Month: March 2020

Home / Month: March 2020

Configure LDAP over SSL for Primera and 3PAR

04/03/2020 | Storage | 3 Comments

LDAP over SSL for Primera and 3PAR

LDAP authentication can be tricky when using unsecured ports. As you already know, Primera and 3PAR arrays use by default unsecured LDAP port 389. In our previous article we talked about HPE Primera LDAP Active Directory Integration. This article will focus on configuring LDAP over SSL (port 636) for Primera and StoreServ (3PAR) arrays.

LDAP transactions, including sensitive data, i.g. passwords can be captured easily using Wireshark. In addition, Microsoft will soon (Q2/2020) cease to support unsigned LDAP implementations.

I assume you already have defined AD groups to map with user roles, and you have the root certificate in your possession.

  1. Log in to your Primera / 3par array using CLI
  2. Additionally, remove any existing LDAP configuration 
    setauthparam -f -clearall
  3. Next, we will configure LDAP over SSL for Primera and 3PAR OS.
    For detailed information about the usage, read HPE Primera OS 4.0 Command Line Interface Reference Guide.

    setauthparam -f ldap-type MSAD

setauthparam -f ldap-server <192.168.80.10>

setauthparam -f ldap-server-hn <LDAPSERVER.STORCOM.COM>

setauthparam -f ldap-port 636

setauthparam -f ldap-ssl 1

setauthparam -f ldap-reqcert 1
  4. Copy the plain text of the root certificate of your company. Paste it in CLI using the command. The – sign will prompt you to enter the text.
    Press Enter twice to complete.

    setauthparam -f ldap-ssl-cacert -
  5. Continue by configuring the following LDAP parameters. Bear in mind that GSSAPI SASL mechanism is not available with certificates. Instead, DIGEST-MD5 is used to authenticate against an Active Directory LDAPS. 
    setauthparam -f binding sasl

setauthparam -f sasl-mechanism DIGEST-MD5

setauthparam -f kerberos-realm <STORCOM.COM>

setauthparam -f accounts-dn "OU=Admin ,DC=STORCOM,DC=COM"

setauthparam -f account-obj user

setauthparam -f account-name-attr sAMAccountName

setauthparam -f memberof-attr memberOf
  6. Finally, map the AD groups with the user roles on Primera / 3PAR OS 
    setauthparam -f super-map 
"CN=Storage Admin,OU=SecGroup,DC=STORCOM,DC=COM"
  7. To test LDAPS authentication, use the command checkpassword

    STORPRIM01 cli% checkpassword STORUSER 

password:

Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list.

Read More
By dardan