
pureds

Name

pureds, pureds-disable, pureds-enable, pureds-list, pureds-setattr, pureds-test — manages FlashArray integration with a directory service

Synopsis

pureds disable [--check-peer]

pureds enable [--check-peer]

pureds list [--certificate] [--groups] [ --cli | --csv | --nvp ] [--notitle] [--page] [--raw]

pureds setattr [--array-admin-group ARRAY-ADMIN-GROUP] [--auto-fetch] [--base-dn BASE-DN] [--bind-password] [--bind-username BIND-USERNAME] [--certificate] [--group-base GROUP-BASE] [--readonly-group READONLY-GROUP] [--storage-admin-group STORAGE-ADMIN-GROUP] [--trust] [--uri URI-LIST]

pureds test

Options

-h | --help

Can be used with any command or subcommand to display a brief syntax description.

--array-admin-group ARRAY-ADMIN-GROUP

Common Name (CN) of the directory service group containing administrators with full privileges to manage the FlashArray. The name should be the Common Name of the group without the "CN=" specifier. If the configured groups are not in the same OU, also specify the OU. For example, "pureadmins,OU=PureStorage", where pureadmins is the common name of the directory service group.

--auto-fetch

Attempts to get CA certificate data from the configured URI or the first URI in the list if more than one URI is configured. This option is only used with the --certificate option.

--base-dn BASE-DN

Base of the Distinguished Name (DN) of the directory service groups. The base DN should consist of only Domain Components (DCs). Specify "DC=" for each domain component and separate multiple DCs by commas.

--bind-password

Displays a prompt from which the password of the bind-username account is entered interactively.

--bind-username BIND-USERNAME

Username used to bind to and query the directory.

For Active Directory, enter the username - often referred to as the user login name - of the account that is used to perform directory lookups. The username cannot contain the characters " [ ] : ; | = + * ? < > / \, and cannot exceed 20 characters in length.

For OpenLDAP, enter the full DN of the user. For example, "CN=John,OU=Users,DC=example,DC=com".

--certificate

Displays a prompt from which CA certificate data is entered interactively. The data must be PEM formatted (Base64 encoded) and include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. The certificate cannot exceed 3000 characters in total length. To clear the certificate, enter blank lines at the prompt.

--check-peer

Used with pureds enable or pureds disable, the check-peer option toggles server authenticity enforcement with the configured CA certificate. This option can therefore only be enabled if CA certificate data has been provided. If this option is enabled and the certificate data is later cleared, check-peer reverts to disabled.

--group-base GROUP-BASE

Specifies where the configured groups are located in the directory tree. This field consists of OUs that, when combined with the base DN attribute and the configured group CNs, complete the full DN of each group. The group base should specify "OU=" for each OU, with multiple OUs separated by commas. The OUs should increase in scope from left to right. In the following example, SANManagers contains the sub-organizational unit PureGroups: "OU=PureGroups,OU=SANManagers".

--readonly-group READONLY-GROUP

Common Name (CN) of the configured directory service group containing users with read-only privileges on the FlashArray. The name should be the Common Name of the group without the "CN=" specifier. If the configured groups are not in the same OU, also specify the OU. For example, "purereadonly,OU=PureStorage", where purereadonly is the common name of the directory service group.

--storage-admin-group STORAGE-ADMIN-GROUP

Common Name (CN) of the configured directory service group containing administrators with storage related privileges on the FlashArray. The name should be the Common Name of the group without the "CN=" specifier. If the configured groups are not in the same OU, also specify the OU. For example, "pureusers,OU=PureStorage", where pureusers is the common name of the directory service group.

--trust

Can be used with pureds setattr --certificate to skip certificate chain trust verification.

--uri URI-LIST

Comma-separated list of up to 30 URIs of the directory servers.

Each URI must include the scheme ldap:// or ldaps:// (for LDAP over SSL) followed by either a hostname with its domain name or an IP address. For example, ldap://ad.company.com configures the directory service with the hostname "ad" in the domain "company.com" and specifies the unencrypted LDAP protocol.

If specifying a domain name, it should be resolvable by the configured DNS servers. See puredns(1) for more information.

If specifying an IP address, for IPv4, specify the IP address in the form ddd.ddd.ddd.ddd, where ddd is a number ranging from 0 to 255 representing a group of 8 bits.

For IPv6, specify the IP address in the form [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx], where xxxx is a hexadecimal number representing a group of 16 bits. Enclose the entire address in square brackets ([]). Consecutive fields of zeros can be shortened by replacing the zeros with a double colon (::).

If the scheme of the URIs is ldaps://, SSL is enabled. SSL is either enabled or disabled globally, so the scheme of all supplied URIs must be the same. They must also all have the same domain.

If base DN is not configured and a URI is provided, the base DN will automatically default to the domain components of the URIs.

Optionally specify a port. If a port number is specified, append it to the end of the address. Default ports are 389 for ldap, and 636 for ldaps. Non-standard ports can be specified in the URI if they are in use.
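Added example (not Pure Storage code): a Python check that applies the URI rules above to a --uri list, parsing the scheme, host form and optional port, enforcing the single-scheme and single-domain constraints, and deriving the default base DN from the domain components when no base DN is configured. The sample URIs are constructed.

```python
"""Validate a pureds --uri list and derive the default base DN.

Added example, not Pure Storage code. It applies the rules from this man
page: scheme ldap:// or ldaps://, a hostname with domain or an IPv4 or
bracketed IPv6 address, an optional port, at most 30 URIs, and one scheme
and one domain across the whole list.
"""
import ipaddress
import re
from typing import Optional

MAX_URIS = 30
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
# scheme, then either [ipv6] or a hostname/IPv4, then an optional :port
_URI_RE = re.compile(r"^(ldaps?)://(?:\[([^\]]+)\]|([^:/\[\]]+))(?::(\d{1,5}))?$")

def parse_uri(uri: str) -> dict:
    """Split one URI into scheme, host, domain (None for IP hosts) and port."""
    m = _URI_RE.match(uri.strip())
    if not m:
        raise ValueError(f"malformed URI: {uri!r}")
    scheme, v6, host, port = m.groups()
    port = int(port) if port else DEFAULT_PORT[scheme]
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port in {uri!r}")
    if v6:
        ipaddress.IPv6Address(v6)          # rejects a malformed IPv6 address
        return {"scheme": scheme, "host": f"[{v6}]", "domain": None, "port": port}
    labels = host.split(".")
    if all(lab.isdigit() for lab in labels):   # dotted quad: each group 0..255
        ipaddress.IPv4Address(host)            # rejects e.g. 256.1.1.1 or 1.2.3
        return {"scheme": scheme, "host": host, "domain": None, "port": port}
    if len(labels) < 2 or not all(re.fullmatch(r"[A-Za-z0-9-]+", lab) for lab in labels):
        raise ValueError(f"hostname must carry a domain name: {uri!r}")
    return {"scheme": scheme, "host": host, "domain": ".".join(labels[1:]), "port": port}

def validate_uri_list(uri_list: str, base_dn: Optional[str] = None) -> dict:
    """Parse the comma-separated list, enforce the list-wide constraints and
    return the entries, whether SSL is on, and the effective base DN."""
    entries = [parse_uri(u) for u in uri_list.split(",") if u.strip()]
    if not 1 <= len(entries) <= MAX_URIS:
        raise ValueError(f"need 1..{MAX_URIS} URIs, got {len(entries)}")
    if len({e["scheme"] for e in entries}) > 1:
        raise ValueError("all URIs must use the same scheme; SSL is global")
    domains = {e["domain"] for e in entries if e["domain"]}
    if len(domains) > 1:
        raise ValueError(f"all URIs must share one domain, got {sorted(domains)}")
    if base_dn is None and domains:
        # with no base DN configured, it defaults to the URIs' domain components
        base_dn = ",".join(f"DC={p}" for p in domains.pop().split("."))
    return {"uris": entries, "ssl": entries[0]["scheme"] == "ldaps", "base_dn": base_dn}
```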

Options that control display format:

--cli

Displays output in the form of CLI commands that can be issued to reproduce the current configuration. The --cli output is not meaningful when combined with immutable attributes.

--csv

Lists information in comma-separated value (CSV) format. The --csv output can be used for scripting purposes and imported into spreadsheet programs.

--notitle

Lists information without column titles.

--nvp

Lists information in name-value pair (NVP) format, in the form ITEMNAME=VALUE. Argument names and information items are displayed flush left. The --nvp output is designed both for convenient viewing of what might otherwise be wide listings, and for parsing individual items for scripting purposes.

--page

Turns on interactive paging.

--raw

Displays the unformatted version of column titles and data. For example, in the purearray monitor output, the unformatted version of column title us/op (read) is usec_per_read_op. The --raw output is used to sort and filter list results.

Description

FlashArrays can integrate with an existing directory service to allow multiple users to log in and use the array and to provide role-based access control. Integrating with an existing directory service, such as Microsoft Active Directory or OpenLDAP, leverages the directory to maintain credentials, group/password policy and handle authentication.

Directory Service User Authentication

Configuring and enabling the Pure Storage Directory Service changes the FlashArray to use the directory when performing user account and permission level searches. If a user is not found locally, the directory servers are queried.

Logging in to the FlashArray requires <username>@<FlashArray name>, where <username> represents the sAMAccountname for Active Directory or uid for OpenLDAP, and <FlashArray name> represents the name or the IPv4 or IPv6 address of the FlashArray.

For IPv4, specify the IP address in the form ddd.ddd.ddd.ddd, where ddd is a number ranging from 0 to 255 representing a group of 8 bits.

For IPv6, specify the IP address in the form [xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx], where xxxx is a hexadecimal number representing a group of 16 bits. Enclose the entire address in square brackets ([]). Consecutive fields of zeros can be shortened by replacing the zeros with a double colon (::).

A "bind" account must be configured to allow the FlashArray to read the directory. It is good practice for this account not to be tied to any actual person and to have different password restrictions, such as password never expires. It should also not be a privileged account, since only read access to the directory is required. One or more URIs are configured to be connected to and queried. Configuring more than one URI provides redundancy if a single directory server is unable to handle directory queries.

Accounts with usernames that conflict with local accounts will not be authenticated against the directory. These account names include, but are not limited to:

  • pureuser

  • os76

  • root

  • daemon

  • sys

  • man

  • mail

  • news

  • proxy

  • backup

  • nobody

  • syslog

  • mysql

  • ntp

  • avahi

  • postfix

  • sshd

  • snmp

For Active Directory, users with disabled accounts will not have access to the FlashArray.

The Domain Component (DC) base of the Distinguished Name (DN), the Organizational Unit (OU) base of the configured groups, and the Common Names (CN) of the groups themselves build the unique Distinguished Name (DN) of the groups.

For example, "CN=purereadonly,OU=PureGroups,OU=SAN,OU=IT,OU=US,DC=mycompany,DC=com" is the full, unique name of the configured read-only group "purereadonly" at the group base "OU=PureGroups,OU=SAN,OU=IT,OU=US" and with base DN "DC=mycompany,DC=com".

To enable the Pure Storage Directory Service, at least one group must be configured, and to access the FlashArray, a user must be a member of at least one of the configured groups.

For Active Directory, two types of groups are supported: security groups and distribution groups. Distribution groups are used only with email applications to distribute messages to collections of users. Distribution groups are not security enabled. Security groups assign access to resources on your network. All groups configured on the FlashArray must be security groups.

Role-Based Access Control

Role-based access control is achieved by configuring groups in the directory that correspond to the following permission groups (roles) on the array:

  • Read Only Group. Read Only users have read-only privileges to run commands that convey the state of the array. Read Only users cannot alter the state of the array.

  • Storage Admin Group. Storage Admin users have all the privileges of Read Only users, plus the ability to run commands related to storage operations, such as administering volumes, hosts, and host groups. Storage Admin users cannot perform operations that deal with global and system configurations.

  • Array Admin Group. Array Admin users have all the privileges of Storage Admin users, plus the ability to perform array-wide changes. In other words, Array Admin users can perform all FlashArray operations.

Users in the --readonly-group group have access to execute commands that convey the state of the FlashArray, but cannot alter this state. Users in the --storage-admin-group group have access to execute commands related to storage operations, such as purevol create or purehost connect, but do not have access to commands dealing with global, system configuration such as purearray rename, purenetwork setattr, or pureds disable. Users in the --array-admin-group group can execute all FlashArray CLI commands.

Users who belong to more than one group have the privileges of the least privileged group. In other words, a user who belongs to both a Read Only group and an Array Admin group has read-only privileges.

If all groups are part of a common Organizational Unit (OU), then only a single group base is required. If, however, the groups are not a part of a common OU, then specify the OU as part of the group name. OUs are typically nested, getting more specific in purpose with each nested OU.

The FlashArray supports nested groups. For group configurations based on the shadowAccount class, groups must have the full DN of members in the member attribute. For group configurations based on the posixAccount class, groups must have the uid of members in the memberUid attribute. A user must be a member of a configured group to be able to log in to the array.
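Added example (not Pure Storage code) covering the DN construction in the Description section and the role rules above: Python that builds each configured group's DN from its CN (with optional OU), the group base and the base DN, collects a user's groups directly and through nested groups via the member or memberUid attribute, and returns the least-privileged role held. The configuration mirrors Example 4 on this page; the users and group entries are constructed.

```python
"""Effective FlashArray role from directory group membership.

Added example, not Pure Storage code: builds group DNs as this man page
describes, follows nested groups and applies the least-privilege rule.
All directory entries below are constructed sample data.
"""
from typing import Dict, Optional, Set

ROLE_RANK = {"readonly": 0, "storage_admin": 1, "array_admin": 2}  # least to most privileged

def group_dn(cn_spec: str, group_base: str, base_dn: str) -> str:
    """Full DN from a configured name ('cn' or 'cn,OU=...'), the group base
    (OUs only) and the base DN (DCs only); empty parts are skipped."""
    return ",".join(p for p in (f"CN={cn_spec}", group_base, base_dn) if p)

def member_groups(user: dict, groups: Dict[str, dict]) -> Set[str]:
    """DNs of every group the user is in, including through nested groups.
    shadowAccount-style groups list member DNs in 'member'; posixAccount-style
    groups list uids in 'memberUid'."""
    queue = [dn for dn, g in groups.items()
             if user["dn"] in g.get("member", []) or user["uid"] in g.get("memberUid", [])]
    found: Set[str] = set()
    while queue:
        dn = queue.pop()
        if dn not in found:
            found.add(dn)
            # nesting: this group's DN appears in another group's member list
            queue.extend(p for p, g in groups.items() if dn in g.get("member", []))
    return found

def effective_role(user: dict, config: dict, groups: Dict[str, dict]) -> Optional[str]:
    """Least-privileged configured role the user holds; None means no login."""
    mine = member_groups(user, groups)
    held = [role for role, cn in config["roles"].items()
            if group_dn(cn, config["group_base"], config["base_dn"]) in mine]
    return min(held, key=ROLE_RANK.__getitem__) if held else None

# Constructed configuration matching Example 4 of this page.
CONFIG = {"base_dn": "DC=mycompany,DC=com",
          "group_base": "OU=PureGroups,OU=SAN,OU=IT",
          "roles": {"readonly": "purereadonly,OU=US",
                    "storage_admin": "pureusers,OU=Asia",
                    "array_admin": "pureadmins,OU=Europe"}}
SUFFIX = ",OU=PureGroups,OU=SAN,OU=IT,DC=mycompany,DC=com"
JANE = {"dn": "CN=Jane,OU=Users,DC=mycompany,DC=com", "uid": "jane"}
BOB = {"dn": "CN=Bob,OU=Users,DC=mycompany,DC=com", "uid": "bob"}
CARL = {"dn": "CN=Carl,OU=Users,DC=mycompany,DC=com", "uid": "carl"}
GROUPS = {  # constructed directory entries; storage-team is nested in pureusers
    "CN=purereadonly,OU=US" + SUFFIX: {"member": [JANE["dn"]]},
    "CN=pureadmins,OU=Europe" + SUFFIX: {"member": [JANE["dn"]]},
    "CN=pureusers,OU=Asia" + SUFFIX: {"memberUid": ["bob"],
                                      "member": ["CN=storage-team,OU=Asia" + SUFFIX]},
    "CN=storage-team,OU=Asia" + SUFFIX: {"member": [CARL["dn"]]},
}

if __name__ == "__main__":
    for u in (JANE, BOB, CARL):
        print(u["uid"], "->", effective_role(u, CONFIG, GROUPS))
```

Jane is in both the read-only and array-admin groups and therefore resolves to read-only; Carl reaches the storage-admin group only through the nested storage-team group.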

When a user logs in to the FlashArray, only CLI actions the user has permission to execute will be visible. Similarly in the GUI, actions the user does not have permission to execute will be grayed out or otherwise disabled. The permission level of an individual user is cached locally to prevent frequently binding and querying the directory. The cache entries expire after a time limit at which point the directory is queried again and the cache entry is updated. Cache entries can be refreshed on demand using the pureadmin refresh command. Cache entries are also automatically updated when starting a new session.

Certificates

If the configured directory servers have been issued certificates, the certificate of the issuing certificate authority can be stored on the FlashArray to validate the authenticity of the directory servers. When performing directory queries, the certificate presented by the server is validated using the CA certificate.

Server authenticity is only enforced if check-peer is enabled. Check-peer may only be enabled if a CA certificate has been configured.

Only one certificate can be configured at a time, so the same certificate authority should be the issuer of all directory server certificates. The certificate must be PEM formatted (Base64 encoded) and include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. The certificate cannot exceed 3000 characters in total length.

When certificate data with valid syntax is supplied, the certificate trust is checked to determine if the certificate is self-signed or signed by a trusted root certificate authority. If the trust cannot be determined, the certificate data can still be saved, but server authenticity enforcement using the certificate may fail.

As a convenience, the Pure Storage Directory Service can attempt to automatically fetch CA certificate data from the directory server. If certificate data is successfully retrieved from the server, it undergoes the same trust check as manually entered certificate data, however if trust cannot be determined the operation will not continue. If certificate data is successfully retrieved and the CA certificate is trusted, a final prompt to confirm the data is displayed.

pureds Subcommands

The pureds disable subcommand disables the directory service. This will stop any users in the directory from logging in. If used with the --check-peer option, server authenticity enforcement using a certificate is disabled, but the directory service status remains unchanged.

The pureds enable subcommand enables the directory service. This will allow users in the directory to log in. At a minimum, a URI, base DN, bind user and bind password, and at least one group must be configured before the Pure Storage Directory Service can be enabled. If used with the --check-peer option, server authenticity enforcement using the configured CA certificate is enabled, but the directory service status remains unchanged. A certificate must be configured before enabling the --check-peer option.

The pureds list subcommand displays the current base configuration. Alternatively, if the --groups option is specified, group configuration consisting of the group names and group base is displayed. If the --certificate option is specified, currently configured CA certificate data is displayed.

The pureds setattr subcommand can be used to set or clear URIs, base DN, bind user, bind password, read-only group, storage admin group, array admin group, group base, and certificate data.

The pureds test subcommand tests the current configuration by running a series of tests and can be run at any time. It verifies that the URIs can be resolved and that the array can bind to and query the tree using the bind user credentials. It also verifies that all the configured groups can be found, to confirm that the Common Names and group base are correctly configured. If --check-peer is enabled, the initial bind and query test is repeated while enforcing server authenticity using the CA certificate, and the group lookups also enforce server authenticity.
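Added example (not Pure Storage code) for the Certificates section and the subcommand rules above: a small Python model of the configuration state that enforces the enable preconditions (URI, base DN, bind user, bind password and at least one group), allows check-peer only with a CA certificate configured, drops check-peer when the certificate is cleared, and distinguishes pureds disable from pureds disable --check-peer. The PEM text used in the test is a labelled placeholder, not a real certificate.

```python
"""Model of the pureds enable/disable and certificate rules.

Added example, not Pure Storage code: it encodes the preconditions this man
page states so that a planned configuration can be checked offline before
it is applied to an array.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_CERT_LEN = 3000
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

@dataclass
class DirectoryService:
    uris: List[str] = field(default_factory=list)
    base_dn: Optional[str] = None
    bind_username: Optional[str] = None
    bind_password: Optional[str] = None
    groups: Dict[str, str] = field(default_factory=dict)   # role -> configured CN
    certificate: Optional[str] = None
    enabled: bool = False
    check_peer: bool = False

    def missing_for_enable(self) -> List[str]:
        """Attributes still unset; pureds enable needs all of them."""
        need = {"uri": self.uris, "base-dn": self.base_dn,
                "bind-username": self.bind_username,
                "bind-password": self.bind_password, "group": self.groups}
        return [k for k, v in need.items() if not v]

    def enable(self) -> None:
        missing = self.missing_for_enable()
        if missing:
            raise ValueError(f"cannot enable, missing: {missing}")
        self.enabled = True

    def disable(self, check_peer: bool = False) -> None:
        """pureds disable stops the service; with --check-peer it only turns
        off enforcement and leaves the service status unchanged."""
        if check_peer:
            self.check_peer = False
        else:
            self.enabled = False

    def set_certificate(self, pem: Optional[str]) -> None:
        """Store PEM CA data; an empty value clears it and drops check-peer."""
        if not pem or not pem.strip():
            self.certificate = None
            self.check_peer = False     # enforcement cannot outlive its CA cert
            return
        if len(pem) > MAX_CERT_LEN or BEGIN not in pem or END not in pem:
            raise ValueError("certificate must be PEM with BEGIN/END lines, at most 3000 chars")
        self.certificate = pem

    def enable_check_peer(self) -> None:
        if self.certificate is None:
            raise ValueError("check-peer requires a configured CA certificate")
        self.check_peer = True          # service status itself is unchanged
```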

Examples

Example 1

pureds setattr --uri ldaps://[2001:0db8:85a3::ae26:8a2e:0370:7334]
               --base-dn DC=mycompany,DC=com --bind-username ldapreader

Sets the URI to IPv6 address 2001:0db8:85a3::ae26:8a2e:0370:7334 and the scheme to ldaps:// to enable SSL. Also sets the base DN to be the correct Domain Components and sets the bind username as the username used to bind to and query the directory.

Example 2

pureds setattr --uri ldaps://ad1.mycompany.com,ldaps://ad2.mycompany.com
               --base-dn DC=mycompany,DC=com
               --bind-username CN=John,OU=Users,DC=mycompany,DC=com

Sets the URI to both ad1.mycompany.com and ad2.mycompany.com and the scheme to ldaps:// to enable SSL. Also sets the base DN to be the correct Domain Components and sets the bind username as the username used to bind to and query the directory.

Example 3

pureds setattr --group-base OU=PureGroups,OU=SAN,OU=IT,OU=US
               --readonly-group purereadonly --storage-admin-group pureusers
               --array-admin-group pureadmins

Sets the group base to be the nested Organizational Units where the groups can be found in the tree. Also sets the groups to be the Common Names of the directory groups. Combined with Example 1, the full Distinguished Name of the read-only group would be: "CN=purereadonly,OU=PureGroups,OU=SAN,OU=IT,OU=US,DC=mycompany,DC=com"

Example 4

pureds setattr --group-base OU=PureGroups,OU=SAN,OU=IT
               --readonly-group purereadonly,OU=US
               --storage-admin-group pureusers,OU=Asia
               --array-admin-group pureadmins,OU=Europe

Sets the group base to be the nested Organizational Units where the groups can be found in the tree. Also sets the groups to be the Common Names of directory groups belonging to different Organizational Units.

Example 5

pureds setattr --bind-password
Enter bind password:
Retype bind password:

Shows the interactive prompt for entering a password for the bind user account. The password is not shown while typing, so a confirmation prompt is presented. If the passwords do not match, no change is made.

Example 6

pureds test
Feature Status: Disabled

Testing from ct0:
Resolving ad1.mycompany.com...                                 PASSED
Searching ldaps://ad1.mycompany.com...                         PASSED
Searching for group CN=purereadonly...                         PASSED
Searching for group CN=pureusers...                            PASSED
Searching for group CN=pureadmins...                           PASSED

Resolving ad2.mycompany.com...                                 PASSED
Searching ldaps://ad2.mycompany.com...                         PASSED
Searching for group CN=purereadonly...                         PASSED
Searching for group CN=pureusers...                            PASSED
Searching for group CN=pureadmins...                           PASSED

pureds enable

Shows successful output of testing the current configuration and enabling the service following the successful test.

Author

Pure Storage Inc.