LDAP authentication can be tricky when using unsecured ports. As you already know, Primera and 3PAR arrays use by default unsecured LDAP port 389. In our previous article we talked about HPE Primera LDAP Active Directory Integration. This article will focus on configuring LDAP over SSL (port 636) for Primera and StoreServ (3PAR) arrays.
LDAP transactions, including sensitive data, i.g. passwords can be captured easily using Wireshark. In addition, Microsoft will soon (Q2/2020) cease to support unsigned LDAP implementations.
I assume you already have defined AD groups to map with user roles, and you have the root certificate in your possession.
- Log in to your Primera / 3par array using CLI
- Additionally, remove any existing LDAP configuration
setauthparam -f -clearall
- Next, we will configure LDAP over SSL for Primera and 3PAR OS.
For detailed information about the usage, read HPE Primera OS 4.0 Command Line Interface Reference Guide.
setauthparam -f ldap-type MSAD setauthparam -f ldap-server <192.168.80.10> setauthparam -f ldap-server-hn <LDAPSERVER.STORCOM.COM> setauthparam -f ldap-port 636 setauthparam -f ldap-ssl 1 setauthparam -f ldap-reqcert 1
- Copy the plain text of the root certificate of your company. Paste it in CLI using the command. The – sign will prompt you to enter the text.
Press Enter twice to complete.
setauthparam -f ldap-ssl-cacert -
- Continue by configuring the following LDAP parameters. Bear in mind that GSSAPI SASL mechanism is not available with certificates. Instead, DIGEST-MD5 is used to authenticate against an Active Directory LDAPS.
setauthparam -f binding sasl setauthparam -f sasl-mechanism DIGEST-MD5 setauthparam -f kerberos-realm <STORCOM.COM> setauthparam -f accounts-dn "OU=Admin ,DC=STORCOM,DC=COM" setauthparam -f account-obj user setauthparam -f account-name-attr sAMAccountName setauthparam -f memberof-attr memberOf
- Finally, map the AD groups with the user roles on Primera / 3PAR OS
setauthparam -f super-map "CN=Storage Admin,OU=SecGroup,DC=STORCOM,DC=COM"
- To test LDAPS authentication, use the command checkpassword
STORPRIM01 cli% checkpassword STORUSER password:
Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list.
thank you for the post. basically the configuration is working. i just had to use 3269 because of multidomain.
so with this config i can login via ssh to my 3par systems with my AD account. but on ssmc im no longer able to login with my ad account. ssmc tells me “Failed to authenticate user XXXXXXX on any configured arrays.”
when i move back to LDAP, then SSMC login with AD account is working again. any idea?
my second problem is, i also wanted to migrate from single domain-Controller entry, to our loadbalancer. over the LB we allready run hundret of other ldap and ldaps clients, but 3par is not able to use it. there is a line with “kerberos”. i cant see any kerberos packets, but if 3par is really using port 88 for authentication and authorization, this could be the reason. so far i dont have a kerberos LB running.
Thanks for stopping by.
Unable to log in to your SSMC console is most probably due to an inexisting root certifiate on your SSMC console.
You can add it by logging to your SSMC (as Administrator Console), Actions > Manage Certificates > Add Certificate.
I AM NOT ABLE TO INTEGRATE LDAP WITH PRIMERA, ERROR OUTPUT PASTED BELOW.
bEFORE INTEGRATION, PORTS 389 & 636 WAS OPENED. LDAP GROUP WITH ADMIN PRIVLEGE WAS CREATED IN ad
primerablgm cli% checkpassword xxxx_xx
+ attempting authentication and authorization using system-local data
+ authentication denied: unknown username
+ attempting authentication and authorization using LDAP
+ authentication denied: could not connect to server: “00.00.00.00” on port 00.00.00.00:636
user xxxx_xx is not authenticated or not authorized