Adding a Storage System to an LDAP Domain
To log in to a storage system in domain authentication mode, first add the storage system to an LDAP domain. A storage system can be added to a maximum of four LDAP domains.
Prerequisites
The LDAP server or Windows Active Directory (AD) domain server has been installed and deployed.
When configuring the LDAP server, you can select LDAP Server or Windows AD Domain Server as the server type.
Procedure
- Log in to DeviceManager.
- Choose Settings > Permission Settings > Domain Authentication Server Settings.
- Configure the LDAP server.
- Select the ID of the domain authentication server to be configured, and click Properties.
If LDAP is used, go to 3.b. If LDAPS is used, ensure that the CA certificate file of the corresponding domain server has been imported to the storage system.
- If Windows AD domain authentication is used, import the CA certificate of the AD domain server to the storage system before selecting LDAPS. For details, see How Can I Import the Windows AD Domain Server's CA Certificate to the Storage System?
- If LDAP domain authentication is used, import the CA certificate of the LDAP domain server to the storage system before selecting LDAPS. Apply for a CA certificate that matches the LDAP domain server's certificate from a third-party certificate authority.
- If you select domain authentication server 0, ensure that the CA certificate file of the domain authentication certificate has been imported to the storage system.
- If you select domain authentication server 1, ensure that the CA certificate file of domain authentication extended certificate 1 has been imported to the storage system.
- If you select domain authentication server 2, ensure that the CA certificate file of domain authentication extended certificate 2 has been imported to the storage system.
- If you select domain authentication server 3, ensure that the CA certificate file of domain authentication extended certificate 3 has been imported to the storage system.
For details, see contents related to security certificate management in the Security Configuration Guide specific to your product model and version.
- Click Add.
The Add IP Address dialog box is displayed.
- In IP Address, enter the IP address of the LDAP server to be added.
- Click OK.
The IP address is added to the IP Address list.
To remove an IP address, select the IP address from the IP Address list and click Remove.
- Set the basic parameters of the LDAP server. Table 5-5 describes the related parameters.

Table 5-5 LDAP server parameters

| Parameter | Description | Value |
|---|---|---|
| Port | Port ID of the server. The default port ID of the LDAP server is 389, and the default port ID of the LDAPS server is 636. | [Value range] An integer ranging from 1 to 65535. [Example] 636 |
| Server Type | Type of a server. Client hierarchy information is stored on a domain authentication server. Users are authenticated by the domain authentication server when they attempt to access shared resources. | [Value range] The value can be Windows AD domain server or LDAP server. [Example] LDAP server |
| Protocol | Encryption protocol used for domain authentication. NOTE: LDAP is vulnerable to security risks. You are advised to select the LDAPS protocol. Before selecting the LDAPS protocol, import the CA certificate file of the LDAP domain server. | [Value range] The value can be LDAP or LDAPS. [Example] LDAPS |
| Base DN | Root directory of a server. Each entry stored in an LDAP database requires a unique identifier, called its Distinguished Name (DN). The top of the directory tree is the root, that is, the base DN. | [Example] cn=My Application,ou=applications,dc=bigcorp,dc=com |
| Bind DN | Binding directory of a server. The LDAP client initiates a connection request and establishes a session with the LDAP server; this process is known as binding. During binding, the client specifies the account used to access directory information on the server. Directory contents are accessed by searching under this directory. | [Value range] The default access account is an administrator account. If you use another account, ensure that it has permission to access the domain service of the LDAP server. Account names cannot contain spaces. [Example] cn=My Application,ou=applications,dc=bigcorp,dc=com |
| Bind Password | Password used for accessing the bind directory. | [Value range] A character string containing 1 to 63 characters. [Example] password |
| Confirm Bind Password | Confirmed password for accessing the bind directory. NOTE: Confirm Bind Password must be consistent with Bind Password. | [Example] password |
| User Directory | Directory for a created domain user. NOTE: You can obtain User Directory using the following methods: | [Example] ou=Users,dc=bigcorp,dc=com |
| Group Directory | Directory for a created domain user group. | [Example] ou=Groups,dc=bigcorp,dc=com |
- Click Advanced to set the advanced parameters of the LDAP server. Table 5-6 describes the related parameters.

Table 5-6 Advanced parameters of an LDAP server

| Parameter | Description | Value |
|---|---|---|
| User ID Properties | ID properties of a user. This parameter defines the ID of a storage user object and allows the query of a specific user based on the given ID. | [Example] uidNumber. [Default value] uidNumber (LDAP server); uSNCreated (AD server) |
| User Name Properties | Name properties of a user. This parameter defines the name of a storage user object and allows the query of a specific user based on the given name. | [Example] uid. [Default value] uid (LDAP server); sAMAccountName (AD server) |
| User Object Type | Type of a user object. Each entry under the LDAP directory is associated with one or more object types, including user, group, email, and maintenance terminal. | [Example] posixAccount. [Default value] posixAccount (LDAP server); User (AD server) |
| Group ID Properties | ID properties of a group. A group can be composed of many users. This parameter defines the ID of a storage group object and allows the query of a specific group based on the given ID. | [Example] gidNumber. [Default value] gidNumber (LDAP server); uSNCreated (AD server) |
| Group Name Properties | Name properties of a group. This parameter defines the name of a storage group object and allows the query of a specific group based on the given name. | [Example] cn. [Default value] gidNumber (LDAP server); sAMAccountName (AD server) |
| Group Member Properties | Member properties of a group. This parameter defines a member of a storage group. | [Example] uniqueMember. [Default value] uniqueMember (LDAP server); Member (AD server) |
| Group Object Type | Type of a group object. Each entry under the LDAP directory is associated with one or more object types, including user, group, email, and maintenance terminal. | [Example] groupOfUniqueNames. [Default value] groupOfUniqueNames (LDAP server); Group (AD server) |
To restore a server to default settings, click Restore Default Settings.
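The following is an added example, not DeviceManager code or any part of the product documentation. It models the Table 5-5 and Table 5-6 settings as a plain Python object, applies the pre-Save checks the procedure asks for (port range, password length and confirmation, LDAPS only with an imported CA certificate, a warning for plain LDAP), and shows how the advanced attributes turn into the LDAP search base and filter used to look up a user and that user's groups. The field names, the `ca_certificate_imported` flag (standing in for the imported CA file), the IP address 192.0.2.10 and the user names are all assumptions constructed for the example; the login name is escaped per RFC 4515 so that a name typed at the login prompt cannot change the filter's structure.

```python
"""Model of the DeviceManager LDAP domain-server settings (added example, not product code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Advanced-parameter defaults as listed in Table 5-6, keyed by Server Type.
ADVANCED_DEFAULTS = {
    "LDAP server": dict(
        user_id_attr="uidNumber", user_name_attr="uid", user_object_type="posixAccount",
        group_id_attr="gidNumber", group_name_attr="gidNumber",  # listed default; the table's example is cn
        group_member_attr="uniqueMember", group_object_type="groupOfUniqueNames"),
    "Windows AD domain server": dict(
        user_id_attr="uSNCreated", user_name_attr="sAMAccountName", user_object_type="User",
        group_id_attr="uSNCreated", group_name_attr="sAMAccountName",
        group_member_attr="Member", group_object_type="Group"),
}
DEFAULT_PORTS = {"LDAP": 389, "LDAPS": 636}  # Table 5-5 defaults


@dataclass
class LdapServerConfig:
    """Table 5-5 fields plus the Table 5-6 attributes; an attribute left as None takes the default."""
    ip_address: str
    server_type: str             # "LDAP server" or "Windows AD domain server"
    protocol: str                # "LDAP" or "LDAPS"
    base_dn: str
    bind_dn: str
    bind_password: str
    confirm_bind_password: str
    user_directory: str
    group_directory: str
    port: int = 636
    ca_certificate_imported: bool = False   # hypothetical flag for "CA certificate has been imported"
    user_id_attr: Optional[str] = None
    user_name_attr: Optional[str] = None
    user_object_type: Optional[str] = None
    group_id_attr: Optional[str] = None
    group_name_attr: Optional[str] = None
    group_member_attr: Optional[str] = None
    group_object_type: Optional[str] = None

    def __post_init__(self) -> None:
        # Same effect as Restore Default Settings for every advanced field left unset.
        for name, value in ADVANCED_DEFAULTS.get(self.server_type, {}).items():
            if getattr(self, name) is None:
                setattr(self, name, value)


def validate(cfg: LdapServerConfig) -> List[str]:
    """Return the problems to fix before clicking Save; an empty list means the settings pass."""
    issues: List[str] = []
    if cfg.server_type not in ADVANCED_DEFAULTS:
        issues.append("error: Server Type must be 'LDAP server' or 'Windows AD domain server'")
    if cfg.protocol not in DEFAULT_PORTS:
        issues.append("error: Protocol must be 'LDAP' or 'LDAPS'")
    if not isinstance(cfg.port, int) or not 1 <= cfg.port <= 65535:
        issues.append("error: Port must be an integer from 1 to 65535")
    elif cfg.protocol in DEFAULT_PORTS and cfg.port != DEFAULT_PORTS[cfg.protocol]:
        issues.append(f"warning: Port {cfg.port} is not the default {DEFAULT_PORTS[cfg.protocol]} for {cfg.protocol}")
    if cfg.protocol == "LDAP":
        issues.append("warning: LDAP sends the bind password and directory data unencrypted; select LDAPS")
    if cfg.protocol == "LDAPS" and not cfg.ca_certificate_imported:
        issues.append("error: LDAPS selected but the domain server's CA certificate has not been imported")
    if not 1 <= len(cfg.bind_password) <= 63:
        issues.append("error: Bind Password must contain 1 to 63 characters")
    if cfg.confirm_bind_password != cfg.bind_password:
        issues.append("error: Confirm Bind Password must be consistent with Bind Password")
    return issues


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name can never open or close a filter expression."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_search(cfg: LdapServerConfig, login_name: str) -> Tuple[str, str]:
    """(search base, filter) used to locate the user entry for a login name."""
    flt = f"(&(objectClass={cfg.user_object_type})({cfg.user_name_attr}={escape_filter_value(login_name)}))"
    return cfg.user_directory, flt


def group_search(cfg: LdapServerConfig, user_dn: str) -> Tuple[str, str]:
    """(search base, filter) used to list the groups whose member attribute holds the user's DN."""
    flt = f"(&(objectClass={cfg.group_object_type})({cfg.group_member_attr}={escape_filter_value(user_dn)}))"
    return cfg.group_directory, flt


def server_url(cfg: LdapServerConfig) -> str:
    """URL form of the IP Address, Protocol and Port settings."""
    return f"{cfg.protocol.lower()}://{cfg.ip_address}:{cfg.port}"


if __name__ == "__main__":
    # Constructed sample settings; 192.0.2.10 is a documentation address, not a real server.
    cfg = LdapServerConfig(ip_address="192.0.2.10", server_type="LDAP server", protocol="LDAPS",
                           base_dn="dc=bigcorp,dc=com",
                           bind_dn="cn=My Application,ou=applications,dc=bigcorp,dc=com",
                           bind_password="password", confirm_bind_password="password",
                           user_directory="ou=Users,dc=bigcorp,dc=com",
                           group_directory="ou=Groups,dc=bigcorp,dc=com",
                           ca_certificate_imported=True)
    print(server_url(cfg), validate(cfg) or "settings OK")
    print(user_search(cfg, "alice"))
    print(group_search(cfg, "uid=alice,ou=Users,dc=bigcorp,dc=com"))
```

Switching `server_type` to "Windows AD domain server" changes the generated filters to `objectClass=User` / `sAMAccountName` and `objectClass=Group` / `Member` without any other edits, which is exactly what the Table 5-6 defaults are for; an explicit attribute value overrides the default in the same way the Advanced dialog does.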
- Select the ID of the domain authentication server to be configured, and click Properties.
- Confirm the LDAP server configuration.
- Click Save.
The Execution Result dialog box is displayed, indicating that the operation succeeded.
- Click Close. You have completed the server settings.
After you configure the LDAP server on the storage system, you need to log in to the storage system using the LDAP user name or LDAP user group name. Therefore, you need to create the LDAP user name or LDAP user group name on the storage system.
- Click Save.
- To add the storage system to more domain authentication servers, repeat operations in Step 3 and Step 4.
After the storage system is added to the LDAP domain, you can log in to the storage system as an LDAP user. For details, see Logging In to DeviceManager or Logging In to the CLI.