topic Re: LDAP Authentication Issues in HPE 3PAR StoreServ Storage

LDAP Authentication Issues

L1nklight — Thu, 13 Nov 2014 15:56:26 GMT

I am having some issues with setting up authentication. I am doing the checkpassword command with one of my domain accounts and the "searching LDAP using:" looks questionable. The filter seems to be attempting to filter on objectClass group not user and I am not sure why. I am currently trying to authenticate to an Windows 2012 R2 Active Directory Server. I have included some screen shots with vital info redacted.

showauthparam:

checkpassword:

Re: LDAP Authentication Issues

L1nklight — Mon, 17 Nov 2014 19:55:35 GMT

So I ended up having to punt on this one. I went through the CLI reference guide for 3.2.1 MU1 and I found the command to clear all auth params. I ran the following command:

setauthparams -f -clearall

Once I did that I ran through the setauthparams again. I used the following commands, in the following order:

setauthparam -f ldap-server <ipaddress of domain controller to use>

setauthparam -f ldap-server-hn <DNS_Hostname of DC, case insensitive>

setauthparam -f kerberos-realm <LDAP_Service name, case sensitive. Use LDP.exe on DC and pull value from the output connecting to the DC>

setauthparam -f binding sasl

setauthparam -f sasl-mechanism GSSAPI

setauthparam -f accounts-dn <dn path, you can pull DN path from adsi or the attributes tab in ADUC if you have advanced mode enabled>

setauthparam -f account-obj user (This value needs to be "user" specifically for AD)

setauthparam -f account-name-attr sAMAccountName (if you look at page 22 on the CLI Admins Reference guide for 3.2.1 MU1 this value says "sAMAccount". This is completely wrong. Windows AD requires sAMAccountName)

setauthparam -f memberof-attr memberOf

setauthparam -f <map_param> <map_value, DN of group that you wish to reference in AD>

In some writeups the following is listed as a required command

setauthparams -f account-group group

Do not use that command. It triggers the filter for parsing Active Directory to change to "group" instead of authenticating per user. That's essentially what was throwing off my AD configuration.

Re: LDAP Authentication Issues

Prakash Singh_1 — Mon, 24 Nov 2014 05:32:50 GMT

Hi,

Very well Self Solved..:)

Here is the script to set up LDAP:

Just replace the info with the customers info

REM assuming all windows default security params

REM setauthparam	ldap-server <IP-Address>
REM setauthparam	ldap-server-hn <DNS-hostname>
REM setauthparam	kerberos-realm	<LDAP-ServiceName> - CASE SENSITIVE

REM setauthparam binding sasl
REM setauthparam sasl-mechanism GSSAPI

REM setauthparam accounts-dn <dn-path>
REM setauthparam account-obj user (tells the LDAP client to search for users) REM setauthparam account-name-attr SAMAccountName REM setauthparam memberof-attr memberOf REM checkpassword


---- REM EXAMPLE USING THE LAB MACHINES ----
REM assuming all default windows params
REM clear out all old params

setauthparam -f clearall
setauthparam -f		ldap-server 192.168.47.100
setauthparam -f		ldap-server-hn mktg-admin0.3par-mktg.3pardata.com
setauthparam -f		kerberos-realm 3PAR-MKTG.3PARDATA.COM

setauthparam -f 	binding sasl
setauthparam -f 	sasl-mechanism GSSAPI

setauthparam -f 	accounts-dn cn=Users,dc=3par-mktg,dc=3pardata,dc=com
setauthparam -f 	account-obj user 
setauthparam -f 	account-name-attr sAMAccountName
setauthparam -f 	memberof-attr memberOf
setauthparam super-map "cn=Domain Admins,cn=Users,dc=3par-mktg,dc=3pardata,dc=com"

Regards,

PS