Configuring remote authentication with LDAP

Use the Configure Remote Authentication wizard to configure the storage system for remote authentication with a direct connection to an LDAP server.

Before you begin

The following prerequisites apply to configuring remote authentication with a direct connection to an LDAP server.
  • Access to create users and groups on your remote authentication server is required.
  • A primary LDAP repository URI is required.
  • A secondary LDAP repository URI is optional.
  • A user search base is required.

Procedure

  1. Ensure that the local security administrator role is mapped to a user account that is managed by a remote authentication server. For more information, see Creating a remote mapping for the security administrator role.
    Warning: The security administrator must map the security administrator role to a remote user before remote authentication is enabled on the storage system. If remote authentication is enabled without a remote mapping for the security administrator role, the security administrator will be locked out of the storage system and unable to use the recovery key if the system loses access to encryption key servers.
  2. Log in to the DS8000® Storage Management GUI as a user with administrator privileges.
  3. Select Access > Remote Authentication to open the Remote Authentication page.
  4. Click Configure Remote Authentication to open the Remote Authentication wizard.
  5. On the Remote Authentication page, select Direct LDAP.
    Note: Select Import Configuration to import a remote authentication configuration file that contains the settings for a remote authentication policy that uses a direct LDAP connection. For more information, see Using a remote authentication configuration file.
  6. On the LDAP Server Type page, select an LDAP server type.
  7. On the Configure LDAP servers page, enter connection information for the LDAP server.
    LDAP Servers
    Enter the server name and port number of the LDAP server. You can add up to eight servers. If transport layer security (TLS) is enabled, the default LDAP server port number is 636. If TLS is not enabled, the default port number is 389.
    Security
    Select TLS to use TLS with the LDAP server. Without TLS, the bind password and the passwords of users who log in are sent to the LDAP server in clear text over port 389. To use TLS, you must either upload a truststore file that holds signer certificates for the LDAP servers or retrieve the signer certificates from the LDAP servers.

    To upload a truststore file, click Upload Truststore to open the Upload Truststore window and select a truststore file and enter an optional password for the file.

    To retrieve signer certificates from the LDAP server, click Retrieve Certificates to open the Retrieve Certificates window and display the certificates. Before you accept, compare the displayed subject, issuer, and fingerprint with the certificate that your LDAP administrator issued; accepting an unverified certificate trusts whatever certificate was presented on the network at that moment. Click Accept to complete the retrieval process.

    Authentication
    Select an authentication type.
    Simple
    Bind authentication that uses a distinguished name (DN) and password. The bind user DN should be a functional ID with a bind password that never expires, and it needs only read access to the user and group search bases. If the password can expire, reset the password before it expires or configure the authentication policy to allow access to the local administrator on the storage system.
    Bind DN or User
    Enter a DN or user name for bind authentication.
    For example, you can enter common name (CN) and domain component (DC) values:
    CN=Administrator,CN=users,DC=mycompany,DC=com
    For Microsoft Active Directory LDAP servers, you can enter the following values:
    User123
    Administrator@company.com
    Bind password
    Enter the password for bind authentication.
    Anonymous
    Bind authentication that uses a zero-length DN and a zero-length password for the initial bind and lookup. The user's own credentials are then verified against the Directory Information Tree (DIT).
    Direct authentication
    Authentication that binds directly as the user DN that is built from the placeholder, without an initial bind or lookup.
    User DN placeholder
    Enter a DN placeholder value that represents the user name that is authenticated. You must use one of the placeholders {USERNAME} or {0}, but you cannot use both placeholders in a string. If you specify a user DN placeholder, lookup values such as the user name attribute, user search base, and user name filter are ignored.
    For example, you can enter a placeholder value with an email domain:
    {USERNAME}@company.com
    For Microsoft Active Directory LDAP servers, you can enter a placeholder value:
    {USERNAME}
    {0}
    For Resource Access Control Facility (RACF) LDAP servers, you can enter the following values:
    racfid={USERNAME},profiletype=users,cn=racf
    racfid={0},profiletype=users,cn=racf
    Group DN placeholder
    Enter an optional DN placeholder value that represents a group name that is authenticated as part of a user name. You must use either of the placeholders {GROUPNAME} or {0}, but you cannot use both placeholders in a string. If you specify a group DN placeholder, lookup values such as the group name attribute, group membership attribute, group search base, and group name filter are ignored.
    For example, if the directory contains an entry such as memberOf: cn=group1,cn=groups,o=company,o=com, you can enter the following placeholder value:
    cn={0},cn=groups,o=company,o=com
  8. On the Configure lookup method for LDAP servers page, enter authentication lookup information for group and user names.
    User search base
    Enter the base distinguished name (DN) for user lookup.
    For example, you can enter organization (O) and common name (CN) values:
    o=users,cn=company,cn=com
    User name attribute
    Enter user name attributes for lookup.
    For example, you can enter the following values:
    cn
    racfid
    uid
    mail
    displayName
    givenName
    Group search base
    Enter the group base DN for group lookup. Leave blank to use the User search base.
    For example, you can enter organization (O) and common name (CN) values:
    o=groups,cn=company,cn=com
    Group name attribute
    Enter group name attributes for lookup.
    For example, you can enter the following values:
    cn
    ou
    Group membership attribute
    Enter the attribute that records group membership. You can enter a comma-separated list of attributes. The LDAP server evaluates each attribute both as a property of the user (the groups that the user belongs to, such as memberOf) and as a property of the group (the users that the group contains, such as member). All matches are returned.
    For example, you can enter the following values:
    member
    memberOf
    memberUid,member
    Filters
    Select this option to use a filter for user and group names. The filters override entries for the Group name attribute and User name attribute fields.
    User name filter
    Enter an LDAP search filter for user lookup. You can use one of the placeholders {USERNAME} or {0}, but you cannot use both.
    For example, you can enter one of the following placeholder values:
    (&(sAMAccountName={0})(|(country=us)(country=ca)))
    (mail={USERNAME})
    Group name filter
    Enter an LDAP search filter for group lookup. You can use one of the placeholders {GROUPNAME} or {0}, but you cannot use both.
    For example, you can enter one of the following placeholder values:
    (&(cn={0})(|(objectcategory=group)(objectclass=group)))
    (cn={GROUPNAME})
  9. On the Enable Local Administrator page, click Enable to use the local authentication Administrator role on the storage system in addition to LDAP authentication. If you choose to enable the local Administrator, you must enter the User Name and Password for the Administrator role on the storage system.
  10. On the Configure Authentication Mappings page, map local roles that are defined on the storage system to users or groups on the LDAP server. Select an LDAP account Type, the LDAP user or group name, and the associated Role on the storage system.
  11. On the Administrator Verification page, enter the User Name and Password for the LDAP user account that is mapped to the Administrator role on the storage system.
  12. On the Summary page, review the LDAP configuration information and click Finish to enable LDAP authentication.
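The following worked example is added here to show what the placeholder, filter, and group membership fields from steps 7 and 8 resolve to at login time. It is not DS8000 code and does not use the product's own implementation: it runs the same rules against a small constructed in-memory directory so that it works offline. The DNs, users, groups, the sample policy (search base, user name filter, membership attributes, role mappings), and the function names are assumptions made for the illustration. The escaping functions also show why a user name substituted into {USERNAME} or {0} must be escaped according to RFC 4515 (filters) or RFC 4514 (DNs) before it is used.

```python
# Added example (not DS8000 code): how a user name filter, DN placeholder and
# membership attributes resolve at login. Directory and policy are constructed.
import re


def escape_filter_value(value):
    """RFC 4515: escape the characters that would change search-filter structure."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)


def escape_dn_value(value):
    """RFC 4514: escape the characters that would change DN structure."""
    out = ''.join('\\00' if c == '\x00' else ('\\' + c if c in '"+,;<>\\' else c)
                  for c in value)
    if out.startswith((' ', '#')):
        out = '\\' + out
    if out.endswith(' '):
        out = out[:-1] + '\\ '
    return out


def render(template, name, kind, escape):
    """Fill {USERNAME}/{GROUPNAME} or {0}; the wizard allows one form per string, not both."""
    named = '{' + kind + '}'
    if (named in template) == ('{0}' in template):
        raise ValueError('use exactly one of %s or {0}' % named)
    return template.replace(named if named in template else '{0}', escape(name))


def _parse(s, i):
    """Parse an equality / & / | / ! filter starting at s[i]; returns (node, next_index)."""
    if s[i] != '(':
        raise ValueError('expected ( at offset %d' % i)
    op = s[i + 1]
    if op in '&|!':
        kids, i = [], i + 2
        while s[i] != ')':
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = s.index(')', i)                       # an escaped ')' is \29, so it cannot end the node early
    attr, _, val = s[i + 1:j].partition('=')
    val = re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), val)
    return ('=', attr.lower(), val.lower()), j + 1


def _eval(node, entry):
    op = node[0]
    if op == '=':
        return node[2] in {v.lower() for v in entry.get(node[1], ())}
    if op == '!':
        return not _eval(node[1][0], entry)
    return (all if op == '&' else any)(_eval(k, entry) for k in node[1])


def matches(filt, entry):
    """True if the entry (attribute name -> values, names lowercased) satisfies the filter."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError('trailing text in filter')
    return _eval(node, entry)


DIRECTORY = {  # constructed sample entries; attribute names are lowercased
    'cn=alice,cn=users,dc=mycompany,dc=com': {'samaccountname': ['alice'], 'country': ['us'],
        'memberof': ['cn=storage-admins,cn=groups,dc=mycompany,dc=com']},
    'cn=bob,cn=users,dc=mycompany,dc=com': {'samaccountname': ['bob'], 'country': ['ca'], 'uid': ['bob']},
    'cn=carol,cn=users,dc=mycompany,dc=com': {'samaccountname': ['carol'], 'country': ['de']},
    'cn=storage-admins,cn=groups,dc=mycompany,dc=com': {'cn': ['storage-admins'],
        'objectclass': ['group'], 'member': ['cn=alice,cn=users,dc=mycompany,dc=com']},
    'cn=monitors,cn=groups,dc=mycompany,dc=com': {'cn': ['monitors'],
        'objectclass': ['posixGroup'], 'memberuid': ['bob']},
}

POLICY = {  # constructed sample policy, shaped like the wizard fields in step 8 and step 10
    'user_search_base': 'cn=users,dc=mycompany,dc=com',
    'user_name_filter': '(&(sAMAccountName={0})(|(country=us)(country=ca)))',
    'group_membership_attrs': ['memberOf', 'member', 'memberUid'],
    'mappings': {('group', 'cn=storage-admins,cn=groups,dc=mycompany,dc=com'): 'Administrator',
                 ('group', 'cn=monitors,cn=groups,dc=mycompany,dc=com'): 'Monitor'},
}


def find_user(username, directory=DIRECTORY, policy=POLICY):
    """Search under the user search base with the rendered, escaped user name filter."""
    filt = render(policy['user_name_filter'], username, 'USERNAME', escape_filter_value)
    base = policy['user_search_base'].lower()
    hits = [dn for dn, e in directory.items() if dn.lower().endswith(base) and matches(filt, e)]
    return hits[0] if len(hits) == 1 else None   # zero or ambiguous hits: do not authenticate


def groups_of(user_dn, directory=DIRECTORY, policy=POLICY):
    """Each membership attribute is tried as a property of the user and as a property of the group."""
    user = directory[user_dn]
    uids = {u.lower() for u in user.get('uid', ())}
    found = set()
    for attr in (a.lower() for a in policy['group_membership_attrs']):
        found.update(g.lower() for g in user.get(attr, ()))            # e.g. memberOf on the user
        for dn, e in directory.items():                                 # e.g. member / memberUid on the group
            vals = {v.lower() for v in e.get(attr, ())}
            if user_dn.lower() in vals or uids & vals:
                found.add(dn.lower())
    return found


def roles_for(username, directory=DIRECTORY, policy=POLICY):
    """End to end: user lookup, group resolution, then the authentication mappings."""
    user_dn = find_user(username, directory, policy)
    if user_dn is None:
        return set()
    groups = groups_of(user_dn, directory, policy)
    return {role for (kind, name), role in policy['mappings'].items()
            if kind == 'group' and name.lower() in groups}
```

Running roles_for('alice') yields Administrator through both memberOf on the user and member on the group, roles_for('bob') yields Monitor through memberUid, and roles_for('carol') yields nothing because the country clause of the filter excludes her. A login name of * is escaped to \2a and matches no entry, which is the property to preserve when a filter or DN template contains {USERNAME} or {0}.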