Active Directory authentication with local authorization

You can set up remote LDAP authentication of users against Active Directory, combined with local user authorization on the advanced management module.

Note: Active Directory authentication with local authorization applies only to BladeCenter units deployed in an Active Directory environment.

When using Active Directory authentication with local authorization, the Active Directory servers are used only to authenticate users, that is, to verify a user's credentials. No authorization information for a given user is stored on the Active Directory server; the group profiles stored on the advanced management module must be configured with the authorization information.

Authorization information used to configure the group profiles can be obtained by retrieving membership information for a user from the Active Directory server. This membership information gives the list of groups to which a user belongs (nested groups are supported). The groups specified on the Active Directory server are then compared to the group names locally configured on the advanced management module. For each group that matches, the user is assigned permissions from that group. That is, for each group name that is locally configured on the advanced management module, there is a corresponding authorization profile that is also configured for that group.

The advanced management module supports up to 16 locally-configured group names. Each group name is limited in length to 63 characters. One of the following attributes must be configured as the group name in order to match the group membership information retrieved from the Active Directory servers:

To configure Active Directory authentication with local authorization for the advanced management module, complete the following steps:

  1. In the navigation pane, click MM Control → Network Protocols.
  2. Scroll down to the Lightweight Directory Access Protocol (LDAP) Client section.
  3. Select Use LDAP Servers for Authentication Only (with local authorization).
  4. The domain controllers (DC) to be used for authentication can either be configured manually or discovered dynamically from DNS SRV records.
    • Select Use DNS to find LDAP Servers to discover the domain controllers dynamically from DNS SRV records (see step 5).
    • Select Use Pre-Configured LDAP Servers (default) to configure the domain controllers manually (see step 6).
  5. If you are using DNS to dynamically discover the domain controllers, configure the following settings; then, go to step 7.
    Graphic illustrating the LDAP client setup page for Active Directory authentication with local authorization using DNS.
    Domain Name
    The fully qualified DNS name of the Active Directory domain (for example, companyABC.com). The SRV records that locate the domain controllers are published under this name, so it is needed to find them.
    Active Directory Forest Name
    This optional parameter is used to discover global catalogs (GC). Global catalogs are required to resolve membership in universal groups that span domains. In environments where cross-domain group membership does not apply, this field can be left blank.
  6. If you are manually configuring the domain controllers and global catalogs, configure the LDAP Server Host Name or IP Address and Port fields; then, go to step 7. Up to four domain controllers can be configured, each by IP address or fully qualified host name. A server entered with port 3268 (global catalog over LDAP) or 3269 (global catalog over LDAP with SSL) is treated as a global catalog server; any other port number indicates that a domain controller is being configured.
    Graphic illustrating the LDAP client setup page for Active Directory authentication with local authorization using pre-configured servers.
  7. If you are using group authorization profiles, view or configure them by clicking Group Profiles; then, return to the MM Control → Network Protocols page and scroll to the Lightweight Directory Access Protocol (LDAP) Client section.
  8. Configure the following Miscellaneous Parameters:
    Root DN
    This optional parameter is used to configure the base distinguished name (DN) of the Active Directory server (for example, dc=companyABC,dc=com). In most cases, this field is left blank, although it can be useful for debugging purposes.

    The advanced management module normally uses a RootDSE query to find the base distinguished name of the Active Directory server with which it communicates. This base distinguished name is then used for subsequent searches. It is derived from the defaultNamingContext and rootDomainNamingContext attributes returned by the RootDSE query. When the base distinguished name is set in the Root DN field, it overrides the values of the defaultNamingContext and rootDomainNamingContext attributes.

    Binding Method
    For the initial bind to the domain controller, select one of the following options:

    w/ Configured Credentials: Fill in the client distinguished name (Client DN) and Password to be used for the initial bind. If this bind fails, the authentication process also fails. If the bind is successful, a search is made for the user record that corresponds to the user ID presented during the login process. The search typically looks for common attributes that might match that user ID: displayName, sAMAccountName, and userPrincipalName. If the UID search attribute field is configured, the search also includes this attribute. Because the Client DN password is stored on the advanced management module, use a dedicated directory account that has only the read access needed for this search.

    If the search is successful, then a second bind is attempted, this time with the user distinguished name (retrieved from the search) and the password presented during the login process. If the second bind attempt succeeds, the authentication portion succeeds and group membership information for the user is retrieved and matched against the locally configured groups on the advanced management module. The matched groups will define the authorization permissions assigned to the user.

    w/ Login Credentials: The initial bind to the domain controller is made using the credentials presented during the login process. If this bind fails, the authentication process also fails. If the bind is successful, a search will attempt to find the user record. Once it is located, group membership information for the user is retrieved and matched against the locally configured groups on the advanced management module. The matched groups define the authorization permissions assigned to the user.

  9. To enable or disable SSL between the advanced management module and the Active Directory server, use the LDAP section of the Security page. Without SSL, the binds described in step 8, including the password presented at login, are sent to the domain controller in cleartext, so enable SSL whenever the domain controllers support it.
    Graphic illustrating the LDAP section of the security page.
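The following Python example is added here and is not part of the original documentation or of the advanced management module firmware. It shows what the DNS discovery of step 5 has to resolve and how the port rule of step 6 classifies a configured server. Nothing is queried: a constructed SRV answer stands in for DNS, the domain and forest names are made up, and the record names (_ldap._tcp.dc._msdcs.<domain> for domain controllers, _gc._tcp.<forest> for global catalogs) are the standard Active Directory locator records, assumed here because the page does not say which records the module looks up. The ordering follows RFC 2782, which is how any SRV client is expected to choose among several domain controllers.

```python
"""Added example, not module firmware code: DNS SRV discovery (step 5) and
port-based DC/GC classification (step 6) over constructed records."""
import random
from dataclasses import dataclass
from typing import List, Optional

GC_PORTS = {3268, 3269}   # 3268: global catalog over LDAP, 3269: over LDAP with SSL


def server_role(port: int) -> str:
    """Step 6 rule: 3268/3269 mean global catalog, anything else a domain controller."""
    return "GC" if port in GC_PORTS else "DC"


def srv_query_names(domain: str, forest: Optional[str] = None) -> List[str]:
    """SRV names to resolve for the Domain Name and optional Forest Name fields
    (standard AD locator records; assumed, not taken from the page)."""
    names = [f"_ldap._tcp.dc._msdcs.{domain.rstrip('.')}"]
    if forest:   # only needed for universal-group membership across domains
        names.append(f"_gc._tcp.{forest.rstrip('.')}")
    return names


@dataclass
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def order_srv(records: List[Srv], rng: Optional[random.Random] = None) -> List[Srv]:
    """RFC 2782 selection: lowest priority first; within one priority a
    weighted-random order, with zero-weight targets placed first so they are
    chosen only when the random pick is 0."""
    rng = rng or random.Random()
    ordered: List[Srv] = []
    for prio in sorted({r.priority for r in records}):
        bucket = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while bucket:
            pick = rng.randint(0, sum(r.weight for r in bucket))
            running = 0
            for r in bucket:
                running += r.weight
                if running >= pick:
                    ordered.append(bucket.pop(bucket.index(r)))
                    break
    return ordered


# Constructed answer for _ldap._tcp.dc._msdcs.companyABC.com (made up, not real DNS data).
SAMPLE_ANSWER = [
    Srv(10, 100, 389, "dc3.companyABC.com"),   # backup DC, tried only if priority-0 DCs fail
    Srv(0, 60, 389, "dc1.companyABC.com"),
    Srv(0, 40, 389, "dc2.companyABC.com"),
]


def preferred_targets(records: List[Srv]) -> List[str]:
    """Targets in the order a client should try them, tagged with the role the
    module would infer from the port."""
    return [f"{r.target}:{r.port} ({server_role(r.port)})" for r in order_srv(records)]
```

Before selecting Use DNS to find LDAP Servers, resolving the two names that srv_query_names returns from a host on the module's network is the quickest check that discovery can succeed; an empty answer means the module will have no domain controller to bind to.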
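The following Python example is added here and is not part of the original documentation or of the module firmware. It walks through the w/ Configured Credentials and w/ Login Credentials flows of step 8 and the group matching described at the top of the page, against a constructed in-memory directory so that it runs without a domain controller. Every DN, account, password, group and permission name is made up, and the choice of the group's sAMAccountName as the attribute compared with the locally configured group name is an assumption (the page's list of eligible attributes is not reproduced above). It also shows the one detail a security reviewer looks for in this flow: the login user ID is interpolated into an LDAP search filter, so it is escaped per RFC 4515 before the filter is built.

```python
"""Added example, not advanced management module code: step 8's two bind
methods plus nested-group to local-profile matching, run against a constructed
in-memory directory.  All names are made up; matching local group names
against the group's sAMAccountName is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SEARCH_ATTRS = ["displayName", "sAMAccountName", "userPrincipalName"]
MAX_LOCAL_GROUPS, MAX_GROUP_NAME_LEN = 16, 63     # limits stated on the page


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the login user ID is untrusted input interpolated
    into the search filter, so filter metacharacters are hex-encoded."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def user_search_filter(userid: str, uid_attr: Optional[str] = None) -> str:
    """OR of the attributes the page says are searched, plus the UID search attribute."""
    attrs = SEARCH_ATTRS + ([uid_attr] if uid_attr else [])
    value = escape_filter_value(userid)
    return "(|" + "".join(f"({a}={value})" for a in attrs) + ")"


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]]
    password: Optional[str] = None          # None: entry cannot bind (groups)


class FakeDirectory:
    """Stand-in for a domain controller: simple bind and the one search the flow
    needs.  Comparisons are case-insensitive, as in Active Directory."""

    def __init__(self, entries: List[Entry]):
        self.entries = {e.dn.lower(): e for e in entries}

    def bind(self, name: str, password: str) -> bool:
        entry = self.entries.get(name.lower())
        if entry is None:                   # AD also accepts a userPrincipalName
            entry = next((e for e in self.entries.values() if name.lower() in
                          [v.lower() for v in e.attrs.get("userPrincipalName", [])]), None)
        return entry is not None and entry.password is not None and entry.password == password

    def find_user(self, userid: str) -> Optional[Entry]:
        """Evaluates the equalities user_search_filter() encodes.  Values are compared
        literally, so '*' or parentheses in the user ID never act as filter syntax."""
        hits = [e for e in self.entries.values() if any(
            userid.lower() == v.lower() for a in SEARCH_ATTRS for v in e.attrs.get(a, []))]
        return hits[0] if len(hits) == 1 else None   # missing or ambiguous: no user


def resolve_groups(d: FakeDirectory, user: Entry) -> Set[str]:
    """Transitive closure over memberOf, so nested groups count."""
    seen: Set[str] = set()
    stack = list(user.attrs.get("memberOf", []))
    while stack:
        gdn = stack.pop().lower()
        if gdn not in seen:
            seen.add(gdn)
            group = d.entries.get(gdn)
            stack.extend(group.attrs.get("memberOf", []) if group else [])
    return seen


def profile_errors(profiles: Dict[str, Set[str]]) -> List[str]:
    """Checks local group profiles against the 16-name / 63-character limits."""
    errors = [f"group name too long: {n}" for n in profiles if len(n) > MAX_GROUP_NAME_LEN]
    if len(profiles) > MAX_LOCAL_GROUPS:
        errors.append(f"more than {MAX_LOCAL_GROUPS} local group names")
    return errors


def authorize(d: FakeDirectory, user: Entry, profiles: Dict[str, Set[str]]) -> Set[str]:
    """Union of the permissions of every local profile whose name matches a direct
    or nested group of the user; empty (not an error) if nothing matches."""
    granted: Set[str] = set()
    for gdn in resolve_groups(d, user):
        group = d.entries.get(gdn)
        names = {v.lower() for v in group.attrs.get("sAMAccountName", [])} if group else set()
        for local_name, perms in profiles.items():
            if local_name.lower() in names:
                granted |= perms
    return granted


def login_configured_credentials(d, client_dn, client_pw, userid, password, profiles):
    """w/ Configured Credentials: bind as the Client DN, search for the login user
    ID, then bind again as the found user.  None means authentication failed."""
    if not d.bind(client_dn, client_pw):
        return None
    user = d.find_user(userid)
    if user is None or not d.bind(user.dn, password):
        return None
    return authorize(d, user, profiles)


def login_login_credentials(d, userid, password, profiles):
    """w/ Login Credentials: the first bind uses the login credentials themselves."""
    if not d.bind(userid, password):
        return None
    user = d.find_user(userid)
    return None if user is None else authorize(d, user, profiles)


# Constructed directory content and local profiles (all made up).
DIRECTORY = FakeDirectory([
    Entry("cn=amm-svc,ou=Service,dc=companyABC,dc=com", {"sAMAccountName": ["amm-svc"]},
          password="svc-secret"),
    Entry("cn=Alice Example,ou=People,dc=companyABC,dc=com",
          {"sAMAccountName": ["alice"], "userPrincipalName": ["alice@companyABC.com"],
           "displayName": ["Alice Example"],
           "memberOf": ["cn=BladeAdmins,ou=Groups,dc=companyABC,dc=com"]}, password="alice-secret"),
    Entry("cn=BladeAdmins,ou=Groups,dc=companyABC,dc=com",        # nested inside ServerOps
          {"sAMAccountName": ["BladeAdmins"], "memberOf": ["cn=ServerOps,ou=Groups,dc=companyABC,dc=com"]}),
    Entry("cn=ServerOps,ou=Groups,dc=companyABC,dc=com", {"sAMAccountName": ["ServerOps"]}),
])
LOCAL_PROFILES = {"ServerOps": {"blade-power", "remote-console"}, "Supervisor": {"supervisor"}}
```

Two behaviours are worth confirming in a real deployment in the same way the simulation does: a user whose only matching group is reached through nesting (alice is a member of BladeAdmins, which is itself a member of ServerOps) still receives that group's permissions, and a user who authenticates but matches none of the local group names gets an empty permission set rather than a login failure.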