HiCommand LDAP authentication setup

We discussed about HiCommand and that the default user account is system with the password of "manager"... However, that is not very secure so we are looking to add new users and grant them permission on different components. However, we could take advantage of LDAP authentication so we can enable HDS to peform LDAP queries to AD.

This way, users can authenticate using their AD username and passwords avoiding the need to manage a different set of users. Just only thing to keep in mind though... Make sure the username you are trying to add does not already exists as a "internal" authentication user. You will need to remove that username and recreate it if you want to add him.

HiCommand

The setup is very simple, just follow the following process:

Built-in system account cannot be used with LDAP, only local. Please note that dsquery are active directory commands, might not work on your server but are not needed we are using them only for verification in this example. Also, not all AD's use Certificates to perform authentication, please confirm with your AD team if you need to enable the certificates or not. If not, skip the OPTIONAL fields. All red text represent commands that need to be run from the Command Prompt.

    1. Create a binding account on AD server which will be used by HCS for reading AD directories when appropriate HCS users require their authentication and authorization. This AD account will be used to query AD. Make sure that this account is not locked, expired or deleted. You can use the following command to make sure all is ok with the account.
      dsquery user –samid hds_bind "CN=hds_bind,OU=Users,OU=Company,DC=company_domain,DC=com"

 

    1. [SKIP if using existing AD groups] You can create three groups on AD server. They will be used to authorize HCS users’ rights. Alternatively you can use a group that already exists, but you need to get the Distinghued Name (ask this to your AD guys, they will tell your Distinguished Name for your group/groups). In this example we have 3 groups used for different purposes.dsquery group -name *HCS*
      "CN=HCS_Admin_Group,OU=Managed_Groups,OU=Company,DC=company_domain,DC=com"
      "CN=HCS_Modify_Group,OU=Managed_Groups,OU=Company,DC=company_domain,DC=com"
      "CN=HCS_View_Group,OU=Managed_Groups,OU=Company,DC=company_domain,DC=com"

 

    1. All existing AD accounts which are going to be used in appropriate roles on HCS (for example storage admins will be part of HCS_Admin_Group above) need to be assigned into appropriate newly created on AD HCS related groups.

 

    1. OPTIONAL:Export a security certificate from AD server. A certificate must show same value in its CN name as host name value in “exauth.properties” file (see below).

 

    1. Open a command line interface to the Hicommand Device Manager cmd and specify the user account used to query the AD for authenticating LDAP queries. Rememeber get the dn (distinguished name) from your Active Directory guys. In this case we use an account called hds_bind with the pasword hds_bind_password
      :
      D:\Program Files (x86)\HiCommand\Base\bin>hcmdsldapuser /set /dn “CN=hds_bind,OU=Generic_IDs,OU=Users,OU=Company,DC=company_domain,DC=com" /pass hds_bind_password /name AD_SERVER.company_domain.com
      KAPM05250-I Registration of the information-search user has finished.

 

    1. All the LDAP configuration in completed in the file caleld exauth.properties. Please note that Edit “exauth.properties” file in D:\Program Files (x86)\HiCommand\Base\conf (Please note there is also a exauth.properties in the d:\Program Files (x86)\HiCommand\Base\sample\conf, don't edit this one, the correct on sits in \base\conf\). A very important note. The way the config is done is by assigning a "label" to your server. USE THAT LABEL IN ALL THE FIELDS BELLOW. If you decide to call your auth.server.name=DCPROD01.mycompany.LOCAL then all next fields will be in the format auth.ldap.DCPROD01.mycompany.LOCAL.option=value Check the bold text bellow to see what you need to change if you decide to change the name. A lot of admins change the server_name but not the rest of the field. So again, if you want to change the auth.server.name (represented bellow in italic bold text), make sure you change it all around.auth.server.type=ldap
      auth.server.name=AD_SERVER.company_domain.com
      auth.group.mapping=true
      auth.ldap.AD_SERVER.company_domain.com.protocol=tls
      auth.ldap.AD_SERVER.company_domain.com.host=actual_DNS_name_for_your_AD_Server
      auth.ldap.AD_SERVER.company_domain.com.port=389
      auth.ldap.AD_SERVER.company_domain.com.timeout=15
      auth.ldap.AD_SERVER.company_domain.com.attr=sAMAccountName
      auth.ldap.AD_SERVER.company_domain.com.basedn=dc=company_domain,dc=com
      auth.ldap.AD_SERVER.company_domain.com.retry.interval=1
      auth.ldap.AD_SERVER.company_domain.com.retry.times=20
      auth.ldap.AD_SERVER.company_domain.com.domain.name=company_domain.com
      auth.ldap.AD_SERVER.company_domain.com.dns_lookup=true

 

