Administrator Guide 15

OceanStor 5300 V3, 5500 V3, 5600 V3, 5800 V3, and 6800 V3 Storage System V300R003

Routine maintenance activities are the most common activities for the storage device, including powering on or off the storage device, managing users, modifying basic parameters of the storage device, and managing hardware components. This document applies to the system administrators who are responsible for carrying out routine maintenance activities, monitoring the storage device, and rectifying common device faults.
Creating an LDAP User or User Group

After the LDAP server or Windows AD domain server is deployed, you can create an LDAP user or user group.

Configuration Process

This section introduces the process of configuring an LDAP user or user group.

Figure 3-1 shows the process.
Figure 3-1  Process of configuring an LDAP user or user group

Configuring Domain Authentication for a Storage System

This section describes how to configure domain authentication for a storage system.

Preparing Windows AD Domain Configuration Data

Collect configuration data of a Windows AD domain server in advance to add storage systems to the AD domain.

  1. Log in to the Windows AD domain server, open the Active Directory Users and Computers software on the Windows AD domain server, and view and record related parameters on the software page.
  2. Obtain the Base DN information. As shown in the figure, icp.com corresponds to Base DN on the configuration page of the storage system, that is, dc=icp,dc=com.

  3. Obtain the Bind DN information.
    1. Set the advanced features of the AD domain server to be visible. On the menu bar of the Active Directory Users and Computers software, click View, and select Advanced Features.

    2. Select the Users folder under icp.com.

    3. The Administrator is used as an example. Right-click Users, and select Properties.

    4. In the displayed properties box, click Attribute Editor, select the distinguishedName property, and click View to obtain the Bind DN information. The queried Bind DN record is cn=Administrator,cn=Users,dc=icp,dc=com.

      NOTE:

      The Attribute Editor option is available only after you select the Advanced Features when setting the advanced features of the AD domain server to be visible.

  4. Obtain the User Directory information. (This information is required when an LDAP user is created.)
    1. The Administrator under Users is used as an example. Select the Users folder under icp.com, and right-click Properties.

    2. In the displayed properties box, click Attribute Editor, select the distinguishedName property, and click View to obtain the User Directory information. The queried User Directory record is cn=Users,dc=icp,dc=com.

  5. Obtain the Group Directory information. (This information is required when an LDAP user group is created.)
    1. The Domain Admins user group under Users is used as an example. Select the Domain Admins user group, and right-click Properties.

    2. In the displayed properties box, click Attribute Editor, select the distinguishedName property, and click View to obtain the Group Directory information. The queried Group Directory record is cn=Domain Admins,cn=Users,dc=icp,dc=com.

  6. For the IP Address and Bind Password of the AD domain server, contact the Windows AD domain server administrator.
NOTE:

For details about how to create AD domain users and groups on the AD domain controller, see How to create AD domain users and groups on the AD domain controller?.

Preparing the Configuration Data of an LDAP Domain

Collect the configuration data of an LDAP domain server in advance to add storage systems to the LDAP domain.

LDAP Domain Parameters

LDAP data is organized in a tree structure that clearly lays out organizational information. A node on this tree is called an entry. Each entry has a distinguished name (DN). The DN of an entry is composed of the Base DN and the RDN. The Base DN refers to the position of the parent node under which the entry resides in the tree, and the RDN refers to an attribute that distinguishes the entry from its siblings, such as UID or CN.

LDAP directories work like file system directories. For example, the directory dc=redmond,dc=wa,dc=microsoft,dc=com can be regarded as the following file system path: com\microsoft\wa\redmond. In another example, for the directory cn=user1,ou=user,dc=example,dc=com, cn=user1 indicates a username and ou=user indicates an organization unit of an Active Directory (AD); that is, user1 is in the user organization unit of the example.com domain.

The following figure shows the data structure of an LDAP server:

Table 3-10 describes the meanings of LDAP entry acronyms.
Table 3-10  Meanings of LDAP entry acronyms

  Acronym   Meaning
  o         Organization
  ou        Organization Unit
  c         Country Name
  dc        Domain Component
  sn        Surname
  cn        Common Name

What Is OpenLDAP?

OpenLDAP is a free and open implementation of LDAP that is widely used in popular Linux distributions. OpenLDAP requires licenses.

OpenLDAP mainly consists of the following four components:
  • slapd: a stand-alone LDAP daemon
  • slurpd: a stand-alone LDAP update and replication daemon
  • Libraries implementing the LDAP protocol
  • Tools and example clients
The OpenLDAP installation package can be found on the Userbooster website.
NOTE:
The OpenLDAP installation package is not provided on the OpenLDAP website. The installation package supports the following Windows operating systems: Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista, Windows 7, Windows 8, and Windows Server 2012.
Obtaining LDAP Configuration Data in Windows

Using OpenLDAP as an example, the following steps describe how to obtain LDAP configuration data.

  1. Open the OpenLDAP installation directory.
  2. Find the slapd.conf system configuration file.
  3. Use the text editing software to open the configuration file and search for the following fields:
    suffix   "dc=example,dc=com"
    rootdn  "cn=Manager,dc=example,dc=com"
    
    rootpw    XXXXXXXXXXXX
    
    • dc=example,dc=com corresponds to Base DN on the storage system configuration page.
    • cn=Manager,dc=example,dc=com corresponds to Bind DN on the storage system configuration page.
    • XXXXXXXXXXXX corresponds to Bind Password on the storage system configuration page. If the password is the ciphertext, contact LDAP server administrators to obtain the password.
  4. Find configuration files (with .ldif as the file name extension) of users and user groups that need to access storage systems.
    NOTE:

    LDAP Data Interchange Format (LDIF) is one of the most common file formats for LDAP applications. It is a standard mechanism that represents directory content in text form, and it allows users to import data to and export data from the directory server. LDIF files store LDAP configurations and directory contents, and you can obtain parameter information from them.

  5. Use text editing software to open the configuration file and find the DNs of a user and a user group that correspond to User Directory and Group Directory respectively on the storage system configuration page.
    #root on the top
    dn: dc=example,dc=com
    dc: example
    objectClass: domain
    objectClass: top
    #First organization unit name: user
    dn: ou=user,dc=example,dc=com
    ou: user
    objectClass: organizationalUnit
    objectClass: top
    #Second organization unit name: group (the ou attribute must match the RDN value in the dn)
    dn: ou=group,dc=example,dc=com
    ou: group
    objectClass: organizationalUnit
    objectClass: top
    #The first user represents user1 that belongs to organization unit user in the organizational structure topology.
    dn: cn=user1,ou=user,dc=example,dc=com
    cn: user1
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    sn: user1
    uid: user1
    uidNumber: 2882
    gidNumber: 888
    homeDirectory: /export/home/ldapuser
    loginShell: /bin/bash
    userPassword: {ssha}eoWxtWNl8YbqsulnwFwKMw90Cx5BSU9DRA==xxxxxx
    #The second user represents user2 that belongs to organization unit user in the organizational structure topology.
    dn: cn=user2,ou=user,dc=example,dc=com
    cn: user2
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    sn: client
    uid: client
    uidNumber: 2883
    gidNumber: 888
    homeDirectory: /export/home/client
    loginShell: /bin/bash
    userPassword: {ssha}eoWxtWNl8YbqsulnwFwKMw90Cx5BSU9DRA==xxxxxx
    #The first user group represents group1 that belongs to organization unit group in the organizational structure topology. The group contains user1 and user2.
    dn: cn=group1,ou=group,dc=example,dc=com
    cn: group1
    gidNumber: 888
    #Each memberUid value names a user that belongs to the group (LDIF comments must be on their own line).
    memberUid: user1
    memberUid: user2
    objectClass: posixGroup
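As an added example that is not part of the Huawei guide, the following Python reads an LDIF export like the one above and derives the Base DN, User Directory and Group Directory values that the storage system configuration page asks for; the same parent-DN step turns the Administrator DN from the Windows AD section into cn=Users,dc=icp,dc=com. The SAMPLE_LDIF text and all function names are constructed for this example.

```python
from typing import Dict, List

# Constructed LDIF text mirroring the guide's example above (not a real export).
# As in the guide, entries are not separated by blank lines, so the parser
# starts a new entry at every "dn:" line.
SAMPLE_LDIF = """\
#root on the top
dn: dc=example,dc=com
dc: example
objectClass: domain
objectClass: top
dn: ou=user,dc=example,dc=com
ou: user
objectClass: organizationalUnit
objectClass: top
dn: ou=group,dc=example,dc=com
ou: group
objectClass: organizationalUnit
objectClass: top
dn: cn=user1,ou=user,dc=example,dc=com
cn: user1
objectClass: posixAccount
uid: user1
uidNumber: 2882
dn: cn=group1,ou=group,dc=example,dc=com
cn: group1
gidNumber: 888
memberUid: user1
memberUid: user2
objectClass: posixGroup
"""

Entry = Dict[str, List[str]]

def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: '#' lines are comments, an entry begins at each
    'dn:' line, and repeated attributes (objectClass, memberUid) accumulate.
    Base64 values ('attr:: ...') and folded lines are not handled."""
    entries: List[Entry] = []
    current: Entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        attr, value = attr.strip(), value.strip()
        if attr == "dn" and current:          # a new dn starts the next entry
            entries.append(current)
            current = {}
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def parent_dn(dn: str) -> str:
    """Strip the leading RDN: cn=user1,ou=user,dc=example,dc=com becomes
    ou=user,dc=example,dc=com. Escaped commas (RFC 4514) are not handled."""
    _, sep, rest = dn.partition(",")
    if not sep:
        raise ValueError(f"DN has no parent: {dn!r}")
    return rest

def storage_params(text: str, user_class: str = "posixAccount",
                   group_class: str = "posixGroup") -> Dict[str, str]:
    """Map directory content to the DeviceManager fields: Base DN is the domain
    entry; User Directory and Group Directory are the parents of the first
    entries whose objectClass matches the configured user/group object type."""
    params: Dict[str, str] = {}
    for entry in parse_ldif(text):
        dn, classes = entry["dn"][0], entry.get("objectClass", [])
        if "domain" in classes:
            params.setdefault("Base DN", dn)
        elif user_class in classes:
            params.setdefault("User Directory", parent_dn(dn))
        elif group_class in classes:
            params.setdefault("Group Directory", parent_dn(dn))
    return params
```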
    
Obtaining LDAP Configuration Data in Linux

Using OpenLDAP as an example, the following steps describe how to obtain LDAP configuration data.

  1. Log in to an LDAP server as user root.
  2. Run the cd /etc/openldap command to go to the /etc/openldap directory.
    linux-ldap:~ # cd /etc/openldap
    linux-ldap:/etc/openldap #
  3. Run the ls command to view the system configuration file slapd.conf and the configuration file (with .ldif as the file name extension) of the users and user groups that need to access storage systems.
    linux-ldap:/etc/openldap #ls
    example.ldif ldap.conf schema slap.conf slap.con slapd.conf
  4. Run the cat command to open system configuration file slapd.conf where you can view related parameters.
    linux-ldap:/etc/openldap #cat slapd.conf
    
    suffix   "dc=example,dc=com"
    rootdn  "cn=Manager,dc=example,dc=com"
    
    rootpw    XXXXXXXXXXXX
    
    • dc=example,dc=com corresponds to Base DN on the storage system configuration page.
    • cn=Manager,dc=example,dc=com corresponds to Bind DN on the storage system configuration page.
    • XXXXXXXXXXXX corresponds to Bind Password on the storage system configuration page. If the password is in cipher text, contact LDAP server administrators to obtain the password.
  5. Run the cat command to open the example.ldif file. Find the DNs of a user and a user group that correspond to User Directory and Group Directory respectively on the storage system configuration page. For details about description of parameters, see Example of LDIF Files in Windows.
Setting Domain Authentication Server Information

To centrally manage user information, DeviceManager allows users to log in to the storage device in LDAP server authentication mode.

Prerequisites

The LDAP domain server or Windows AD domain server has been deployed.

Context

The LDAP protocol is a TCP/IP network protocol that enables users to access Directory System Agents (DSAs). LDAP provides a reduced subset of the functionality of the X.500 DAP specification.

The complexity of network management, especially user management, increases as the number of network applications grows. Most systems that provide a single service implement authentication in "username-password" mode. However, each user has different permissions for various network applications, so each user needs a different username and password for each application and must enter different credentials to access different applications. To address this issue, LDAP provides directory services through the following mechanism.

The principal purpose of LDAP-based authentication applications is to set up a directory-oriented user authentication system, that is, an LDAP environment. When a client user needs to access applications under the environment, the LDAP server compares the username and password sent by the client with corresponding authentication information in the directory database for identity verification.

For new-generation storage applications, client hierarchy information is stored in the LDAP server, and the users who attempt to access the storage device will be authenticated by the LDAP server.

LDAP over SSL (LDAPS): indicates that the system uses LDAP over SSL to communicate with the LDAP domain server if the LDAP domain server supports SSL.
NOTE:
Before selecting the LDAPS protocol, import the CA certificate file for the LDAP domain server.

Procedure

  1. Log in to DeviceManager.
  2. Choose Settings > Permission Settings > Domain Authentication Server Settings.
  3. Configure an LDAP server.
    1. Click Add.

      The Add IP Address dialog box is displayed.

    2. In IP Address, enter the IP address of the LDAP server to be added.
    3. Click OK.

      The IP address is added to the IP Address list.

      NOTE:

      To remove an IP address, select the IP address from the IP Address list and click Remove.

    4. Set basic parameters of the LDAP server. Table 3-11 describes related parameters.

      Table 3-11  LDAP server parameters

      Port
        Description: Port number of a server. The default port number of the LDAP server is 389, and the default port number of the LDAPS server is 636.
        Value range: 1 to 65535.
        Example: 636

      Server Type
        Description: Type of a server. Client hierarchy information is stored on an LDAP server. Users are authenticated by the LDAP server when they attempt to access shares.
        Value range: Windows AD domain server or LDAP server.
        Example: LDAP server

      Protocol
        Description: Encryption protocol.
        NOTE: Security risks arise if the protocol is set to LDAP. You are advised to select the LDAPS protocol.
        Value range: LDAP or LDAPS.
        Example: LDAPS

      Base DN
        Description: Root directory of a server. Each entry stored in an LDAP database requires a unique identification, which is called its distinguished name (DN). The top level of an LDAP directory tree is called the Base DN.
        Rule: A DN consists of relative distinguished names (RDNs) separated by commas (,), each in the basic format key=value. The value must start with a letter, digit, or underscore (_). For example, testDn=testDn,xxxDn=xxx.
        Format: xxx=yyy, separated by commas (,).
        Example: cn=My Application,ou=applications,dc=bigcorp,dc=com

      Bind DN
        Description: Name of the bind directory. The LDAP client initiates a connection request and attempts to establish a session with the LDAP server. This process is known as binding. During binding, the client can specify the user account used to access directory information on the server. To access content, you must search within this directory.
        Value range: The default access account is an administrator account. If you use another account, ensure that it has permission to access the domain service of the LDAP server.
        Example: cn=My Application,ou=applications,dc=bigcorp,dc=com

      Bind Password
        Description: Password for accessing the bind directory.
        Value range: 1 to 63 characters.
        Example: password

      Confirm Bind Password
        Description: Confirm the password for accessing the bind directory.
        NOTE: Confirm Bind Password must be consistent with Bind Password.
        Example: password

      User Directory
        Description: Directory of a created domain user.
        NOTE: You can obtain the User Directory using the methods described in Preparing Windows AD Domain Configuration Data and Preparing the Configuration Data of an LDAP Domain.
        Example: ou=Users,dc=bigcorp,dc=com

      Group Directory
        Description: Directory of a created domain user group.
        Example: ou=Groups,dc=bigcorp,dc=com

    5. Click Advanced and set advanced parameters of the LDAP server. Table 3-12 describes related parameters.

      Table 3-12  LDAP server advanced parameters

      User ID Properties
        Description: ID property of a user. This parameter defines the ID of a storage user object and allows a specific user to be queried by the given ID.
        Example: uidNumber
        Default: uidNumber (LDAP server); uSNCreated (AD server)

      User Name Properties
        Description: Name property of a user. This parameter defines the name of a storage user object and allows a specific user to be queried by the given name.
        Example: uid
        Default: uid (LDAP server); sAMAccountName (AD server)

      User Object Type
        Description: Type of a user object. Each entry in the LDAP directory is associated with one or more object types, including user, group, email, and maintenance terminal.
        Example: posixAccount
        Default: posixAccount (LDAP server); user (AD server)

      Group ID Properties
        Description: ID property of a group. A group can be composed of many users. This parameter defines the ID of a storage group object and allows a specific group to be queried by the given ID.
        Example: gidNumber
        Default: gidNumber (LDAP server); uSNCreated (AD server)

      Group Name Properties
        Description: Name property of a group. This parameter defines the name of a storage group object and allows a specific group to be queried by the given name.
        Example: cn
        Default: gidNumber (LDAP server); sAMAccountName (AD server)

      Group Member Properties
        Description: Member property of a group. This parameter defines a member of a storage group.
        Example: uniqueMember
        Default: uniqueMember (LDAP server); member (AD server)

      Group Object Type
        Description: Type of a group object. Each entry in the LDAP directory is associated with one or more object types, including user, group, email, and maintenance terminal.
        Example: groupOfUniqueNames
        Default: groupOfUniqueNames (LDAP server); group (AD server)

      NOTE:

      To restore a server to default settings, click Restore Default Settings.

  4. Confirm the operation.
    1. Click Save.

      The Execution Result dialog box is displayed, indicating that the operation succeeded.

    2. Click Close. You have completed the server settings.

    NOTE:

    After you have finished configuring the LDAP server on the storage system side, you need to log in to the storage system using the LDAP user name or LDAP user group name. Therefore, you need to create the LDAP user name or LDAP user group name on the storage system.
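As an added example that is not part of the Huawei guide, the following Python builds the search filters that the Table 3-12 defaults imply for each Server Type, escaping the login name according to RFC 4515 so that it cannot change the meaning of the filter, and checks a DN against the Base DN rule from Table 3-11. The PROFILES lookup table and all function names are constructed here and are not DeviceManager's own code.

```python
import re
from typing import Dict

# Defaults from Table 3-12, keyed by Server Type (lookup table constructed here).
PROFILES: Dict[str, Dict[str, str]] = {
    "LDAP server": {
        "user_object_type": "posixAccount",
        "user_name_property": "uid",
        "group_object_type": "groupOfUniqueNames",
        "group_member_property": "uniqueMember",
    },
    "Windows AD domain server": {
        "user_object_type": "user",
        "user_name_property": "sAMAccountName",
        "group_object_type": "group",
        "group_member_property": "member",
    },
}

# RFC 4515: these characters must be escaped inside a filter value; otherwise a
# login name containing "*" or ")(" could widen the search beyond one user.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_filter(server_type: str, username: str) -> str:
    """Filter that locates the login user beneath User Directory."""
    p = PROFILES[server_type]
    return (f"(&(objectClass={p['user_object_type']})"
            f"({p['user_name_property']}={escape_filter_value(username)}))")

def group_filter(server_type: str, member_value: str) -> str:
    """Filter for groups that list the user under Group Member Properties. For
    uniqueMember/member the value is the user's DN; a posixGroup keyed by
    memberUid (as in the LDIF sample earlier) would take the uid instead."""
    p = PROFILES[server_type]
    return (f"(&(objectClass={p['group_object_type']})"
            f"({p['group_member_property']}={escape_filter_value(member_value)}))")

# Base DN rule from Table 3-11: RDNs separated by commas, each key=value, with
# the value starting with a letter, digit or underscore. The guide does not
# specify the key syntax; an LDAP attribute-type name is assumed here.
_RDN = re.compile(r"[A-Za-z][A-Za-z0-9-]*=[A-Za-z0-9_][^,]*")

def is_valid_dn(dn: str) -> bool:
    return all(_RDN.fullmatch(part) for part in dn.split(","))
```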

(Optional) Generating and Exporting a Certificate on the Storage System

This section describes how to generate and export a certificate required for configuring domain authentication on the storage system.

Context

  • The certificate generated on the storage system is not signed and must be signed on the signature server.
  • If you use a third-party tool to export certificate request files, save the exported private key file as well. These files, together with the signed certificate and CA certificate, are imported to the storage system when the certificates are verified on the storage system.

Procedure

  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Value-added Service Settings > Credential Management.
  3. Set Certificate Type to Domain authentication certificate and click Generate and Export.

    The Save As dialog box is displayed. Select a path to save the certificate and click Save.

Follow-up Procedure

After the domain authentication certificate is exported, have it signed.

(Optional) Signing the Authentication Certificate and Exporting the CA Certificate

After a domain authentication certificate is exported, it takes effect only after it is signed by a third-party signing server. The CA certificate should be exported at the same time.

After the domain authentication certificate is exported, have it signed according to your actual conditions and export the CA certificate for the follow-up procedures.

(Optional) Importing the Certificate and CA Certificate to the Storage System

This section describes how to import the authentication certificate and CA certificate to the storage system to activate the authentication certificate.

Prerequisites

  • The signed certificate and CA certificate already exist.
  • If the certificate file is exported and signed by a third-party tool, ensure that the private key file exists.

Context

If the certificate file is exported and signed by a third-party tool, import the private key file when you import and activate the certificate and CA certificate.

Procedure

  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Value-added Service Settings > Credential Management.
  3. Import and activate the certificate.
    1. After the certificate has been signed by the server, click Import and Activate.

      The Import Certificate dialog box is displayed.

    2. Set Certificate Type to Domain authentication certificate and import the signed certificate and CA certificate. Table 3-13 lists the parameters and their explanations.

      Table 3-13  Certificate parameters

      Certificate Type
        Description: Type of a certificate.
        Example: Domain authentication certificate

      Certificate File
        Description: Certificate file that has been exported and signed.
        Example: None

      CA Certificate File
        Description: Certificate file of a server.
        Example: None

      Private Key File
        Description: Private key file of a device.
        Example: None

    3. Click OK.
      The Warning dialog box is displayed.
    4. Carefully read the content of the dialog box, select I have read and understood the consequences associated with this operation, and click OK.
      The Success dialog box is displayed.
    5. Click OK.
      The certificate has been successfully imported and activated.

Creating an LDAP User or User Group

To protect device stability and service data security, create different levels of users based on your requirements as a super administrator. This operation enables you to add LDAP users or user groups.

Prerequisites

A domain authentication server is available for creating LDAP users or LDAP user groups.

Context

The storage device defines the following levels of users:
  • Super administrator: The super administrator has full administrative permissions on the storage device, and is able to create the users at all user levels.
  • Administrator: An administrator has partial administrative permissions on the storage device but cannot manage users, upgrade the storage device, modify the system time, activate license files, or use Restart Device or Power Off Device.
  • Read-only user: A read-only user has only the access permission on the storage device. After logging in to the storage device, read-only users can only query information about the storage device.

For optimal reliability and security, create different user levels to control their operations on the system.

At most 2 super administrators can be created in the system.

Procedure

  1. Log in to DeviceManager.
  2. Choose Settings > Permission Settings > User Management.
  3. In the right function pane, click Add.

    The Add User dialog box is displayed.

  4. Set user information.

    Select LDAP user or LDAP user group from the Type list and configure the information about LDAP users or LDAP user groups respectively.

    Table 3-14 describes related parameters.
    Table 3-14  LDAP user or LDAP user group parameters

    Username
      Description: Name of a newly created LDAP user or LDAP user group.
      NOTE: The LDAP user or LDAP user group to be created must reside on the LDAP domain server. Otherwise, the login will fail.
      Value range:
      • The username contains 1 to 64 characters.
      • The username cannot start or end with spaces, and cannot contain question marks (?), single quotation marks ('), or double quotation marks (").
      • The username must be unique among all users.
      Example: user12

    Description
      Description: Description of a newly created user.
      Example: User

    Level
      Description: Level of a newly created LDAP user or LDAP user group. Possible values are as follows:
      • Administrator: has partial system administration permissions. Specifically, administrators cannot manage users, upgrade storage devices, modify the system time, activate license files, use Restart Device or Power Off Device, or perform any import or export operation.
      • Read-only user: has only the access permission for the storage system and can perform queries only.
      Example: Read-only user

  5. Confirm the user account creation.
    1. Click OK.

      The Success message box is displayed, indicating that the operation succeeded.

    2. Click OK.
Updated: 2019-04-17

Document ID: EDOC1000084191

Views: 85625

Downloads: 2297

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next