Configuring 3PAR to use Active Directory Authentication

Rather than logging on with local user accounts you can use AD to authenticate users and determine what rights they have within the 3PAR system. I have split the post into two parts: the first describes the commands you are going to use and the second shows a script which you can amend for use in your environment.

Viewing Current Configuration

Show the current authentication settings

showauthparam

If you want to clear out all current settings and start again

setauthparam -f -clearall

Commands Breakdown

The commands you are going to run fall under three sections: configuring the connection parameters, configuring the binding (authentication) parameters and finally configuring the account location parameters. The values you need to customise for your environment are shown in angle brackets; the other commands remain standard.

1 Connection settings

  • IP address of the DC that will handle authentication: setauthparam ldap-server <IP_address_of_DC>
  • DNS hostname of the DC used for authentication: setauthparam ldap-server-hn <DNS_HostName>
  • Kerberos realm (the AD domain name in upper case; it is case sensitive): setauthparam kerberos-realm <Kerberos_Realm eg MYDOMAIN.COM>

 

2 Configure authentication parameters. These commands won't change and will be exactly as below in a standard AD implementation

  • setauthparam binding sasl
  • setauthparam sasl-mechanism GSSAPI

 

3 Configure account parameters

  • Location of user accounts: setauthparam accounts-dn <dn_path eg "OU=Users,DC=mydomain,DC=com">
  • setauthparam account-obj user
  • setauthparam -f account-name-attr sAMAccountName
  • setauthparam memberof-attr memberOf
  • Provides super user rights to the members of the specified group: setauthparam super-map "CN=3ParAdministrators,OU=groups,DC=mydomain,DC=com"
  • Provides browse (read-only) rights to the members of the specified group: setauthparam browse-map "CN=3ParRead,OU=groups,DC=mydomain,DC=com"

 

AD Script

Below I have laid out all the commands together in an example script. As always, use it at your own risk, and note that the first line clears out your current authentication configuration. The IP address, DC hostname, realm and the three DNs are what you will need to change; everything else should remain the same in a standard Windows environment. Make sure your kerberos-realm matches AD (it's case sensitive).

setauthparam -f -clearall

setauthparam -f ldap-server 10.10.10.10

setauthparam -f ldap-server-hn DC1.mydomain.com

setauthparam -f kerberos-realm MYDOMAIN.COM

setauthparam -f binding sasl

setauthparam -f sasl-mechanism GSSAPI

setauthparam -f accounts-dn "OU=Users,DC=mydomain,DC=com"

setauthparam -f account-obj user

setauthparam -f account-name-attr sAMAccountName

setauthparam -f memberof-attr memberOf

setauthparam -f super-map "CN=3ParAdministrators,OU=groups,DC=mydomain,DC=com"

setauthparam -f browse-map "CN=3ParRead,OU=groups,DC=mydomain,DC=com"

 

Check Configuration

Once you have run the script you can check the result from the CLI by typing checkpassword <username> and then entering that user's AD password. The system then reports whether the LDAP lookup and authentication succeeded. Test with a member of each mapped group and with a user who is in neither, so you confirm the mapping denies access as well as grants it.
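To tie the three sections, the script and the check together, here is an added example of my own in POSIX shell (it is not from the original post or from HP). It holds the environment-specific values in variables, checks the things that usually break this setup (realm not in upper case, DC hostname outside the realm's DNS domain, account or group DNs from the wrong domain), prints the same setauthparam sequence as the script above, and shows which role the super-map and browse-map settings would give a user based on their memberOf values. The IP address, hostname, DNs and memberOf values are constructed placeholders; the assumption that the array matches the mapped DN against a memberOf value as a whole string, with super taking precedence when a user is in both groups, is mine and should be checked against your array's documentation.

```shell
#!/bin/sh
# Added example (not from the original post): builds the setauthparam
# sequence from one set of variables, sanity-checks the values that usually
# go wrong, and shows which 3PAR role a user's memberOf values would map to.
# All values below are constructed placeholders for a hypothetical domain.

LDAP_SERVER="10.10.10.10"                  # DC that answers LDAP/Kerberos
LDAP_SERVER_HN="DC1.mydomain.com"          # its DNS name, inside the realm's domain
KERBEROS_REALM="MYDOMAIN.COM"              # case sensitive on the array
ACCOUNTS_DN="OU=Users,DC=mydomain,DC=com"  # where the user objects live
SUPER_MAP="CN=3ParAdministrators,OU=groups,DC=mydomain,DC=com"
BROWSE_MAP="CN=3ParRead,OU=groups,DC=mydomain,DC=com"

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Returns 0 when the settings are consistent, 1 otherwise (problems on stdout).
check_auth_settings() {
  rc=0
  realm_lc=$(lower "$KERBEROS_REALM")
  # The realm must be upper case: the array compares it case-sensitively and
  # an AD realm is the DNS domain name in capitals.
  [ "$(printf '%s' "$KERBEROS_REALM" | tr '[:lower:]' '[:upper:]')" = "$KERBEROS_REALM" ] \
    || { echo "kerberos-realm $KERBEROS_REALM is not upper case"; rc=1; }
  # ldap-server is given as an IPv4 address in this setup (dotted quad only).
  printf '%s\n' "$LDAP_SERVER" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    || { echo "ldap-server $LDAP_SERVER is not an IPv4 address"; rc=1; }
  # The DC's hostname should sit inside the realm's DNS domain.
  case "$(lower "$LDAP_SERVER_HN")" in
    *."$realm_lc") ;;
    *) echo "ldap-server-hn $LDAP_SERVER_HN is outside $realm_lc"; rc=1 ;;
  esac
  # Every DN must end in the DC= components derived from the realm
  # (mydomain.com -> dc=mydomain,dc=com). DNs are compared case-insensitively
  # here and must be written without spaces after the commas.
  dc_suffix=$(printf 'dc=%s' "$realm_lc" | sed 's/\./,dc=/g')
  for dn in "$ACCOUNTS_DN" "$SUPER_MAP" "$BROWSE_MAP"; do
    case "$(lower "$dn")" in
      *",$dc_suffix") ;;
      *) echo "DN $dn does not end in $dc_suffix"; rc=1 ;;
    esac
  done
  return $rc
}

# Prints the command sequence from the post, one command per line.
emit_setauthparam() {
  cat <<EOF
setauthparam -f -clearall
setauthparam -f ldap-server $LDAP_SERVER
setauthparam -f ldap-server-hn $LDAP_SERVER_HN
setauthparam -f kerberos-realm $KERBEROS_REALM
setauthparam -f binding sasl
setauthparam -f sasl-mechanism GSSAPI
setauthparam -f accounts-dn "$ACCOUNTS_DN"
setauthparam -f account-obj user
setauthparam -f account-name-attr sAMAccountName
setauthparam -f memberof-attr memberOf
setauthparam -f super-map "$SUPER_MAP"
setauthparam -f browse-map "$BROWSE_MAP"
EOF
}

# Given a user's memberOf values (one DN per line), reports the role the
# super-map / browse-map settings would give: super, browse or none.
# Assumption (mine, not from the post): the array matches the mapped DN
# against each memberOf value as a whole string, and super wins if a user
# is in both groups.
role_for_groups() {
  groups_lc=$(lower "$1")
  if   printf '%s\n' "$groups_lc" | grep -qxF "$(lower "$SUPER_MAP")";  then echo super
  elif printf '%s\n' "$groups_lc" | grep -qxF "$(lower "$BROWSE_MAP")"; then echo browse
  else echo none; fi
}

# Constructed memberOf values for two hypothetical users.
ADMIN_MEMBEROF="CN=3ParAdministrators,OU=groups,DC=mydomain,DC=com
CN=Domain Users,CN=Users,DC=mydomain,DC=com"
READER_MEMBEROF="CN=3ParRead,OU=groups,DC=mydomain,DC=com"

# Stand-alone run: emit the command script only if the settings pass the checks.
if check_auth_settings; then
  emit_setauthparam
fi
```

Run it with sh; if the checks pass it prints the twelve commands, which you can paste into the 3PAR CLI session. The role check is worth running with a user's real memberOf values (from ADUC or dsquery) before you try checkpassword: the mapped DN has to be the group's actual DN, so a group that has been moved or renamed since the array was configured silently turns an administrator into "none".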


8 thoughts on "Configuring 3PAR to use Active Directory Authentication"

  1. Good post, Richard. Just a heads up, the #3 point up top has a copy/paste typo, I think. The 3parRead group is getting authorized for super-map instead of browse-map. Your script has it right, just the step is off.

      1. Gladly. When I tried to configure this in the SSMC, it stated that the ldap-server-hn was optional and that ldap-server supported FQDNs and multiple entries as of 3.2.1 MU2, which I’m running. However, when I try to configure it w/o ldap-server-hn and/or with ldap-server using FQDNs, I get “+ internal system error communicating with authentication helper daemon: invalid response”. Have you seen any of this?
