Configuring an LDAP user for a managed domain

To use LDAP authentication for a storage system managed domain, you must create a user on the Active Directory server that holds the storage integration administrator role. The role is granted through group membership: the user must belong to an Active Directory group whose name combines the Storage Integration Admin Role name configured on XIV with the name of the managed domain.

Before you begin

Verify that you configured the following entities:
  • A managed domain on your storage system. In the example used throughout this procedure, dana-domain is the managed domain on the XIV® storage system.
  • An operational Microsoft Active Directory service with an existing group and a user that is a member of that group. In the example used throughout this procedure, these are the xivstorage group and the xivuser user.

About this task

The following procedure details how to configure an LDAP user for a managed domain.

Procedure

  1. Start the XIV management GUI and log in as a storage administrator.
  2. Go to Systems > System Settings > LDAP. The LDAP dialog box is displayed.
    Figure 1. General tab, LDAP dialog box
    This image shows the General tab of the LDAP dialog box.
  3. On the General tab, enable LDAP and select Microsoft Active Directory as the directory service. Then, click Update.
  4. Go to the LDAP Servers tab, and verify that the FQDN and IP address of the Active Directory server are correct.
  5. Go to the User Credentials tab, and define the service user (xivuser in the example) and its password. XIV binds to the Active Directory service as this user and uses it to look up the user and group information stored in the directory. Because the storage system stores this password, use a dedicated account that only needs read access to the directory, not an administrative account. Then, click Update.
    Figure 2. User Credentials tab, LDAP dialog box
    This image shows the User Credentials tab of the LDAP dialog box.
  6. Go to the Role Mapping tab, and set the necessary values for the user attributes, group attributes, and roles. Pay attention to the Storage Integration Admin Role setting (xivstorageintegrationadmin in the example). This parameter, along with the managed domain name, is used as a group name on the Active Directory server. Then, click Update.
    Figure 3. Role Mapping tab, LDAP dialog box
    This image shows the Role Mapping tab of the LDAP dialog box.
  7. Start your Active Directory management software and go to the group configuration section.
  8. In the group configuration section, add a new group with the following attributes:
    • Group name: xivstorageintegrationadmin@dana-domain. The group name must be the same as the Storage Integration Admin Role setting on XIV (xivstorageintegrationadmin) and it must include the name of the XIV managed domain (dana-domain).
    • Description: StorageIntegrationAdmin
    • Group type: Security
    • Group scope: Global
    Figure 4. Group configuration on Active Directory server
    This image shows group configuration section.
  9. Go to the user configuration section, create a new user and add it to the xivstorageintegrationadmin@dana-domain group. The user should have the following attributes:
    • Full name: danasia
    • User UPN logon: danasia@hsg.test.com
    • User SamAccountName logon: hsg\danasia
    • Description: StorageIntegrationAdmin
    • Member of: xivstorageintegrationadmin@dana-domain
    Figure 5. User configuration on Active Directory server
    This image shows user configuration section.
  10. Use the following XCLI commands to verify the LDAP configuration:
    • Run the ldap_mode_get command to make sure that the LDAP authentication is active:
      >>ldap_mode_get
      Mode
      ----------
      Active
    • Run the ldap_test command to verify that the LDAP user xivuser has been configured correctly:
      >>ldap_test fqdn=hsg-ad1.hsg.test.com user=xivuser password=<password>
      command 0:
      administrator:
          command:
              code = "SUCCESS"
              status = "0"
              status_str = "Command completed successfully"
      aserver = "DELIVERY_SUCCESSFUL"
    • Run the ldap_test command again to verify that the LDAP storage integration admin user danasia has been configured correctly:
      >>ldap_test fqdn=hsg-ad1.hsg.test.com user=danasia password=<password>
      command 0:
      administrator:
          command:
              code = "SUCCESS"
              status = "0"
              status_str = "Command completed successfully"
      aserver = "DELIVERY_SUCCESSFUL"
  11. Start Spectrum Control Base and go to Setting > Storage Credentials. The Storage Credentials dialog box is displayed.
    Figure 6. Storage Credentials dialog box
    This image shows Storage Credentials dialog box.
  12. In the Storage Credentials dialog box, enter the user name defined on the Active Directory server (danasia), enter the password that was set for that user in Active Directory, and select the Directory account check box to specify that the credentials are validated against the Active Directory server.
  13. Click Apply to finish.
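The Active Directory part of this procedure (steps 7 through 9) can be scripted, which also makes it easy to check the naming rule that the role mapping depends on before running ldap_test in step 10. The following PowerShell script is an added example and is not part of the IBM procedure or product. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host, an account that is allowed to create objects in the target OU, and the example names from this page; the OU path OU=Storage,DC=hsg,DC=test,DC=com is an assumption.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the IBM procedure: creates the group and user from
# steps 7 through 9 and then checks the naming rule XIV relies on. Assumes the
# ActiveDirectory PowerShell module (RSAT) on a domain-joined host and an
# account allowed to create objects in $TargetOU. The OU path is an assumption;
# the other names are the ones used in the procedure above.
param(
    [string]$RoleName      = 'xivstorageintegrationadmin',  # Storage Integration Admin Role on XIV
    [string]$ManagedDomain = 'dana-domain',                 # managed domain on XIV
    [string]$UserName      = 'danasia',
    [string]$UpnSuffix     = 'hsg.test.com',
    [string]$TargetOU      = 'OU=Storage,DC=hsg,DC=test,DC=com'  # assumed OU
)

$ErrorActionPreference = 'Stop'

# XIV looks for a group named exactly "<role>@<managed domain>"; build the name
# once so that group creation and the later check cannot drift apart.
$GroupName = "$RoleName@$ManagedDomain"

# Step 8: a security group with global scope.
if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupCategory Security -GroupScope Global `
        -Description 'StorageIntegrationAdmin' -Path $TargetOU
}

# Step 9: the user that Spectrum Control Base logs in with. The password is
# prompted for rather than written into the script.
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$UserName'")) {
    $Password = Read-Host -AsSecureString -Prompt "Password for $UserName"
    New-ADUser -Name $UserName -SamAccountName $UserName `
        -UserPrincipalName "$UserName@$UpnSuffix" `
        -Description 'StorageIntegrationAdmin' -Path $TargetOU `
        -AccountPassword $Password -Enabled $true
}

# Add the membership only if it is missing; Add-ADGroupMember fails on an
# account that is already a member.
$AlreadyMember = Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.sAMAccountName -eq $UserName }
if (-not $AlreadyMember) {
    Add-ADGroupMember -Identity $GroupName -Members $UserName
}

# Check: the user is a direct member of a group whose name is exactly
# "<role>@<managed domain>". A group named only "xivstorageintegrationadmin",
# or one with the managed domain misspelled, would not map to the role.
$Member = Get-ADUser -Identity $UserName -Properties memberOf
$Names  = $Member.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).sAMAccountName }
if ($Names -contains $GroupName) {
    Write-Host "OK: $UserName is a member of $GroupName; run ldap_test on XIV next."
} else {
    Write-Error "$UserName is not a member of $GroupName (member of: $($Names -join ', '))"
}
```

Run the script on a host with RSAT as an account that can create objects in the target OU, then continue with step 10 to confirm from the XIV side that the bind as xivuser and the login as danasia both succeed.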