In this article we will focus on integrating HPE Primera into Active Directory. Instead of logging into the array using local users, we can configure Primera (or StoreServ) array to use LDAP authentication. Furthermore, Primera supports several LDAP authentications, such as Microsoft Active Directory, OpenLDAP or Red Hat Directory Server.
There are 3 methods that allow us to configure our array to use external (LDAP or AD) authentication.
To begin with, we will start by creating the security groups in Active Directory. If you’re not familiar with AD, here is a good read for you Active Directory Security Groups.
In my case, I have created the following security groups:
- HPE Primera Admin: AD Group which has full admin rights (super)
- HPE Primera Browse: AD Group which has only read access (browse)
Feel free to be more creative with group names 😉
Configuring Primera LDAP / AD authentication using Web GUI
- Navigate to your Primera UI portal and log in with your admin account
- Click on Settings then select LDAP configuration
- On the right pane, click on + Create
- Select Microsoft Active Directory as LDAP Type
- Accounts DN: This is the directory where your AD users reside in. I.g. OU=Users,DC=STORCOM,DC=COM
- Under Binding, select GSSAPI
- Enter Kerberos Realm, i.g.: STORCOM.COM
- Under Connection Details, enter the IP Address of my LDAP server.
- Enter LDAP Server name. It’s the FQDN of my AD Server, i.g: SERVER01.STORCOM.COM
- Finally, under Authorizations you can associate your AD Groups with Primera roles.
- Click on Add Authorizations, and select super-map under Authorization Group
- The group distinguished name is the group where the admin members will be placed in. In my case it is: CN=HPE Primera Admin,OU=FunctionalGroups,DC=STORCOM,DC=COM
Integrating Active Directory authentication using Primera CLI
In the next steps we are going to configure the same using Primera CLI. Hence it is important to have understanding of CLI. A great article can be found here HPE Primera OS 4.0 Command Line Interface Reference Guide.
setauthparam -f ldap-type MSAD setauthparam -f accounts-dn "OU=Users,DC=STORCOM,DC=COM" setauthparam -f binding sasl setauthparam -f sasl-mechanism GSSAPI setauthparam -f kerberos-realm STORCOM.COM setauthparam -f kerberos-server 192.168.1.10 setauthparam -f ldap-server 192.168.1.10 setauthparam -f ldap-server-hn SERVER01.STORCOM.COM setauthparam -f ldap-port 389 setauthparam -f super-map "CN=HPE Primera Admin,OU=FunctionalGroups,DC=STORCOM,DC=COM"
To remove the whole authentication config, use setauthparam -f -clearall
Additionally, to only remove a specific parameter, use setauthparam -f -clear <parameter name> for example:
setauthparam -f -clear ldap-port
Configuring Primera LDAP using SSMC
The third method to configure Primera or StoreServ is to use LDAP is using StoreServ Management Console.
- Navigate to SSMC and log in with your admin account.
- Under Security, select LDAP
- Click on + Create LDAP configuration
- Select the system and eventually follow the steps above. The same steps are executed as configuring LDAP using Primera Web GUI.
See other articles about HPE Primera: Implementing CA Certificates on HPE Primera UI.
Any suggestion or question? Leave a reply below, or contact us. Make sure to also subscribe to our mailing list. No spam. Promised!HPE Primera, LDAP