Adding a Storage System to a Domain (Applicable to V300R006C50 and Later)
You can log in to a storage system in domain authentication mode after configuring a domain server.
Prerequisites
The LDAP domain server or Windows AD domain server has been deployed.
Procedure
- Log in to DeviceManager.
- Choose Settings > Permission Settings > Domain Authentication Server Settings.
- Configure an LDAP server.
- Select the ID of the domain authentication server that you want to configure and click Properties.
If you select LDAP, go to 3.b. If you select LDAPS, first make sure that the CA certificate of the corresponding domain authentication server (listed below) has been imported into the storage system; without it the storage system cannot validate the server certificate presented during the TLS handshake.
- If Windows AD domain authentication is used, import the CA certificate of the AD domain server into the storage system before selecting LDAPS. For details, see How Can I Import the Windows AD Domain Server's CA Certificate to the Storage System?
- If LDAP domain authentication is used, import the CA certificate of the LDAP domain server into the storage system before selecting LDAPS. The CA certificate must be the one that issued (signed) the LDAP domain server's certificate; obtain it from the certificate authority, whether a third-party or an internal CA, that signed that certificate.
- If you select domain authentication server 0, ensure that the storage system has the CA certificate of Domain authentication certificate.
- If you select domain authentication server 1, ensure that the storage system has the CA certificate of Domain authentication extension certificate 1.
- If you select domain authentication server 2, ensure that the storage system has the CA certificate of Domain authentication extension certificate 2.
- If you select domain authentication server 3, ensure that the storage system has the CA certificate of Domain authentication extension certificate 3.
For details, see "Managing the Security Certificate" in the Security Configuration Guide specific to your product.
- Click Add.
The Add IP Address dialog box is displayed.
- In IP Address, enter the IP address of the LDAP server to be added.
- Click OK.
The IP address is added to the IP Address list.
To remove an IP address, select the IP address from the IP Address list and click Remove.
- Set basic parameters of the LDAP server.
Table 10-7 describes related parameters.
Table 10-7 Basic parameters of the LDAP server
Parameter / Description / Value
Port
Port number of a server.
The default port number of the LDAP server is 389, and the default port number of the LDAPS server is 636.
[Value Range]
The value ranges from 1 to 65535.
[Example]
636
Server Type
Type of a server.
User and group (directory hierarchy) information is stored on the LDAP server, and the LDAP server authenticates users when they attempt to access shares.
[Value Range]
The value can be Windows AD domain server or LDAP server.
[Example]
LDAP server
Protocol
Encryption protocol.
NOTE:- With LDAP (no TLS), the Bind Password and every user and group lookup are sent in cleartext and can be captured or tampered with on the network. You are advised to select LDAPS.
- Before selecting LDAPS, import the CA certificate of the LDAP domain server so that the storage system can validate the server certificate.
[Value Range]
The value can be LDAP or LDAPS.
[Example]
LDAPS
Base DN
Root directory of a server.
Each entry stored in LDAP databases requires a unique identification. The unique identification of each entry in LDAP databases is called its Distinguished Name (DN). The top hierarchy in an LDAP directory tree is called the Base DN.
NOTE:The Base DN must contain at least one non-empty dc component. If no dc value has been planned for the directory, it can be set to any value.
[Example]
cn=My Application,ou=applications,dc=bigcorp,dc=com
Bind DN
Name of the bind directory (the account the storage system authenticates as).
The LDAP client opens a connection to the LDAP server and attempts to establish an authenticated session; this step is known as binding. During the bind, the client identifies the account under which it will access directory information on the server. The user and group lookups are then performed as searches under this account.
[Value Range]
The default access account is an administrator account. If you use another account, make sure it has permission to read the user and group entries of the LDAP domain service. A dedicated read-only account is preferable to a domain administrator account, because the Bind Password is stored on the storage system. An account name cannot contain any spaces.
[Example]
cn=My Application,ou=applications,dc=bigcorp,dc=com
Bind Password
Password of the Bind DN account.
[Value Range]
It must contain 1 to 63 characters.
[Example]
password
Confirm Bind Password
Re-enter the password of the Bind DN account.
NOTE:Confirm Bind Password must be consistent with Bind Password.
[Example]
password
User Directory
Directory of a created domain user.
NOTE:You can obtain the User Directory using the following methods:
[Example]
ou=Users,dc=bigcorp,dc=com
Group Directory
Directory of a created domain user group.
[Example]
ou=Groups,dc=bigcorp,dc=com
- Click Advanced and set advanced parameters of the LDAP server.
Table 10-8 describes related parameters.
Table 10-8 Advanced parameters of the LDAP server
Parameter / Description / Value
User ID Properties
ID properties of a user. This parameter defines the ID of a storage user object and allows the query of a specific user based on the given ID.
[Example]
uidNumber
[Default]
- uidNumber (LDAP server)
- uSNCreated (AD server)
User Name Properties
Name properties of a user. This parameter defines the name of a storage user object and allows the query of a specific user based on the given name.
[Example]
uid
[Default]
- uid (LDAP server)
- sAMAccountName (AD server)
User Object Type
Type of a user object. Each entry under the LDAP directory is associated with one or more object types, including user, group, email, and maintenance terminal.
[Example]
posixAccount
[Default]
- posixAccount (LDAP server)
- user (AD server)
Group ID Properties
ID property of a group. A group can be composed of many users. This parameter defines the ID of a storage group object and allows the query of a specific group based on the given ID.
[Example]
gidNumber
[Default]
- gidNumber (LDAP server)
- uSNCreated (AD server)
Group Name Properties
Name property of a group. This parameter defines the name of a storage group object and allows the query of a specific group based on the given name.
[Example]
cn
[Default]
- cn (LDAP server)
- sAMAccountName (AD server)
Group Member Properties
Member property of a group. This parameter defines a member of a storage group.
[Example]
uniqueMember
[Default]
- uniqueMember (LDAP server)
- member (AD server)
Group Object Type
Type of a group object. Each entry under the LDAP directory is associated with one or more object types, including user, group, email, and maintenance terminal.
[Example]
groupOfUniqueNames
[Default]
- groupOfUniqueNames (LDAP server)
- group (AD server)
To restore a server to default settings, click Restore Default Settings.
- Select the ID of the domain authentication server that you want to configure and click Properties.
- Confirm the operation.
- Click Save.
The Execution Result dialog box is displayed, indicating that the operation succeeded.
- Click Close. You have completed the server settings.
After the LDAP server is configured on the storage system, domain users log in to the storage system with their LDAP user name or as members of an LDAP user group. You must therefore also create the corresponding LDAP user or LDAP user group on the storage system.
- Click Save.
- To add more domain servers, repeat step 3 and step 4.
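The following pre-flight script is an added example and is not Huawei code or part of DeviceManager. It checks a Table 10-7 parameter set offline (port range, LDAP/LDAPS and port consistency, dc component in the Base DN, Bind Password length and confirmation), applies the Table 10-8 attribute defaults for the selected Server Type, and builds the RFC 4515 search filters that a user or group lookup with those attributes would issue, with filter-metacharacter escaping so a crafted name cannot change the filter. The sample configuration values are constructed from the examples in Table 10-7; the function and field names (check_settings, lookup_filters, verify_ldaps_chain, and the dictionary keys) are this example's own. verify_ldaps_chain() is the one networked helper: it confirms that the LDAPS endpoint presents a certificate chaining to the CA file you imported, and it is only called when a host and CA file are given on the command line.

```python
"""Pre-flight checks for DeviceManager LDAP/LDAPS settings (added example, not Huawei code)."""
import re
import socket
import ssl
import sys

# Table 10-8 defaults, keyed by the Server Type value from Table 10-7.
ATTRIBUTE_DEFAULTS = {
    "LDAP server": {
        "user_id": "uidNumber", "user_name": "uid", "user_class": "posixAccount",
        "group_id": "gidNumber", "group_name": "cn", "group_member": "uniqueMember",
        "group_class": "groupOfUniqueNames",
    },
    "Windows AD domain server": {
        "user_id": "uSNCreated", "user_name": "sAMAccountName", "user_class": "user",
        "group_id": "uSNCreated", "group_name": "sAMAccountName", "group_member": "member",
        "group_class": "group",
    },
}

# Constructed sample; the DNs are the examples given in Table 10-7.
SAMPLE = {
    "port": 636, "protocol": "LDAPS", "server_type": "LDAP server",
    "base_dn": "dc=bigcorp,dc=com",
    "bind_dn": "cn=My Application,ou=applications,dc=bigcorp,dc=com",
    "bind_password": "password", "confirm_bind_password": "password",
    "user_directory": "ou=Users,dc=bigcorp,dc=com",
    "group_directory": "ou=Groups,dc=bigcorp,dc=com",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a user-supplied name must not alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def check_settings(cfg: dict) -> list:
    """Return findings for a Table 10-7 parameter set; an empty list means clean."""
    findings = []
    port = cfg.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append("Port must be an integer from 1 to 65535")
    proto = cfg.get("protocol")
    if proto not in ("LDAP", "LDAPS"):
        findings.append("Protocol must be LDAP or LDAPS")
    elif proto == "LDAP":
        findings.append("LDAP sends the Bind Password and all lookups in cleartext; use LDAPS")
    elif port == 389:
        findings.append("LDAPS on port 389 will not complete a TLS handshake; default LDAPS port is 636")
    if cfg.get("server_type") not in ATTRIBUTE_DEFAULTS:
        findings.append("Server Type must be 'Windows AD domain server' or 'LDAP server'")
    if not re.search(r"(^|,)\s*dc=[^,]+", cfg.get("base_dn", ""), re.IGNORECASE):
        findings.append("Base DN must contain at least one non-empty dc= component")
    if not re.fullmatch(r"\s*[A-Za-z]+=[^,]+(,\s*[A-Za-z]+=[^,]+)*", cfg.get("bind_dn", "")):
        findings.append("Bind DN must be a DN of the form attr=value,attr=value,...")
    pwd = cfg.get("bind_password", "")
    if not 1 <= len(pwd) <= 63:
        findings.append("Bind Password must contain 1 to 63 characters")
    if pwd != cfg.get("confirm_bind_password"):
        findings.append("Confirm Bind Password does not match Bind Password")
    return findings


def lookup_filters(cfg: dict, user_name: str, group_name: str) -> dict:
    """Build the search base and filter a user/group lookup would use with these attributes."""
    attrs = dict(ATTRIBUTE_DEFAULTS[cfg["server_type"]])
    attrs.update(cfg.get("attribute_overrides", {}))   # Table 10-8 values changed by the admin
    u, g = escape_filter_value(user_name), escape_filter_value(group_name)
    return {
        "user_base": cfg.get("user_directory", cfg["base_dn"]),
        "user_filter": f"(&(objectClass={attrs['user_class']})({attrs['user_name']}={u}))",
        "group_base": cfg.get("group_directory", cfg["base_dn"]),
        "group_filter": f"(&(objectClass={attrs['group_class']})({attrs['group_name']}={g}))",
        "member_attribute": attrs["group_member"],
    }


def verify_ldaps_chain(host: str, port: int, ca_file: str) -> tuple:
    """Connect over TLS and require the server certificate to chain to ca_file.

    Raises ssl.SSLError if the chain or name check fails, which is what the storage
    system would also hit if the wrong CA certificate was imported. Hostname checking
    stays on, so a server reached by IP address needs that IP in its certificate SAN.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


if __name__ == "__main__":
    for finding in check_settings(SAMPLE):
        print("finding:", finding)
    print(lookup_filters(SAMPLE, "alice", "storage-admins"))
    if len(sys.argv) == 3:   # usage: python ldap_preflight.py <ldaps-host> <ca.pem>
        print("server certificate subject:", verify_ldaps_chain(sys.argv[1], SAMPLE["port"], sys.argv[2]))
```

Run it without arguments to lint the parameter set and see the exact filters the configured attributes produce; run it with the LDAPS host and the CA file you imported to confirm the chain before clicking Save, since a CA mismatch only surfaces on the storage side as a failed domain login.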