    1. OPTIONAL Import AD certificate into HCS. Keystore “ldapcacert” which is just a file below does not exist on the moment of this command runs. The AD_SERVER.cer is the file we exported earlier in step 4.
      D:\Program Files (x86)\HiCommand\Base\bin>hcmdskeytool -import -alias AD_SERVER -file .\AD_SERVER.cer -keystore "D:\Program Files (x86)\HiCommand\Base\conf\sec\ldapcacerts"
      Enter keystore password: passphrase
      Owner: CN=AD_SERVER.company_domain.com, O=Company, L=City, ST=State, C=Country_code
      Issuer: ISSUER_DETAILS
      Serial number: SN_NUMBER
      Valid from: DATES_FROM-TO
      Certificate fingerprints:
      MD5: Sequence _1
      SHA1: Sequence_2
      Trust this certificate? [no]: y
      Certificate was added to keystore

 

    1. You need to restart HCS services:
      D:\Program Files (x86)\HiCommand\Base\bin>hcmdssrv /stop
      D:\Program Files (x86)\HiCommand\Base\bin>hcmdssrv /start

 

    1. Verify communications between HCS and AD server by issuing the following command (AD_registered_user is one of storage admins’ account, AD_registered_user_password is AD_registered_user’s password):
      D:\Program Files (x86)\HiCommand\Base\bin>hcmdscheckauth /user AD_registered_user /pass AD_registered_user_password

      KAPM15003-I The configuration check of Phase1 will now start.
      type : ldap
      server : AD_SERVER.company_domain.com
      KAPM15227-I Group linkage is enabled.
      KAPM15004-I The result of the configuration check of Phase1 was normal.
      KAPM15003-I The configuration check of Phase2 will now start.
      KAPM15006-I The configuration of the server AD_SERVER.company_domain.com will now be checked.
      KAPM15007-I The result of the configuration check of the server AD_SERVER.company_domain.com was normal.
      KAPM15004-I The result of the configuration check of Phase2 was normal.
      KAPM15228-W The external authentication group was not linked to because an authentication user was found on the DBMS.
      KAPM15003-I The configuration check of Phase3 will now start.
      KAPM15010-I The connection to the server AD_SERVER.company_domain.com will now be checked. (host = AD_SERVER.company_domain.com, port = 389, protocol = tls)
      KAPM15011-I The server AD_SERVER.company_domain.com can be connected to normally.
      KAPM15004-I The result of the configuration check of Phase3 was normal.
      KAPM15245-I A connection was successfully established. (server name = AD_SERVER.company_domain.com)

 

    1. Now, that we have LDAP connectivity between our AD and HCS we need to tell HCS how to use the groups. Go to HCS GUI, Administration tab and open “Users an permissions” view. “Groups” folder must be expandable. Expand it, find AD server name, click on it and invoke “Add groups” function / button.
      hdad2
      In the wizard window, paste CN name of the first AD group created above:
      CN=HCS_Admin_Group,OU=Managed_Groups,OU=Groups,OU=Company,DC=company_domain,DC=com
      Before clicking OK button, verify that this group is confirmed by AD by clicking on “Check DN” button. Register all the rest groups in this manner.
      hdad3
    2. Once you are done adding the AD groups, you will be able to find them under Groups. Expand Groups under Users and Permissions and you will see your AD servername in the list. Expand it then you will be able to see your groups. Click on the group you want to change the permissions then click the Change Permissions button on the top.
      hdad4
    3. Now you can change the permissions for what applications you need to grant the Admin/Modify/Execute or View rights.
      hdad5
    4. Once this is done you need to create the users and specify what resources they might see. A common confusion is that once LDAP authentication is complete, all users in that group inherit admin right or whatever rights you assigned. The reality is that they inherit the right to use the applications but not the rights to see the resources. To allow them to see the resources you need to add them in a resource group. Close the Users and Permissions group and open User Groups under the main Adminstration tab. Click the LDAP Group then click on Add Resource Groups.
      hdad8

 

    1. If you have multiple Resource Groups (different arrays, etc) chose it here, otherwise select All Resources and Click on the Role dropdown to select the Role (Admin/Modify/View)
      hdad9
      Click Ok and you are ready to go.

 

    1. If for whatever reason you want to assign different permissions for resorces to your users in the same group then you need to first add the LDAP users. Go into Users and Permissions -> Expand Users and click Add User. Fill in the userid and make sure that it matches the AD (active directory) userid. No need for a password, and you can specify Full Name, email and/or description. Once you click ok if everything is allright you should see your username with authentication type of LDAP next to it.
      hdad6
      hdad7

 

    1. Now, rather then opening the LDAP usergroup, click on the Admin Group and the click on Add Users. You will see your newly added users in the dropdown. Select them and add them.
      hdad10hdad11

 

  1. Logout and then try to login using your AD username and password. No need for specification of domain or to use the user@domain format. You should be ready to go

Thx to Alexander on community.hds.com for starting the thing that drove this as well https://community.hds.com/message/7499?tstart=0#7499

 

3 comments

  1. Do you have any idea why the “group” options is not visible on our HCS under user and permission?

  2. Muhammad Sarfraz

    Hi i have configured as above but while testing phase1 and phase2 is normal but on third phase geting KAPM15246-E A connection attempt has faild. Can someone suggest,
    Muhammadsarfraz@live.com

  3. Muhammad Sarfraz

    on checks64checkaut.exe on third phase it is giving error the specified user was not found. can you please support.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.