Setup and Management of LDAP/AD (RBAC) on a Hedvig Storage Cluster

  • 11 January 2021

LDAP/AD is a supported way to manage distributed directory information services (user and group identities) within a Hedvig Storage Cluster.

Setting up LDAP/AD Server

 

Action:

  • Log into any of the Hedvig Storage Nodes and select LDAP/AD Configuration from the far-right corner.

 

  • You will then be presented with the LDAP/AD configuration screen. Depending on whether you choose "Use Domain Name" or not, different fields will be populated. (Note: SSL can only be used when "Use Domain Name" is not selected.)

    • Hedvig RBAC is based on the concepts of:

      • Tenants, which are groups of users:

        • You can set up multiple tenants per cluster.

        • You can set up multiple servers per tenant.

      • Users assigned to these tenants:

        • You can set up multiple users per tenant.

        • Each user can belong to more than one tenant.

Here are the details for each of the fields:

  • Tenant: This is a pre-configured tenant that you would like to target an AD for.

    • To configure or add one, go to User Administration / Tenant Management.

  • Server (mandatory): Select an existing server, or select Configure New Server/Domain Name.

    • In our case we are creating a new one.

  • Use Domain Name (mandatory): Select this when you want to use a Domain Name, rather than a server port.

    • Using a domain name is recommended, as a successful lookup indicates that AD and DNS are configured correctly.

      • e.g. domain.local

  • Server: Displays the name of the existing server you selected, or is blank to enter a new server name.

    • This is optional when not using a Domain Name.

    • Port: Enter a port number for a new server, or, if needed, change the port number for an existing server. The default for LDAP is 389 and for LDAPS (LDAP over SSL) is 636.

    • Use SSL: To enable LDAP over SSL (LDAPS).

  • Naming Attribute (mandatory): The attribute that represents a user in LDAP.

    • Reference - https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties

    • User naming attributes identify user objects, such as logon names and IDs used for security purposes. The cn, name, and distinguishedName attributes are examples of user naming attributes.

      • Example

        • userPrincipalName: the logon name for the user

        • objectGUID: the unique identifier of a user

        • sAMAccountName: a logon name that supports previous versions of Windows

  • Admin Distinguished Name (mandatory): The distinguished name (DN) of the admin account.

    • The details can be extracted using ldp.exe on the LDAP/AD server.

    • The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs) connected by commas.

      • CN: the common name of the administrator account

      • OU: the organizational unit (user group/container) the administrator account is part of

      • DC: the domain components that identify the domain

    • Example:

      • CN=Winston Wong,OU=MM,DC=xionlab,DC=internal

  • Admin Password (mandatory): The password of the admin account.

  • User Search Base (mandatory): The base for searching for users.

    • Reference - https://docs.microsoft.com/en-us/windows/win32/ad/querying-for-users

    • The search base defines the starting point for the search in the directory tree. For example, a user might need to query the entire directory, in which case the search base must specify the root of the directory service.

    • A search base comprises multiple objects separated by commas. These objects include:

      • cn: common name

      • ou: organizational unit

      • o: organization

      • c: country

      • dc: domain

    • For example, to search the MM container in the domain xionlab.internal, you would specify a search base of:

      • OU=MM,DC=xionlab,DC=internal

    • Prefer to target an organizational unit within your user search base. For large organizations with multiple forests and domains, this lets LDAP query only a certain OU within a domain, e.g. OU=hedvig,DC=domain,DC=internal.

  • User Search Filter (mandatory): The filter applied when a user tries to log in. If the user does not match this filter within the search base, access will not be granted.

    • A filter specifies the conditions that must be met for a record to be included in the recordset (or collection) that results from a query.

    • The following table documents the results of various combinations of clauses specifying values for objectCategory and objectClass:

      • Example

        • (objectCategory=person)

      objectCategory        objectClass           Result
      --------------------  --------------------  -----------------------------------
      person                user                  user objects
      person                (not set)             user and contact objects
      person                contact               contact objects
      (not set)             user                  user and computer objects
      computer              (not set)             computer objects
      user                  (not set)             user and contact objects
      (not set)             contact               contact objects
      (not set)             computer              computer objects
      (not set)             person                user, computer, and contact objects
      contact               (not set)             user and contact objects
      group                 (not set)             group objects
      (not set)             group                 group objects
      person                organizationalPerson  user and contact objects
      (not set)             organizationalPerson  user, computer, and contact objects
      organizationalPerson  (not set)             user and contact objects
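To make the Admin Distinguished Name, User Search Base and User Search Filter fields concrete, here is an added Python example (not Hedvig's code and not part of the original post) that splits DNs into RDNs, applies a subtree search base, and evaluates the objectCategory/objectClass combinations from the table above against a small constructed directory. The directory entries, the login names and the login_filter helper are assumptions made for illustration; the objectCategory substitution mirrors AD's defaultObjectCategory rule, which is why (objectCategory=user) returns contacts as well.

```python
"""Added example, not Hedvig's code: a small LDAP filter and DN evaluator run
over a constructed directory, to show what the User Search Base and User
Search Filter fields actually select. All entries and DNs below are made up
and follow the xionlab.internal example from the post."""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample directory. The objectClass lists are the inheritance
# chains AD returns for each kind of object; objectCategory is shown in the
# short form accepted in filters (AD stores it as a schema DN).
DIRECTORY: List[Entry] = [
    {"dn": "CN=Winston Wong,OU=MM,DC=xionlab,DC=internal", "objectCategory": ["person"],
     "objectClass": ["top", "person", "organizationalPerson", "user"], "sAMAccountName": ["wwong"]},
    {"dn": "CN=Jane Doe,OU=Sales,DC=xionlab,DC=internal", "objectCategory": ["person"],
     "objectClass": ["top", "person", "organizationalPerson", "user"], "sAMAccountName": ["jdoe"]},
    {"dn": "CN=Vendor Contact,OU=MM,DC=xionlab,DC=internal", "objectCategory": ["person"],
     "objectClass": ["top", "person", "organizationalPerson", "contact"]},
    {"dn": "CN=NODE01,OU=Computers,DC=xionlab,DC=internal", "objectCategory": ["computer"],
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "sAMAccountName": ["NODE01$"]},
    {"dn": "CN=hedvig-admins,OU=MM,DC=xionlab,DC=internal", "objectCategory": ["group"],
     "objectClass": ["top", "group"]},
]

# When a filter names a class in objectCategory, AD substitutes that class's
# defaultObjectCategory; this is why (objectCategory=user) also returns contacts.
DEFAULT_OBJECT_CATEGORY = {"user": "person", "contact": "person", "organizationalperson": "person",
                           "person": "person", "computer": "computer", "group": "group"}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter (e.g. a typed login name)."""
    return "".join(_ESCAPES.get(c, c) for c in value)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text: str):
    """Parse the RFC 4515 subset used here: (attr=value), (&...), (|...), (!...)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] != ")":
                children.append(node())
            pos += 1
            return (op, children)
        end = text.index(")", pos)          # safe: ')' inside values is escaped as \29
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr, value)
    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(entry: Entry, node) -> bool:
    """Case-insensitive equality only; this toy has no substring/wildcard matching."""
    op = node[0]
    if op == "&":
        return all(matches(entry, c) for c in node[1])
    if op == "|":
        return any(matches(entry, c) for c in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    attr, value = attr.lower(), _unescape(value).lower()
    if attr == "objectcategory":
        value = DEFAULT_OBJECT_CATEGORY.get(value, value)
    values = [v.lower() for k, vs in entry.items() if k != "dn" and k.lower() == attr for v in vs]
    return value in values

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDNs, most specific first. Escaped commas are not handled."""
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def in_search_base(dn: str, base: str) -> bool:
    """True when the entry sits at or below the search base (subtree scope)."""
    norm = lambda d: [(t.lower(), v.lower()) for t, v in parse_dn(d)]
    entry_rdns, base_rdns = norm(dn), norm(base)
    return len(entry_rdns) >= len(base_rdns) and entry_rdns[-len(base_rdns):] == base_rdns

def search(base: str, filter_text: str) -> List[str]:
    """DNs of entries under `base` that satisfy `filter_text`, in directory order."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in DIRECTORY if in_search_base(e["dn"], base) and matches(e, tree)]

def login_filter(login: str) -> str:
    """The lookup a login attempt would run; escaping keeps the typed name from
    changing the filter's structure."""
    return f"(&(objectCategory=person)(objectClass=user)(sAMAccountName={escape_filter_value(login)}))"

if __name__ == "__main__":
    base = "DC=xionlab,DC=internal"
    for f in ["(&(objectCategory=person)(objectClass=user))", "(objectCategory=person)",
              "(objectClass=user)", "(objectCategory=user)", "(objectClass=person)"]:
        print(f"{f:48} -> {[dn.split(',')[0] for dn in search(base, f)]}")
    print(search("OU=MM,DC=xionlab,DC=internal", login_filter("wwong")))
```

Narrowing the base to OU=MM drops Jane Doe from every result even though she matches the filter, which is the behaviour the search-base bullets above describe; the same scoping applies to the admin account's own DN, which must sit under a base the bind account can read.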

  • Group Search Base: The base for searching for groups.

    • To limit the part of the AD tree that is searched, use a group search base. For large organizations with forests and domains, this lets LDAP query only a certain subtree within a domain, e.g. DC=domain,DC=internal.

    • Reference - https://docs.microsoft.com/en-us/windows/win32/ad/querying-for-groups-in-a-domain

    • Groups can be placed in any container or organizational unit in a domain as well as the root of the domain. Groups may not always be in one container. Therefore, it is necessary to search the entire domain to find all groups in the domain.

    • Example:

      • DC=xionlab,DC=internal

  • Group Search Filter: The filter applied when a member of a group tries to log in. If the group does not match this filter within the group search base, access will not be granted.

    • Example:

      • (objectclass=group)

  • Group Member Attribute: The attribute name for specifying group members.

    • Example:

      • member
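As an added Python example (not from the post and not Hedvig's code), the following resolves which users an "Add LDAP/AD Group" import would pull in from the Group Search Base, Group Search Filter and Group Member Attribute fields above, following nested groups through the member attribute and stopping on membership cycles. The directory, the CONFIG dictionary and the function names are constructed for illustration; it goes slightly beyond the post by also reporting members that fall outside the User Search Base or no longer exist.

```python
"""Added example, not Hedvig's code: expand an AD group into the user DNs an
import would add, driven by the same four fields as the configuration form.
The directory below is constructed and reuses the xionlab.internal names."""
from typing import Dict, List, Tuple

# Mirrors the form fields; values are the examples given in the post.
CONFIG = {
    "group_search_base": "DC=xionlab,DC=internal",
    "group_search_filter": "(objectclass=group)",
    "group_member_attribute": "member",
    "user_search_base": "OU=MM,DC=xionlab,DC=internal",
}

USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed entries keyed by DN. 'member' holds DNs, as in AD. Note the
# nested group, the membership cycle, a member outside the user search base,
# a dangling member DN, and a group outside the group search base.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=hedvig-admins,OU=MM,DC=xionlab,DC=internal": {
        "objectClass": ["top", "group"],
        "member": ["CN=Winston Wong,OU=MM,DC=xionlab,DC=internal",
                   "CN=hedvig-ops,OU=MM,DC=xionlab,DC=internal"]},
    "CN=hedvig-ops,OU=MM,DC=xionlab,DC=internal": {
        "objectClass": ["top", "group"],
        "member": ["CN=Jane Doe,OU=Sales,DC=xionlab,DC=internal",
                   "CN=Gone User,OU=MM,DC=xionlab,DC=internal",
                   "CN=hedvig-admins,OU=MM,DC=xionlab,DC=internal"]},
    "CN=legacy,OU=Old,DC=other,DC=internal": {
        "objectClass": ["top", "group"],
        "member": ["CN=Winston Wong,OU=MM,DC=xionlab,DC=internal"]},
    "CN=Winston Wong,OU=MM,DC=xionlab,DC=internal": {
        "objectClass": USER_CLASSES, "sAMAccountName": ["wwong"]},
    "CN=Jane Doe,OU=Sales,DC=xionlab,DC=internal": {
        "objectClass": USER_CLASSES, "sAMAccountName": ["jdoe"]},
}

def _under(dn: str, base: str) -> bool:
    """Subtree check: does the DN end with the base's RDNs (case-insensitive)?"""
    d = [r.strip().lower() for r in dn.split(",")]
    b = [r.strip().lower() for r in base.split(",")]
    return len(d) >= len(b) and d[-len(b):] == b

def _matches_simple_filter(entry: Dict[str, List[str]], filter_text: str) -> bool:
    """Handles a single equality filter such as (objectclass=group)."""
    attr, value = filter_text.strip().strip("()").split("=", 1)
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return value.lower() in values

def find_groups(directory: Dict[str, Dict[str, List[str]]], cfg: Dict[str, str]) -> List[str]:
    """Groups the form's Group Search Base and Group Search Filter would offer."""
    return [dn for dn, entry in directory.items()
            if _under(dn, cfg["group_search_base"])
            and _matches_simple_filter(entry, cfg["group_search_filter"])]

def expand_group(directory: Dict[str, Dict[str, List[str]]], cfg: Dict[str, str],
                 group_dn: str) -> Tuple[List[str], List[str]]:
    """Return (users to add, members skipped) for one group, walking nested
    groups through the member attribute with a visited set against cycles."""
    users: List[str] = []
    skipped: List[str] = []
    seen = set()
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue                      # cycle or group reached twice
        seen.add(dn)
        for member in directory.get(dn, {}).get(cfg["group_member_attribute"], []):
            entry = directory.get(member)
            if entry is None:
                skipped.append(member)    # dangling reference, nothing to import
            elif _matches_simple_filter(entry, cfg["group_search_filter"]):
                stack.append(member)      # nested group: expand it too
            elif _under(member, cfg["user_search_base"]):
                if member not in users:
                    users.append(member)
            else:
                skipped.append(member)    # outside the User Search Base, so login would fail
    return users, skipped

if __name__ == "__main__":
    for group in find_groups(DIRECTORY, CONFIG):
        added, left_out = expand_group(DIRECTORY, CONFIG, group)
        print(group, "-> add:", added, "skip:", left_out)
```

Members reported as skipped are worth checking before pressing "Run": a user imported from a group but living outside the User Search Base will appear in the user list yet never pass the login-time user search.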

  • User Attribute Names: Customize which LDAP/AD user attributes are mapped to the Hedvig-specific fields (Name, Email and Mobile).

Once you are done, press "Save Changes" to configure the LDAP/AD server.

 


Configuring new LDAP User/Group

 

Once you have successfully configured the LDAP server, you will need to add LDAP users to give them permission to access the Hedvig Storage Cluster.

  • Log into any of the Hedvig Storage Nodes and select User Management from the far-right corner.

 

  • Press "Add User"

 

  • Select "Add LDAP/AD Group", select the group, and then press "Next".

 

  • You will then be shown the list of LDAP users that will be added.

 

  • Once you press "Run", all the listed LDAP users are added to the system.

 

Test Login

  • Once the LDAP users are configured, log out and test with an LDAP user's credentials.

 

  • If the login is successful, you will see your login user and your role in the top right-hand corner.

 

