Configure LDAP over SSL for Primera and 3PAR


LDAP over SSL for Primera and 3PAR

LDAP authentication can be tricky when using unsecured ports. As you already know, Primera and 3PAR arrays use the unsecured LDAP port 389 by default. In our previous article we discussed HPE Primera LDAP Active Directory integration. This article focuses on configuring LDAP over SSL (port 636) for Primera and StoreServ (3PAR) arrays.

Unencrypted LDAP transactions, including sensitive data such as passwords, can be captured easily with Wireshark. In addition, Microsoft will soon (Q2/2020) cease to support unsigned LDAP implementations.

I assume you have already defined the AD groups to map to user roles, and that you have your company's root certificate at hand.

  1. Log in to your Primera / 3PAR array using the CLI.
  2. Remove any existing LDAP configuration:
    setauthparam -f -clearall
  3. Next, configure LDAP over SSL for Primera and 3PAR OS. For detailed information about the usage, read the HPE Primera OS 4.0 Command Line Interface Reference Guide.
    setauthparam -f ldap-type MSAD
    setauthparam -f ldap-server <192.168.80.10>
    setauthparam -f ldap-server-hn <LDAPSERVER.STORCOM.COM>
    setauthparam -f ldap-port 636
    setauthparam -f ldap-ssl 1
    setauthparam -f ldap-reqcert 1
  4. Copy the plain text of your company's root certificate and paste it into the CLI using the following command. The - argument prompts you to enter the text; press Enter twice to complete.
    setauthparam -f ldap-ssl-cacert -
  5. Continue by configuring the following LDAP parameters. Bear in mind that the GSSAPI SASL mechanism is not available with certificates; instead, DIGEST-MD5 is used to authenticate against Active Directory over LDAPS.
    setauthparam -f binding sasl
    setauthparam -f sasl-mechanism DIGEST-MD5
    setauthparam -f kerberos-realm <STORCOM.COM>
    setauthparam -f accounts-dn "OU=Admin,DC=STORCOM,DC=COM"
    setauthparam -f account-obj user
    setauthparam -f account-name-attr sAMAccountName
    setauthparam -f memberof-attr memberOf
  6. Finally, map the AD groups to the user roles on Primera / 3PAR OS:
    setauthparam -f super-map "CN=Storage Admin,OU=SecGroup,DC=STORCOM,DC=COM"
  7. To test LDAPS authentication, use the checkpassword command:
    STORPRIM01 cli% checkpassword STORUSER
    password:
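As an added pre-flight helper (not from this article and not HPE code), the Python below generates the setauthparam sequence of steps 2 to 6 with the LDAPS values fixed (port 636, ldap-ssl 1, ldap-reqcert 1) and rejects a malformed DN before it is typed into the array, and verify_ldaps() reproduces from a workstation the check that ldap-reqcert 1 is assumed here to make the array perform: a TLS handshake on 636 validated against your root CA and the name in ldap-server-hn. The IP, host name, realm and DNs are the article's placeholders.

```python
import re
import socket
import ssl

# One "attr=value" per RDN, comma-separated; escaped commas (\,) are not handled.
_DN_RE = re.compile(r"^[A-Za-z]+=[^,=]+(?:,[A-Za-z]+=[^,=]+)*$")


def check_dn(dn: str) -> bool:
    """Reject malformed DNs, including a stray space before a comma."""
    return bool(_DN_RE.match(dn)) and " ," not in dn and not dn.endswith(" ")


def build_commands(server_ip, server_fqdn, realm, accounts_dn, super_group_dn):
    """Return the setauthparam sequence from steps 2-6, with the LDAPS
    settings (port 636, ldap-ssl 1, ldap-reqcert 1) fixed, not typed by hand."""
    for dn in (accounts_dn, super_group_dn):
        if not check_dn(dn):
            raise ValueError(f"malformed DN: {dn!r}")
    if "." not in server_fqdn or not re.fullmatch(r"[A-Za-z0-9.-]+", server_fqdn):
        raise ValueError("ldap-server-hn must be the FQDN on the server certificate")
    return [
        "setauthparam -f -clearall",
        "setauthparam -f ldap-type MSAD",
        f"setauthparam -f ldap-server {server_ip}",
        f"setauthparam -f ldap-server-hn {server_fqdn}",
        "setauthparam -f ldap-port 636",
        "setauthparam -f ldap-ssl 1",
        "setauthparam -f ldap-reqcert 1",
        "setauthparam -f ldap-ssl-cacert -",  # then paste the root CA text, Enter twice
        "setauthparam -f binding sasl",
        "setauthparam -f sasl-mechanism DIGEST-MD5",
        f"setauthparam -f kerberos-realm {realm}",
        f'setauthparam -f accounts-dn "{accounts_dn}"',
        "setauthparam -f account-obj user",
        "setauthparam -f account-name-attr sAMAccountName",
        "setauthparam -f memberof-attr memberOf",
        f'setauthparam -f super-map "{super_group_dn}"',
    ]


def verify_ldaps(server_fqdn, cafile, port=636, timeout=5):
    """Validate the AD server's chain against the root CA (cafile, PEM) and the
    name on its certificate, as ldap-reqcert 1 is assumed to make the array do."""
    # create_default_context() already sets CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((server_fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_fqdn) as tls:
            cert = tls.getpeercert()
            return {"tls_version": tls.version(), "not_after": cert["notAfter"]}
```

Run verify_ldaps("LDAPSERVER.STORCOM.COM", "root-ca.pem") before step 4; a handshake that fails here will also fail on the array once ldap-reqcert is 1.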

Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list.

