LDAP authentication can be tricky when using unsecured ports. As you already know, Primera and 3PAR arrays use by default unsecured LDAP port 389. In our previous article we talked about HPE Primera LDAP Active Directory Integration. This article will focus on configuring LDAP over SSL (port 636) for Primera and StoreServ (3PAR) arrays.
LDAP transactions, including sensitive data, i.g. passwords can be captured easily using Wireshark. In addition, Microsoft will soon (Q2/2020) cease to support unsigned LDAP implementations.
I assume you already have defined AD groups to map with user roles, and you have the root certificate in your possession.
- Log in to your Primera / 3par array using CLI
- Additionally, remove any existing LDAP configuration
setauthparam -f -clearall
- Next, we will configure LDAP over SSL for Primera and 3PAR OS.
For detailed information about the usage, read HPE Primera OS 4.0 Command Line Interface Reference Guide.
setauthparam -f ldap-type MSAD setauthparam -f ldap-server <192.168.80.10> setauthparam -f ldap-server-hn <LDAPSERVER.STORCOM.COM> setauthparam -f ldap-port 636 setauthparam -f ldap-ssl 1 setauthparam -f ldap-reqcert 1
- Copy the plain text of the root certificate of your company. Paste it in CLI using the command. The – sign will prompt you to enter the text.
Press Enter twice to complete.
setauthparam -f ldap-ssl-cacert -
- Continue by configuring the following LDAP parameters. Bear in mind that GSSAPI SASL mechanism is not available with certificates. Instead, DIGEST-MD5 is used to authenticate against an Active Directory LDAPS.
setauthparam -f binding sasl setauthparam -f sasl-mechanism DIGEST-MD5 setauthparam -f kerberos-realm <STORCOM.COM> setauthparam -f accounts-dn "OU=Admin ,DC=STORCOM,DC=COM" setauthparam -f account-obj user setauthparam -f account-name-attr sAMAccountName setauthparam -f memberof-attr memberOf
- Finally, map the AD groups with the user roles on Primera / 3PAR OS
setauthparam -f super-map "CN=Storage Admin,OU=SecGroup,DC=STORCOM,DC=COM"
- To test LDAPS authentication, use the command checkpassword
STORPRIM01 cli% checkpassword STORUSER password:
Any suggestion or question? Leave a reply below, or feel free to contact us. Make sure to subscribe to our mailing list.3PAR, HPE Primera, LDAPS