Directory Services Setup and Configuration


Directory Services provides secure FlashArray administration through role-based, multi-user access control.  

Support

Our Directory Services implementation is supported for the following: 

  • Windows Active Directory
  • OpenLDAP (Purity 4.7.0+ required)

Note: OpenLDAP 389DS is supported only on Purity v.5.2.0 and greater.

Role-Based Access Control

  • Directory Services provides Role-Based Access Control (RBAC) through integration with Windows Active Directory, using the groups defined in AD to restrict access to the FlashArray.
  • Designated Windows users may log into the Pure Array using their Windows domain credentials. 
  • Access is granted when a user in the Windows Domain is made a member of one of four Pure Groups which you will create in AD. To the FlashArray, each Group has its own level of access: Array Admin Access, Storage Admin Access, Ops Admin Access, and Read-only Access. (For more detailed information, please visit RBAC Command Access List - Role Based Access Controls KB).

Security

  • There are no shared logins. With Directory Services, a user will use their own Windows Credentials to log into the FlashArray.
  • You can limit access. Activity and level of activity can be controlled remotely by assigning Windows User accounts as members to Pure Groups in Active Directory.
  • Access can be granted to or revoked from users remotely from within Active Directory.
  • There is support for SSL and TLS (ldaps://) to encrypt passwords.

Audit Trail

Audit trails are provided per user. They track logins and activity.

Prerequisites

Requirements

  • The FlashArray must be of a Purity version that supports Directory Services (3.2.0+).
  • The FlashArray must be able to see the Windows domain controller(s).   

Constraints

  • "Security Groups" must be used with your Directory Services configuration.
    Note: "There are two types of groups in Active Directory: distribution groups and security groups. You can use distribution groups to create e-mail distribution lists and security groups to assign permissions to shared resources." (For more information, see this TechNet article on Group Types.)
  • Groups must have a common name (CN). Don't use an OU as a group. OUs don't set memberOf attributes, which are used to restrict FlashArray access.
  • Making a group a user's "Primary Group" in AD also removes the memberOf attribute. Therefore the feature will not work if the group configured in Directory Services is a user's Primary Group. (This is not the default and can usually be ignored.)
  • All designated Pure Groups must exist within the same OU.
  • sAMAccountNames must not be a local Linux user of the Pure FlashArray. These include:

    ['root', 'daemon', 'bin', 'sys', 'sync', 'games', 'man', 'lp', 'mail', 'news', 'uucp', 'proxy', 'www-data', 'backup', 'list', 'irc', 'gnats', 'nobody', 'libuuid', 'syslog', 'mysql', 'messagebus', 'avahi', 'postfix', 'sshd', 'snmp', 'ntp', 'os76', 'pureuser', 'pureeng', 'pureadmin']

  • All Windows Domain Controller URIs (addresses) that you specify in the config must be in the same domain, either a parent or a child domain, not both. Purity currently supports only a single domain, though up to 30 domain controllers can be defined.
  • All Domain Controller URIs must either be ldaps or ldap, no mixing is supported.
  • Bind User account and all intended AD login users must all be under the same exact domain as the domain specified for the BaseDN and URI (see below).
  • The Bind User must not have “Read Member Of” denied.
  • Users must NOT be members of the standard "Protected Users" security group (see https://docs.microsoft.com/en-us/win...security-group).
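As an added example (not Pure Storage code), the following Python script checks a proposed configuration against the constraints listed above and the URI and Base DN rules given in the GUI field descriptions further down, before anything is saved on the array; the sample values are the ones from this article's testdrive.local walkthrough, and the role names are those the pureds CLI accepts.

```python
"""Pre-flight check for a FlashArray Directory Services configuration.
Added example, not Pure Storage code. It encodes the Active Directory rules this
article states: one domain and one URI scheme across all DCs, a Base DN of DC=
components only that matches the URI domain, an OU path as Group Base, no bind
user colliding with a local array account, no group mapped to two roles.
"""
import ipaddress
from urllib.parse import urlsplit

# Local Linux accounts on the array that an AD sAMAccountName must not collide
# with (copied from the Constraints section of the article).
RESERVED_LOCAL_USERS = {
    "root", "daemon", "bin", "sys", "sync", "games", "man", "lp", "mail",
    "news", "uucp", "proxy", "www-data", "backup", "list", "irc", "gnats",
    "nobody", "libuuid", "syslog", "mysql", "messagebus", "avahi", "postfix",
    "sshd", "snmp", "ntp", "os76", "pureuser", "pureeng", "pureadmin",
}
ROLES = ("array_admin", "storage_admin", "ops_admin", "readonly")


def domain_of(uri):
    """Domain part of the URI host ('ad.storage.company.com' -> 'storage.company.com');
    empty for an IP-address host, which carries no domain to derive a Base DN from."""
    host = urlsplit(uri).hostname or ""
    try:
        ipaddress.ip_address(host)
        return ""
    except ValueError:
        return ".".join(host.split(".")[1:])


def base_dn_from_uri(uri):
    """Derive the Base DN the way the array auto-fills it: one DC= per domain label."""
    domain = domain_of(uri)
    if not domain:
        raise ValueError(f"URI {uri!r} has no domain to derive a Base DN from")
    return ",".join(f"DC={label}" for label in domain.split("."))


def validate(config):
    """Return the list of problems found; an empty list means the config passes."""
    problems = []
    uris = [u.strip() for u in config.get("uris", "").split(",") if u.strip()]
    if not uris:
        return ["at least one directory server URI is required"]
    schemes = {urlsplit(u).scheme for u in uris}
    if not schemes <= {"ldap", "ldaps"}:
        problems.append(f"URI scheme must be ldap or ldaps, got {sorted(schemes)}")
    elif len(schemes) > 1:
        problems.append("all URIs must use the same scheme; ldap and ldaps cannot be mixed")
    if len({domain_of(u) for u in uris}) > 1:
        problems.append("all URIs must be in one domain (a subdomain counts as a different domain)")
    derived = base_dn_from_uri(uris[0]) if domain_of(uris[0]) else None
    base_dn = config.get("base_dn") or derived
    if not base_dn:
        problems.append("Base DN must be given explicitly when the URI host is an IP address")
    elif any(not part.upper().startswith("DC=") for part in base_dn.split(",")):
        problems.append("Base DN must consist only of domain components (DC=...)")
    elif derived and base_dn.lower() != derived.lower():
        problems.append(f"Base DN {base_dn!r} does not match the URI domain ({derived})")
    bind_user = config.get("bind_user", "")
    if not bind_user:
        problems.append("a bind user is required for directory lookups")
    elif bind_user.lower() in RESERVED_LOCAL_USERS:
        problems.append(f"bind user {bind_user!r} collides with a local array account")
    if not config.get("group_base", "").upper().startswith("OU="):
        problems.append("Group Base must be an OU path such as OU=PureGroups,OU=SANManagers")
    seen = {}  # group CN (lower-cased) -> role it was first mapped to
    for role, cn in config.get("groups", {}).items():
        if role not in ROLES:
            problems.append(f"unknown role {role!r}; expected one of {ROLES}")
        if cn.lower() in seen:
            problems.append(f"group {cn!r} is mapped to both {seen[cn.lower()]} and {role}; "
                            "a group used twice is locked to the lowest role")
        seen[cn.lower()] = role
    return problems


def pure_roles_for_user(member_of, groups):
    """Map a user's memberOf group CNs to the Pure roles they grant; more than one
    result means the article's warning applies and access drops to the lowest role."""
    by_cn = {cn.lower(): role for role, cn in groups.items()}
    return [by_cn[cn.lower()] for cn in member_of if cn.lower() in by_cn]


# Constructed sample matching the article's testdrive.local walkthrough.
GOOD_CONFIG = {
    "uris": "ldaps://windows1.testdrive.local",
    "base_dn": "DC=testdrive,DC=local",
    "bind_user": "purebinduser",
    "group_base": "OU=PureGroups,OU=SANManagers",
    "groups": {"array_admin": "pureadmin", "storage_admin": "purestorage",
               "ops_admin": "pureops", "readonly": "purereadonly"},
}

if __name__ == "__main__":
    print("walkthrough config:", validate(GOOD_CONFIG) or "OK")
    mixed = dict(GOOD_CONFIG, base_dn="", uris="ldap://mydc.mydomain.com,ldaps://mydc2.mydomain.com")
    print("mixed-scheme config:", validate(mixed))
```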

Setup and Configuration

Defining or Creating the Organizational Unit (OU) and Pure Groups in Windows Active Directory

Before configuring Directory Services on the FlashArray side, certain objects need to be created in Active Directory. 

  1. In Active Directory, create or define an Organizational Unit (OU). You may use an existing OU; if you create a new one, it can be named virtually anything. After creating the OU, you can gather its address with dsquery, as in the following example:
C:\Users\Administrator>dsquery ou -name *pure*
"OU=PureGroups,OU=SANManagers,DC=testdrive,DC=local"

From that output, you need only the OU=PureGroups,OU=SANManagers portion when filling out the Group Base in the Directory Services configuration. The following shows what the structure in AD may look like:


  2. In Active Directory, create the Pure Groups. Populate the OU with the Pure Groups, using a descriptive name for each; the groups can be named virtually anything. The example below uses pureadmin, purestorage, pureops, and purereadonly. These groups must exist within the OU created or defined in Step 1. Later, on the array side, you will define these groups, so make a note of them.


  3. In Active Directory, define users as members of the Pure Groups. This can be accomplished by adding individual users or by adding existing groups as members of the Pure Groups. When an existing group is added to a Pure Group, its members automatically inherit the permissions of that Pure Group.
    Note: Do not make a user a member of more than one Pure Group. If you do, the user's permissions on the FlashArray will be restricted to the lowest group.

The following images show the addition of users to a Security Group and the addition of a group to a Pure Group:


Defining or Creating the Bind User in Windows Active Directory

The next step before configuring Directory Services on the FlashArray is to create a User that is used to perform directory lookups, not tied to any actual user.

Typically, the bind user will be a low-level account in AD, not tied to any actual user. Purity does not require any extra permissions for the bind user; a non-privileged account with the default user permissions will do. However, if you use permissions/ACLs within your provider, the bind user will require elevated permissions.

The password policy for the LDAP reader account should be set to never expire, and change should not be allowed.  If the password were to expire or change, Windows users who would normally be able to authenticate with the FlashArray will lose access to the FlashArray using Directory Services.  If the password were to change for the LDAP Reader account, the password would need to be set back to the way it was in AD, or updated in the Directory Service configuration to match the new password in AD.

The following images show how a user called purebinduser was created, as an example:


FlashArray-Side Configuration Using the FlashArray GUI: Purity Versions 5.3.x and Above

Note: Initial configuration of Directory Services must be done as the local pureuser account. To do this, access the Purity GUI as the local pureuser account and navigate to the Directory Service configuration section.

  1. From the Settings tab, click the Access tab, and then, in the Directory Service section, click Roles to configure the Security Groups described in the previous sections of this document.


  2. Enter the name of each Group and its Group Base next to the role it is assigned on the FlashArray. In our example, the group pureadmin is given the array_admin role, the group purestorage the storage_admin role, the group pureops the ops_admin role, and the group purereadonly the readonly role. Save the information when completed.


  3. Next, click Configuration to proceed with the Directory Service configuration. Ensure that Array Management is highlighted on the right.


  4. Fill in the blanks with the information gathered from Active Directory. The fields and their inputs are:

Enabled

Select the check box to leverage the directory service to perform user account and permission level searches.

URIs

Enter the universal resource identifier (URI).

The URI must include a URL scheme (ldap, or ldaps for LDAP over SSL), the hostname, and the domain. You can optionally specify a port.

For example, ldap://ad.company.com configures the Active Directory server with the hostname 'ad' in the domain 'company.com' while specifying the unencrypted LDAP protocol.

Note: If you define more than one DC URI here, the URL scheme and domains must match exactly. No mixing of domains is allowed, including subdomains.  

Acceptable: ldap://mydc.mydomain.com,ldap://mydc2.mydomain.com,ldap://mydc3.mydomain.com

Not acceptable: ldap://mydc.mydomain.com,ldap://mydc2.subdomain.mydomain.com,ldap://mydc3.mydomain2.com 

Not acceptable: ldap://mydc.mydomain.com,ldaps://mydc2.mydomain.com,ldaps://mydc3.mydomain.com  

Note: The URI entry auto-fills the Base DN which is case sensitive. Please be sure to match the case used in AD.

Base DN

Enter the base distinguished name (DN) of the directory service. The Base DN is built from the domain and should consist only of domain components (DCs). For example, for ldap://ad.storage.company.com the Base DN would be “DC=storage,DC=company,DC=com”. If you leave the field blank, the Base DN will be derived from the URI.

Note: The case must match the case used in AD.

Bind User

Enter the username for the account that is used to perform directory lookups; this should be your LDAP reader account, which is not tied to any actual user.

Typically, the bind user will be a low-level account in AD, not tied to any actual user. Purity does not require any extra permissions for the bind user; a non-privileged account with the default user permissions will do. However, if you use permissions/ACLs within your provider, the bind user will require elevated permissions.

The password policy for the LDAP reader account should be set to never expire, and change should not be allowed. If the password were to expire or change, Windows users who would normally be able to authenticate with the FlashArray will lose access to the FlashArray using Directory Services. If the password were to change for the LDAP Reader account, the password would need to be set back to the way it was in AD, or updated in the Directory Service configuration to match the new password in AD.

Purity uses ldap to heartbeat between the FlashArray and the Domain Controller(s). If the ldap (bind user) account cannot connect to the Domain Controller(s) for any reason, a Warning Alert will be generated and logged.

Bind Password

Enter the password for the bind user account.

Note: If this password expires or changes, you will need to update it here.

User Login Attribute

Enter the logon name attribute used in your Directory domain. The logon name must be 20 or fewer characters and be unique among all security principal objects within the domain.

It defaults to sAMAccountName for Active Directory, or uid for other directory services.

User Object Class

Enter the object class used in your domain that defines the user accounts.

It defaults to User for AD, posixAccount or shadowAccount for OpenLDAP, posixAccount for posix compliant servers, or person for all others.

Check Peer

Select the check box to validate the authenticity of the directory servers using the CA Certificate (TLS will be used to secure the connection).
When using ldap:// in the URI, this box had no effect until 6.4.8; starting with 6.4.9, it always forces certificate validation with TLS. However, it is recommended to keep this box unchecked when using ldap://. When using ldaps://, unchecking this box allows self-signed certificates.

The following is an example of completed fields:


When using LDAPS:


  5. Press Save.


  6. Additional information and configuration is required for TLS support. If you want encrypted communication and have already enabled SSL on the AD server, setting the URI scheme to ldaps:// is adequate. However, if you also want server authentication, you need the PEM certificate of the AD server (base64-encoded X.509). Once SSL is enabled, the entire AD bind and query session is encrypted. Complete the following steps to configure TLS support. Only one certificate can be configured at a time, so the same certificate authority should be the issuer of all directory server certificates. The certificate should be PEM formatted (base64 encoded) and should not exceed 3000 characters in total length.
    1. Optional: To import the certificate, select “Edit." 
    2. After selecting "Edit", a dialog box opens. Choose each DC one by one from the drop-down menu; you may then enter the certificate manually or click "Fetch certificate from" to auto-fetch it, and then select "Save" at the bottom of the dialog box to continue.


  7. If everything looks correct, click Test.

View the test results:

  • If all results return with green boxes, then the configuration is validated. If any boxes return red, an entry most likely needs editing to reflect accurately the information from Active Directory.
  • Failed test results can also be a result of Pure not being able to access or talk to the Domain Controller, or of the LDAP search from the FlashArray being blocked from traversing AD. Is “Read Member Of” denied on any of the objects? If so, remove that restriction.
  • If you run a test, and it fails, and you believe all entries in Directory Service are configured correctly, and Active Directory is configured correctly, please open a Support ticket with Pure Storage Support.
  8. After a completed successful test result, you may enable Directory Services.


  9. Click Save to complete the setup.

FlashArray-Side Configuration Using the CLI

The CLI command pureds is used to configure the Secure Array Administration with Multi-User Access Control.

Note: These commands vary depending on Purity version. Use the help option (pureds -h) to view the valid commands for your version, as in the following examples:

pureuser@flasharray1> pureds list
Name        URI  Base DN  Bind User  Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
data        -    -        -          -              False       False    -                     -
management  -    -        -          -              False       False    -                     -
pureuser@flasharray1>
pureuser@flasharray1> pureds setattr --help
usage: pureds setattr [-h] [--uri URI] [--base-dn BASE_DN] [--bind-user BIND_USER] [--bind-password] [--readonly-group READONLY_GROUP] [--storage-admin-group STORAGE_ADMIN_GROUP] [--array-admin-group ARRAY_ADMIN_GROUP]
                      [--group-base GROUP_BASE] [--ca-certificate] [--trust] [--auto-fetch] [--user-login-attribute USER_LOGIN_ATTRIBUTE] [--user-object-class USER_OBJECT_CLASS]
                      [SERVICE-NAME]
positional arguments:
  SERVICE-NAME          service name, only one service name at a time. (Ex: management or data)
optional arguments:
  -h, --help            show this help message and exit
  --uri URI             comma separated directory server URIs (Ex: ldaps://ad.company.com)
  --base-dn BASE_DN     base DN of directory service (Ex: DC=company,DC=com)
  --bind-user BIND_USER
                        sAMAccountName to use for doing lookups in Active Directory (Ex: ldapreader). Full Distinguished Name of the bind user for doing lookups in OpenLDAP (Ex: "cn=ldapreader,dc=company,dc=com")
  --bind-password       use prompt to set password of bind-user account
  --readonly-group READONLY_GROUP
                        (deprecated) use "pureds role setattr"
  --storage-admin-group STORAGE_ADMIN_GROUP
                        (deprecated) use "pureds role setattr"
  --array-admin-group ARRAY_ADMIN_GROUP
                        (deprecated) use "pureds role setattr"
  --group-base GROUP_BASE
                        (deprecated) use "pureds role setattr"
  --ca-certificate      use prompt to enter PEM format CA certificate (including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines)
  --trust               skip certificate chain trust verification
  --auto-fetch          download and confirm the server certificate. Use with --ca-certificate.
  --user-login-attribute USER_LOGIN_ATTRIBUTE
                        User login attribute in your LDAP structure. Typically, the attribute field that holds the user's unique login name. Defaults to sAMAccountName for Active Directory, or uid for other directory services.
  --user-object-class USER_OBJECT_CLASS
                        Value of the object class used for the LDAP user. Defaults to User for AD, posixAccount or shadowAccount for OpenLDAP, or person for all others.
pureuser@flasharray1> pureds role setattr --help
usage: pureds role setattr [-h] [--group GROUP] [--group-base GROUP_BASE] ROLE ...
positional arguments:
  ROLE                  role name (readonly, ops_admin, storage_admin, or array_admin)
optional arguments:
  -h, --help            show this help message and exit
  --group GROUP         CN of the group
  --group-base GROUP_BASE
                        OU path to configured groups
pureuser@flasharray1>
  1. Set the role for the Groups created previously in your Active Directory Domain.
pureuser@flasharray1> pureds role setattr readonly --group purereadonly --group-base OU=PureGroups,OU=SANManagers
Name      Group         Group Base
readonly  purereadonly  OU=PureGroups,OU=SANManagers

pureuser@flasharray1> pureds role setattr ops_admin --group pureops --group-base OU=PureGroups,OU=SANManagers
Name       Group    Group Base
ops_admin  pureops  OU=PureGroups,OU=SANManagers

pureuser@flasharray1> pureds role setattr storage_admin --group purestorage --group-base OU=PureGroups,OU=SANManagers
Name           Group        Group Base
storage_admin  purestorage  OU=PureGroups,OU=SANManagers

pureuser@flasharray1> pureds role setattr array_admin --group pureadmin --group-base OU=PureGroups,OU=SANManagers
Name         Group      Group Base
array_admin  pureadmin  OU=PureGroups,OU=SANManagers

  2. Set the URI to point to the Active Directory server:
pureuser@flasharray1> pureds setattr --uri ldaps://windows1.testdrive.local
Name        URI                               Base DN                Bind User  Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
management  ldaps://windows1.testdrive.local  DC=testdrive,DC=local  -          -              False       False    -        

Note that this auto-populated the Base DN. The default is derived from the domain in the URI. You may also enter more than one URI; up to 30 can be entered, comma separated. They must all use the same scheme (ldaps or ldap), and the DCs must be members of the same domain. For example:

pureuser@flasharray1> pureds setattr --uri "ldaps://mydomaincontroller.mycompany.com,ldaps://mydomaincontroller2.mycompany.com,ldaps://mydomaincontroller3.mycompany.com"
  3. Set the bind credentials by adding the sAMAccountName (username) of the bind user (also called the LDAP reader account) and the bind user's password:
pureuser@flasharray1> pureds setattr --bind-user purebinduser
Name        URI                               Base DN                Bind User     Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
management  ldaps://windows1.testdrive.local  DC=testdrive,DC=local  purebinduser  -              False       False    -                     -
pureuser@flasharray1> pureds setattr --bind-password
Enter bind password:
Retype bind password:
Name        URI                               Base DN                Bind User     Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
management  ldaps://windows1.testdrive.local  DC=testdrive,DC=local  purebinduser  ****           False       False    -                     -
pureuser@flasharray1> pureds setattr --user-login-attribute sAMAccountName --user-object-class User
Name        URI                               Base DN                Bind User     Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
management  ldaps://windows1.testdrive.local  DC=testdrive,DC=local  purebinduser  ****           False       False    sAMAccountName        User
  4. Set the attribute for Group Base. You may enter just "OU=PureGroups" as the Group Base, but in this scenario PureGroups was created under an existing OU, so our group base is "OU=PureGroups,OU=SANManagers":
pureuser@flasharray1> pureds setattr --base-dn DC=testdrive,DC=local
Name        URI                               Base DN                Bind User  Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
management  ldaps://windows1.testdrive.local  DC=testdrive,DC=local  -          -              False       False    -                     -
  5. To test the configuration, enter the following:
pureuser@flasharray1> pureds test
Output
Feature Status: Disabled
Testing from ct0:
Resolving windows1.testdrive.local...                                    PASSED
Searching ldaps://windows1.testdrive.local...                            PASSED
Searching for group CN=purereadonly...                                   PASSED
Searching for group CN=pureops...                                        PASSED
Searching for group CN=purestorage...                                    PASSED
Searching for group CN=pureadmin...                                      PASSED
pureuser@flasharray1>
  6. Once the test results are successful, you can proceed to enable the configuration:
pureuser@flasharray1> pureds enable
URI                               Base DN                Bind User     Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
ldaps://windows1.testdrive.local  DC=testdrive,DC=local  purebinduser  ****           False       True     sAMAccountName        User
pureuser@flasharray1> 

You may now access the FlashArray from the CLI or GUI using a Windows Account that's a member of one of the Pure Groups in AD.


(TLS Support) Configuring a Certificate via CLI

After all other configuration is completed using the steps above, you can import the certificate(s).

  1. Enter the following command:
pureuser@flasharray1> pureds setattr --ca-certificate
Please enter certificate data followed by Enter and then Ctrl-D:

(PEM certificate data pasted here, followed by Enter and Ctrl-D)
CA Certificate Data
(the PEM certificate is echoed back; omitted here)
pureuser@flasharray1>

Alternatively, you may use the --auto-fetch switch to fetch the certificate from the Domain Controller.

pureuser@flasharray1> pureds setattr --ca-certificate --auto-fetch
Attempting to automatically fetch certificate from windows1.testdrive.local:636...

(fetched PEM certificate data; omitted here)
pureuser@flasharray1>
  2. To enable the certificate:
pureuser@flasharray1> pureds enable --checkpeer
URI                               Base DN                Bind User     Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
ldaps://windows1.testdrive.local  DC=testdrive,DC=local  purebinduser  ****           False       True     sAMAccountName        User
pureuser@flasharray1> 
  3. To test the settings:
pureuser@flasharray1> pureds test
Output
Feature Status: Disabled
Testing from ct0:
Resolving windows1.testdrive.local...                                    PASSED
Searching ldaps://windows1.testdrive.local...                            PASSED
Searching for group CN=purereadonly...                                   PASSED
Searching for group CN=pureops...                                        PASSED
Searching for group CN=purestorage...                                    PASSED
Searching for group CN=pureadmin...                                      PASSED
pureuser@flasharray1>

Additional Information

Integration with FreeIPA

FreeIPA has some notable differences in its implementation on the FlashArray.

Base DN
In order for the FlashArray to accept CN= in the Base DN, you may need to upgrade Purity to the latest version. The Base DN should look something like this:

CN=accounts,DC=dev,DC=company,DC=com

Group Base
The Group Base should look something like this, since FreeIPA doesn't support OUs:

CN=groups

So for example:

> pureds list
Name        URI                           Base DN                                   Bind User                                                                       Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
management  ldap://ipa1.dev.company.com   CN=accounts,DC=dev,DC=company,DC=com      UID=ldap_checker,CN=users,CN=accounts,DC=dev,DC=company,DC=com                  ****           False       True     uid                   posixAccount
            ldap://ipa2.dev.company.com  

> pureds list --groups
Read-only Group  Storage Admin Group  Array Admin Group  Group Base
purereadonly     purestorageadmin     pureadmins         CN=groups 

Users should not be members of more than one security group, or the login will fail.

You can test what permissions the FlashArray will find with "pureadmin list username --force". The --force requires the FlashArray to bypass cached permissions (permissions are stored for a user for 30 minutes) and query the domain controller again.

Integration with LDAP Server, Using Data Service

To integrate FlashArray with a LDAP server using the data service, you can use the following commands:

> pureds setattr data --base-dn dc=mydomain,dc=com --bind-user cn=admin,dc=mydomain,dc=com --uri ldap://192.168.20.2 --bind-password

> pureds enable data 

FlashArray-Side Configuration Using the Pure FlashArray's GUI: Purity Versions Between 5.0.x and 5.2.x

Note: Initial configuration of Directory Services must be done as the local pureuser account. To do this, access the Purity GUI as the local pureuser account and navigate to the Directory Service configuration section.

  1. From the System tab, click Directory Services in the Users menu of the left panel.
  2. Click on Edit. A dialog displays.


  3. Fill in the blanks with the information gathered from Active Directory. The fields and their inputs are:

Enabled

Select the check box to leverage the directory service to perform user account and permission level searches.

URI

Enter the universal resource identifier (URI)

The URI must include a URL scheme (ldap, or ldaps for LDAP over SSL), the hostname, and the domain. You can optionally specify a port.

For example, ldap://ad.company.com configures the Active Directory server with the hostname 'ad' in the domain 'company.com' while specifying the unencrypted LDAP protocol.

Note: If you define more than one DC URI here, the URL scheme and domains must match exactly. No mixing of domains is allowed, including subdomains.  

Acceptable: ldap://mydc.mydomain.com,ldap://mydc2.mydomain.com,ldap://mydc3.mydomain.com

Not acceptable: ldap://mydc.mydomain.com,ldap://mydc2.subdomain.mydomain.com,ldap://mydc3.mydomain2.com 

Not acceptable: ldap://mydc.mydomain.com,ldaps://mydc2.mydomain.com,ldaps://mydc3.mydomain.com  

Note: The URI entry auto-fills the Base DN which is case sensitive. Please be sure to match the case used in AD.

Base DN

Enter the base distinguished name (DN) of the directory service. The Base DN is built from the domain and should consist only of domain components (DCs). For example, for ldap://ad.storage.company.com the Base DN would be “DC=storage,DC=company,DC=com”. If you leave the field blank, the Base DN will be derived from the URI.

Note: The case must match the case used in AD.

Bind User

Enter the username for the account that is used to perform directory lookups; this should be your LDAP reader account, which is not tied to any actual user.

Typically, the bind user will be a low-level account in AD, not tied to any actual user. Purity does not require any extra permissions for the bind user; a non-privileged account with the default user permissions will do. However, if you use permissions/ACLs within your provider, the bind user will require elevated permissions.

The password policy for the LDAP reader account should be set to never expire, and change should not be allowed.  If the password were to expire or change, Windows users who would normally be able to authenticate with the FlashArray will lose access to the FlashArray using Directory Services.  If the password were to change for the LDAP Reader account, the password would need to be set back to the way it was in AD, or updated in the Directory Service configuration to match the new password in AD.

Purity uses ldap to heartbeat between the FlashArray and the Domain Controller(s). If the ldap (bind user) account cannot connect to the Domain Controller(s) for any reason, a Warning Alert will be generated and logged.

Bind Password

Enter the password for the bind user account.

Note: If this password expires or changes, you will need to update it here.

Group Base

Enter the organizational unit (OU) path to the groups that are configured in Active Directory. Groups can be nested. In the following example, SANManagers contains the sub-organizational unit PureGroups:

OU=PureGroups,OU=SANManagers

All FlashArray configured group common names (CN) must exist in the same OU.

Note: Group Base is case sensitive and must match the case used in AD. When entering the groups, do not use quotation marks.

Array Admin Group

Enter the common name (CN) of the group of administrators that are allowed to perform every FlashArray operation. Array Admin Group administrators have the same privileges as pureuser.

Storage Admin Group

Enter the common name (CN) of the group of administrators that are allowed to perform FlashArray storage operations.

Read Only Group

Enter the common name (CN) of the group of users with read-only privileges on the FlashArray.

Note: DO NOT enter the same group name in more than one field. If you do, the group's permissions will be locked down to the lowest level of the fields it appears in.

Check Peer

Select the check box to validate the authenticity of the directory servers using the CA Certificate (TLS will be used to secure the connection). When using ldap:// in the URI, this box has no effect.

CA Certificate

Enter the certificate of the issuing certificate authority. Only one certificate can be configured at a time, so the same certificate authority should be the issuer of all directory server certificates. The certificate should be PEM formatted (base64 encoded) and should not exceed 3000 characters in total length.
  1. Additional information and configuration is required for TLS support. If you want encrypted communication and have already enabled SSL on the AD server, setting the URI scheme to ldaps:// is adequate. However, if you also want server authentication, you need the PEM certificate of the AD server (base64-encoded X.509). Once SSL is enabled, the entire AD bind and query session is encrypted. Complete the following steps to configure TLS support.
    1. Optional: To import the certificate, select "Edit."
      import cert.png
    2. After selecting "Edit", a dialog box opens. Choose each DC one by one from the drop-down menu. You may then enter the certificate information manually, or click "Fetch from server" to auto-fetch the certificate. Then select "Set" at the bottom of the dialog box to continue.

select cert location.png

The following is an example of completed fields.

completed config.png

  2. If using LDAPS, click Check Peer.

enable check peer after importing cert.png

  3. If everything looks correct, click Save. To test it, click Test.

test ds.png

View the test results:

test.png

  • If all results return with green boxes, the configuration is validated. If any boxes return red, an entry most likely needs editing so that it accurately reflects the information in Active Directory.
  • Failed test results can also occur when the FlashArray cannot reach or talk to the Domain Controller, or when the LDAP search from the FlashArray is blocked from traversing AD. Check whether "Read Member Of" is denied on any of the objects; if so, remove that restriction.
  • If a test fails and you believe that all Directory Service entries and Active Directory are configured correctly, open a Support ticket with Pure Storage Support.
  4. After a successful test result, you may enable Directory Services.

enable.png

  5. Click Save to complete the setup.

FlashArray-Side Configuration Using the Pure FlashArray's GUI: Purity Versions 4.10.x and Prior

Initial configuration of Directory Services must be done from the local pureuser account. To do this, access the Purity GUI as the local pureuser account and then navigate to the Directory Service configuration page as follows:

  1. From the System tab, click Directory Services in the Configuration menu in the left panel.
  2. Click Edit. A dialog displays.

GUI1.png

  3. Fill in the fields of the dialog with the information gathered from Active Directory.

GUI2.png

Use the following descriptions to fill in the Directory Service fields shown above.

Enabled

Select the check box to leverage the directory service to perform user account and permission level searches.

URI

Enter the universal resource identifier (URI).

The URI must include a URL scheme (ldap, or ldaps for LDAP over SSL), the hostname, and the domain.  You can optionally specify a port.

For example, ldap://ad.company.com configures the Active Directory server with the hostname 'ad' in the domain 'company.com' while specifying the unencrypted LDAP protocol.

Note: If you define more than one DC URI here, the URL scheme and domains must match exactly. No mixing of domains is allowed, including subdomains.  

Acceptable: ldap://mydc.mydomain.com,ldap://mydc2.mydomain.com,ldap://mydc3.mydomain.com

Not acceptable: ldap://mydc.mydomain.com,ldap://mydc2.subdomain.mydomain.com,ldap://mydc3.mydomain2.com 

Not acceptable: ldap://mydc.mydomain.com,ldaps://mydc2.mydomain.com,ldaps://mydc3.mydomain.com  

Note: The URI entry autofills the Base DN which is case sensitive. Please be sure to match the case used in AD.

Base DN

Enter the base distinguished name (DN) of the directory service. The Base DN is built from the domain and should consist only of domain components (DCs). For example, for ldap://ad.storage.company.com the Base DN would be:

DC=storage,DC=company,DC=com

If you leave the field blank, the Base DN will be derived from the URI.
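The URI rules (one URL scheme, one domain, no subdomain mixing) and the Base DN derivation are easy to get wrong by hand, and a red test result gives little detail. The following Python is an added example, not Pure Storage's code: it checks a URI field against the rules stated in the URI section and derives the Base DN from the first URI's domain components the way the Base DN section describes. The hostnames are the page's own placeholders; function names are assumptions. Because DNS names are case-insensitive the derived DN comes out lowercase, and the page says the Base DN must match the case used in AD, so adjust the case before saving.

```python
"""Added example, not Pure Storage's code: check the Directory Services URI
field against the rules stated above (one URL scheme, one domain, subdomains
count as different domains) and derive the Base DN from the URI's domain
components the way the page describes. Hostnames are placeholders."""
from urllib.parse import urlsplit


def parse_uri_list(uri_field: str) -> list[dict]:
    """Split the comma-separated URI field into scheme / host label / domain.
    Raises ValueError for anything that is not ldap(s)://fqdn[:port]."""
    entries = []
    for raw in uri_field.split(","):
        raw = raw.strip()
        parts = urlsplit(raw)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            raise ValueError(f"need ldap:// or ldaps:// plus a hostname: {raw!r}")
        labels = parts.hostname.split(".")  # urlsplit lowercases the host
        if len(labels) < 2:
            raise ValueError(f"host must be fully qualified (host.domain): {raw!r}")
        entries.append({
            "scheme": parts.scheme,
            "host": labels[0],                # e.g. 'ad' or 'mydc'
            "domain": ".".join(labels[1:]),   # e.g. 'storage.company.com'
            "port": parts.port,               # None unless given explicitly
        })
    return entries


def validate_uri_list(uri_field: str) -> list[str]:
    """Return the rule violations for a URI field; an empty list means the
    entry is acceptable in the sense used on the page."""
    try:
        entries = parse_uri_list(uri_field)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    schemes = {e["scheme"] for e in entries}
    domains = {e["domain"] for e in entries}
    if len(schemes) > 1:
        problems.append(f"mixed URL schemes across DCs: {sorted(schemes)}")
    if len(domains) > 1:
        problems.append(f"mixed domains across DCs (subdomains differ too): {sorted(domains)}")
    return problems


def base_dn_from_uri(uri_field: str) -> str:
    """Build the Base DN from the first URI's domain, dropping the host label:
    ldap://ad.storage.company.com -> DC=storage,DC=company,DC=com.
    The result is lowercase; match it to the case used in AD before saving."""
    domain = parse_uri_list(uri_field)[0]["domain"]
    return ",".join(f"DC={label}" for label in domain.split("."))


if __name__ == "__main__":
    for field in (
        "ldap://mydc.mydomain.com,ldap://mydc2.mydomain.com,ldap://mydc3.mydomain.com",
        "ldap://mydc.mydomain.com,ldap://mydc2.subdomain.mydomain.com,ldap://mydc3.mydomain2.com",
        "ldap://mydc.mydomain.com,ldaps://mydc2.mydomain.com,ldaps://mydc3.mydomain.com",
    ):
        print(field, "->", validate_uri_list(field) or "acceptable")
    print(base_dn_from_uri("ldap://ad.storage.company.com"))
```

Run it against the three URI lists from the page and the first is reported acceptable, the second fails on mixed domains and the third on mixed schemes; the Base DN for ldap://ad.storage.company.com comes out as DC=storage,DC=company,DC=com.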

Note: The case must match the case used in AD.

Bind User

Enter the username of the account that is used to perform directory lookups. This should be a dedicated LDAP reader account that is not tied to any actual user.

Typically the bind user is a low-privilege account in AD that is not tied to any actual user. Purity does not require any extra permissions for the bind user; a non-privileged account with the default user permissions is sufficient. However, if you use permissions/ACLs within your provider, the bind user will require elevated permissions.

The password policy for the LDAP reader account should be set to never expire, and password changes should not be allowed. If the password expires or changes, Windows users who would normally authenticate to the FlashArray through Directory Services will lose access to the FlashArray. If the password of the LDAP reader account does change, either set it back to its previous value in AD or update the Directory Service configuration to match the new password in AD.

Purity uses an LDAP bind as a heartbeat between the FlashArray and the Domain Controller(s). If the bind user account cannot connect to the Domain Controller(s) for any reason, a Warning alert is generated and logged.

Bind Password

Enter the password for the bind user account.

Note: If this password expires or changes, you will need to update it here.

Group Base

Enter the organizational unit (OU) path to the groups that are configured in Active Directory. Groups can be nested. In the following example, SANManagers contains the sub-organizational unit PureGroups:

OU=PureGroups,OU=SANManagers

All FlashArray configured group common names (CN) must exist in the same OU.

Note: Group Base is case sensitive and must match the case used in AD. When entering the groups, do not use quotation marks.

Array Admin Group

Enter the common name (CN) of the group of administrators that are allowed to perform every FlashArray operation. Array Admin Group administrators have the same privileges as pureuser.

Storage Admin Group

Enter the common name (CN) of the group of administrators that are allowed to perform FlashArray storage operations.

Read Only Group

Enter the common name (CN) of the group of users with read-only privileges on the FlashArray.

Note: DO NOT enter the same group name in more than one field. If you do, the group's permissions will be locked down to the lowest level of the fields it appears in.
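The Group Base and role group fields have several rules spread over the descriptions above: Group Base is an OU path, the role fields take bare group CNs without quotation marks, all groups must sit in that one OU, and a group named in two fields is locked to the lowest level. As an added example (not Pure Storage's code), the following Python applies those checks to a candidate configuration before you save it, and builds the full DN each lookup has to resolve. The group names PureArrayAdmins, PureStorageAdmins and PureReadOnly, the sample Base DN and the function names are constructed placeholders.

```python
"""Added example, not Pure Storage's code: sanity-check the Group Base and
the three role group fields against the rules stated above before saving.
Group names and DNs are constructed placeholders."""

ROLE_FIELDS = ("Array Admin Group", "Storage Admin Group", "Read Only Group")

# Constructed sample values, assumed for this example only
EXAMPLE_BASE_DN = "DC=storage,DC=company,DC=com"
EXAMPLE_GROUP_BASE = "OU=PureGroups,OU=SANManagers"
EXAMPLE_GROUPS = {
    "Array Admin Group": "PureArrayAdmins",
    "Storage Admin Group": "PureStorageAdmins",
    "Read Only Group": "PureReadOnly",
}


def check_group_config(group_base: str, groups: dict[str, str]) -> list[str]:
    """Return rule violations; an empty list means the fields are consistent.
    Checks: Group Base is an OU path, role fields hold bare CNs without
    quotation marks, and no group is named in more than one role field."""
    problems = []
    ou_parts = [p.strip() for p in group_base.split(",")] if group_base else []
    if not ou_parts or not all(p.upper().startswith("OU=") for p in ou_parts):
        problems.append(f"Group Base must be an OU path such as {EXAMPLE_GROUP_BASE}: {group_base!r}")
    seen: dict[str, str] = {}  # lowercased CN -> first field that used it
    for field in ROLE_FIELDS:
        cn = groups.get(field, "").strip()
        if not cn:
            continue  # a blank role field is allowed
        if cn[0] in "\"'" or cn[-1] in "\"'":
            problems.append(f"{field}: remove the quotation marks around {cn}")
        elif "=" in cn or "," in cn:
            problems.append(f"{field}: enter the bare CN, not a DN: {cn}")
        # compare case-insensitively so a reuse differing only in case is caught
        key = cn.lower()
        if key in seen:
            problems.append(f"{field}: {cn} is already used for {seen[key]}; "
                            "a group named in two fields is locked to the lowest level")
        else:
            seen[key] = field
    return problems


def group_dns(base_dn: str, group_base: str, groups: dict[str, str]) -> dict[str, str]:
    """Full DN of each role group: every one must sit directly under the
    single Group Base OU beneath the Base DN."""
    return {field: f"CN={cn},{group_base},{base_dn}" for field, cn in groups.items() if cn}


if __name__ == "__main__":
    print(check_group_config(EXAMPLE_GROUP_BASE, EXAMPLE_GROUPS) or "groups look consistent")
    for field, dn in group_dns(EXAMPLE_BASE_DN, EXAMPLE_GROUP_BASE, EXAMPLE_GROUPS).items():
        print(f"{field}: {dn}")
    reused = dict(EXAMPLE_GROUPS, **{"Read Only Group": "PureArrayAdmins"})
    print(check_group_config(EXAMPLE_GROUP_BASE, reused))
```

The DNs printed by group_dns are what you would look up with a directory browser if a test returns red for a group: if a group resolves to a different OU than the others, it fails the rule that all configured groups must exist in the same OU.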

Check Peer

Select the check box to validate the authenticity of the directory servers using the CA Certificate (TLS will be used to secure the connection). When using ldap:// in the URI, this box has no effect.

CA Certificate

Enter the certificate of the issuing certificate authority. Only one certificate can be configured at a time, so the same certificate authority should be the issuer of all directory server certificates. The certificate should be PEM formatted (base64 encoded) and should not exceed 3000 characters in total length.
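Before pasting a certificate into the CA Certificate field, a quick local check against the constraints just stated (PEM/base64, exactly one certificate, at most 3000 characters) avoids a failed test later. The following Python is an added example and not Pure Storage's code; SAMPLE_DER is a constructed minimal DER SEQUENCE standing in for a real CA certificate, and the check only verifies the PEM framing, size and outer DER structure, not the certificate's signature, CA flag or expiry.

```python
"""Added example, not Pure Storage's code: pre-check a CA certificate against
the constraints stated for the CA Certificate field (PEM/base64, exactly one
certificate, at most 3000 characters). SAMPLE_DER is a constructed minimal
DER SEQUENCE standing in for a real CA certificate."""
import base64
import binascii
import re

MAX_CA_CERT_CHARS = 3000  # limit stated on the page
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-in: a DER SEQUENCE holding INTEGER 1, not a real certificate
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM framing with 64-character base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def check_ca_certificate(pem_text: str) -> list[str]:
    """Return the problems that would make the field reject or mis-handle
    the input; an empty list means framing and size are acceptable.
    This does not validate the certificate itself (signature, CA flag, expiry)."""
    problems = []
    if len(pem_text) > MAX_CA_CERT_CHARS:
        problems.append(f"{len(pem_text)} characters exceeds the {MAX_CA_CERT_CHARS}-character limit")
    if "PRIVATE KEY" in pem_text:
        problems.append("the field takes the issuing CA's certificate only; a private key does not belong here")
    blocks = _PEM_CERT.findall(pem_text)
    if len(blocks) != 1:
        problems.append(f"expected exactly one CERTIFICATE block (one CA at a time), found {len(blocks)}")
    for body in blocks:
        try:
            # validate=True rejects any character outside the base64 alphabet
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("certificate body is not valid base64")
            continue
        if not der or der[0] != 0x30:
            problems.append("decoded body does not start with a DER SEQUENCE, so it is not X.509")
    return problems


if __name__ == "__main__":
    print(check_ca_certificate(to_pem(SAMPLE_DER)) or "framing and size acceptable")
    print(check_ca_certificate(to_pem(SAMPLE_DER) * 2))          # a bundle of two certs
    print(check_ca_certificate(to_pem(b"\x30" + b"\x00" * 3000)))  # over the size limit
```

If your CA's PEM file is a bundle (root plus intermediates), this check will report more than one block; the field takes a single certificate, so pick the one that issued the directory server certificates and verify it stays under the 3000-character limit.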
  1. Additional information and configuration is required for TLS support. If you want encrypted communication and have already enabled SSL on the AD server, setting the URI scheme to ldaps:// is adequate. However, if you also want server authentication, you need the PEM certificate of the AD server (base64-encoded X.509). Once SSL is enabled, the entire AD bind and query session is encrypted. Complete the following steps to configure TLS support.
    1. Optional: To import the certificate, select "Check Peer." Then import the certificates by selecting "change." The Edit Certificate dialog box opens.

GUI3.png

    2. Choose each DC one by one from the drop-down menu. You may then enter the certificate information manually, or click Fetch from server to auto-fetch the certificate. Then select "Set" at the bottom of the dialog box to continue.

dasetup8.png

The following is an example of completed fields:

GUI4.png

  2. If everything looks correct, click Save. To test it, click Test.

View the test results:

dasetup13.png

  • If all results return with green boxes, the configuration is validated. If any boxes return red, an entry most likely needs editing so that it accurately reflects the information in Active Directory.
  • Failed test results can also occur when the FlashArray cannot reach or talk to the Domain Controller, or when the LDAP search from the FlashArray is blocked from traversing AD. Check whether "Read Member Of" is denied on any of the objects; if so, remove that restriction.
  • If a test fails and you believe that all Directory Service entries and Active Directory are configured correctly, open a Support ticket with Pure Storage Support.
  3. After a successful test result, you may enable Directory Services.

dasetup13.png

  4. Click Save to complete the setup.