HPE Storage Tech Insiders

Nimble OS 3.1 – Active Directory Integration

rdm99

By Ryan Matthews


Nimble is committed to improving security and accountability for Nimble OS. In the summer of 2014, with Nimble OS 2.1, we moved from a single administrative login to multiple administrative logins with role-based access control (Nimble OS 2.1, Part 8: Role-Based Access Control). A year later, in Nimble OS 2.3, we added true Audit Logging (Nimble OS 2.3 – Audit Log), which lets customers track which administrator made which change. Until now, however, every administrative user had to be created and managed locally on the array, and that burden grew with every additional array a customer owned. With the release of Nimble OS 3.1 we are announcing the capability to use Microsoft Active Directory (AD) to create and manage administrative users. Customers can now keep a single source of truth for administrative access across the entire organization, Nimble Storage arrays included.

Using the AD integration is really quite simple:


1. Use the local "admin" login on the array to join the Active Directory domain. The join requires an AD user account with privileges to join computers to the domain. The option is under "Administration->Security->Microsoft Active Directory".

[Screenshot: Screen Shot 2016-02-12 at 8.30.01 AM.png]

2. Create one group in AD for each array role you intend to use (e.g. Nimble-PowerUser-Group, Nimble-Administrator-Group).

3. On the array, under "Administration->Security->Users and Groups", click "Add->Group" to create local groups that map the array management roles (Administrator, PowerUser, Operator, Guest) to the AD groups created in step 2.

[Screenshot: Screen Shot 2016-02-12 at 8.32.48 AM.png]

Once configured, the array checks with AD at login time to confirm that the user attempting to log in has supplied a valid password. If the user authenticates, the array then checks whether they are a member of one of the mapped groups. A user in a mapped group is logged in with the privileges of the role associated with that group; an authenticated user who is in none of the mapped groups is not granted access. With the exception of "admin", AD is checked BEFORE any local account, so the domain's password and security policies apply to administrator logins rather than whatever was configured locally. The built-in "admin" account itself remains local, so its credential still has to be managed on each array. Nimble's Audit Logging facility records AD logins just as it records local logins:

[Screenshot: Screen Shot 2016-02-12 at 8.36.21 AM.png]
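The decision flow described above, together with the group-to-role mapping from steps 2 and 3, as an added illustrative model in Python. This is not Nimble OS code and does not talk to a real domain controller: the directory, the local user store, every user name, password and group, and the audit record layout are constructed for the example. Two behaviours the post does not spell out are assumptions and are marked as such in the code: how a tie is broken when a user is in more than one mapped group (most privileged role wins here), and what happens when AD knows the user but rejects the password (treated as final, with no fall-through to a same-named local account).

```python
"""Model of the Nimble OS 3.1 AD login flow (illustrative, not Nimble code)."""
from dataclasses import dataclass, field
from typing import Optional

# The four array management roles named in step 3. The ordering (most to least
# privileged) is an ASSUMPTION used only to break ties when a user sits in more
# than one mapped AD group; the post does not say how Nimble OS resolves that.
ROLE_RANK = {"Administrator": 0, "PowerUser": 1, "Operator": 2, "Guest": 3}


@dataclass
class Directory:
    """Constructed stand-in for Active Directory: name -> {"password", "groups"}."""
    users: dict

    def authenticate(self, name: str, password: str) -> Optional[bool]:
        """None if AD has no such user, otherwise whether the password is correct."""
        rec = self.users.get(name)
        if rec is None:
            return None
        return rec["password"] == password

    def groups_of(self, name: str) -> set:
        return set(self.users[name]["groups"])


@dataclass
class NimbleArray:
    directory: Directory
    group_map: dict                  # step 3: AD group name -> array role
    local_users: dict                # local accounts: name -> {"password", "role"}
    audit: list = field(default_factory=list)

    def _record(self, user: str, source: str, outcome: str) -> None:
        # Audit Logging sees AD and local logins alike (record layout is illustrative).
        self.audit.append({"user": user, "source": source, "outcome": outcome})

    def _local_login(self, name: str, password: str) -> Optional[str]:
        rec = self.local_users.get(name)
        if rec is None or rec["password"] != password:
            self._record(name, "local", "denied")
            return None
        self._record(name, "local", f"login as {rec['role']}")
        return rec["role"]

    def login(self, name: str, password: str) -> Optional[str]:
        """Return the role granted, or None if the login is denied."""
        # The built-in "admin" account is the one exception: it never goes to AD,
        # even if a same-named account exists in the directory.
        if name == "admin":
            return self._local_login(name, password)

        # Everyone else is checked against AD BEFORE any local account.
        verdict = self.directory.authenticate(name, password)
        if verdict is None:
            # ASSUMPTION: a name AD does not know falls through to the local store.
            return self._local_login(name, password)
        if verdict is False:
            # ASSUMPTION: once AD knows the user, AD's answer is final, so a local
            # account with the same name cannot be used to sidestep AD's policy.
            self._record(name, "AD", "denied: bad password")
            return None

        # Authenticated. Authorize via mapped-group membership -> role.
        roles = [self.group_map[g] for g in self.directory.groups_of(name)
                 if g in self.group_map]
        if not roles:
            self._record(name, "AD", "denied: not in any mapped group")
            return None
        role = min(roles, key=ROLE_RANK.__getitem__)
        self._record(name, "AD", f"login as {role}")
        return role


def build_demo() -> NimbleArray:
    """Constructed sample data mirroring steps 2 and 3 of the post."""
    ad = Directory(users={
        "alice": {"password": "Alice!2016", "groups": {"Nimble-Administrator-Group", "Domain Users"}},
        "bob":   {"password": "Bob!2016",   "groups": {"Nimble-PowerUser-Group", "Nimble-Operator-Group"}},
        "carol": {"password": "Carol!2016", "groups": {"Domain Users"}},
        "admin": {"password": "AD-admin",   "groups": {"Nimble-Administrator-Group"}},
    })
    group_map = {                    # step 3: local group -> role, one per role in use
        "Nimble-Administrator-Group": "Administrator",
        "Nimble-PowerUser-Group": "PowerUser",
        "Nimble-Operator-Group": "Operator",
        "Nimble-Guest-Group": "Guest",
    }
    local = {
        "admin": {"password": "local-admin", "role": "Administrator"},
        "svc_backup": {"password": "backup-pass", "role": "Operator"},
    }
    return NimbleArray(ad, group_map, local)


if __name__ == "__main__":
    arr = build_demo()
    for user, pw in [("alice", "Alice!2016"), ("bob", "Bob!2016"), ("carol", "Carol!2016"),
                     ("admin", "AD-admin"), ("admin", "local-admin"), ("svc_backup", "backup-pass")]:
        print(f"{user:>10} -> {arr.login(user, pw)}")
    for entry in arr.audit:
        print(entry)
```

Running it shows the points the post makes: alice gets Administrator through her AD group, carol authenticates but is refused because she is in no mapped group, the AD "admin" password is useless against the array because "admin" is the one login that stays local, and every attempt, AD or local, lands in the same audit list.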

This new capability makes it much easier to manage Nimble arrays in environments with many administrators or many arrays, while improving security compliance in the many environments that already use AD as the single source of truth for authentication and authorization. We’re excited to ship Nimble OS 3.1 and deliver this functionality to every customer that has ever bought a Nimble array. Let us know what you think.


Comments
sydac45

Hello Ryan, thanks for the rundown of this functionality. We'll be very glad to eliminate the need for local logins!

keithharris119

I'm unable to add AD groups and save them through the GUI. Any advice on how to resolve this or find more information? I receive an error that the "request could not be understood by the server". I have created groups for Nimble RBAC in AD, and the "test connection" succeeds in the Nimble GUI under the AD join section. Thanks for your help!

[Screenshot: NimAD_Fail.JPG]

james_c_stein42

Getting the following:

failed to lookup dc info for domain over rpc

[Screenshot: Capture.PNG]

Verified that DNS is setup correctly on the array. Account used has no problems adding computer accounts to the domain.

btallen2296

I'm running into the same issue. Any suggestions here? Any idea if you were able to resolve this?

james_c_stein42

One of my colleagues opened a ticket with Nimble regarding this issue, and the end word was that AD integration requires SMBv1, which we have disabled. In light of the recent SMB security issues it won't be turned back on for this.

btallen2296

That is exactly what I was told. We won’t be turning it on just to enable AD integration either. Nimble needs to come up with a better way to handle this.

Brian Allen
Systems Engineer III
https://www.towerfcu.org
7901 Sandy Spring Road, Laurel, MD 20707
301-497-7000 ext. 7317
brian.allen@towerfcu.org

james_c_stein42

He was told that SMBv2 is in the works, but there is no timeline for it.
