | Yes / N/A | Yes / N/A | Yes / N/A
Security | No / No | No / No | Can assign Administrator users and control LDAP
Administrator | Yes / No | Yes / No | Can assign Configure and Monitor users
Configure (this role is only applicable for local users) | Yes / N/A | Yes (an aggregate of FrontendConfigure and BackendConfigure) / N/A | No / N/A
FrontendConfigure | Yes / No | Yes / Frontend operations only (volumes, SDCs, snapshots) | No / No
BackendConfigure | Yes / No | Yes / Backend operations only (Protection Domains, Storage Pools, Fault Sets, SDSs, devices, other system settings) | No / No
Monitor | Yes / Yes | No / No | No / No

Superuser

The Superuser is the default user for setting up the system. The Superuser, which is only available in the local domain and cannot be an LDAP user, has all the privileges of all the roles.

Dell EMC recommends using the Superuser role in the following cases:

When setting up a new system.
When there is no need to define separate or additional users.

The Superuser comes with the default username and password of admin/admin.

Username: admin
Password: admin

When a single Superuser is configured, the audit log does not track the activity of individual users logging in using the Superuser role.

Dell EMC recommends disabling the Superuser after the system is deployed and other users are configured. This ensures that all users are associated with a specific person.

To disable the Superuser, from the SCLI run:

scli --disable_admin [--i_am_sure]

In emergency cases, you may need to override the LDAP authentication and restore the Superuser (admin) so that the authentication method becomes both LDAP and native authentication. To restore the Superuser, follow the "Reset the admin user password" procedure described in the Configure and Customize PowerFlex Guide.

Changes to the LDAP Active Directory

In the event changes are made to the LDAP Active Directory following PowerFlex LDAP configuration, you must reconfigure LDAP accordingly for the MDM, PowerFlex Gateway, and LIA.

Changes to the Active Directory are propagated to all PowerFlex nodes. Depending on the cluster configuration, the propagation process can take up to a few hours.

Chapter 3: Command authorization

This section lists the different user roles when LDAP authorization is used, and gives examples of the commands associated with each role.

Administrator

The Administrator role is used to configure and monitor users. Examples of the commands associated with the Administrator user role are:

--add_user
--delete_user
--query_user
--query_users
--set_password

BackendConfigure

The BackendConfigure role allows users to perform operations such as configuring Protection Domains, Storage Pools, Fault Sets, SDRs, SDSs, and devices. Examples of commands associated with the BackendConfigure user role are:

--add_sds
--add_sds_device
--enable_rfcache
--enter_maintenance_mode
--inactivate_protection_domain
--modify_zero_padding_policy
--remove_protection_domain
--rename_storage_pool
--set_rebuild_policy
--add_sdr
--enter_sdr_maintenance_mode
--set_replication_journal_capacity

FrontendConfigure

The FrontendConfigure role allows users to perform frontend operations related to volumes, SDCs, and snapshots. Examples of commands associated with the FrontendConfigure user role are:

--add_sdc
--add_source_volume_to_snapshot_policy
--migrate_vtree
--modify_snapshot_policy
--overwrite_volume_content
--remove_volume
--resume_vtree_migration
--set_sdc_volume_limit
--snapshot_volume
--unlock_auto_snapshot

Monitor

The Monitor role allows users to perform operations, such as queries, that do not affect the system. Examples of commands associated with the Monitor role are:

--query_all
--query_fault_set
--query_device_test
--query_diag_counters
--query_license
--query_network_latency_meters
--query_oscillating_failure_counter_parameters
--query_sds_network_test
--query_user_authentication_properties
--query_vtree_migration

Security

The Security role defines Administrator users and controls LDAP. Examples of commands associated with the Security role are:

--add_ldap_service
--assign_ldap_groups_to_roles
--generate_certificate
--generate_mdm_certificate
--generate_mdm_csr_file
--remove_ldap_group_from_role_assignment
--remove_ldap_service
--replace_mdm_security_files
--set_cli_login_banner_acceptance_mode
--set_management_client_communication
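The two authorization models described in Chapter 2 (nested for local users, segregated for LDAP users), worked through in code with the example commands listed in this chapter. This is an added example, not code from the Dell EMC document or from PowerFlex itself: the role names, the nesting order and the commands are the document's, while the function names and the choice of command subset are this example's own.

```python
"""Added example, not code from the Dell EMC document: a small model of the
two role-authorization models the document describes (nested for local
users, segregated for LDAP users).  Role names, the nesting order and the
example commands are the document's; the function names are this example's."""

# A few example commands per role, taken from the document's Chapter 3 lists.
COMMANDS_BY_ROLE = {
    "Administrator": {"--add_user", "--delete_user", "--query_user",
                      "--query_users", "--set_password"},
    "BackendConfigure": {"--add_sds", "--add_sds_device", "--enter_maintenance_mode",
                         "--remove_protection_domain", "--set_rebuild_policy"},
    "FrontendConfigure": {"--add_sdc", "--snapshot_volume", "--remove_volume",
                          "--migrate_vtree"},
    "Monitor": {"--query_all", "--query_license", "--query_fault_set",
                "--query_user_authentication_properties"},
    "Security": {"--add_ldap_service", "--assign_ldap_groups_to_roles",
                 "--remove_ldap_service", "--generate_mdm_certificate"},
}

# Local (native) domain, Figure 1: each role also gets the commands of the
# roles nested below it.  Security sits outside the hierarchy; only Security
# itself and the Superuser may run Security commands.
LOCAL_NESTING = {
    "Superuser": {"Administrator", "Security"},
    "Security": set(),
    "Administrator": {"Configure"},
    "Configure": {"FrontendConfigure", "BackendConfigure"},
    "FrontendConfigure": {"Monitor"},
    "BackendConfigure": {"Monitor"},
    "Monitor": set(),
}

# LDAP domain, Figure 2: Superuser and Configure do not exist at all.
LDAP_ROLES = {"Security", "Administrator", "FrontendConfigure",
              "BackendConfigure", "Monitor"}


def local_commands(role):
    """Commands a local user holding `role` may run (transitive nesting)."""
    if role not in LOCAL_NESTING:
        raise ValueError(f"unknown local role: {role}")
    allowed, todo = set(), [role]
    while todo:
        current = todo.pop()
        allowed |= COMMANDS_BY_ROLE.get(current, set())
        todo.extend(LOCAL_NESTING[current])
    return allowed


def ldap_commands(roles):
    """Commands an LDAP user holding exactly `roles` may run (no inheritance)."""
    bad = set(roles) - LDAP_ROLES
    if bad:
        raise ValueError(f"not valid for LDAP users: {sorted(bad)}")
    return set().union(*(COMMANDS_BY_ROLE[r] for r in roles))


def is_authorized(domain, roles, command):
    """Authorization decision for one command in the "local" or "ldap" domain."""
    if domain == "local":
        return any(command in local_commands(r) for r in roles)
    if domain == "ldap":
        return command in ldap_commands(roles)
    raise ValueError(f"unknown domain: {domain}")


def required_ldap_roles(commands):
    """Minimal set of LDAP roles that covers `commands` (least privilege).

    In the segregated model every command belongs to exactly one role, so the
    answer is the set of owning roles.  For example an NDU needs both Monitor
    (queries) and BackendConfigure (upgrades), as the document notes.
    """
    owner = {cmd: role for role, cmds in COMMANDS_BY_ROLE.items() for cmd in cmds}
    try:
        return {owner[cmd] for cmd in commands}
    except KeyError as exc:
        raise ValueError(f"command not in the example table: {exc.args[0]}") from None


if __name__ == "__main__":
    # A local Administrator inherits Monitor; an LDAP Administrator does not.
    print(is_authorized("local", {"Administrator"}, "--query_all"))   # True
    print(is_authorized("ldap", {"Administrator"}, "--query_all"))    # False
    print(sorted(required_ldap_roles({"--query_all", "--add_sds"})))  # ['BackendConfigure', 'Monitor']
```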


Chapter 4: Preparing PowerFlex servers for use with LDAP

This section explains how to configure the servers for use with LDAP before configuring LDAP authentication on a PowerFlex node. The procedures in this section set up LDAP in a secure (LDAPS) environment. Where relevant, they also include instructions for preparing the server for non-secure LDAP.

NOTE: PowerFlex Gateway configurations are not relevant for VxFlex Ready Node systems.

Server configuration scenarios

PowerFlex supports LDAP authentication for three different purposes: LIA user authorization, MDM user authorization, and PowerFlex Gateway user authorization. Before configuring LDAP authentication for any of these purposes, perform the tasks in this section to prepare the PowerFlex servers or nodes that will use LDAP.

The following table explains the three LDAP cases and the stage in the PowerFlex deployment process at which you should prepare the server or nodes.

Table 3. LDAP use cases

LDAP feature: LDAP for PowerFlex MDMs
Description: PowerFlex uses LDAP to authorize users to configure, maintain, or monitor the system.
Server/node: MDM nodes
When to configure the server: Before or after system deployment, but before configuring LDAP authentication on the MDMs.

LDAP feature: LDAP for PowerFlex Gateway
Description: PowerFlex uses LDAP authentication for the PowerFlex Gateway.
Server/node: PowerFlex Gateway
When to configure the server: Before or after system deployment, but before configuring LDAP authentication on the gateway. NOTE: If you already prepared the gateway server for LDAP authentication for LIA, skip these tasks.

LDAP feature: LDAP for PowerFlex LIA
Description: LIA uses LDAP authorization to maintain and upgrade PowerFlex components.
Server/node: PowerFlex Gateway
When to configure the server: New deployment: Prepare the server for LDAP before installing the PowerFlex Gateway. Existing deployment: Prepare the server for LDAP before switching the LIA authentication mode from native to LDAP in the PowerFlex Installer. NOTE: If you already prepared the gateway server for LDAP authentication for the PowerFlex Gateway, skip these tasks.

LDAP server settings

Before preparing the server, ensure that you have the following information at hand for each LDAP server:

Table 4. Required LDAP server information

Setting | Configuration
IP address |
Username |
Password |
Domain name |
FQDN |
Certificate name |
Certificate location |

NOTE: PowerFlex supports both Linux- and Windows-based LDAPS servers. The Linux LDAP server can have multiple certificates.

Red Hat Enterprise Linux, CentOS, and SLES systems

Perform the following tasks in the order they are presented to set up a RHEL-, CentOS-, or SLES-based server for use with LDAP.

Verify the installation of the openldap package

Verify that the openldap package is installed.

Run the following command:

rpm -qa | grep openldap

Output similar to the following should appear:

openldap-2.4.23-32.el6_4.1.x86_64

Create a cacerts directory

Create a cacerts directory in a predefined location.

About this task

NOTE: For non-secure LDAP, skip this task.

14 Preparing PowerFlex servers for use with LDAP

Steps

1. Create a directory named cacerts in this location: /etc/openldap.

2. Verify that the following entry is displayed in /etc/openldap/ldap.conf:

RHEL/CentOS:

TLS_CACERTDIR /etc/openldap/cacerts/

SLES:

TLS_CACERTDIR

Edit the /etc/resolv.conf file

Edit the /etc/resolv.conf file and confirm the following:

The LDAP server IP address is included in the file. If more than one LDAP server is configured for the system, list all the server IP addresses.

The search parameter is configured to the FQDN of the LDAP server.

For example:

cat /etc/resolv.conf
nameserver 10.55.1.2
nameserver 8.8.8.8
nameserver 9.9.9.9
search ldaps.local

where:

10.55.1.2 is the IP address of the LDAP server

ldaps.local is the domain name of the LDAP server

Add the LDAP server details to the /etc/hosts file

Add the LDAP server IP address, FQDN, and hostname of each LDAP server to the /etc/hosts file. In the following example, the LDAP server information is the last line in the file:

127.0.0.1 localhost
127.0.1.1 SioVM_226
192.168.10.45 SioGwHA

# The following lines are desirable for IPv6 capable hosts:
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

192.168.10.226 SioVM_226
192.168.10.227 SioVM_227
192.168.10.228 SioVM_228
192.168.10.229 SioVM_229
10.55.1.2 example.ldaps.local example

where, in this example:

10.55.1.2 is the IP address of the LDAP server
example.ldaps.local is the FQDN
example is the hostname

NOTE: Configuring multiple LDAP servers with the same Base DN is not supported.


Copy the certificate files and run cacertdir_rehash

Copy the certificate files from the LDAP server to the node and run cacertdir_rehash.

About this task

NOTE: For non-secure LDAP, skip this task.

Steps

1. Using WinSCP, copy the certificate files to /etc/openldap/cacerts.

NOTE: When multiple LDAP servers are used, copy the certificates from all the LDAP servers.

2. Run:

cacertdir_rehash /etc/openldap/cacerts

Install PowerFlex

Install the PowerFlex system.

For details, refer to the Deploy Dell EMC PowerFlex guide.

Ubuntu

Perform the following tasks in the order they are presented to set up an Ubuntu-based server for use with LDAP.

Configure LDAP nodes on the server

Configure LDAP nodes on the PowerFlex server.

Steps

1. In the /etc/network/interfaces file, add the LDAP server's DNS parameters under the management interface.

For example:

# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 10.55.1.2
netmask 255.255.240.0
dns-nameservers 8.8.8.8
dns-nameservers 9.9.9.9
dns-search ldaps.local

# IPv4 configuration
auto eth1
iface eth1 inet static
address 7.1.1.226
netmask 255.255.0.0

# IPv6 configuration
auto eth1
iface eth1 inet6 static
pre-up modprobe ipv6
address 260:0:170:790D:250:56FF:FE89:C21F
netmask 64

where:

10.55.1.2 is the IP address of the LDAP server

ldaps.local is the Domain name of the LDAP server

9.9.9.9 is for external IP communications.

NOTE: The IP address for external IP communications is required for the APT repository.

2. Confirm that you can ping the DNS name servers.

3. Reboot the server.

4. Confirm that the file /etc/resolv.conf is updated:

For example:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)

# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

nameserver 8.8.8.8

nameserver 9.9.9.9

nameserver 10.10.10.10

search ldaps.local

5. Run nslookup for the LDAP server hostname and IP address:

For example, when using the parameters listed for the example in the first step:

root@SioVM_228:~# nslookup example
Server:         10.55.1.2
Address:        10.55.1.2#53

Name:   example.ldaps.local
Address: 10.55.1.2

root@SioVM_228:~# nslookup 10.55.1.2
Server:         10.55.1.2
Address:        10.55.1.2#53

2.1.55.10.in-addr.arpa  name = example.ldaps.local.

6. Run the following command, and wait until the operation is finished:

sudo apt-get update

7. Run:

sudo apt-get install openssh-client ldap-utils

8. Copy the LDAP certificate files from the LDAP servers to /etc/ssl/certs.

NOTE: For non-secure LDAP, skip this step and jump to step 11.

9. Run:

c_rehash /etc/ssl/certs

NOTE: For non-secure LDAP, skip this step and jump to step 11.


10. Run the following command and wait until the operation is finished:

sudo update-ca-certificates

NOTE: For non-secure LDAP, skip to the next step.

11. Add the following lines to the /etc/ldap/ldap.conf file and ensure that all the other lines are commented out:

URI ldaps://example.ldaps.local/

or

URI ldap://server.example.com/

The file contents should be similar to the following example:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
# TLS_CACERT     /etc/ssl/certs/ca-certificates.crt
URI ldaps://example.ldaps.local/

12. Add the LDAP server IP address, FQDN, and hostname to the /etc/hosts file:

NOTE: When several LDAP servers are used, they should all be added to this file.

For example:

127.0.0.1       localhost
127.0.1.1       SioVM_226
192.168.10.45   SioGwHA

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

192.168.10.226  SioVM_226
192.168.10.227  SioVM_227
192.168.10.228  SioVM_228
192.168.10.229  SioVM_229
10.55.1.2       example.ldaps.local example

13. Test the configuration:

a. Test that each certificate is valid.

sudo openssl s_client -connect example.ldaps.local:636 -CAfile /etc/ssl/certs/scaleio.cer < /dev/null

Repeat this step for each LDAP server's certificates.

The output should be similar to the following example. Note the last line of the output, before "DONE".

CONNECTED(00000003)
depth=1 DC = local, DC = ldaps, CN = ldaps-example-CA
verify return:1
depth=0 CN = example.ldaps.local
verify return:1
---
Certificate chain
 0 s:/CN=example.ldaps.local
   i:/DC=local/DC=ldaps/CN=ldaps-example-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(PEM-encoded server certificate omitted)
-----END CERTIFICATE-----
subject=/CN=example.ldaps.local
issuer=/DC=local/DC=ldaps/CN=ldaps-example-CA
---
No client certificate CA names sent
---
SSL handshake has read 2107 bytes and written 489 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 000E0000A293DA7B903083F8BCB2737F2C10A98D298BD0E963B73E9EBAA4930C
    Session-ID-ctx:
    Master-Key: 2242522F8B151725BDED1DC92264F461F4487DAAEC8DB6F5EA4959A42D4DABD4105534110229870FC8B6333B4443E891
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1455035763
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

b. Test the connectivity to the LDAP server:

For example:

sudo ldapsearch -v -x -H ldaps://example.ldaps.local -D "CN=sio_1,OU=OU1,DC=ldaps,DC=local" -b "DC=ldaps,DC=local" -w password -s sub "cn=sio_1"

Output similar to the following appears:

ldap_initialize( ldaps://example.ldaps.local:636/??base )
filter: cn=sio_1
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=sio_1
# requesting: ALL
#

# sio_1, OU1, ldaps.local
dn: CN=sio_1,OU=OU1,DC=ldaps,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: sio_1
distinguishedName: CN=sio_1,OU=OU1,DC=ldaps,DC=local
instanceType: 4
whenCreated: 20150903151639.0Z
whenChanged: 20160204120821.0Z
uSNCreated: 16441
memberOf: CN=SIO_GRP_1,OU=OU1,DC=ldaps,DC=local
uSNChanged: 42047
name: sio_1
objectGUID:: nZsX4yqFIEaR3qKEKSyZcw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 130932822411399444
lastLogoff: 0
lastLogon: 130932822593743040
pwdLastSet: 130990597572374527
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA9hRku46/nHL6xBLIUAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: sio_1
sAMAccountType: 805306368
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ldaps,DC=local
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130990613014592452

# search reference
ref: ldaps://ForestDnsZones.ldaps.local/DC=ForestDnsZones,DC=ldaps,DC=local

# search reference
ref: ldaps://DomainDnsZones.ldaps.local/DC=DomainDnsZones,DC=ldaps,DC=local

# search reference
ref: ldaps://ldaps.local/CN=Configuration,DC=ldaps,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
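Steps 11 and 13a above leave two checks to the eye: that only the URI line in /etc/ldap/ldap.conf is active and uses ldaps://, and that the s_client output ends with a successful verification. The following Python is an added example, not part of the Dell document; it runs those checks over a constructed ldap.conf body and a constructed excerpt of the s_client output shown above, and the legacy-protocol check is an extra caveat not in the procedure.

```python
"""Offline checks for the ldap.conf contents (step 11) and the s_client output (step 13a)."""
import re
from typing import List

# Constructed ldap.conf body matching the step 11 example.
SAMPLE_LDAP_CONF = """\
#
# LDAP Defaults
#
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
# TLS_CACERT     /etc/ssl/certs/ca-certificates.crt
URI ldaps://example.ldaps.local/
"""

# Constructed excerpt of the step 13a s_client output (certificate body omitted).
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
depth=1 DC = local, DC = ldaps, CN = ldaps-example-CA
verify return:1
depth=0 CN = example.ldaps.local
verify return:1
subject=/CN=example.ldaps.local
issuer=/DC=local/DC=ldaps/CN=ldaps-example-CA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Verify return code: 0 (ok)
---
DONE
"""


def active_ldap_conf_lines(conf_text: str) -> List[str]:
    """Non-blank lines of an ldap.conf body that are not commented out."""
    return [ln.strip() for ln in conf_text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def check_ldap_conf(conf_text: str, require_ldaps: bool = True) -> List[str]:
    """Findings for step 11; an empty list means the file is as the step requires."""
    findings: List[str] = []
    active = active_ldap_conf_lines(conf_text)
    uris = [ln for ln in active if ln.upper().startswith("URI ")]
    if not uris:
        findings.append("no active URI line")
    for ln in active:
        if ln not in uris:
            findings.append(f"unexpected active directive: {ln}")
    for ln in uris:
        for uri in ln.split()[1:]:
            scheme = uri.split("://", 1)[0].lower()
            if require_ldaps and scheme != "ldaps":
                findings.append(f"non-secure URI: {uri}")
    return findings


def check_s_client_output(output: str, expected_cn: str) -> List[str]:
    """Findings for step 13a: verify result, certificate subject and negotiated protocol."""
    findings: List[str] = []
    code = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", output)
    if code is None:
        findings.append("no 'Verify return code' line found")
    elif code.group(1) != "0":
        findings.append(f"certificate verification failed: {code.group(1)} ({code.group(2)})")
    subject = re.search(r"^subject=(.*)$", output, re.MULTILINE)
    if subject is None:
        findings.append("no server certificate subject found")
    elif f"CN={expected_cn}" not in subject.group(1):
        findings.append(f"subject {subject.group(1)} does not name {expected_cn}")
    # Extra caveat (not in the procedure): flag a downgraded protocol.
    proto = re.search(r"Protocol\s*:\s*(\S+)", output)
    if proto and proto.group(1) in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"legacy protocol negotiated: {proto.group(1)}")
    return findings


if __name__ == "__main__":
    print("ldap.conf:", check_ldap_conf(SAMPLE_LDAP_CONF) or "ok")
    print("s_client :", check_s_client_output(SAMPLE_S_CLIENT, "example.ldaps.local") or "ok")
```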

Install PowerFlex

Install the PowerFlex system.

For details, refer to the Deploy Dell EMC PowerFlex guide.

Windows

Perform the following tasks in the order they are presented to set up a Windows-based PowerFlex Gateway server for use with LDAP.

Confirm that the LDAP server is accessible

Ensure that you have access to the LDAP server in the PowerFlex system using its IP address and hostname.

Steps

1. Confirm that the LDAP server is accessible using its IP address and hostname.

Dell EMC recommends that you edit the hosts file located under C:\Windows\System32\drivers\etc and add the following entry:

For example:

10.55.1.2 example.ldaps.local

The file will appear similar to the following:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
127.0.0.1       vmware-localhost
::1             vmware-localhost
10.55.1.2       example.ldaps.local

2. Confirm that the ldp.exe tool is installed. If it is not present, install it:

a. Open Server Manager. On the Manage menu, click Add Roles and Features, and then click Next three times in the Add Roles and Features Wizard.

b. Select the Active Directory Lightweight Directory Services check box, and then click Next.

NOTE: When you choose to install the Active Directory Lightweight Directory Services, it automatically selects and installs the .NET 3.5 Framework, unless it is already installed.

c. Click Add Features, and then click Next three times, until the Confirm installation selections window appears.

d. Click Install.

e. When the installation finishes, click Close.

Import the CA certificates

Import the CA certificate from the LDAP server into the local certificate store. When multiple LDAP servers are used, repeat this procedure to import the CA certificates for all the LDAP servers.

Steps

1. Copy the certificate file from the LDAP server to any location on the Windows server.

2. Double-click the certificate.

The Certificate window appears:

3. Click Install Certificate, and then click Next. The Certificate Import Wizard window appears:

NOTE: If an additional message appears, select Local Machine.

4. Select Place all certificates in the following store, and then click Browse.

The Select Certificate Store window appears:

5. Select Trusted Root Certification Authorities, and then click OK.

6. Click Next.

7. Click Finish.

8. Click OK to confirm.

Test LDAP node connectivity using ldp.exe

Test and verify secured LDAP node connectivity using the ldp.exe utility.

Steps

1. From the command prompt run:

ldp.exe

The Ldp window appears:

2. From the Connection menu, select Connect.

3. In the Connect window, enter the following information:

Secure LDAP:

Server: LDAPS server FQDN (for example, example.ldaps.local)

Port: 636

Non-secure LDAP:

Server: LDAP server FQDN (for example, example.ldap.local)

Port: 389


4. Select the SSL check box, and then click OK.

5. Confirm that the output displays connectivity to the LDAP server.

If an error message appears, review the LDAP configuration.

Install PowerFlex

Install the PowerFlex system.

For details, refer to the Deploy Dell EMC PowerFlex guide.


Configuring LDAP authentication on the PowerFlex MDM

This section contains instructions for configuring LDAP authentication on the PowerFlex MDM.

Preparing for LDAP authentication

Before configuring LDAP authentication on the PowerFlex MDM node, ensure that the system meets the following prerequisites:

You have prepared both the LDAP server and the server on which the MDM is to be installed. For instructions, see Preparing PowerFlex servers for use with LDAP on page 13.

PowerFlex has been deployed on the node.

Configuration overview

This topic provides a high-level overview of the CLI commands and special considerations to take into account when configuring LDAP authentication on the MDM. For the specific command syntax, including command parameters, for your LDAP configuration, refer to the relevant task immediately following this topic.

Add the LDAP server as a service

Add the LDAP server as a service using the --add_ldap_service command.

Assign the LDAP groups to roles

After the LDAP service is configured, use the --assign_ldap_groups_to_roles command to map the LDAP Active Directory (AD) groups to PowerFlex user roles. For an explanation of the different user roles, see PowerFlex authentication and user roles on page 6.

The following considerations should be made when assigning groups to roles when LDAP authentication is used:

If you want LDAP users to be able to use the PowerFlex GUI or query the system, you must assign the LDAP groups to the Monitor role.

An LDAP user defined as an Administrator is limited to Administrator operations, such as adding users, but cannot invoke any Configure commands. To overcome this limitation, do one of the following:

Assign each LDAP group to several PowerFlex roles.

Assign each LDAP group to each PowerFlex role.

If the LDAP user will run NDU (non-disruptive upgrade), assign the user at a minimum to both the Monitor and BackendConfigure user roles.

NOTE: If an LDAP user role is changed, users must log out of PowerFlex and log back in with the updated permissions.

Set the user authentication method

After the LDAP service is set and groups are assigned, use the --set_user_authentication_method command to specify the authentication method with which PowerFlex will authenticate the users.

You may restrict users to only the local domain (native authentication) or to LDAP authentication only, or you can configure the MDM to allow both types of users. This decision should be made at the discretion of the system administrator, and is usually dictated by the security policy of the organization.


NOTE: After LDAP authentication is set, it cannot be changed easily to native authentication. To change it, see the "Reset the admin user password" procedure described in the Configure and Customize PowerFlex Guide.

Log in to the system

After configuring the system parameters, you may log in to the system using the scli --login command.

When logging in as a local user, the command must include a user name and password. When using LDAP, the command should also include the relevant LDAP domain and the LDAP authentication parameter.

Example for local login using native authentication:

scli --login --username JohnDoe --password

Example for LDAP login:

scli --login --username JohnDoe@example.ldaps.local --password --ldap_authentication

Verify the configuration

The --query_user_authentication_properties command returns the configuration so you can confirm that the configuration is correct.

Configure LDAP authentication on an MDM node for a Linux-based LDAP server

Use the following procedure to configure LDAP authentication using the PowerFlex CLI (SCLI) when the LDAP server is Linux based. This procedure should be used when configuring LDAP authentication in PowerFlex 3.5 or later.

About this task

For instructions on accessing the CLI and detailed information regarding the following commands, see CLI command details on page 33.

Steps

1. Perform the following configurations on the MDM:

scli --add_ldap_service --ldap_service_uri --ldap_base_dn --ldap_service_name --username_dn_format --search_filter_format

NOTE: Configuring multiple LDAP servers with the same base DN is not supported.

scli --assign_ldap_groups_to_roles --ldap_service_id --administrator_role_dn

scli --set_user_authentication_method

For example:

scli --add_ldap_service --ldap_service_uri "ldaps://server.ldap.com" --ldap_base_dn "dc=ldap,DC=com" --ldap_service_name "linux_ldap" --username_dn_format "CN=[USER],OU=People,DC=ldap,DC=com" --search_filter_format "(&(objectClass=userSecurityInformation)(cn=[USER])(memberOf=[GROUP]))"

scli --assign_ldap_groups_to_roles --ldap_service_id "226521b800000000" --administrator_role_dn "cn=scaleio_QA,ou=People,dc=ldap,dc=com"

scli --set_user_authentication_method --native_and_ldap_authentication

2. Verify the configuration:

scli --query_user_authentication_properties

Output similar to the following should appear:

------------------------------------------------------------
User authentication method: Native and LDAP
System has 1 configured LDAP services
------------------------------------------------------------
LDAP service ID: 226521b800000000
LDAP service name: linux_ldap
LDAP service URI: ldaps://server.ldap.com
Users base DN: dc=ldap,dc=com
FQDN: ldap.com
User search filter: (&(objectClass=userSecurityInformation)(cn=[USER])(memberOf=[GROUP]))
Username DN format: CN=[USER],OU=People,DC=ldap,DC=com
LDAP service has 1 configured groups.
Role: Administrator
Group DN: cn=scaleio_QA,ou=People,dc=ldap,dc=com
------------------------------------------------------------

Configure LDAP authentication on an MDM node for a Linux-based LDAP server in PowerFlex 3.0.x

Use the following procedure to configure LDAP authentication using the PowerFlex CLI (SCLI) when the LDAP server is Linux based. Use this procedure when configuring LDAP in PowerFlex 3.0.x and earlier.

About this task

For instructions on accessing the CLI and detailed information regarding the following commands, see CLI command details on page 33.

Steps

1. Perform the following configurations on the MDM:

scli --add_ldap_service --ldap_service_uri --ldap_base_dn --ldap_service_name --username_dn_format --object_class_attribute --user_attribute_name --member_of_attribute_name --disable_recursive_search

NOTE: Configuring multiple LDAP servers with the same base DN is not supported.

scli --assign_ldap_groups_to_roles --ldap_service_id --administrator_role_dn

scli --set_user_authentication_method


For example:

scli --add_ldap_service --ldap_service_uri "ldap://server.ldap.com" --ldap_base_dn "dc=ldap,dc=com" --ldap_service_name "linux_ldap" --username_dn_format "CN=*,OU=People,DC=ldap,DC=com" --object_class_attribute "*" --user_attribute_name "cn" --member_of_attribute_name "memberOf" --disable_recursive_search

scli --assign_ldap_groups_to_roles --ldap_service_id "4f30877a00000001" --administrator_role_dn "cn=scaleio_QA,ou=People,dc=ldap,dc=com"

scli --set_user_authentication_method --native_and_ldap_authentication

2. Verify the configuration:

scli --query_user_authentication_properties

Output similar to the following should appear:

------------------------------------------------------------
User authentication method: Native and LDAP
System has 1 configured LDAP services
------------------------------------------------------------
LDAP service ID: 4f30877a00000001
LDAP service name: linux_ldap
LDAP service URI: ldap://server.ldap.com
Users base DN: dc=ldap,dc=com
User search filter: (&(objectClass=*)(cn= )(memberOf= ))
Username DN format: CN=*,OU=People,DC=ldap,DC=com
LDAP service has 1 configured groups.
Role: Administrator
Group DN: cn=scaleio_QA,ou=People,dc=ldap,dc=com
------------------------------------------------------------

Configure Linux LDAP authentication on an MDM when an authorizer is configured

Use the following procedure to configure LDAP authentication on an MDM node when an authorizer (specific user for running the LDAP search) is configured on the Linux-based LDAP server. This procedure adds the --authorizer_dn and --authorizer_password parameters to the --add_ldap_service command.

About this task

For instructions on accessing the CLI and detailed information regarding the following commands, see CLI command details on page 33.

Steps

1. Perform the following configurations on the MDM:

scli --add_ldap_service --ldap_service_uri --ldap_base_dn --ldap_service_name --username_dn_format --search_filter_format --authorizer_dn --authorizer_password

NOTE: Configuring multiple LDAP servers with the same base DN is not supported.

scli --assign_ldap_groups_to_roles --ldap_service_id --administrator_role_dn

scli --set_user_authentication_method


For example:

scli --add_ldap_service --ldap_service_uri "ldaps://server.ldap.com" --ldap_base_dn "dc=ldap,dc=com" --username_dn_format "CN=[USER],OU=People,DC=ldap,DC=com" --search_filter_format "(&(objectClass=userSecurityInformation)(cn=[USER])(memberOf=[GROUP]))" --authorizer_dn "cn=authorizer_user,ou=Authorizer,dc=ldap,dc=com" --authorizer_password "Password1" --ldap_service_name "linux_ldap"

scli --assign_ldap_groups_to_roles --ldap_service_name "linux_ldap" --administrator_role_dn "cn=scaleio_QA,ou=People,dc=ldap,dc=com"

scli --set_user_authentication_method --native_and_ldap_authentication

2. Verify the configuration:

scli --query_user_authentication_properties

Output similar to the following should appear:

------------------------------------------------------------
User authentication method: Native and LDAP
System has 1 configured LDAP services
------------------------------------------------------------
LDAP service ID: fe97b19700000000
LDAP service name: test
LDAP service URI: ldaps://server.ldap.com
Users base DN: dc=ldap,dc=com
FQDN: ldap.com
User search filter: (&(objectClass=userSecurityInformation)(cn=[USER])(memberOf=[GROUP]))
Username DN format: CN=[USER],OU=People,DC=ldap,DC=com
Authorizer DN: cn=authorizer_user,ou=Authorizer,dc=ldap,dc=com
LDAP service has 1 configured groups.
Role: Administrator
Group DN: cn=scaleio_QA,ou=People,dc=ldap,dc=com
------------------------------------------------------------

Configure LDAP authentication on an MDM node for a Windows-based LDAP server

Use the following procedure to configure LDAP authentication using the PowerFlex CLI (SCLI) when the LDAP server is Windows based.

About this task

For instructions on accessing the CLI and detailed information regarding the following commands, see CLI command details on page 33.

Steps

1. Perform the following configurations on the MDM:

scli --add_ldap_service --ldap_service_uri --ldap_base_dn


NOTE: Configuring multiple LDAP servers with the same base DN is not supported.

scli --assign_ldap_groups_to_roles --ldap_service_id --administrator_role_dn

scli --set_user_authentication_method

scli --login --username --password --ldap_authentication

For example:

scli --add_ldap_service --ldap_service_uri "ldaps://example.ldaps.local" --ldap_base_dn "OU=OU1,DC=ldaps,DC=local"

scli --assign_ldap_groups_to_roles --ldap_service_id d39003a500000000 --administrator_role_dn "CN=SIO_GRP_1,OU=OU1,DC=ldaps,DC=local"

scli --set_user_authentication_method --native_and_ldap_authentication

scli --login --username sio_1@ldaps.local --password password --ldap_authentication

2. Verify the configuration:

scli --query_user_authentication_properties

Output similar to the following should appear:

------------------------------------------------------------
System has 1 configured LDAP services
------------------------------------------------------------
LDAP service ID: d39003a500000000
LDAP service URI: ldaps://example.ldaps.local
Users base DN: ou=ou1,dc=ldaps,dc=local
LDAP service has 1 configured groups.
Role: Administrator
Group DN: CN=SIO_GRP_1,OU=OU1,DC=ldaps,DC=local
------------------------------------------------------------

Configuring authentication when FQDN is configured

About this task

In cases where the Windows LDAP server is configured with a subdomain, use the --ldap_fqdn parameter when adding an LDAP service.

Steps

1. Add the LDAPS server as a service with a global catalog port and matching FQDN to both the parent and child domain:

scli --add_ldap_service --ldap_service_uri --ldap_base_dn --ldap_fqdn

For example:

scli --add_ldap_service --ldap_service_uri "ldaps://win12r2-dc.ldaps.local" --ldap_base_dn "dc=ldaps,dc=local" --ldap_fqdn "[sio.,]ldaps.local"


2. Assign a group from the parent domain to any user role:

scli --assign_ldap_groups_to_roles --ldap_service_id --monitor_role_dn

For example:

scli --assign_ldap_groups_to_roles --ldap_service_id "7fff533400000000" --monitor_role_dn "CN=grp_1,OU=ou1,DC=sio,DC=ldaps,DC=local"

3. Assign a group from the child domain to any user role:

scli --assign_ldap_groups_to_roles --ldap_service_id --administrator_role_dn

For example:

scli --assign_ldap_groups_to_roles --ldap_service_id "7fff533400000000" --administrator_role_dn "CN=SIO_GRP_1,OU=SIO_ou_1,DC=ldaps,DC=local"

4. Assign the user authentication method.

scli --set_user_authentication_method

For example:

scli --set_user_authentication_method --native_and_ldap_authentication

5. Verify the configuration:

scli --query_user_authentication_properties

Output similar to the following should appear:

------------------------------------------------------------
System has 1 configured LDAP services
------------------------------------------------------------
LDAP service ID: 7a4b7b5b00000000
LDAP service name: N/A
LDAP service URI: ldaps://win12r2-dc.ldaps.local
Users base DN: ou=sio_ou_1,dc=ldaps,dc=local
User search filter: (&(objectClass=user)(sAMAccountName= )(memberOf:1.2.840.113556.1.4.1941:= ))
LDAP service has 1 configured groups.
Role: Administrator
Group DN: CN=SIO_GRP_1,OU=SIO_OU_1,DC=ldaps,DC=local

Using LDAP with PowerFlex

An LDAP user defined as an Administrator is limited to Administrator operations, such as adding users, but is not able to invoke any Configure commands. You can overcome this limitation in one of two ways:

Assign an LDAP group to several PowerFlex roles.

Assign each LDAP group to each PowerFlex role.

The following examples show how to use each method when configuring LDAP authentication on the MDM.


Example of LDAP use with PowerFlex

This example shows how to configure LDAP so that the user John.Doe is assigned both the FrontendConfigure role and the Monitor role.

Local Domain

Assign John.Doe (a local user) to the FrontendConfigure role.

Because Monitor is nested in FrontendConfigure, John.Doe has all the desired privileges.

LDAP domain - LDAP group to multiple PowerFlex roles

Create and associate LDAP groups with multiple PowerFlex roles. You can do this for all roles by creating parallel groups in LDAP.

1. In LDAP, create the following LDAP group: FrontendConfigure_LDAP_Group

2. Assign John.Doe@example.ldaps.local to the above LDAP group.

3. In PowerFlex, associate FrontendConfigure_LDAP_Group to both the FrontendConfigure role and the Monitor role. In this way, FrontendConfigure_LDAP_Group has the same privileges as the local FrontendConfigure role, and therefore will have the desired privileges.

LDAP domain - LDAP group to one PowerFlex role

Associate each LDAP group with one PowerFlex role:

1. In LDAP, create these LDAP groups: FrontendConfigure_LDAP_Group and Monitor_LDAP_Group

2. Assign John.Doe@example.ldaps.local (an LDAP user) to both LDAP groups.

3. In PowerFlex, associate FrontendConfigure_LDAP_Group to the FrontendConfigure role, and assign Monitor_LDAP_Group to the Monitor role.

John.Doe@example.ldaps.local will have all the desired privileges.
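The difference between the local and LDAP variants above (local roles nest, LDAP group-to-role assignments are flat) can be turned into a small audit of an assignment plan. The following Python is an added example, not PowerFlex code: it models only the nesting this section states (Monitor inside FrontendConfigure), treats FrontendConfigure and BackendConfigure as the Configure roles, and uses constructed group DNs under OU=OU1.

```python
"""Audit of LDAP group-to-role assignments against the rules stated in this section."""
from typing import Dict, List, Set

# Nesting this section states for the local domain (assumption: nothing further is modelled).
LOCAL_ROLE_NESTING: Dict[str, Set[str]] = {"FrontendConfigure": {"Monitor"}}
# The Configure roles named in this section (assumption).
CONFIGURE_ROLES: Set[str] = {"FrontendConfigure", "BackendConfigure"}


def normalize_dn(dn: str) -> str:
    """Case-insensitive DN key with spaces around commas removed, so memberOf values match."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def local_effective_roles(assigned: Set[str]) -> Set[str]:
    """Local users inherit the roles nested in the roles they hold."""
    effective = set(assigned)
    pending = list(assigned)
    while pending:
        new = LOCAL_ROLE_NESTING.get(pending.pop(), set()) - effective
        effective |= new
        pending.extend(new)
    return effective


def ldap_effective_roles(member_of: List[str], group_roles: Dict[str, Set[str]]) -> Set[str]:
    """LDAP users get exactly the roles assigned to their groups; nothing is inherited."""
    table = {normalize_dn(dn): roles for dn, roles in group_roles.items()}
    effective: Set[str] = set()
    for dn in member_of:
        effective |= table.get(normalize_dn(dn), set())
    return effective


def audit_roles(roles: Set[str], runs_ndu: bool = False) -> List[str]:
    """Findings against the three rules this section states; empty means the plan is complete."""
    findings: List[str] = []
    if "Monitor" not in roles:
        findings.append("no Monitor role: cannot use the PowerFlex GUI or query the system")
    if "Administrator" in roles and not roles & CONFIGURE_ROLES:
        findings.append("Administrator without a Configure role: cannot invoke Configure commands")
    if runs_ndu and not {"Monitor", "BackendConfigure"} <= roles:
        findings.append("NDU requires at least Monitor and BackendConfigure")
    return findings


# Constructed group-to-role assignments for the two LDAP variants described above.
ONE_GROUP_TWO_ROLES = {
    "CN=FrontendConfigure_LDAP_Group,OU=OU1,DC=ldaps,DC=local": {"FrontendConfigure", "Monitor"},
}
ONE_GROUP_ONE_ROLE = {
    "CN=FrontendConfigure_LDAP_Group,OU=OU1,DC=ldaps,DC=local": {"FrontendConfigure"},
    "CN=Monitor_LDAP_Group,OU=OU1,DC=ldaps,DC=local": {"Monitor"},
}
# Constructed memberOf value as a directory might return it (different case, extra spaces).
JOHN_MEMBER_OF = ["cn=FrontendConfigure_LDAP_Group, ou=OU1, dc=ldaps, dc=local"]

if __name__ == "__main__":
    print("local:", audit_roles(local_effective_roles({"FrontendConfigure"})) or "ok")
    print("ldap, one group to two roles:",
          audit_roles(ldap_effective_roles(JOHN_MEMBER_OF, ONE_GROUP_TWO_ROLES)) or "ok")
    print("ldap, one group to one role, only one membership:",
          audit_roles(ldap_effective_roles(JOHN_MEMBER_OF, ONE_GROUP_ONE_ROLE)))
```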

Cross domain authentication

When there are two or more LDAP servers with a trusted relationship, a user from one server (user_ldap_server) can be associated with a group (vxflex_group) that is configured in the second server (group_ldap_server). The group in the second server is associated with a role in the PowerFlex system.

About this task

For PowerFlex to allow this user to log in, perform the following steps:

Steps

1. Add the user_ldap_server as an LDAP service in PowerFlex.

2. Assign the powerflex_group (that belongs to the group_ldap_server) to PowerFlex, and associate it with the desired role.

Results

From now on, any user from the user_ldap_server can log in to PowerFlex with the role associated with powerflex_group that belongs to group_ldap_server.


Example of cross domain authentication

This example demonstrates the configuration performed in PowerFlex.

About this task

The example assumes that a user is a defined user in user_ldap. In addition, a group named powerflex_monitor_group is defined in group_ldap.

The following steps show how to enable access to PowerFlex systems for users in the user_ldap server (e.g., John Doe) who are part of the powerflex_monitor_group defined in group_ldap.

Steps

1. Add user_ldap as an LDAP service.

Linux LDAP server example:

scli --add_ldap_service --ldap_service_uri "ldaps://server.ldap.com" --ldap_base_dn "dc=ldap,DC=com" --ldap_service_name "linux_ldap" --username_dn_format "CN=[USER],OU=People,DC=ldap,DC=com" --search_filter_format "(&(objectClass=userSecurityInformation)(cn=[USER])(memberOf=[GROUP]))"

NOTE: Configuring multiple LDAP servers with the same base DN is not supported.

Output similar to the following should appear:

Successfully added an LDAP service. Object ID fe97b19a00000000 with Name: linux_ldap, URI: ldaps://server.ldap.com and base DN: dc=ldap,DC=com

Windows LDAP server example:

scli --add_ldap_service --ldap_service_uri "ldaps://example.ldaps.local" --ldap_base_dn "OU=OU1,DC=ldaps,DC=local" --ldap_service_name "windows_ldap"

Output similar to the following should appear:

Successfully added an LDAP service. Object ID fe97b19b00000001 with Name: windows_ldap, URI: ldaps://example.ldaps.local and base DN: OU=OU1,DC=ldaps,DC=local

2. Assign the powerflex_monitor_group group to the Monitor role:

scli --assign_ldap_groups_to_roles --ldap_service_name "example_ldap" --monitor_role_dn "CN=powerflex_monitor_group,OU=powerflex_ou,DC=group_ldap,DC=example,DC=com"

The following output should appear:

Assignment of roles to LDAP groups completed successfully

3. Check the settings:

scli --query_user_authentication_properties

Output similar to the following should appear:

------------------------------------------------------------
System has 1 configured LDAP services
------------------------------------------------------------
LDAP service ID: fe97b19a00000000
LDAP service name: linux_ldap
LDAP service URI: ldaps://server.ldap.com
Users base DN: dc=ldap,DC=com
LDAP service has 1 configured groups.
Role: Monitor
Group DN: CN=powerflex_monitor_group,OU=powerflex_ou,DC=group_ldap,DC=example,DC=com
------------------------------------------------------------

4. Set the authentication method:

scli --set_user_authentication_method --ldap_authentication

The following output should appear:

Authentication method changed successfully

5. Log in using the desired user name:

scli --login --username "JohnDoe@example.ldaps.local" --password --ldap_authentication

Output similar to the following should appear:

Logged in. User role is Monitor. System ID is 31bf07056dd2f5d7

CLI command details

This section explains how to access and log in to the CLI. It also provides detailed information regarding the commands used to configure LDAP authentication on the PowerFlex MDM.

Using the CLI

The PowerFlex CLI (SCLI) is installed as part of the MDM component and can be found in the following path: scli

All CLI commands use the following format:

scli [--mdm_ip ]

For more information, see PowerFlex CLI Reference Guide.

add_ldap_service

Add the service to the MDM to be used for authentication. In return, the user receives the ID of the LDAP service.

NOTE: LDAP should be configured on all the MDMs in the system in order to support switch ownership scenarios.

NOTE: PowerFlex systems support authentication by up to eight LDAP servers. When multiple LDAP servers are used, add each one separately using this command.

Syntax

scli --add_ldap_service --ldap_service_uri --ldap_base_dn [--ldap_fqdn ] [--ldap_service_name <LDAP_NAME>] [--username_dn_format ] [--search_filter_format ] [--authorizer_dn ] [--authorizer_password ]

NOTE: The --ldap_fqdn, --username_dn_format, and --search_filter_format parameters are used when the LDAP server is running on Linux.


Parameters

--ldap_service_uri URI of the LDAP service:

:// : [ ]

Where:

Defines the connection protocol:

LDAPS: Secure LDAP connection (recommended)

LDAP: non-secure LDAP connection

LDAP hostname

LDAP service port (optional, default: 389 for LDAP and 636 for LDAPS)

This parameter must start with ldap:// or ldaps:// followed by the host name.

Example: ldaps://my.ldaphost.com:636

When using the global catalog, one should specify the port number of the global catalog. The standard ports for global catalog are 3268 (non-secure) and 3269 (secure).

NOTE: No extra validation is performed at this stage.

--ldap_base_dn Base Distinguished Name (DN) of users in the domain. Must be a valid DN containing the DC substring. For example, if a user's corporate login is johnd@ecme.corp.com, the DC string would be DC=ecme,DC=corp,DC=com.

NOTE: Configuring multiple LDAP servers with the same base DN is not supported.

NOTE: On Active Directory Windows servers, use the dsquery tool to find LDAP Base DN information. To see available options, in the command line type dsquery /?

On Linux servers, from the command line, use ldapsearch. (ldapsearch may need to be installed.)

--ldap_fqdn The FQDN is used to identify the LDAP service. By default it is derived from the base-DN, but there are cases that it must be defined explicitly.

If you want to support multiple FQDNs for one service, this parameter can contain a list of sub-strings in square brackets. For example: [us.,eu.,as.,]dell.ldap will include users with the following suffixes: us.dell.ldap, eu.dell.ldap, as.dell.ldap, dell.ldap.

--ldap_service_name LDAP service name

--username_dn_format The username format in DN format (must contain [USER] as a placeholder for the username)

--search_filter_format A search filter for the LDAP query. This is required only if it is different from the default. It must contain [USER] and [GROUP] as placeholders for the username and group DN. Example: (&(objectClass=user)(sAMAccountName=[USER])(memberOf:1.2.840.113556.1.4.1941:=[GROUP]))

--authorizer_dn The authorizer username for groups search

--authorizer_password Password of the authorizer user


Examples

scli --add_ldap_service --ldap_service_uri "ldaps://ldaps.ecme.com:636" --ldap_base_dn "OU=SIO_OU_1,DC=ldaps,DC=local"

where:

ldaps://ldaps.ecme.com is the host name of the authentication server.

636 is the port number.

OU=SIO_OU_1 is a specific organizational unit group defined in the Active Directory.

DC=ldaps,DC=local are the domain component parts of the Base DN.

scli --add_ldap_service --ldap_service_uri ldaps://ldaps.ecme.com:3269 --ldap_base_dn ou=sio_ou_1,dc=ldaps,dc=ecme,dc=com --ldap_fqdn [na.,eu.,as.,]ldaps.ecme.com

where:

The access will be to the global catalog through port 3269.

ou=sio_ou_1 is a specific organizational unit group defined in the Active Directory.

dc=ldaps,dc=ecme,dc=com are the domain component parts of the Base DN.

The following FQDNs will be mapped to the same URI ldaps://ldaps.ecme.com: ldaps://na.ldaps.ecme.com, ldaps://eu.ldaps.ecme.com, ldaps://as.ldaps.ecme.com, and ldaps://ldaps.ecme.com.
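As an added example (not code from the Dell document) of the placeholder and URI rules the add_ldap_service parameters describe, the following Python parses an --ldap_service_uri value, expands the --ldap_fqdn prefix list, and fills [USER] and [GROUP] into --username_dn_format and --search_filter_format templates. The RFC 4515/4514 escaping of the substituted login is this example's own addition and says nothing about how the MDM renders the templates.

```python
from urllib.parse import urlsplit

# Default ports the page gives for the two schemes accepted by --ldap_service_uri.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# Global catalog ports the page mentions.
GLOBAL_CATALOG_PORTS = {3268: "global catalog (non-secure)",
                        3269: "global catalog (secure)"}


def parse_ldap_service_uri(uri):
    """Return (scheme, hostname, port, is_global_catalog) for an --ldap_service_uri value.

    The URI must start with ldap:// or ldaps:// followed by a host name; when no
    port is given the scheme's default applies.
    """
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("URI must start with ldap:// or ldaps:// followed by a host name")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname, port, port in GLOBAL_CATALOG_PORTS


def expand_ldap_fqdn(fqdn):
    """Expand the square-bracket prefix list of --ldap_fqdn into every suffix it covers.

    "[us.,eu.,as.,]dell.ldap" -> us.dell.ldap, eu.dell.ldap, as.dell.ldap, dell.ldap
    """
    if not fqdn.startswith("["):
        return [fqdn]
    end = fqdn.index("]")
    return [prefix + fqdn[end + 1:] for prefix in fqdn[1:end].split(",")]


def login_matches_fqdn(login, fqdn):
    """True when the domain part of user@domain is one of the service's FQDNs."""
    _, _, domain = login.rpartition("@")
    return domain.lower() in (s.lower() for s in expand_ldap_fqdn(fqdn))


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter, so a login
    such as "*" or "x)(objectClass=*" cannot widen the query (example's own step)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value substituted into a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def render_user_dn(username_dn_format, user):
    """Fill the [USER] placeholder of --username_dn_format for one login."""
    if "[USER]" not in username_dn_format:
        raise ValueError("--username_dn_format must contain [USER]")
    return username_dn_format.replace("[USER]", escape_dn_value(user))


def render_search_filter(search_filter_format, user, group_dn):
    """Fill the [USER] and [GROUP] placeholders of --search_filter_format."""
    for placeholder in ("[USER]", "[GROUP]"):
        if placeholder not in search_filter_format:
            raise ValueError("--search_filter_format must contain " + placeholder)
    return (search_filter_format
            .replace("[USER]", escape_filter_value(user))
            .replace("[GROUP]", escape_filter_value(group_dn)))


if __name__ == "__main__":
    # Values taken from the examples on this page.
    print(parse_ldap_service_uri("ldaps://ldaps.ecme.com:3269"))
    print(expand_ldap_fqdn("[us.,eu.,as.,]dell.ldap"))
    print(render_search_filter(
        "(&(objectClass=user)(sAMAccountName=[USER])(memberOf:1.2.840.113556.1.4.1941:=[GROUP]))",
        "johnd", "CN=SIO_GRP_1,OU=SIO_OU_1,DC=ldaps,DC=ecme,DC=com"))
```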

add_ldap_service (PowerFlex 3.0.x and earlier)

Add the service to the MDM to be used for authentication. In return, the user receives the ID of the LDAP service. Use these commands in PowerFlex 3.0.x and earlier.

NOTE: PowerFlex systems support authentication by up to eight LDAP servers. When multiple LDAP servers are used, add each one separately using this command.

Syntax

scli --add_ldap_service --ldap_service_uri <LDAP_SERVICE_URI> --ldap_base_dn <BASE_DN> [--ldap_service_name <LDAP_NAME>] [--username_dn_format <USERNAME_DN_FORMAT>] [--authorizer_dn <AUTHORIZER_DN>] [--authorizer_password <AUTHORIZER_PASSWORD>] [--object_class_attribute <OBJECT_CLASS>] [--user_attribute_name <USER_ATTRIBUTE>] [--member_of_attribute_name <MEMBER_OF_ATTRIBUTE>] [--disable_recursive_search]

The following command parameters were deprecated in PowerFlex 3.5 and replaced with the --search_filter_format parameter:

--object_class_attribute
--user_attribute_name
--member_of_attribute_name
--disable_recursive_search

When configuring LDAP authentication for PowerFlex 3.5 or later, see the relevant task and CLI information.

Parameters

--ldap_service_uri URI of the LDAP service:

<protocol>://<hostname>:[<port>]

Where:

<protocol> defines the connection protocol: LDAPS for a secure LDAP connection (recommended), or LDAP for a non-secure LDAP connection.

<hostname> is the LDAP host name.

<port> is the LDAP service port (default: 636).

Example: ldaps://my.ldaphost.com:636

NOTE: No extra validation is performed at this stage.

--ldap_base_dn Base Distinguished Name (DN) of users in the domain. Must be a valid DN containing the DC substring. For example, if a user corporate login is johnd@ecme.corp.com, the DC string would be DC=ecme, DC=corp, DC=com.

NOTE: On Active Directory Windows servers, use the dsquery tool to find LDAP Base DN information. To see available options, in the command line type dsquery /?

On Linux servers, from the command line, use ldapsearch. (ldapsearch may need to be installed.)

--ldap_service_name LDAP service name

--username_dn_format The username format in DN format (must contain an asterisk (*) as a place holder for the username)

--authorizer_dn The authorizer username for groups search

--authorizer_password Password of the authorizer user

--object_class_attribute Object class attribute used to identify a user. It is used in the search filter. Default: user.

--user_id_attribute_name Attribute name that defines the user ID and is used in the search filter. Default: sAMAccountName.

--member_of_attribute_name Attribute name that defines the contained group and is used in the search filter. Default: memberOf.

--disable_recursive_search Disable recursive search

Example

scli --add_ldap_service --ldap_service_uri "ldaps://ldaps.ecme.com" --ldap_base_dn "OU=SIO_OU_1,DC=ldaps,DC=local"

where:

ldaps://ldaps.ecme.com is the host name of the authentication server.

OU=SIO_OU_1 is a specific organizational unit group defined in the Active Directory.

DC=ldaps and DC=local are the domain component parts of the Base DN.

assign_ldap_groups_to_roles

Map LDAP groups to PowerFlex system roles.

The LDAP service must be configured before using this command. Once you have mapped the roles, you can assign users in the Active Directory to the relevant LDAP groups.


NOTE: To enable LDAP users to use the PowerFlex GUI or vSphere Plug-in, you must assign all LDAP groups the Monitor role.

Syntax

scli --assign_ldap_groups_to_roles (--ldap_service_id <ID> | --ldap_service_name <NAME>) [--administrator_role_dn <GROUP_DN>] [--security_role_dn <GROUP_DN>] [--backend_config_role_dn <GROUP_DN>] [--frontend_config_role_dn <GROUP_DN>] [--monitor_role_dn <GROUP_DN>] [--allow_overwrite]

Parameters

--ldap_service_id ID of the LDAP service

--ldap_service_name Name of the LDAP service

--administrator_role_dn LDAP group that has users with administration privileges

--security_role_dn LDAP group that has users with security privileges

--backend_config_role_dn LDAP group that has users with backend configuration privileges

--frontend_config_role_dn LDAP group that has users with frontend configuration privileges

--monitor_role_dn LDAP group that has users with monitoring privileges

--allow_overwrite Overwrites the role's LDAP group

Example

scli --assign_ldap_groups_to_roles --ldap_service_id 0xAABBCCDDEEFF0011 --administrator_role_dn "CN=SIO_GRP_1,OU=SIO_OU_1,DC=ldaps,DC=ecme,DC=com" --monitor_role_dn "CN=SIO_GRP_2,OU=SIO_OU_1,DC=ldaps,DC=ecme,DC=com"

set_user_authentication_method

Set the user authentication method for the system.

CAUTION: Use this command with caution. The operation is complex to roll back.

NOTE: For details about setting up LDAP, refer to the PowerFlex User Roles and LDAP Usage Technical Notes.


Syntax

scli --set_user_authentication_method (--ldap_authentication | --native_authentication | --native_and_ldap_authentication | --allow_ldap_without_admin) [--i_am_sure]

Parameters

--ldap_authentication LDAP-based authentication method where users are managed on an LDAP-compliant server. Configure LDAP service and LDAP user before switching to this authentication method.

--native_authentication Native authentication method where users are managed locally in the system

--native_and_ldap_authentication A hybrid authentication method. Both LDAP and local users may log in to the system after it is set.

--allow_ldap_without_admin Allow setting the LDAP authentication method even if there is no LDAP service with the administrator role.

--i_am_sure Skip the safety questions for command execution. (For example: This could damage the stored data. Are you sure?)

Example

scli --set_user_authentication_method --native_and_ldap_authentication --i_am_sure

query_user_authentication_properties

Retrieve information about LDAP services configured in the system.

Syntax

scli --query_user_authentication_properties

Parameters

None.

Example

scli --query_user_authentication_properties


Additional PowerFlex CLI commands for LDAP

This section contains additional PowerFlex CLI commands used to maintain and modify LDAP authorization on the MDM.

remove_ldap_group_from_role_assignment

Remove LDAP groups from LDAP user role assignments.

Syntax

scli --remove_ldap_group_from_role_assignment (--ldap_service_id <ID> | --ldap_service_name <NAME>) [--administrator_role <GROUP_DN>] [--security_role <GROUP_DN>] [--backend_config_role <GROUP_DN>] [--frontend_config_role <GROUP_DN>] [--monitor_role <GROUP_DN>]

Parameters

--ldap_service_id ID of the LDAP service

--ldap_service_name Name of the LDAP service

Options:

(choose at least one of the following)

--administrator_role LDAP group containing users with administration privileges

--security_role LDAP group containing users with security privileges

--backend_config_role LDAP group containing users with backend configuration privileges

--frontend_config_role LDAP group containing users with frontend configuration privileges

--monitor_role LDAP group containing users with monitoring privileges

Example

scli --remove_ldap_group_from_role_assignment --ldap_service_id 0xAABBCCDDEEFF0011 --administrator_role "CN=SIO_GRP_1,OU=SIO_OU_1,DC=ldaps,DC=ecme,DC=com"


rename_ldap_service

Assign a name to, or rename, an LDAP service.

Syntax

scli --rename_ldap_service (--ldap_service_id <ID> | --ldap_service_name <NAME>) --new_name <NEW_NAME>

Parameters

--ldap_service_id ID of LDAP service

--ldap_service_name Name of LDAP service

--new_name New name to be assigned to the LDAP service

Example

scli --rename_ldap_service --ldap_service_name prevLSName --new_name newLSName

remove_ldap_service

Remove an LDAP service from the system.

Syntax

scli --remove_ldap_service (--ldap_service_id <ID> | --ldap_service_name <NAME> | --remove_all)

Parameters

--ldap_service_id ID of the LDAP service

--ldap_service_name Name of the LDAP service

--remove_all Remove all LDAP services.

Example

scli --remove_ldap_service --ldap_service_name ldap1


Configuring LDAP authentication on the PowerFlex Gateway

This section explains how to configure LDAP authentication for the PowerFlex Gateway/PowerFlex Installer.

Preliminary configurations

Before configuring LDAP authentication on the PowerFlex Gateway, ensure that the system meets the following prerequisites:

You have prepared both the LDAP server and the server on which the PowerFlex package is to be installed. For instructions, see Preparing PowerFlex servers for use with LDAP on page 13.

The PowerFlex Gateway package has been deployed on the server.

FOSGWTool basics

FOSGWTool is a gateway-related command line script that enables you to run PowerFlex Gateway commands.

To use FOSGWTool, enter the appropriate path based on the gateway's operating system, and append the commands to the end of the path. FOSGWTool is located at:

Linux: /opt/emc/scaleio/gateway/bin/FOSGWTool.sh

Windows: C:\Program Files\EMC\ScaleIO\Gateway\bin\FOSGWTool.bat

Configure LDAP authorization on the PowerFlex Gateway

Use the following task to configure LDAP authorization on a PowerFlex Gateway.

Prerequisites

Ensure the PowerFlex Gateway server is configured for LDAPS/LDAP connectivity, as described in Preparing PowerFlex servers for use with LDAP on page 13.

About this task

You can configure up to eight LDAP servers. When adding multiple LDAP servers, ensure that the list for each parameter in the reset_ldap_properties command is the same length. Items in lists should be separated by ";". When multiple LDAP servers are used, you must import each server's certificate into the gateway's truststore.

NOTE: The FOSGWTool --set_ldap_properties command that existed in previous PowerFlex versions has been deprecated, and is now supported for only a single LDAP server. You cannot use it to add multiple LDAP servers.

Steps

1. Add the LDAP parameters to the PowerFlex Gateway when no authorizer is configured:

If an authorizer is configured (Linux LDAP servers only), skip to the next step.


Syntax:

FOSGWTool.sh --reset_ldap_properties [--server_url_list <SERVER_URL_LIST>] [--base_dn_list <BASE_DN_LIST>] [--group_name_list <GROUP_NAME_LIST>] [--dn_format_list <DN_FORMAT_LIST>] [--filter_list <FILTER_LIST>] [--create_default_lockbox]

NOTE: The FOSGWTool for Windows is FOSGWTool.bat.

Linux LDAP server example:

FOSGWTool.sh --reset_ldap_properties --server_url_list "ldap://server.ldap.com" --base_dn_list "dc=ldap,dc=com" --group_name_list "CN=scaleio_QA,ou=People,dc=ldap,dc=com" --dn_format_list "CN= ,OU=People,DC=ldap,DC=com" --filter_list "(&(objectClass=userSecurityInformation)(cn= )(memberOf= ))"

Windows LDAP server example:

FOSGWTool.sh --reset_ldap_properties --server_url_list "ldaps://win08r2-dc.ldap.local;ldaps://win12r2-dc.ldaps.local" --base_dn_list "DC=ldap,DC=local;DC=ldaps,DC=local" --group_name_list "CN=SIO_OU_1_ADMIN_GRP,OU=SIO_OU_1,DC=ldap,DC=local;CN=SIO_GRP_1,OU=SIO_OU_1,DC=ldaps,DC=local"

NOTE: Ensure that the list for each parameter in the command is the same length (up to eight items per list). Items in lists should be separated by ";".

NOTE: If the default lockbox already exists, omit the --create_default_lockbox option.

If a previous LDAP configuration exists, an error message is returned. To confirm overwriting of the configuration, issue the command again, with the flag --i_am_sure appended to the command.

2. Add the LDAP parameters to the gateway when an authorizer is configured on a Linux LDAP server:

Syntax:

FOSGWTool.sh --reset_ldap_properties [--server_url_list <SERVER_URL_LIST>] [--base_dn_list <BASE_DN_LIST>] [--group_name_list <GROUP_NAME_LIST>] [--dn_format_list <DN_FORMAT_LIST>] [--filter_list <FILTER_LIST>] [--authorizer_dn_list <AUTHORIZER_DN_LIST>] [--authorizer_password_list <AUTHORIZER_PASSWORD_LIST>] [--create_default_lockbox]

Example:

FOSGWTool.sh --reset_ldap_properties --create_default_lockbox --server_url_list "ldap://server.ldap.com" --base_dn_list "dc=ldap,dc=com" --group_name_list "cn=scaleio_QA,ou=People,dc=ldap,dc=com" --dn_format_list "CN= ,OU=People,DC=ldap,DC=com" --filter_list "(&(objectClass=*)(cn= )(memberOf= ))" --authorizer_dn_list "cn=authorizer_user,ou=Authorizer,dc=ldap,dc=com" --authorizer_password_list "Password1" --i_am_sure

Example for multiple Linux LDAP servers.

FOSGWTool.sh --reset_ldap_properties --create_default_lockbox --server_url_list "ldap://linux.ldaps.local;ldap://server.ldap.com" --base_dn_list "dc=ldaps,dc=local;dc=ldap,dc=com" --group_name_list "CN=SIO_GRP_1,OU=SIO_OU_1,dc=ldaps,dc=local;cn=scaleio_QA,ou=People,dc=ldap,dc=com" --dn_format_list "CN= ,OU=People,dc=ldaps,dc=local;CN= ,OU=People,dc=ldap,dc=com" --filter_list "(&(objectClass=*)(cn= )(memberOf= ));(&(objectClass=*)(cn= )(memberOf= ))" --authorizer_dn_list "cn=authorizer_user,ou=Authorizer,dc=ldaps,dc=local;cn=authorizer_user,ou=Authorizer,dc=ldap,dc=com" --authorizer_password_list "Password1;Password2" --i_am_sure

NOTE: Ensure that the list for each parameter in the command is the same length (up to eight items per list). Items in lists should be separated by ";".

NOTE: If the default lockbox already exists, omit the --create_default_lockbox option.


If a previous LDAP configuration exists, an error message is returned. To confirm overwriting of the configuration, issue the command again, with the flag --i_am_sure appended to the command.

3. Optionally view the existing lockbox configuration:

Linux gateway:

/opt/emc/scaleio/gateway/bin/FOSGWTool.sh --query_ldap_properties

Windows gateway:

C:\Program Files\EMC\ScaleIO\Gateway\bin\FOSGWTool.bat --query_ldap_properties

Edit the gatewayUser.properties file

If only LDAP authentication will be used, and native authentication will be disabled, edit the gatewayUser.properties file using the following task. If local authentication is not disabled, skip this task.

Steps

1. Using a text editor, open the gatewayUser.properties file.

The gatewayUser.properties file is located in the following directory on the PowerFlex Gateway server:

Linux: /opt/emc/scaleio/gateway/webapps/ROOT/WEB-INF/classes

Windows: C:\Program Files\EMC\ScaleIO\Gateway\webapps\ROOT\WEB-INF\classes\

2. Change the gateway-admin.disable.local.login property to "true":

gateway-admin.disable.local.login=true

3. Save and close the file.

4. Restart the PowerFlex Gateway service:

On a Linux server run:

service scaleio-gateway restart

On a Windows server: From the Windows Services window, restart the EMC ScaleIO Gateway.

Results

When the configuration is complete, you must log in to the PowerFlex Gateway using LDAP user credentials. For example:

user: sio_1@ldaps.local, password: password

Configure a secured connection

Configure a secured connection to the LDAP servers by adding the LDAPS servers' certificates to the PowerFlex Gateway's truststore using the Java Keytool utility.

Prerequisites

Configure LDAP authorization on the PowerFlex Gateway server, as described in the previous task.

About this task

Keytool is a part of the Java (JRE or JDK) installation and can be found in the bin directory. For more information about using Keytool, default paths, and typical commands, see "Using Keytool to add certificates to external components" in the Configure and Customize PowerFlex Guide.


Steps

1. Add the LDAPS servers' certificates to the PowerFlex Gateway's truststore.jks file.

keytool -import -trustcacerts -alias [unique_alias] -file [path_to_the_certificate_file] -keystore [path_to_certificates_folder]/truststore.jks

The truststore.jks is located at:

Linux: /opt/emc/scaleio/gateway/webapps/ROOT/WEB-INF/classes/certificates/truststore.jks

Windows: C:\Program Files\EMC\ScaleIO\Gateway\webapps\ROOT\WEB-INF\classes\certificates\truststore.jks

For multiple LDAP servers, import all the certificates. The file name and location may be the same, but each certificate alias must be unique. Dell EMC recommends using the certificate's full subject. For example:

givenname=mdm, ou=asd, o=emc, l=hopkinton, st=massachusetts, c=us, cn=centos-6.4-adi5

If you add -storepass changeit to the command, you will not be prompted for the truststore password. For example:

keytool -import -trustcacerts -alias test -file "/tmp/scaleio.cer" -keystore "/opt/emc/scaleio/gateway/webapps/ROOT/WEB-INF/classes/certificates/truststore.jks" -storepass changeit

2. Restart the PowerFlex Gateway service:

On a Linux server run:

service scaleio-gateway restart

On a Windows server: From the Windows Services window, restart the EMC ScaleIO Gateway.

3. Run the following command and confirm in the output that each LDAPS server's certificate was imported successfully into the truststore.jks file:

keytool -list -v -keystore [truststore.jks_path]/truststore.jks -alias [unique_alias] -storepass changeit

For example:

keytool -list -v -keystore "/opt/emc/scaleio/gateway/webapps/ROOT/WEB-INF/classes/certificates/truststore.jks" -alias test -storepass changeit

FOSGWTool commands

The following commands are used to configure LDAP authentication for the PowerFlex Gateway.

reset_ldap_properties

Save multiple LDAP servers in a lockbox. If explicitly requested (--create_default_lockbox), create a lockbox first.

You can save the properties for up to eight LDAP servers. When adding multiple LDAP servers, ensure that the list for each parameter in the reset_ldap_properties command contains the same number of entries. Separate between entries in each list with an ";".

Syntax

FOSGWTool.sh --reset_ldap_properties --server_url_list <SERVER_URL_LIST> --base_dn_list <BASE_DN_LIST> --group_name_list <GROUP_NAME_LIST> [--dn_format_list <DN_FORMAT_LIST>] [--filter_list <FILTER_LIST>] [--authorizer_dn_list <AUTHORIZER_DN_LIST>] [--authorizer_password_list <AUTHORIZER_PASSWORD_LIST>] [--create_default_lockbox] [--i_am_sure]


NOTE: The FOSGWTool for Windows is FOSGWTool.bat.

Parameters

--server_url_list (Mandatory.) List of LDAP server URLs:

<protocol>://<hostname>:<port>

Where:

<protocol> defines the connection protocol: LDAPS for a secure connection (recommended), or LDAP for a non-secured TCP connection.

<hostname> is the LDAP host name.

<port> is the LDAP service port (optional).

Example: ldaps://win12r2-dc.ldaps.local;ldap://win08r2-dc.ldap.local

--base_dn_list (Mandatory.) List of base Distinguished Names (DN) of users in domains.

NOTE: On Active Directory Windows servers, use the dsquery tool to find LDAP Base DN information. To see available options, in the command line type dsquery /?

On Linux servers, from the command line, use ldapsearch. (ldapsearch may need to be installed.)

--group_name_list (Mandatory.) List of LDAP groups that contain users with administration privileges

--dn_format_list (Optional.) List of DN (Distinguished Names) formats. Relevant only for Linux servers. If not defined, default is used.

--filter_list (Optional.) List of filters (Distinguished Names). Relevant only for Linux servers. If not defined, default is used.

--authorizer_dn_list (Optional.) List of user DNs that are authorized to perform an LDAP server search

--authorizer_password_list (Mandatory if --authorizer_dn_list is defined.) List of passwords corresponding to the list of authorizer DNs. Because list items are separated with a semicolon (;), passwords cannot contain the ";" character.

--i_am_sure Gives preemptive approval to the command

--create_default_lockbox Creates a lockbox with a random passphrase if one doesn't already exist

Single LDAP server example

FOSGWTool.sh --reset_ldap_properties --server_url_list "ldap://server.ldap.com" --base_dn_list "dc=ldap,dc=com" --group_name_list "cn=scaleio_QA,ou=People,dc=ldap,dc=com" --dn_format_list "CN= ,OU=People,DC=ldap,DC=com" --filter_list "(&(objectClass=*)(cn= )(memberOf= ))"


Multiple LDAPS server examples

FOSGWTool.sh --reset_ldap_properties --i_am_sure --server_url_list "ldap://win12r2-dc.ldaps.local;ldap://server.ldap.com" --base_dn_list "DC=ldaps,DC=local;dc=ldap,dc=com" --group_name_list "CN=SIO_GRP_1,OU=SIO_OU_1,DC=ldaps,DC=local;cn=scaleio_QA,ou=People,dc=ldap,dc=com" --dn_format_list ";CN= ,OU=People,DC=ldap,DC=com" --filter_list ";(&(objectClass=*)(cn= )(memberOf= ))"

When adding multiple LDAP servers, ensure that the list for each parameter in the --reset_ldap_properties command is the same length. Items in lists should be separated with a ";".

NOTE: In the above example for multiple servers, the first server in the list is a Windows LDAP server, whereas the second server in the list is a Linux LDAP server. Because the --dn_format_list and --filter_list parameters are relevant only to Linux LDAP servers and not for Windows LDAP servers, an empty field followed by the ";" is used for the Windows server's value in each of these parameter lists.
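As an added example, not part of the Dell document, the following Python applies the list rules stated for --reset_ldap_properties (equal list lengths, at most eight servers, ";" as the separator, passwords only together with authorizer DNs, empty Linux-only fields for a Windows server) to the two-server example above and rebuilds the argument lists from the per-server records. The [USER]/[GROUP] placeholder form in the sample DN format and filter is assumed from the gatewayUser.properties example on this page.

```python
MAX_SERVERS = 8
LIST_ORDER = ("server_url_list", "base_dn_list", "group_name_list",
              "dn_format_list", "filter_list",
              "authorizer_dn_list", "authorizer_password_list")
MANDATORY = LIST_ORDER[:3]
LINUX_ONLY = ("dn_format_list", "filter_list")  # left empty for a Windows server


def split_list(value):
    """';' separates entries, so an entry can never itself contain ';'."""
    return value.split(";")


def validate_reset_ldap_properties(**lists):
    """Return (servers, errors). servers holds one dict per LDAP server and is
    empty when any rule is violated; errors lists the violated rules."""
    errors = []
    for name in MANDATORY:
        if not lists.get(name):
            errors.append("--%s is mandatory" % name)
    if errors:
        return [], errors
    columns = {name: split_list(lists[name]) for name in LIST_ORDER if lists.get(name)}
    count = len(columns["server_url_list"])
    if count > MAX_SERVERS:
        errors.append("%d servers given, at most %d are supported" % (count, MAX_SERVERS))
    for name, entries in columns.items():
        if len(entries) != count:
            errors.append("--%s has %d entries but --server_url_list has %d "
                          "(a ';' inside a value, such as a password?)"
                          % (name, len(entries), count))
    if "authorizer_dn_list" in columns and "authorizer_password_list" not in columns:
        errors.append("--authorizer_password_list is mandatory when --authorizer_dn_list is given")
    for i, url in enumerate(columns["server_url_list"]):
        if not url.startswith(("ldap://", "ldaps://")):
            errors.append("server %d: %r must start with ldap:// or ldaps://" % (i + 1, url))
    if errors:
        return [], errors
    servers = []
    for i in range(count):
        record = {name: entries[i] for name, entries in columns.items()}
        # Only a Linux LDAP server carries a DN format or a filter.
        record["linux_ldap"] = any(record.get(k) for k in LINUX_ONLY)
        servers.append(record)
    return servers, errors


def to_reset_command(servers):
    """Rebuild the argument lists, one ';'-joined value per list, in the shape the
    page shows under --query_ldap_properties. Authorizer passwords end up on the
    command line exactly as in the page's own examples."""
    parts = ["FOSGWTool.sh --reset_ldap_properties"]
    for name in LIST_ORDER:
        if any(s.get(name) for s in servers):
            parts.append('--%s "%s"' % (name, ";".join(s.get(name, "") for s in servers)))
    return " ".join(parts)


# Constructed sample: the page's two-server example, a Windows server first and
# a Linux server second, so the Linux-only lists start with an empty field.
SAMPLE = dict(
    server_url_list="ldap://win12r2-dc.ldaps.local;ldap://server.ldap.com",
    base_dn_list="DC=ldaps,DC=local;dc=ldap,dc=com",
    group_name_list="CN=SIO_GRP_1,OU=SIO_OU_1,DC=ldaps,DC=local;"
                    "cn=scaleio_QA,ou=People,dc=ldap,dc=com",
    dn_format_list=";CN=[USER],OU=People,DC=ldap,DC=com",
    filter_list=";(&(objectClass=*)(cn=[USER])(memberOf=[GROUP]))",
)

if __name__ == "__main__":
    servers, errors = validate_reset_ldap_properties(**SAMPLE)
    print(errors or to_reset_command(servers))
```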

update_ldap_properties

Check whether the LDAP properties in the lockbox are configured in the format for earlier versions of PowerFlex. If an LDAP property, such as the group name, is detected in the old format, the command updates the property to the currently supported format.

Syntax

FOSGWTool.sh --update_ldap_properties

NOTE: The FOSGWTool for Windows is FOSGWTool.bat.

Example

FOSGWTool.sh --update_ldap_properties

query_ldap_properties

Query the properties of the LDAP servers in a lockbox.

Syntax

FOSGWTool.sh --query_ldap_properties

NOTE: The FOSGWTool for Windows is FOSGWTool.bat.

Example

FOSGWTool.sh --query_ldap_properties


Single LDAP server example

FOSGWTool.sh --query_ldap_properties

Lockbox contains 1 servers:
Server url: ldap://win12r2-dc.ldaps.local
Base dn: DC=ldaps,DC=local
Group name: CN=SIO_GRP_1,DC=ldaps,DC=local

The parameters in format matching to --reset_ldap_properties command are:
--server_url_list 'ldap://win12r2-dc.ldaps.local' --base_dn_list 'DC=ldaps,DC=local' --group_name_list 'CN=SIO_GRP_1,DC=ldaps,DC=local'

Multiple LDAP servers example

FOSGWTool.sh --query_ldap_properties

Lockbox contains 2 servers:
Server url: ldap://win12r2-dc.ldaps.local
Base dn: DC=ldaps,DC=local
Group name: CN=SIO_GRP_1,OU=SIO_OU_1,DC=ldaps,DC=local
dnFormat: (empty)
filter: (empty)
Server url: ldap://server.ldap.com
Base dn: dc=ldap,dc=com
Group name: cn=scaleio_QA,ou=People,dc=ldap,dc=com
dnFormat: CN= ,OU=People,DC=ldap,DC=com
filter: (&(objectClass=*)(cn= )(memberOf= ))

The output corresponds to the following parameter configurations in the --reset_ldap_properties command:

--server_url_list "ldap://win12r2-dc.ldaps.local;ldap://server.ldap.com" --base_dn_list "DC=ldaps,DC=local;dc=ldap,dc=com" --group_name_list "CN=SIO_GRP_1,OU=SIO_OU_1,DC=ldaps,DC=local;cn=scaleio_QA,ou=People,dc=ldap,dc=com" --dn_format_list ";CN= ,OU=People,DC=ldap,DC=com" --filter_list ";(&(objectClass=*)(cn= )(memberOf= ))"


Configuring LIA to work with LDAP

This section explains how to configure the PowerFlex Lightweight Installation Agent (LIA) to use LDAP authentication following PowerFlex deployment. It also contains instructions for adding LDAP servers for LIA LDAP authentication in an existing PowerFlex system.

NOTE: For instructions for configuring LDAP authentication for LIA during PowerFlex installation for a new deployment, see the Dell EMC Deploy PowerFlex Guide.

Changing LIA authentication to LDAP

Use the following procedure to change the LIA authentication method from native to LDAP in a PowerFlex system that was already deployed. LIA (Lightweight Installation Agent) is installed on every node during PowerFlex deployment. LIA is used to upgrade the component on which it is installed and is required for many maintenance operations.

LIA supports both native and LDAP authentication for authorization to upgrade a component. If native authentication was specified for LIA during initial PowerFlex Gateway installation, you can switch LIA authentication to LDAP after PowerFlex deployment.

NOTE: After you switch LIA authentication to LDAP you cannot change it back to native authentication.

Configure LDAP authentication for LIA on the PowerFlex Gateway

If Linux LDAP servers are used for authenticating LIA, add the Linux LDAP server parameters to the gatewayUser.properties file before switching the LIA authentication mode from native to LDAP in an existing PowerFlex system. If a Windows LDAP server is used, skip this task.

Steps

1. Log in to the PowerFlex Gateway server and open the gatewayUser.properties file, located at /opt/emc/scaleio/gateway/webapps/ROOT/WEB-INF/classes, for editing.

2. Under # properties for add lia ldap server, add the following properties, based on your LDAP server settings.

For PowerFlex Gateway 3.5 and later:

# properties for add lia ldap server
lia.ldap.replicationExisting=
lia.ldap.usernameDnFormat=
lia.ldap.authorizerDn=
lia.ldap.searchFilterFormat=

For example:

# properties for add lia ldap server
lia.ldap.replicationExisting=
lia.ldap.usernameDnFormat=CN=[USER],OU=People,DC=ldap,DC=com
lia.ldap.authorizerDn=
lia.ldap.searchFilterFormat=(&(objectClass=userSecurityInformation)(cn=[USER])(memberOf=[GROUP]))

For PowerFlex Gateway 3.0.x:

# properties for add lia ldap server
lia.ldap.objectClassAttr=
lia.ldap.userIdAttrName=
lia.ldap.memberOfAttrName=
lia.ldap.replicationExisting=
lia.ldap.disableRecursiveSearch=
lia.ldap.usernameDnFormat=
lia.ldap.authorizerDn=

For example:

# properties for add lia ldap server
lia.ldap.objectClassAttr=userSecurityInformation
lia.ldap.userIdAttrName=CN
lia.ldap.memberOfAttrName=memberOf
lia.ldap.replicationExisting=
lia.ldap.disableRecursiveSearch=true
lia.ldap.usernameDnFormat=CN=*,OU=People,DC=ldap,DC=com
lia.ldap.authorizerDn=

3. Restart the PowerFlex Gateway service:

On a Linux server run:

/etc/init.d/scaleio-gateway restart

On a Windows server: From the Windows Services window, restart the EMC ScaleIO Gateway.
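As an added illustration, not Dell's code and not the logic of --update_ldap_properties, the following Python derives the 3.5-style lia.ldap.searchFilterFormat and lia.ldap.usernameDnFormat from the 3.0.x attribute properties shown in step 2, using the defaults this page lists for --object_class_attribute, --user_id_attribute_name and --member_of_attribute_name. The recursive case assumes the Active Directory matching-rule OID from the page's --search_filter_format example, and attribute names keep the case they had (LDAP attribute names are case-insensitive).

```python
AD_CHAIN_RULE = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN; assumed mapping
# Fallback values: the defaults the page lists for the deprecated scli parameters.
DEFAULTS = {"lia.ldap.objectClassAttr": "user",
            "lia.ldap.userIdAttrName": "sAMAccountName",
            "lia.ldap.memberOfAttrName": "memberOf"}

# Constructed sample: the 3.0.x example from this page.
OLD_EXAMPLE = """\
# properties for add lia ldap server
lia.ldap.objectClassAttr=userSecurityInformation
lia.ldap.userIdAttrName=CN
lia.ldap.memberOfAttrName=memberOf
lia.ldap.replicationExisting=
lia.ldap.disableRecursiveSearch=true
lia.ldap.usernameDnFormat=CN=*,OU=People,DC=ldap,DC=com
lia.ldap.authorizerDn=
"""


def parse_properties(text):
    """Minimal key=value reader for the gatewayUser.properties lines shown above."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")   # values may themselves contain '='
        props[key.strip()] = value.strip()
    return props


def upgrade_lia_ldap_properties(old):
    """Return the 3.5-style property dict equivalent to a 3.0.x property dict."""
    object_class = old.get("lia.ldap.objectClassAttr") or DEFAULTS["lia.ldap.objectClassAttr"]
    user_attr = old.get("lia.ldap.userIdAttrName") or DEFAULTS["lia.ldap.userIdAttrName"]
    member_attr = old.get("lia.ldap.memberOfAttrName") or DEFAULTS["lia.ldap.memberOfAttrName"]
    recursive = old.get("lia.ldap.disableRecursiveSearch", "").strip().lower() != "true"
    # Recursive group membership is expressed with the AD chain matching rule.
    member_clause = member_attr + (":%s:" % AD_CHAIN_RULE if recursive else "")
    search_filter = "(&(objectClass=%s)(%s=[USER])(%s=[GROUP]))" % (
        object_class, user_attr, member_clause)
    dn_format = old.get("lia.ldap.usernameDnFormat", "")
    if dn_format and "[USER]" not in dn_format:
        dn_format = dn_format.replace("*", "[USER]", 1)   # 3.0.x used * as the placeholder
    return {
        "lia.ldap.replicationExisting": old.get("lia.ldap.replicationExisting", ""),
        "lia.ldap.usernameDnFormat": dn_format,
        "lia.ldap.authorizerDn": old.get("lia.ldap.authorizerDn", ""),
        "lia.ldap.searchFilterFormat": search_filter,
    }


def format_properties(props):
    """Render a property dict in the block form the page uses."""
    return "# properties for add lia ldap server\n" + "".join(
        "%s=%s\n" % item for item in props.items())


if __name__ == "__main__":
    print(format_properties(upgrade_lia_ldap_properties(parse_properties(OLD_EXAMPLE))))
```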

Next steps

Continue to the next task to change the authentication method using the PowerFlex Installer.

Change LIA authentication method to LDAP

Use the PowerFlex Installer to switch LIA's authentication to LDAP on an existing PowerFlex system. You can switch LIA's authentication method from native to LDAP, but after you perform this task you will not be able to switch back to native authentication.

Prerequisites

If a Linux LDAP server is used, ensure that you have added the Linux server properties to the gatewayUser.properties file, as described in the previous task.

Steps

1. From a web browser, enter the IP address of the PowerFlex Gateway, and log in to the PowerFlex Installer.

2. On the Maintain tab, enter the following information:

a. Primary MDM IP address
b. MDM admin username and password
c. LIA password

3. Click Retrieve system topology. The PowerFlex Installer displays a list of MDMs and their LIA authentication method.

4. On the Maintain tab, click Security Settings > Add LDAP server to LIA authentication list.

5. In the Add LDAP server to LIA authentication list window, enter the MDM admin password, and then fill in the LDAP server URI, group identifier, and BaseDN identifier.

Example for a Linux LDAP server:

LDAP Server URI: ldaps://server.ldap.com
LDAP Group: cn=scaleio_QA,ou=People,dc=ldap,dc=com
LDAP BaseDN: dc=ldap,dc=com

Example for a Windows LDAP server:

LDAP Server URI: ldaps://server.ldap.com
LDAP Group: cn=scaleio_QA,ou=People,dc=ldap,dc=com
LDAP BaseDN: dc=ldap,dc=com

6. Click Add LDAP server.

7. Click Security Settings > Change LIAs authentication method to LDAP.


8. In the Change LIAs authentication method to LDAP for PowerFlex system window, enter the MDM admin password, and LDAP username and password.

9. Optionally select the Force LDAP authentication mode check box so that LDAP authentication is applied to all accessible LIAs.

10. Click Change LIAs authentication method to LDAP.

Results

LDAP is now set as the LIA authentication method, and credentials for an LDAP server have been added to the PowerFlex Gateway.

Add an LDAP server for LIA following system deployment

PowerFlex supports up to eight LDAP servers for LIA authentication. The first LDAP server's credentials are added to the PowerFlex Gateway when LDAP is configured as the LIA authentication method. Use the following procedure to add additional LDAP servers' credentials following PowerFlex deployment.

Steps

1. From a web browser, enter the IP address of the PowerFlex Gateway, and log in to the PowerFlex Installer.

2. On the Maintain tab, enter the following information:

a. Primary MDM IP address
b. MDM admin username and password
c. LIA password

3. Click Retrieve system topology.

4. Click Security Settings > Add LDAP server to LIA authentication list.

5. In the Add LDAP server to LIA authentication list dialog box, enter the MDM admin password, and then fill in the LDAP server URI, group identifier, and BaseDN identifier.

Example for a Linux LDAP server:

LDAP Server URI: ldaps://server.ldap.com
LDAP Group: cn=scaleio_QA,ou=People,dc=ldap,dc=com
LDAP BaseDN: dc=ldap,dc=com

Example for a Windows LDAP server:

LDAP Server URI: ldaps://server.ldap.com
LDAP Group: cn=scaleio_QA,ou=People,dc=ldap,dc=com
LDAPBaseDN: dc=ldap,dc=com

6. Click Add LDAP Server.

Results

The LDAP server's credentials are added to the PowerFlex Gateway for LIA authentication.
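Both procedures above (changing the LIA authentication method to LDAP, and adding a further LDAP server after deployment) take the same three values: the LDAP server URI, the LDAP group DN and the BaseDN. The following is an added example, not part of the Dell technical notes, that sanity-checks those values offline before they are entered into the PowerFlex Installer: the URI must use ldaps:// so the LIA bind is TLS-protected, and the group DN must sit under the BaseDN, otherwise a group lookup anchored at the BaseDN can never find the group. The function names and the DN parser are this example's own; the sample values are the ones shown in the dialog examples above.

```python
"""Offline sanity checks for the values entered into the
"Add LDAP server to LIA authentication list" dialog.

Added example (hypothetical helper names); it does not talk to any
LDAP server, it only validates the three configuration strings.
"""
from urllib.parse import urlsplit


def parse_dn(dn):
    """Split a distinguished name into a list of (attr, value) RDN tuples.

    Backslash-escaped separators (e.g. 'cn=Smith\\, John') are kept inside the
    value. Attribute types and values are lower-cased so comparisons are
    case-insensitive, which matches how cn= and dc= values are compared.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape and the escaped char
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    out = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def dn_is_under(child, base):
    """True when `child` equals `base` or lies beneath it in the directory tree."""
    c, b = parse_dn(child), parse_dn(base)
    return len(c) >= len(b) and c[len(c) - len(b):] == b


def check_lia_ldap_entry(uri, group_dn, base_dn):
    """Return a list of problems found; an empty list means the entry looks sane."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "ldaps":
        problems.append("URI scheme is %r; use ldaps:// so the bind is TLS-protected"
                        % parts.scheme)
    if not parts.hostname:
        problems.append("URI has no host name")
    if parts.path not in ("", "/") or parts.query:
        problems.append("URI should carry only scheme, host and optional port")
    try:
        if not dn_is_under(group_dn, base_dn):
            problems.append("group DN %r is not under BaseDN %r" % (group_dn, base_dn))
    except ValueError as exc:
        problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # The values from the dialog example in the technical notes.
    sample = ("ldaps://server.ldap.com",
              "cn=scaleio_QA,ou=People,dc=ldap,dc=com",
              "dc=ldap,dc=com")
    for p in check_lia_ldap_entry(*sample) or ["entry looks sane"]:
        print(p)
```

Run the script before opening the dialog; any line it prints is something the PowerFlex Installer will accept but that will leave LIA unable to authenticate LDAP users (wrong BaseDN) or binding without TLS (ldap:// instead of ldaps://).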

Remove an LDAP server from LIA LDAP configuration

Use the following procedure to remove an LDAP server from the PowerFlex Gateway's LIA LDAP configuration. If only one LDAP server is configured for LIA, you must add another server before removing the first one.

Steps

1. From a web browser, enter the IP address of the PowerFlex Gateway, and log in to the PowerFlex Installer.

2. On the Maintain tab, enter the following information:

a. Primary MDM IP address
b. MDM admin username and password

