Directory Services Setup and Configuration
Directory Services provides secure FlashArray administration through role-based, multi-user access control.
Support
Our Directory Services implementation is supported for the following:
- Windows Active Directory
- OpenLDAP (Purity 4.7.0+ required)
Note: OpenLDAP 389DS is supported only on Purity v.5.2.0 and greater.
Role-Based Access Control
- Directory Services provides role-based access control (RBAC) by integrating with Windows Active Directory: membership in groups defined in AD determines who may administer the FlashArray and at what level.
- Designated Windows users log into the FlashArray with their Windows domain credentials.
- Access is granted when a user in the Windows domain is made a member of one of three Pure Groups that you create in AD. Each group maps to one FlashArray access level: Array Admin, Storage Admin, and Read Only (explained in detail below).
Security
- There are no shared logins. With Directory Services, each user logs into the FlashArray with their own Windows credentials.
- You can limit access. What a user may do, and how much, is controlled centrally by assigning Windows user accounts to the Pure Groups in Active Directory.
- Access can be granted or revoked centrally from within Active Directory, without touching the array.
- LDAP over SSL/TLS (ldaps://) is supported and encrypts the whole session, including the bind password and every query. With plain ldap://, the bind credentials cross the network in cleartext.
Audit Trail
Audit trail entries are recorded per user: they track each individual's logins and activity, so actions are attributed to a named Windows account rather than to a shared login.
Prerequisites
Requirements
- The FlashArray must be of a Purity version that supports Directory Services (3.2.0+)
- The FlashArray must be able to resolve and reach the Windows domain controller(s) over the network (TCP 389 for ldap, TCP 636 for ldaps).
Constraints
- "Security Groups" must be used with your Directory Services configuration.
Note: "There are two types of groups in Active Directory: distribution groups and security groups. You can use distribution groups to create e-mail distribution lists and security groups to assign permissions to shared resources." (For more information, see the TechNet article on Group Types.)
- Groups must have a common name (CN). You cannot use an OU as a group: OUs do not set memberOf attributes, which are what the FlashArray uses to restrict access.
- Making a group a user's "Primary Group" in AD also removes that group from the user's memberOf attribute, so the feature will not work if the configured group is a user's Primary Group. (This is not the default and can usually be ignored.)
- All designated Pure Groups must exist within the same OU.
- sAMAccountNames must not collide with a local Linux user of the Pure FlashArray. These include: root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, nobody, libuuid, syslog, mysql, messagebus, avahi, postfix, sshd, snmp, ntp, os76, pureuser, pureeng, pureadmin.
- All Windows domain controller URIs (addresses) that you specify in the configuration must be in the same domain: either the parent domain or one child domain, not both. Purity currently supports only a single domain, though up to 30 domain controllers can be defined.
- All domain controller URIs must use the same scheme, either all ldaps or all ldap; no mixing is supported.
- The Bind User account and all intended AD login users must be in exactly the same domain as the domain specified for the Base DN and URI (see below).
- The Bind User must not have "Read Member Of" denied.
- The user must NOT be a member of the standard "Protected Users" security group (see https://docs.microsoft.com/en-us/win...security-group).
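The constraints above (and the URI, Base DN and Group Base rules repeated in the field tables later on this page) are easy to get wrong by hand. The following Python preflight script is an added example, not Pure Storage code and not part of the original page: it encodes those rules as checks you can run against a planned configuration before entering it in the GUI or with pureds setattr. Function names, the configuration dictionary keys and the sample values are this example's own (the sample values mirror the CLI walkthrough below); the local-user list is copied from the constraint above.

```python
"""Preflight checks for a FlashArray Directory Services configuration.
Added example, not Pure Storage code. It encodes the constraints this page states so a
configuration can be checked before it goes into the GUI or `pureds setattr`.
"""
from urllib.parse import urlsplit

MAX_DCS = 30
LOCAL_ARRAY_USERS = frozenset({  # copied from the Constraints list above
    "root", "daemon", "bin", "sys", "sync", "games", "man", "lp", "mail", "news", "uucp",
    "proxy", "www-data", "backup", "list", "irc", "gnats", "nobody", "libuuid", "syslog",
    "mysql", "messagebus", "avahi", "postfix", "sshd", "snmp", "ntp", "os76", "pureuser",
    "pureeng", "pureadmin"})

def split_uris(uri_field):
    """Comma-separated URI field, as the GUI and CLI accept it."""
    return [u.strip() for u in uri_field.split(",") if u.strip()]

def domain_of(uri):
    """Hostname minus its first label: ldap://mydc.mydomain.com -> mydomain.com."""
    host = (urlsplit(uri).hostname or "").lower()
    return host.split(".", 1)[1] if "." in host else ""

def base_dn_from_uri(uri):
    """Base DN the array derives when the field is blank: one DC= per domain label."""
    return ",".join(f"DC={label}" for label in domain_of(uri).split(".") if label)

def check_uris(uri_field):
    """One scheme (ldap or ldaps), one domain (a subdomain counts as different), <= 30 DCs."""
    uris = split_uris(uri_field)
    if not uris:
        return ["URI: at least one domain controller is required"]
    problems = []
    if len(uris) > MAX_DCS:
        problems.append(f"URI: {len(uris)} DCs listed, maximum is {MAX_DCS}")
    schemes = {urlsplit(u).scheme.lower() for u in uris}
    if not schemes <= {"ldap", "ldaps"}:
        problems.append(f"URI: scheme must be ldap or ldaps, got {sorted(schemes - {'ldap', 'ldaps'})}")
    if len(schemes) > 1:
        problems.append(f"URI: all DCs must use the same scheme, got {sorted(schemes)}")
    domains = {domain_of(u) for u in uris}
    if len(domains) > 1 or "" in domains:
        problems.append(f"URI: all DCs must be in one domain, got {sorted(domains)}")
    return problems

def check_base_dn(base_dn, uri_field):
    """Blank means derived; otherwise it must be the DC= form of the URIs' domain.
    Letter case cannot be checked offline but must match what AD uses."""
    uris = split_uris(uri_field)
    if not base_dn or not uris:
        return []
    expected = base_dn_from_uri(uris[0])
    if base_dn.replace(" ", "").lower() != expected.lower():
        return [f"Base DN: {base_dn!r} is not the URIs' domain ({expected})"]
    return []

def check_group_base(group_base):
    """OU path relative to the Base DN: no quotation marks, no DC= components."""
    if not group_base:
        return ["Group Base: required"]
    problems = []
    if '"' in group_base or "'" in group_base:
        problems.append("Group Base: do not enclose the value in quotation marks")
    comps = [c.strip() for c in group_base.strip("\"'").split(",")]
    if any(not c.upper().startswith("OU=") for c in comps):
        problems.append(f"Group Base: expected an OU path without DC= components, got {comps}")
    return problems

def check_role_groups(array_admin, storage_admin, read_only):
    """Three non-empty, distinct CNs; a CN reused across fields collapses to the lowest role."""
    cns = [cn.lower() for cn in (array_admin, storage_admin, read_only) if cn]
    problems = ["Role groups: all three group fields are required"] if len(cns) < 3 else []
    if len(set(cns)) != len(cns):
        problems.append("Role groups: the same CN appears in more than one field")
    return problems

def check_account_names(*names):
    """Bind user and login users must not share a sAMAccountName with a local array user."""
    return [f"Account {n!r} collides with a local Linux user on the array"
            for n in names if n.lower() in LOCAL_ARRAY_USERS]

def preflight(cfg):
    """Hard failures in 'problems'; security advice that is not a hard rule in 'warnings'."""
    uris = split_uris(cfg.get("uri", ""))
    problems = (check_uris(cfg.get("uri", ""))
                + check_base_dn(cfg.get("base_dn", ""), cfg.get("uri", ""))
                + check_group_base(cfg.get("group_base", ""))
                + check_role_groups(cfg.get("array_admin_group", ""),
                                    cfg.get("storage_admin_group", ""), cfg.get("read_only_group", ""))
                + check_account_names(cfg.get("bind_user", ""), *cfg.get("login_users", [])))
    warnings = []
    if any(urlsplit(u).scheme.lower() == "ldap" for u in uris):
        warnings.append("ldap:// sends the bind password and every query in cleartext; use ldaps://")
    if not cfg.get("check_peer"):
        warnings.append("Check Peer is off: ldaps:// encrypts but does not authenticate the DC")
    return {"problems": problems, "warnings": warnings,
            "derived_base_dn": base_dn_from_uri(uris[0]) if uris else ""}
```

Call preflight with a dictionary holding the same values you intend to type into the GUI fields (uri, base_dn, bind_user, group_base, the three group CNs, check_peer, and optionally login_users); an empty problems list means the page's hard constraints are satisfied, and derived_base_dn shows what the array will fill in if Base DN is left blank. The two warnings are not array rules but the two settings that leave the bind password or the server identity unprotected.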
Setup & Configuration
Defining or Creating the Organizational Unit (OU) and Pure Groups in Windows Active Directory
Before configuring Directory Services on the FlashArray side, certain objects need to be created in Active Directory.
- In Active Directory, create or define an Organizational Unit (OU). You may use an existing OU. If you create a new OU, it can be named virtually anything. After creating the OU, you can retrieve its distinguished name with dsquery, as in the following example:

```
C:\Users\Administrator>dsquery ou -name *pure*
"OU=PureGroups,OU=SANManagers,DC=mydomaincontroller,DC=local"
```

From that output, note only OU=PureGroups,OU=SANManagers for the Group Base field in the Directory Services configuration; the DC= components are supplied by the Base DN. The following shows what the structure in AD may look like:
- In Active Directory, create the Pure Groups. Populate the OU with three security groups and use descriptive names; the groups can be named virtually anything. The example below uses pureadmins, pureusers, and purereadonly. These groups must exist within the OU created or defined in Step 1. You will enter these names later when configuring the array side, so make a note of them.
- In Active Directory, make users members of the Pure Groups, either by adding individual users or by adding an existing group as a member of a Pure Group. Members of a group nested in a Pure Group automatically inherit the access level of that Pure Group.
Note: Do not make a user a member of more than one Pure Group. If you do, the user's permissions on the FlashArray will be restricted to the lowest of those groups.
The following images show the addition of a group to a Pure Group and the addition of a user to a Pure Group:
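To confirm that the objects you created in AD will actually work for the array, the following Python script is an added example, not Pure Storage code and not part of the original page. It applies the rules from the Constraints section and the steps above to LDAP entries represented as plain dictionaries, the shape an ldapsearch or ldap3 result gives you: it checks that a group is a security group (the 0x80000000 bit of groupType) with a CN directly under the Group Base, that a user is reachable through memberOf rather than only through primaryGroupID, and it resolves a user who sits in several Pure Groups to the lowest role. The sample groups, users, DNs and SIDs are constructed for illustration.

```python
"""Checks on the AD objects behind the Pure Groups, using the attributes the array relies on.
Added example, not Pure Storage code. Entries are plain dicts of the kind an ldapsearch or
ldap3 result yields; the sample groups, users and SIDs below are constructed.
"""

SECURITY_ENABLED = 0x80000000  # groupType bit set on security groups, clear on distribution groups
ROLE_RANK = {"array_admin": 3, "storage_admin": 2, "read_only": 1}
BASE_DN = "DC=mycompany,DC=com"
GROUP_BASE = "OU=PureGroups,OU=SANManagers"

def group_dn(cn, group_base=GROUP_BASE, base_dn=BASE_DN):
    return f"CN={cn},{group_base},{base_dn}"

def is_security_group(group):
    """AD returns groupType as a signed 32-bit int, e.g. -2147483646 for a global security group."""
    return bool(int(group["groupType"]) & 0xFFFFFFFF & SECURITY_ENABLED)

def rid_of(sid):
    """Relative identifier: the last sub-authority of an SID string."""
    return int(sid.rsplit("-", 1)[1])

def is_primary_group(user, group):
    """primaryGroupID holds the RID of the primary group, which AD omits from memberOf."""
    return int(user.get("primaryGroupID", 0)) == rid_of(group["objectSid"])

def audit_pure_group(group, group_base=GROUP_BASE, base_dn=BASE_DN):
    """Return the reasons a group cannot serve as a Pure Group (empty list = usable)."""
    problems = []
    if not is_security_group(group):
        problems.append("distribution group: Directory Services requires a security group")
    rdn, _, parent = group["dn"].partition(",")
    if not rdn.upper().startswith("CN="):
        problems.append("no CN: an OU cannot be used as a group")
    if parent.lower() != f"{group_base},{base_dn}".lower():
        problems.append(f"not directly inside the Group Base {group_base}")
    return problems

def effective_role(user, pure_groups):
    """Role the array grants, per this page's rules: memberOf only, lowest role on overlap.
    Returns (role or None, reason)."""
    member_of = {dn.lower() for dn in user.get("memberOf", [])}
    primary = [r for r, g in pure_groups.items() if is_primary_group(user, g)]
    if primary:
        return None, f"{primary[0]} group is the user's primary group, so it is absent from memberOf"
    roles = [r for r, g in pure_groups.items() if g["dn"].lower() in member_of]
    if not roles:
        return None, "not a member of any Pure Group"
    lowest = min(roles, key=ROLE_RANK.__getitem__)
    if len(roles) > 1:
        return lowest, f"member of {sorted(roles)}; restricted to the lowest role"
    return lowest, "single Pure Group membership"

# Constructed sample directory: three Pure Groups, one mailing list, four users.
PURE_GROUPS = {
    "array_admin": {"dn": group_dn("pureadmins"), "groupType": "-2147483646",
                    "objectSid": "S-1-5-21-1111-2222-3333-1105"},
    "storage_admin": {"dn": group_dn("pureusers"), "groupType": "-2147483646",
                      "objectSid": "S-1-5-21-1111-2222-3333-1106"},
    "read_only": {"dn": group_dn("purereadonly"), "groupType": "-2147483646",
                  "objectSid": "S-1-5-21-1111-2222-3333-1107"},
}
MAIL_LIST = {"dn": f"CN=storage-team,OU=Lists,{BASE_DN}", "groupType": "2",  # global distribution group
             "objectSid": "S-1-5-21-1111-2222-3333-1200"}
USERS = {
    "alice": {"primaryGroupID": "513", "memberOf": [group_dn("pureadmins")]},
    "bob": {"primaryGroupID": "513", "memberOf": [group_dn("pureadmins"), group_dn("purereadonly")]},
    "carol": {"primaryGroupID": "1106", "memberOf": []},  # pureusers was made her primary group
    "dave": {"primaryGroupID": "513", "memberOf": [f"CN=Domain Users,CN=Users,{BASE_DN}"]},
}

if __name__ == "__main__":
    for role, group in PURE_GROUPS.items():
        print(role, group["dn"], audit_pure_group(group) or "OK")
    print("storage-team", audit_pure_group(MAIL_LIST))
    for name, user in USERS.items():
        print(name, effective_role(user, PURE_GROUPS))
```

Feed audit_pure_group the groupType, objectSid and dn of each Pure Group and effective_role the memberOf and primaryGroupID of a test user; in the sample, bob lands in read_only because he is in two Pure Groups, and carol gets no access at all because her Pure Group is her primary group and therefore never appears in memberOf.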
FlashArray-Side Configuration Using the Pure FlashArray's GUI: Purity Versions 4.10.x and Prior
Initial configuration of Directory Services must be done from the local pureuser account. Log into the Purity GUI as pureuser and navigate to the Directory Service configuration page as follows:
- From the System tab, click Directory Services under the Configuration menu in the left panel.
- Click Edit. A dialog displays.
- Fill in the fields of the dialog with the information gathered from Active Directory.
Use the following descriptions to fill in the Directory Service fields.
Field | Input |
---|---|
Enabled | Select the check box to have the array use the directory service for user account and permission level lookups. |
URI | Enter the uniform resource identifier (URI) of the domain controller. The URI must include a URL scheme (ldap, or ldaps for LDAP over SSL), the hostname, and the domain; a port is optional. For example, ldap://ad.company.com points at the server with hostname 'ad' in the domain 'company.com' over unencrypted LDAP. If you define more than one DC URI (comma separated), the scheme and the domain must match exactly; no mixing of domains, including subdomains, is allowed. Acceptable: ldap://mydc.mydomain.com,ldap://mydc2.mydomain.com,ldap://mydc3.mydomain.com. Not acceptable: ldap://mydc.mydomain.com,ldap://mydc2.subdomain.mydomain.com,ldap://mydc3.mydomain2.com. Not acceptable: ldap://mydc.mydomain.com,ldaps://mydc2.mydomain.com,ldaps://mydc3.mydomain.com |
Base DN | Enter the base distinguished name (DN) of the directory service. The Base DN is built from the domain and should consist only of domain components (DCs). For example, for ldap://ad.storage.company.com the Base DN is DC=storage,DC=company,DC=com. If you leave the field blank, the Base DN is derived from the URI. Note: the case must match the case used in AD. |
Bind User | Enter the username of the account used to perform directory lookups. This should be a dedicated LDAP reader account, not tied to any real person. Purity requires no extra permissions for the bind user; an ordinary, unprivileged domain account is sufficient unless you have restricted read access with permissions/ACLs in your directory, in which case the bind user must be granted read access to the users and groups in question. Set the account's password policy to never expire and disallow changes: if the password expires or changes, Windows users who normally authenticate to the FlashArray through Directory Services lose access until the password is either restored in AD or updated in the Directory Service configuration. Purity uses an LDAP bind as a heartbeat between the FlashArray and the domain controller(s); if the bind user cannot connect for any reason, a Warning alert is generated and logged. Treat the bind password as a service credential: it is stored on the array and, with ldap://, sent over the network in cleartext. |
Bind Password | Enter the password for the bind user account. Note: if this password expires or changes, you must update it here. |
Group Base | Enter the organizational unit (OU) path, relative to the Base DN, of the groups configured in Active Directory. OUs can be nested; in the following example, SANManagers contains the sub-OU PureGroups: OU=PureGroups,OU=SANManagers. All configured FlashArray group common names (CNs) must exist in this same OU. Note: Group Base is case sensitive and must match the case used in AD. Do not enclose the value in quotation marks. |
Array Admin Group | Enter the common name (CN) of the group of administrators allowed to perform every FlashArray operation. Members of the Array Admin Group have the same privileges as pureuser. |
Storage Admin Group | Enter the common name (CN) of the group of administrators allowed to perform FlashArray storage operations. |
Read Only Group | Enter the common name (CN) of the group of users with read-only privileges on the FlashArray. Note: do NOT enter the same group name in more than one field; that group's permissions would be locked down to the lowest level. |
Check Peer | Select the check box to validate the authenticity of the directory servers against the CA Certificate. If you enable Check Peer, you must provide a CA Certificate. Without it, ldaps:// encrypts the connection but does not verify that the array is talking to the genuine domain controller. |
CA Certificate | Enter the certificate of the issuing certificate authority. Only one certificate can be configured at a time, so the same CA should be the issuer of all directory server certificates. The certificate must be PEM formatted (base64 encoded) and must not exceed 3000 characters in total length. |
- Additional configuration is required for TLS support. If you want encrypted communication and have already enabled SSL on the AD server, setting the URI scheme to ldaps:// is sufficient. If you also want server authentication, so that the array rejects an impostor DC, you need the PEM certificate (base64-encoded X.509) of the authority that issued the DC certificates. Once SSL is enabled, the entire AD bind and query session is encrypted. Complete the following steps to configure TLS support.
- Optional: to import the certificate, select "Check Peer", then select "change". The Edit Certificate dialog box opens.
- Choose each DC one by one from the drop-down menu. Either paste the certificate manually or click "Fetch from server" to retrieve it automatically, then click "Set" at the bottom of the dialog box to continue. A fetched certificate is trust-on-first-use: compare its subject and fingerprint with what your CA actually issued before you rely on it, because the array cannot authenticate the DC at the moment of the fetch.
The following is an example of completed fields:
- If everything looks correct, click Save. To test it, click Test and view the test results:
- If all results return green, the configuration is validated. If any result is red, an entry most likely needs editing to match the information in Active Directory.
- Failed tests can also mean that the array cannot reach or talk to the domain controller, or that the LDAP search from the FlashArray is being blocked within AD. Is "Read Member Of" denied on any of the objects? If so, remove that restriction.
- If the test fails and you believe both the Directory Service entries and Active Directory are configured correctly, open a ticket with Pure Storage Support.
- After a successful test, you may enable Directory Services.
- Click Save to complete the setup.
FlashArray-Side Configuration Using the Pure FlashArray's GUI: Purity Versions 5.0.x and Above
Note: Initial configuration of Directory Services must be done as the local pureuser account. Log into the Purity GUI as pureuser and navigate to the Directory Service configuration section.
- From the System tab, click Directory Services under the Users menu in the left panel.
- Click Edit. A dialog displays.
- Fill in the fields with the information gathered from Active Directory.
Field | Input |
---|---|
Enabled | Select the check box to have the array use the directory service for user account and permission level lookups. |
URI | Enter the uniform resource identifier (URI) of the domain controller. The URI must include a URL scheme (ldap, or ldaps for LDAP over SSL), the hostname, and the domain; a port is optional. For example, ldap://ad.company.com points at the server with hostname 'ad' in the domain 'company.com' over unencrypted LDAP. If you define more than one DC URI (comma separated), the scheme and the domain must match exactly; no mixing of domains, including subdomains, is allowed. Acceptable: ldap://mydc.mydomain.com,ldap://mydc2.mydomain.com,ldap://mydc3.mydomain.com. Not acceptable: ldap://mydc.mydomain.com,ldap://mydc2.subdomain.mydomain.com,ldap://mydc3.mydomain2.com. Not acceptable: ldap://mydc.mydomain.com,ldaps://mydc2.mydomain.com,ldaps://mydc3.mydomain.com |
Base DN | Enter the base distinguished name (DN) of the directory service. The Base DN is built from the domain and should consist only of domain components (DCs). For example, for ldap://ad.storage.company.com the Base DN is DC=storage,DC=company,DC=com. If you leave the field blank, the Base DN is derived from the URI. Note: the case must match the case used in AD. |
Bind User | Enter the username of the account used to perform directory lookups. This should be a dedicated LDAP reader account, not tied to any real person. Purity requires no extra permissions for the bind user; an ordinary, unprivileged domain account is sufficient unless you have restricted read access with permissions/ACLs in your directory, in which case the bind user must be granted read access to the users and groups in question. Set the account's password policy to never expire and disallow changes: if the password expires or changes, Windows users who normally authenticate to the FlashArray through Directory Services lose access until the password is either restored in AD or updated in the Directory Service configuration. Purity uses an LDAP bind as a heartbeat between the FlashArray and the domain controller(s); if the bind user cannot connect for any reason, a Warning alert is generated and logged. Treat the bind password as a service credential: it is stored on the array and, with ldap://, sent over the network in cleartext. |
Bind Password | Enter the password for the bind user account. Note: if this password expires or changes, you must update it here. |
Group Base | Enter the organizational unit (OU) path, relative to the Base DN, of the groups configured in Active Directory. OUs can be nested; in the following example, SANManagers contains the sub-OU PureGroups: OU=PureGroups,OU=SANManagers. All configured FlashArray group common names (CNs) must exist in this same OU. Note: Group Base is case sensitive and must match the case used in AD. Do not enclose the value in quotation marks. |
Array Admin Group | Enter the common name (CN) of the group of administrators allowed to perform every FlashArray operation. Members of the Array Admin Group have the same privileges as pureuser. |
Storage Admin Group | Enter the common name (CN) of the group of administrators allowed to perform FlashArray storage operations. |
Read Only Group | Enter the common name (CN) of the group of users with read-only privileges on the FlashArray. Note: do NOT enter the same group name in more than one field; that group's permissions would be locked down to the lowest level. |
Check Peer | Select the check box to validate the authenticity of the directory servers against the CA Certificate. If you enable Check Peer, you must provide a CA Certificate. Without it, ldaps:// encrypts the connection but does not verify that the array is talking to the genuine domain controller. |
CA Certificate | Enter the certificate of the issuing certificate authority. Only one certificate can be configured at a time, so the same CA should be the issuer of all directory server certificates. The certificate must be PEM formatted (base64 encoded) and must not exceed 3000 characters in total length. |
- Additional configuration is required for TLS support. If you want encrypted communication and have already enabled SSL on the AD server, setting the URI scheme to ldaps:// is sufficient. If you also want server authentication, so that the array rejects an impostor DC, you need the PEM certificate (base64-encoded X.509) of the authority that issued the DC certificates. Once SSL is enabled, the entire AD bind and query session is encrypted. Complete the following steps to configure TLS support.
- Optional: to import the certificate, select "Edit". A dialog box opens.
- Choose each DC one by one from the drop-down menu. Either paste the certificate manually or click "Fetch from server" to retrieve it automatically, then click "Set" at the bottom of the dialog box to continue. A fetched certificate is trust-on-first-use: compare its subject and fingerprint with what your CA actually issued before you rely on it, because the array cannot authenticate the DC at the moment of the fetch.
The following is an example of completed fields.
- If using LDAPS, select Check Peer.
- If everything looks correct, click Save. To test it, click Test and view the test results:
- If all results return green, the configuration is validated. If any result is red, an entry most likely needs editing to match the information in Active Directory.
- Failed tests can also mean that the array cannot reach or talk to the domain controller, or that the LDAP search from the FlashArray is being blocked within AD. Is "Read Member Of" denied on any of the objects? If so, remove that restriction.
- If the test fails and you believe both the Directory Service entries and Active Directory are configured correctly, open a ticket with Pure Storage Support.
- After a successful test, you may enable Directory Services.
- Click Save to complete the setup.
FlashArray-Side Configuration Using the CLI
The CLI command pureds is used to configure Directory Services (secure array administration with multi-user access control).
Note: The available options vary with the Purity version. Use the help output to view the valid commands for your array: pureds -h. Start by listing the current, still empty, configuration:

```
# pureds list
URI  Basedn  Binduser  Password Set  Checkpeer  Enabled
-    -       -         False         False      False

# pureds list --groups
Read-only Group  Storage Admin Group  Array Admin Group  Group Base
-                -                    -                  -

# pureds list --certificate
Certificate Data
-
```
- Set the URI to point at the Active Directory server:

```
# pureds setattr --uri ldaps://mydomaincontroller.mycompany.com
URI                                       Basedn               Binduser  Password Set  Checkpeer  Enabled
ldaps://mydomaincontroller.mycompany.com  DC=mycompany,DC=com  -         False         False      False
```

Note that this auto-populated the Base DN; the default is derived from the domain in the URI. You may also enter more than one URI, comma separated, up to 30. They must all use ldaps or all use ldap; mixing is not allowed in the current Directory Services implementation, and the DCs must be members of the same domain. For example:

```
# pureds setattr --uri "ldaps://mydomaincontroller.mycompany.com,ldaps://mydomaincontroller2.mycompany.com,ldaps://mydomaincontroller3.mycompany.com"
```
- Set the bind credentials: the sAMAccountName (username) of the bind user (the LDAP reader account) and its password. The password is read from a prompt rather than passed on the command line, so it does not end up in the shell history:

```
# pureds setattr --bind-user ldapreader
URI                                       Basedn               Binduser    Password Set  Checkpeer  Enabled
ldaps://mydomaincontroller.mycompany.com  DC=mycompany,DC=com  ldapreader  False         False      False

# pureds setattr --bind-password
Enter bind password:
Retype bind password:
URI                                       Basedn               Binduser    Password Set  Checkpeer  Enabled
ldaps://mydomaincontroller.mycompany.com  DC=mycompany,DC=com  ldapreader  True          False      False
```
- Set the Group Base. You could enter just OU=PureGroups, but in this scenario the OU sits under an existing OU, so the Group Base is OU=PureGroups,OU=SANManagers:

```
# pureds setattr --group-base OU=PureGroups,OU=SANManagers
Read-only Group  Storage Admin Group  Array Admin Group  Group Base
-                -                    -                  OU=PureGroups,OU=SANManagers
```
- Set the three groups:

```
# pureds setattr --array-admin-group pureadmins
Read-only Group  Storage Admin Group  Array Admin Group  Group Base
-                -                    pureadmins         OU=PureGroups,OU=SANManagers

# pureds setattr --storage-admin-group pureusers
Read-only Group  Storage Admin Group  Array Admin Group  Group Base
-                pureusers            pureadmins         OU=PureGroups,OU=SANManagers

# pureds setattr --readonly-group purereadonly
Read-only Group  Storage Admin Group  Array Admin Group  Group Base
purereadonly     pureusers            pureadmins         OU=PureGroups,OU=SANManagers
```

Alternatively, set all three groups with one command, each in its own option:

```
# pureds setattr --readonly-group purereadonly --storage-admin-group pureusers --array-admin-group pureadmins
Read-only Group  Storage Admin Group  Array Admin Group  Group Base
purereadonly     pureusers            pureadmins         OU=PureGroups,OU=SANManagers
```
- Test the configuration:

```
# pureds test
Testing from ct0:
Searching ldaps://mydomaincontroller.mycompany.com... PASSED
Searching for group CN=purereadonly... PASSED
Searching for group CN=pureusers... PASSED
Searching for group CN=pureadmins... PASSED
```

- Enable the configuration:

```
# pureds enable
URI                                       Basedn               Binduser    Password Set  Checkpeer  Enabled
ldaps://mydomaincontroller.mycompany.com  DC=mycompany,DC=com  ldapreader  True          False      True
```

You may now log into the FlashArray from the CLI or GUI with a Windows account that is a member of one of the Pure Groups in AD.
Additional Information
(TLS Support) Configuring a Certificate via CLI
After all other configuration is completed using the steps above, import the CA certificate.
- Paste the PEM certificate, followed by a blank line:

```
# pureds setattr --certificate
Please enter certificate data followed by a blank line:
-----BEGIN CERTIFICATE-----
MIIFPjCCBCagAwIBAgIQEq8c+d2S0IhBuhwpUpjrVzANBgkqhkiG9w0BAQUFADCB
gjETMBEGCgmSJomT8ixkARkWA2NvbTEbMBkGCgmSJomT8ixkARkWC3B1cmVzdG9y
YWdlMRMwEQYKCZImiZPyLGQBGRYDZGV2MRwwGgYKCZImiZPyLGQBGRYMamVua2lu
cy13MmszMRswGQYDVQQDExJqZW5raW5zLXcyazMtYWQtY2EwIBcNMTMwNjEzMDU1
NzM3WhgPMjUxMzA2MTMwNjA2MjlaMIGCMGMwEQYKCZImiZPyLGQBGRYDY29tMRsw
GQYKCZImiZPyLGQBGRYLcHVyZXN0b3JhZ2UxEzARBgoJkiaJk/IsZAEZFgNkZXYx
HDAaBgoJkiaJk/IsZAEZFgxqZW5raW5zLXcyazMxGzAZBgNVBAMTEmplbmtpbnMt
dzJrMy1hZC1jYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANWx2+/t
LuybAYk4E66J/3So73kACzb7iRrNlhgKLVklXLKMa8Q+5tLBAzGr7Q3kS/qkPRH7
HBmpqOo7CY4p/nxm6idrk1nGzmd4IpbZJQ7knIYth9fius60Bm9VswLdEiqIpWi4
yqxXpMHwI8H2o8cj+nbeZJtG64bQzWQW4t9Jvra7V/ZwxkbzmC+ueFHY1XVgpEFP
FA9bUtYnpPovaaHCIhUFQKIPeYr6G4icP9xRcW1ri7aT0kSQEh5mBVCihxtuRq/8
MMVTdx4JT16EwUYx5waWesLNwQmWxafHZ0fQZmcEXWG2HtccfGTdsDBtF0B31N67
LBStbeiZ/UY0G+MCAwEAAaOCAaowggGmMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBSFdCk9DQmH9CSiLtE8x0PvVJIVlDCCAVMGA1UdHwSC
AUowggFGMIIBQqCCAT6gggE6hoHcbGRhcDovLy9DTj1qZW5raW5zLXcyazMtYWQt
Y2EsQ049am5raW5zLXcyazMtYWQxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBT
ZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWplbmtpbnMt
dzJrMyxEQz1kZXYsREM9cHVyZXN0b3JhZ2UsREM9Y29tP2NlcnRpZmljYXRlUmV2
b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2lu
dIZZaHR0cDovL2pua2lucy13MmszLWFkMS5qZW5raW5zLXcyazMuZGV2LnB1cmVz
dG9yYWdlLmNvbS9DZXJ0RW5yb2xsL2plbmtpbnMtd1JrMy1hZC1jYS5jcmwwEAYJ
KwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAAYJz5WmZsm/nqbv06ov
NRECGAWQUGg6LkJMZYkd6cniKPnVWwyZhG62f6FtHeUergkob1/ZKRiOk4H9pKFO
y4IdRkh1zeTYWpuUwWlZ0bPwI/gY68jah42Cz/yJkfJ9FZqKQLGA6zpnEJdI6UbC
HGLbjRa05263UqWzX8Y3YWSNpYxp80jqOvG7WRwwOp1QrBCb/akXZmxlXesQQ+of
jrMCkzPokuZNRb45PTYJPxfIIog6Skj3AEe9zFOQ+FvfHUpJrWsZ+iCauWiRG0rg
m8wYNgJgyhs4WGb/1UeC/cLtDDHuLw/G5n9Fht6lS/PCvvUURNgYYQOOrNjbXi4p
/hA=
-----END CERTIFICATE-----
```
Alternatively, use the --auto-fetch switch to fetch the certificate from the domain controller:

```
# pureds setattr --certificate --auto-fetch
Attempting to automatically fetch certificate from mydomaincontroller.mycompany.com:636...
```

The command then prints the same PEM certificate block shown above. Auto-fetch is trust-on-first-use: at that moment the array has no way to authenticate the DC, so compare the fetched certificate's subject and fingerprint with what your CA actually issued before you enable Check Peer.
- Enable Check Peer so that the configured certificate is enforced on every connection:

```
# pureds enable --checkpeer
URI                                       Basedn               Binduser    Password Set  Checkpeer  Enabled
ldaps://mydomaincontroller.mycompany.com  DC=mycompany,DC=com  ldapreader  True          True       True
```

- Test the settings; the test now includes a search that enforces the configured certificate:

```
# pureds test
Testing from ct0:
Resolving mydomaincontroller.mycompany.com... PASSED
Searching ldaps://mydomaincontroller.mycompany.com... PASSED
Searching while enforcing configured certificate... PASSED
Searching for group CN=purereadonly... PASSED
Searching for group CN=pureusers... PASSED
Searching for group CN=pureadmins... PASSED
```