Tag Archive : LDAP


LDAP(s) Configuration on Brocade switches

26/10/2021 | SAN | No Comments


In this tutorial we go through the steps needed to implement LDAP(S) authentication against Microsoft Active Directory on Brocade SAN switches.
Authenticating with local users on network devices is not only time consuming to manage, it is also a serious security risk.

Before making any changes to your infrastructure, it is always recommended to make a copy of your switch configuration. Always perform changes on test devices before replicating them to your production environment.

On Fabric OS we can use either LDAP or LDAPS. As the name suggests, LDAP is the plain, unencrypted protocol, while LDAPS wraps the connection in TLS and uses certificates to authenticate the server (and, here, the switch as client) before credentials are sent.

Certificate for LDAPs service

  1. Log in to your switch using a privileged account.
  2. To list the certificates already present on the switch, use the command:
    seccertmgmt show --all
  3. To create the Certificate Signing Request (.csr) use:
    seccertmgmt generate -csr ldap
  4. Note the file name created in the previous step. The file should end with the .csr extension.
  5. To export the CSR file from the switch use the following command. Make sure you have an FTP host ready to receive the transfer.
    seccertmgmt export -csr ldap -protocol ftp
  6. Have the CSR file signed by your certificate administrator.
  7. First, we import the CA (root & intermediate) bundled certificate:
    seccertmgmt import -ca -client ldap
  8. If you don't know how to combine the root & intermediate CA certificates, please check Enable HTTPS protocol on Brocade switches under Combining Root and Intermediate certificate.
  9. Next, we import the same bundled certificate again, under the server role. Use the same bundle file as before.
    seccertmgmt import -ca -server ldap
  10. Finally, we import the switch/client certificate: the one issued from the CSR we exported in step 5 and signed by our certificate administrator.
    seccertmgmt import -cert ldap
  11. At this point the LDAP certificates are in place and we can continue with the implementation.
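Before importing the bundle (step 7) and the signed certificate (step 10), it pays to confirm on an admin workstation that the signed certificate really chains to the root + intermediate bundle; a bundle missing its intermediate is the most common reason the LDAPS handshake later fails. The script below is an added example, not part of the original post and not Brocade tooling: it builds a throwaway lab PKI with openssl (every name in it is constructed), signs a CSR the way a certificate administrator would, writes the combined CA bundle and checks the chain, showing that the root alone is not enough when an intermediate issued the certificate. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not part of the original post): build a lab PKI with openssl,
# bundle root + intermediate as step 7 expects, and verify that the signed
# "ldap" certificate chains to that bundle before anything is imported.
# All names (Lab Root CA, Lab Issuing CA, ldap.storcom.example) are constructed.
set -eu

# X.509 v3 extensions every CA certificate in the chain needs.
write_ca_ext() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1"
}

# Create root CA, intermediate CA, the switch CSR and the signed leaf, all in $1.
make_lab_pki() {
    dir=$1
    write_ca_ext "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth,serverAuth\n' > "$dir/leaf.ext"

    # Root CA (self-signed)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.csr" \
        -subj "/CN=Lab Root CA" >/dev/null 2>&1
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" >/dev/null 2>&1

    # Intermediate (issuing) CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" -out "$dir/int.csr" \
        -subj "/CN=Lab Issuing CA" >/dev/null 2>&1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.crt" >/dev/null 2>&1

    # The switch CSR (what "seccertmgmt generate -csr ldap" produces), signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ldap.key" -out "$dir/ldap.csr" \
        -subj "/CN=ldap.storcom.example" >/dev/null 2>&1
    openssl x509 -req -in "$dir/ldap.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/ldap.crt" >/dev/null 2>&1

    # The bundle that "seccertmgmt import -ca" takes: intermediate followed by root.
    cat "$dir/int.crt" "$dir/root.crt" > "$dir/ca-bundle.pem"
}

# verify_chain LEAF CAFILE: return 0 if LEAF chains to the CA certs in CAFILE, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demonstration: the full bundle verifies, the root on its own does not.
demo() {
    work=$(mktemp -d)
    make_lab_pki "$work"
    if verify_chain "$work/ldap.crt" "$work/ca-bundle.pem"; then
        echo "ldap.crt chains to the root+intermediate bundle: OK"
    fi
    if ! verify_chain "$work/ldap.crt" "$work/root.crt"; then
        echo "ldap.crt does NOT verify against the root alone: intermediate missing from bundle"
    fi
    rm -rf "$work"
}
demo
```

Run the same `openssl verify -CAfile <bundle> <signed cert>` against the real files your certificate administrator returns; if it does not print `OK`, fix the bundle before touching the switch.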

Switch authentication methods

There are several methods to authenticate on the switch, but we will use two of them: LDAPS as the primary authentication and the local database as the secondary. The secondary method takes over if the LDAP server does not respond, or if a local account and password match.

To see the current configuration use:

aaaconfig --show
Brocade – Show authentication methods

To add an LDAP server to the switch use the following command:

aaaconfig --add <LDAP server FQDN> -conf ldap -d <domain name>

Where <LDAP server FQDN> is the Fully Qualified Domain Name of the LDAP server, for example ldap1.storcom.com.

Where <domain name> is the domain the LDAP server resides in.

Finally, we will configure LDAP as primary authentication method, and local database as secondary:

aaaconfig --authspec "ldap;local"

LDAP supported configurations

The picture below shows the supported authentication configurations. In this tutorial we use Option 3: LDAPv3 with TLS and certificate over port 389.

Brocade LDAP Authentication Supported Configurations

LDAPS implementation

Before any other configuration, we have to create the authentication groups in LDAP, or Active Directory in our case. Create the desired groups in AD so that they can be linked to the switch configuration.

In this example I have created an AD group called “STORCOM FOS Admins”. This LDAP group will be mapped against the local admin role on the switch.

To map the LDAP group with the SAN switch role, use the following command:

ldapcfg --maprole "STORCOM FOS Admins" admin

To add extra attributes, for example domain IDs, use the following command:

ldapcfg --mapattr "STORCOM FOS Admins" -l "admin=1-128" -h 128 -c admin

For more available attributes, please check Brocade Fabric OS Command Reference.

To see the existing role mappings, use:

ldapcfg --show

To unmap a role, use:

ldapcfg --unmaprole "STORCOM FOS Admins" admin

Any suggestion or question? Leave a reply below, or feel free to contact us. Also make sure to subscribe to our mailing list to get the latest updates.

Primera Web GUI

In this article we focus on integrating HPE Primera into Active Directory. Instead of logging into the array with local users, we can configure a Primera (or StoreServ) array to use LDAP authentication. Primera supports several LDAP directory types, such as Microsoft Active Directory, OpenLDAP and Red Hat Directory Server.

There are 3 methods that allow us to configure our array to use external (LDAP or AD) authentication.
Whichever we choose, we start by creating the security groups in Active Directory. If you're not familiar with AD, here is a good read for you: Active Directory Security Groups.

In my case, I have created the following security groups:

  • HPE Primera Admin: AD Group which has full admin rights (super)
  • HPE Primera Browse: AD Group which has only read access (browse)

Feel free to be more creative with group names 😉

Configuring Primera LDAP / AD authentication using Web GUI

  1. Navigate to your Primera UI portal and log in with your admin account.
  2. Click on Settings, then select LDAP configuration.
  3. On the right pane, click on + Create.
  4. Select Microsoft Active Directory as LDAP Type.
  5. Accounts DN: this is the directory your AD users reside in, e.g. OU=Users,DC=STORCOM,DC=COM
  6. Under Binding, select GSSAPI.
  7. Enter the Kerberos Realm, e.g. STORCOM.COM
  8. Under Connection Details, enter the IP address of your LDAP server.
  9. Enter the LDAP Server name. This is the FQDN of the AD server, e.g. SERVER01.STORCOM.COM
  10. Finally, under Authorizations you can associate your AD groups with Primera roles.
  11. Click on Add Authorizations, and select super-map under Authorization Group.
  12. The group distinguished name is the group the admin members are placed in. In my case it is: CN=HPE Primera Admin,OU=FunctionalGroups,DC=STORCOM,DC=COM

Integrating Active Directory authentication using Primera CLI

In the next steps we configure the same thing using the Primera CLI, so some familiarity with the CLI is assumed. A good reference is the HPE Primera OS 4.0 Command Line Interface Reference Guide.

setauthparam -f ldap-type MSAD
setauthparam -f accounts-dn "OU=Users,DC=STORCOM,DC=COM"
setauthparam -f binding sasl
setauthparam -f sasl-mechanism GSSAPI
setauthparam -f kerberos-realm STORCOM.COM
setauthparam -f kerberos-server 192.168.1.10
setauthparam -f ldap-server 192.168.1.10
setauthparam -f ldap-server-hn SERVER01.STORCOM.COM
setauthparam -f ldap-port 389
setauthparam -f super-map "CN=HPE Primera Admin,OU=FunctionalGroups,DC=STORCOM,DC=COM"
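The Web GUI and CLI steps above both boil down to a handful of values that have to agree with each other: the Kerberos realm, the DC components of the accounts DN and of the group DN, the FQDN of the server and the bind type. A typo in any of them tends to surface only as a vague login failure. The script below is an added example, not part of the original post and not HPE tooling: it pulls the domain out of a DN, checks the values against each other, flags a non-SASL bind on the plain LDAP port, and prints the setauthparam lines with the quoting the DNs need. Parameter names are the ones used in the post; the checks and sample values are constructed here. The helper functions `dn_domain`, `dn_first_attr`, `check_auth_params` and `render_setauthparam` are this example's own names, and escaped commas inside DN values (RFC 4514 `\,`) are not handled by this simple parser.

```shell
#!/bin/sh
# Added example (not part of the original post or of HPE's tooling): pre-flight
# checks for the values that go into setauthparam. Parameter names follow the post;
# the checks and the sample values are constructed. "\," inside a DN is not supported.

# dn_domain DN -> DNS-style domain built from the DC components, lower-cased.
#   "OU=Users,DC=STORCOM,DC=COM" -> "storcom.com"
dn_domain() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*[Dd][Cc]=//p' \
        | paste -s -d . - | tr 'A-Z' 'a-z'
}

# dn_first_attr DN -> attribute type of the leftmost RDN ("CN", "OU", ...)
dn_first_attr() {
    printf '%s\n' "$1" | sed 's/=.*//' | tr 'a-z' 'A-Z'
}

# check_auth_params REALM ACCOUNTS_DN GROUP_DN SERVER_HN PORT BINDING
# Prints one finding per line; the return value is the number of findings (0 = clean).
check_auth_params() {
    realm=$1 accounts_dn=$2 group_dn=$3 server_hn=$4 port=$5 binding=$6
    n=0
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    if [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "kerberos-realm '$realm' should be upper-case"; n=$((n+1))
    fi
    if [ "$(dn_domain "$accounts_dn")" != "$domain" ]; then
        echo "accounts-dn '$accounts_dn' is not in domain $domain"; n=$((n+1))
    fi
    if [ "$(dn_domain "$group_dn")" != "$domain" ]; then
        echo "super-map '$group_dn' is not in domain $domain"; n=$((n+1))
    fi
    if [ "$(dn_first_attr "$group_dn")" != "CN" ]; then
        echo "super-map '$group_dn' does not name a group object (expected CN=...)"; n=$((n+1))
    fi
    case "$(printf '%s' "$server_hn" | tr 'A-Z' 'a-z')" in
        *."$domain") ;;
        *) echo "ldap-server-hn '$server_hn' is not an FQDN in $domain"; n=$((n+1)) ;;
    esac
    if [ "$binding" != "sasl" ] && [ "$port" = "389" ]; then
        echo "binding '$binding' on plain LDAP port 389 sends credentials unprotected"; n=$((n+1))
    fi
    return "$n"
}

# render_setauthparam KEY VALUE -> the CLI line, quoting values that contain spaces or commas
render_setauthparam() {
    case $2 in
        *[[:space:],]*) printf 'setauthparam -f %s "%s"\n' "$1" "$2" ;;
        *)              printf 'setauthparam -f %s %s\n' "$1" "$2" ;;
    esac
}

# Stand-alone demonstration with the values from the post.
demo() {
    accounts="OU=Users,DC=STORCOM,DC=COM"
    group="CN=HPE Primera Admin,OU=FunctionalGroups,DC=STORCOM,DC=COM"
    if check_auth_params STORCOM.COM "$accounts" "$group" SERVER01.STORCOM.COM 389 sasl; then
        echo "# parameters are consistent, commands to run:"
        render_setauthparam ldap-type MSAD
        render_setauthparam accounts-dn "$accounts"
        render_setauthparam binding sasl
        render_setauthparam sasl-mechanism GSSAPI
        render_setauthparam kerberos-realm STORCOM.COM
        render_setauthparam ldap-server-hn SERVER01.STORCOM.COM
        render_setauthparam ldap-port 389
        render_setauthparam super-map "$group"
    fi
}
demo
```

Feed it your own realm, DNs and server name before typing the commands on the array; each finding it prints is one login failure you do not have to debug afterwards.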

To remove the whole authentication configuration, use setauthparam -f -clearall
To remove only a specific parameter, use setauthparam -f -clear <parameter name>, for example:

setauthparam -f -clear ldap-port

Configuring Primera LDAP using SSMC

The third way to configure LDAP on Primera or StoreServ is the StoreServ Management Console (SSMC).

  1. Navigate to SSMC and log in with your admin account.
  2. Under Security, select LDAP.
  3. Click on + Create LDAP configuration.
  4. Select the system, then follow the same steps as for the Primera Web GUI above.

See other articles about HPE Primera: Implementing CA Certificates on HPE Primera UI.

Any suggestion or question? Leave a reply below, or contact us. Make sure to also subscribe to our mailing list. No spam. Promised!