The EMC XtremIO Storage Array supports authentication of LDAP users. Once configured for LDAP authentication, the XMS redirects user authentication to the configured LDAP or Active Directory (AD) servers and allows access to authenticated users only. Users’ XMS permissions are defined by a mapping between the users’ LDAP/AD groups and XMS roles.
The XMS server LDAP Configuration feature allows using a single server or multiple servers to authenticate external users when they log in to the XMS server.
The LDAP operation is performed once, when logging in to an XMS server with external user credentials. The XMS server operates as an LDAP client and connects to an LDAP service running on an external server. The LDAP Search is performed using the pre-configured LDAP Configuration profile and the external user’s login credentials.
If the authentication is successful, the external user logs in to the XMS server and accesses the full or limited XMS server functionality (according to the XMS Role that was assigned to the AD user’s group). The external user’s credentials are saved in the XMS server cache and a new user profile is created in the XMS User Administration configuration. From that point, the external user is authenticated internally by the XMS server without connecting to an external server. The XMS server re-performs the LDAP Search only after the LDAP Configuration Cache time expires, or at the next successful external user login if the external user’s credentials were removed from the XMS server User Administration manually.
Here is the list of mandatory parameters:
- Bind DN – The full Distinguished Name of a user that has permissions for querying groups and performing searches on behalf of other users
CN=DirectoryBind,OU=ServiceAccounts,OU=Administration,DC=internal,DC=vstrong,DC=local
- Bind Password – A password for the Bind DN
- Search Filter – An LDAP expression that defines which user object attribute is checked against which part of the user input
(sAMAccountName={username})
- Cache Expire – The time in hours (1 to 24) before the cached user authentication expires and re-authentication is required
- Server URLs – LDAP server addresses. The address can be either ldap://<IP> or ldap://<hostname>, and the scheme can be ldap://, ldaps:// or ldaptls://
ldaps://ADC001.internal.vstrong.local:3269
- Active Directory Groups – XMS roles assignment to DS groups (represented by their DN)
CN=XtremIOAdmin,OU=Groups,OU=Administration,DC=internal,DC=vstrong,DC=local
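As an added example (not XMS code and not from the original post), this Python snippet shows how an LDAP client consumes the parameters above: it escapes the user-supplied name before substituting it into the Search Filter so that wildcard and parenthesis characters cannot alter the query, parses the three Server URL schemes, maps the DNs returned in a user’s memberOf attribute to XMS roles, and honours the 1–24 hour Cache Expire window. The role names, the default port for ldaptls:// and the second group DN are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# RFC 4515 escapes for values placed inside an LDAP search filter.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before it is substituted into a filter."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, username: str) -> str:
    """Fill an XMS-style template such as '(sAMAccountName={username})'."""
    return template.replace('{username}', escape_filter_value(username))


def parse_server_url(url: str) -> tuple:
    """Accept ldap://, ldaps:// and ldaptls:// URLs; return (scheme, host, port)."""
    m = re.fullmatch(r'(ldap|ldaps|ldaptls)://([^:/]+)(?::(\d+))?', url)
    if not m:
        raise ValueError(f'unsupported server URL: {url}')
    scheme, host, port = m.group(1), m.group(2), m.group(3)
    # Assumption: ldaps defaults to 636, ldap and ldaptls (StartTLS) to 389.
    default = 636 if scheme == 'ldaps' else 389
    return scheme, host, int(port) if port else default


def map_roles(member_of: list, group_roles: dict) -> set:
    """Map the user's group DNs (from memberOf) to XMS roles.

    DN comparison is case-insensitive, as it is in Active Directory.
    """
    normalized = {dn.lower(): role for dn, role in group_roles.items()}
    return {normalized[dn.lower()] for dn in member_of if dn.lower() in normalized}


def cache_valid(cached_at: datetime, cache_expire_hours: int, now: datetime) -> bool:
    """True while a cached authentication is inside the Cache Expire window."""
    if not 1 <= cache_expire_hours <= 24:
        raise ValueError('Cache Expire must be between 1 and 24 hours')
    return now < cached_at + timedelta(hours=cache_expire_hours)


# Constructed mapping: the admin group DN from this post, role label assumed.
GROUP_ROLES = {
    'CN=XtremIOAdmin,OU=Groups,OU=Administration,DC=internal,DC=vstrong,DC=local': 'admin',
}
```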