Pure Technical Services

Directory Services Setup and Configuration


Directory Services provides secure FlashArray administration through role-based, multi-user access control.  

Support

Our Directory Services implementation is supported for the following: 

  • Windows Active Directory
  • OpenLDAP (Purity 4.7.0 or later required)
    Note: 389DS (389 Directory Server) is supported only on Purity 5.2.0 and later.

Role-Based Access Control

  • Directory Services provides role-based access control (RBAC) by using groups defined in Windows Active Directory to restrict access to the FlashArray.
  • Designated Windows users log into the FlashArray with their Windows domain credentials.
  • Access is granted when a domain user is made a member of one of three Pure Groups that you create in AD. To the FlashArray, each group maps to its own access level: Array Admin, Storage Admin, and Read Only (explained in detail below).

 Security

  • There are no shared logins. With Directory Services, each user logs into the FlashArray with their own Windows credentials.
  • You can limit access. What a user is allowed to do on the array is controlled centrally by which Pure Group in Active Directory their account belongs to.
  • Access can be granted to or revoked from users from within Active Directory, without touching the array.
  • LDAP over SSL/TLS (ldaps://) is supported. It encrypts the whole bind and query session, including the bind password and the passwords of users logging in. Enable Check Peer with a CA certificate as well; with ldaps:// alone the session is encrypted but the array does not verify which server it is talking to.

 Audit Trail

Audit trails are kept per user: because every login uses an individual account, the array's audit log records logins and activity under the name of the person who performed them.

Prerequisites

Requirements

  • The FlashArray must be running a Purity version that supports Directory Services (3.2.0 or later).
  • The FlashArray must be able to reach the Windows domain controller(s) over the network (LDAP on TCP 389 or LDAPS on TCP 636).

Constraints

  • "Security Groups" must be used with your Directory Services configuration.
    Note: There are two types of groups in Active Directory: distribution groups and security groups. You can use distribution groups to create e-mail distribution lists and security groups to assign permissions to shared resources. (For more information, see the TechNet article on Group Types.)
  • Groups must have a common name (CN). You cannot use an OU as a group: OUs do not populate a user's memberOf attribute, which is what the FlashArray uses to restrict access.
  • Making a Pure Group a user's "Primary Group" in AD also removes it from that user's memberOf attribute, so the feature will not work for a user whose Primary Group is one of the groups configured in Directory Services. (This is not the default and can usually be ignored.)
  • All designated Pure Groups must exist within the same OU.
  • The sAMAccountName of an AD user must not match a local Linux user on the FlashArray. These are:

    root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, nobody, libuuid, syslog, mysql, messagebus, avahi, postfix, sshd, snmp, ntp, os76, pureuser, pureeng, pureadmin

  • All Windows domain controller URIs (addresses) that you specify in the configuration must be in the same domain, either a parent domain or a child domain, not both. Purity currently supports only a single domain, though up to 30 domain controllers can be defined.
  • All domain controller URIs must use either ldaps or ldap; mixing the two is not supported.
  • The bind user account and all AD users who are meant to log in must be in exactly the domain specified for the Base DN and URI (see below).
  • The bind user must not have "Read Member Of" denied; it needs to read the memberOf attribute of user objects.
  • Users must NOT be members of the standard "Protected Users" security group (see https://docs.microsoft.com/en-us/win...security-group).
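As an added example (not from the original page and not Pure Storage's tooling), the following PowerShell applies the URI rules in the constraints above before anything is typed into the array. It parses a comma-separated list as it would be entered in the URI field, flags unsupported or mixed schemes, hosts in different domains and more than 30 entries, and derives the Base DN the way Purity does, from the domain part of the host name. The function names are my own; the three sample lists at the end are the acceptable and not-acceptable examples given in the URI field descriptions further down this page.

```powershell
# Added example, not Pure Storage's tooling. Validates a Directory Services URI
# list against the constraints above and derives the Base DN from it.

function Get-PureDsBaseDn {
    param([Parameter(Mandatory)][System.Uri]$Uri)
    # Purity builds the Base DN from the domain part of the host name only, so
    # ldap://ad.storage.company.com gives DC=storage,DC=company,DC=com. The case
    # is taken from the URI and must match the case used in AD.
    $labels = $Uri.Host.Split('.')
    if ($labels.Count -lt 2) { return $null }   # a bare host name has no domain to derive from
    return (($labels | Select-Object -Skip 1) | ForEach-Object { "DC=$_" }) -join ','
}

function Test-PureDsUriList {
    # $UriList is the comma-separated string exactly as it would be typed into the URI field.
    param([Parameter(Mandatory)][string]$UriList)
    $problems = [System.Collections.Generic.List[string]]::new()
    $uris = @($UriList.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($uris.Count -gt 30) { $problems.Add("$($uris.Count) URIs given; at most 30 domain controllers can be defined") }

    $parsed = @(foreach ($u in $uris) {
        try { [System.Uri]$u } catch { $problems.Add("'$u' is not a valid URI; expected ldap://host.domain or ldaps://host.domain") }
    })
    foreach ($p in $parsed) {
        if ($p.Scheme -notin @('ldap', 'ldaps')) { $problems.Add("'$p' uses scheme '$($p.Scheme)'; only ldap or ldaps is supported") }
        if ($p.Host.Split('.').Count -lt 2)      { $problems.Add("'$p' has no domain part; the host name must include the domain") }
    }
    # Every URI must use the same scheme, and every host must carry exactly the
    # same domain suffix: subdomain.mydomain.com does not count as mydomain.com.
    $schemes = @($parsed | ForEach-Object { $_.Scheme } | Sort-Object -Unique)
    if ($schemes.Count -gt 1) { $problems.Add("mixed schemes ($($schemes -join ', ')); all URIs must be ldap or all must be ldaps") }
    $domains = @($parsed | ForEach-Object { ($_.Host.Split('.') | Select-Object -Skip 1) -join '.' } | Sort-Object -Unique)
    if ($domains.Count -gt 1) { $problems.Add("domain controllers in different domains ($($domains -join ', ')); all must be in one domain") }

    $baseDn = if ($parsed.Count -gt 0) { Get-PureDsBaseDn $parsed[0] } else { $null }
    [pscustomobject]@{
        Valid    = ($problems.Count -eq 0)
        BaseDn   = $baseDn
        Problems = $problems.ToArray()
    }
}

# The three lists below are the acceptable and not-acceptable examples from the URI field description.
Test-PureDsUriList 'ldap://mydc.mydomain.com,ldap://mydc2.mydomain.com,ldap://mydc3.mydomain.com'
Test-PureDsUriList 'ldap://mydc.mydomain.com,ldap://mydc2.subdomain.mydomain.com,ldap://mydc3.mydomain2.com'
Test-PureDsUriList 'ldap://mydc.mydomain.com,ldaps://mydc2.mydomain.com,ldaps://mydc3.mydomain.com'
```

Only the first list comes back with Valid set and an empty Problems array; the second is reported for spanning several domains and the third for mixing ldap and ldaps, which is exactly what the array's own test would later fail on.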

Setup & Configuration

Defining or Creating the Organizational Unit (OU) and Pure Groups in Windows Active Directory

Before configuring Directory Services on the FlashArray side, certain objects need to be created in Active Directory. 

  1. In Active Directory, create or choose an organizational unit (OU). You may use an existing OU. If you create a new one, it can be named virtually anything. After creating the OU, you can look up its distinguished name with dsquery, as in the following example:
C:\Users\Administrator>dsquery ou -name *pure*
"OU=PureGroups,OU=SANManagers,DC=mydomaincontroller,DC=local"

From that output you need only the OU components, OU=PureGroups,OU=SANManagers (without the DC= domain components), for the Group Base field in the Directory Services configuration. The following shows what the structure in AD may look like:

dssetup1.png

  2. In Active Directory, create the Pure Groups. Populate the OU with the Pure Groups, which must be security groups. Use descriptive names; the groups can be named virtually anything. The example below uses pureadmins, purereadonly, and pureusers. These groups must exist directly within the OU created or chosen in step 1. You will enter these group names later during the array-side configuration, so make a note of them.

dasetup2.png 

  3. In Active Directory, add users to the Pure Groups. This can be done by adding individual users or by adding an existing group as a member. The members of a group that is nested in a Pure Group inherit that Pure Group's access level.
    Note: Do not make a user a member of more than one Pure Group. If you do, the user's permissions on the FlashArray are restricted to the lowest of those groups.

The following images show a group being added to a Pure Group and a user being added to a Pure Group:

dasetup3.png  
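The following PowerShell is an added example, not Pure Storage's or Microsoft's code, that carries out the three steps above and then audits the result against the constraints listed earlier. It creates the OU structure, the three Pure security groups and a dedicated bind account, adds members, and then reports every condition that would make a login fail silently: a distribution group instead of a security group, a group outside the Group Base OU, a user whose Primary Group is a Pure Group (memberOf will not list it), a sAMAccountName that collides with a local FlashArray account, a member of Protected Users, and a user who ends up in more than one Pure Group. It needs the ActiveDirectory RSAT module and rights to create objects in the domain. Every name used (SANManagers, PureGroups, pureadmins, pureusers, purereadonly, ldapreader, jdoe, storage-ops, auditor) is an assumption taken from this page's examples.

```powershell
# Added example, not Pure Storage's or Microsoft's code. Creates the objects the
# three steps above describe and then audits them against the Constraints section.
# Needs the ActiveDirectory RSAT module and rights to create objects in the domain.
# Every name here (SANManagers, PureGroups, pureadmins, pureusers, purereadonly,
# ldapreader, jdoe, storage-ops, auditor) is an assumption taken from this page's examples.
Import-Module ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName       # e.g. DC=mycompany,DC=com
$groupBase  = 'OU=PureGroups,OU=SANManagers'          # value for the Group Base field (no DC= components)
$groupOuDn  = "$groupBase,$domainDn"
$pureGroups = @{ ArrayAdmin = 'pureadmins'; StorageAdmin = 'pureusers'; ReadOnly = 'purereadonly' }

# Local accounts on the FlashArray; an AD sAMAccountName must not collide with them (list from this page).
$reservedNames = @('root','daemon','bin','sys','sync','games','man','lp','mail','news','uucp','proxy',
    'www-data','backup','list','irc','gnats','nobody','libuuid','syslog','mysql','messagebus','avahi',
    'postfix','sshd','snmp','ntp','os76','pureuser','pureeng','pureadmin')

# Step 1: the OU. An existing OU works too; here PureGroups is created as a sub-OU of SANManagers.
foreach ($ou in @("OU=SANManagers,$domainDn", $groupOuDn)) {
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ou'")) {
        $rdn, $parent = $ou -split ',', 2
        New-ADOrganizationalUnit -Name ($rdn -replace '^OU=', '') -Path $parent
    }
}

# Step 2: the Pure Groups. They must be Security groups and sit directly in that OU.
foreach ($g in $pureGroups.Values) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $groupOuDn)) {
        New-ADGroup -Name $g -SamAccountName $g -GroupCategory Security -GroupScope Global -Path $groupOuDn
    }
}

# The bind (LDAP reader) account: an ordinary user whose password neither expires nor can be changed by itself.
if (-not (Get-ADUser -Filter "SamAccountName -eq 'ldapreader'")) {
    New-ADUser -Name 'ldapreader' -SamAccountName 'ldapreader' -Path "OU=SANManagers,$domainDn" `
        -AccountPassword (Read-Host -AsSecureString 'Password for ldapreader') -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'FlashArray Directory Services bind account (read-only LDAP lookups)'
}

# Step 3: members. A person goes into exactly one Pure Group; an existing group may be nested.
Add-ADGroupMember -Identity $pureGroups.ArrayAdmin   -Members 'jdoe'
Add-ADGroupMember -Identity $pureGroups.StorageAdmin -Members 'storage-ops'
Add-ADGroupMember -Identity $pureGroups.ReadOnly     -Members 'auditor'

function Test-PureDsMembership {
    param([string[]]$GroupNames, [string]$GroupOuDn, [string[]]$ReservedNames)
    $findings  = [System.Collections.Generic.List[string]]::new()
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive | ForEach-Object { $_.SamAccountName })
    $seenIn    = @{}   # sAMAccountName -> Pure Groups the user resolves into
    foreach ($name in $GroupNames) {
        $g = Get-ADGroup -Identity $name -Properties primaryGroupToken
        if ($g.GroupCategory -ne 'Security') { $findings.Add("$name is a Distribution group; it must be a Security group") }
        if ($g.DistinguishedName -ne "CN=$($g.Name),$GroupOuDn") { $findings.Add("$name is at $($g.DistinguishedName), not directly under $GroupOuDn") }
        # -Recursive follows nested groups, which is how nested members inherit the group's access.
        foreach ($m in (Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' })) {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties primaryGroupID
            $k = $u.SamAccountName
            if (-not $seenIn.ContainsKey($k)) { $seenIn[$k] = @() }
            $seenIn[$k] += $name
            if ($u.primaryGroupID -eq $g.primaryGroupToken) { $findings.Add("${k}: $name is their Primary Group, so memberOf will not list it") }
            if ($k -in $ReservedNames) { $findings.Add("$k collides with a local FlashArray account name") }
            if ($k -in $protected)     { $findings.Add("$k is in Protected Users and cannot log in to the array") }
        }
    }
    foreach ($e in $seenIn.GetEnumerator()) {
        if ($e.Value.Count -gt 1) { $findings.Add("$($e.Key) is in several Pure Groups ($($e.Value -join ', ')); access drops to the lowest of them") }
    }
    return $findings
}

$findings = Test-PureDsMembership -GroupNames @($pureGroups.Values) -GroupOuDn $groupOuDn -ReservedNames $reservedNames
if ($findings.Count -eq 0) { "No findings. Group Base for the array: $groupBase" } else { $findings }
```

Run the audit again whenever membership changes; the checks cover exactly the conditions under which the array's own "Test" button passes (the groups resolve) but an individual user still cannot log in.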

FlashArray-Side Configuration Using the Pure FlashArray's GUI: Purity Versions 4.10.x and Prior.

Initial configuration of Directory Services must be done as the local pureuser account. Log in to the Purity GUI as pureuser and then navigate to the Directory Service configuration page as follows:

  1. On the System tab, click Directory Services under the Configuration menu in the left panel.
  2. Click on Edit. A dialog displays.

GUI1.png

  3. Fill in the fields of the dialog with the information gathered from Active Directory.

GUI2.png

Use the following descriptions to fill in the Directory Service fields shown above.

Enabled

Select the check box to have the array use the directory service for user account and permission level lookups.

URI

Enter the universal resource identifier (URI)

The URI must include a URL scheme (ldap, or ldaps for LDAP over SSL), the hostname, and the domain.  You can optionally specify a port.

For example, ldap://ad.company.com configures the Active Directory server with the hostname 'ad' in the domain 'company.com' while specifying the unencrypted LDAP protocol.

Note: If you define more than one DC URI here, the URL scheme and domains must match exactly.  No mixing of domains is allowed, including subdomains.  

Acceptable: ldap://mydc.mydomain.com,ldap://mydc2.mydomain.com,ldap://mydc3.mydomain.com

Not acceptable: ldap://mydc.mydomain.com,ldap://mydc2.subdomain.mydomain.com,ldap://mydc3.mydomain2.com 

Not acceptable: ldap://mydc.mydomain.com,ldaps://mydc2.mydomain.com,ldaps://mydc3.mydomain.com  

Note: The URI entry auto-fills the Base DN, which is case sensitive. Be sure to match the case used in AD.

Base DN

Enter the base distinguished name (DN) of the directory service. The Base DN is built from the domain and should consist only of domain components (DCs). For example, for ldap://ad.storage.company.com the Base DN would be DC=storage,DC=company,DC=com. If you leave the field blank, the Base DN is derived from the URI.

Note: The case must match the case used in AD.

Bind User

Enter the username (sAMAccountName) of the account used to perform directory lookups. This should be a dedicated LDAP reader account that is not tied to an actual person.

Typically the bind user is a low-privilege account in AD. Purity does not require any extra permissions for it: an ordinary, non-privileged domain user with default permissions is enough, because the array only reads user and group objects. If you restrict read access with custom permissions or ACLs in your directory, the bind user additionally needs read access to the user objects (including their memberOf attribute) and to the groups under the Group Base.

Set the password policy for the LDAP reader account so that the password never expires and cannot be changed by the account itself. If the password expires or changes, Windows users who would normally authenticate to the FlashArray lose access through Directory Services. If the password has to change, either set it back to the previous value in AD or update the Bind Password in the Directory Service configuration to match the new value.

Purity uses an LDAP bind as a heartbeat between the FlashArray and the domain controller(s). If the bind user cannot connect to the domain controller(s) for any reason, a warning alert is generated and logged.

Bind Password

Enter the password for the bind user account.

Note: If this password expires or changes, you will need to update it here.

Group Base

Enter the organizational unit (OU) path to the groups that are configured in Active Directory. Groups can be nested. In the following example, SANManagers contains the sub-organizational unit PureGroups:

OU=PureGroups,OU=SANManagers

All FlashArray configured group common names (CN) must exist in the same OU.

Note: Group Base is case sensitive and must match the case used in AD. Do not enclose the value in quotation marks.

Array Admin Group

Enter the common name (CN) of the group of administrators that are allowed to perform every FlashArray operation. Array Admin Group administrators have the same privileges as pureuser.

Storage Admin Group

Enter the common name (CN) of the group of administrators that are allowed to perform FlashArray storage operations.

Read Only Group

Enter the common name (CN) of the group of users with read-only privileges on the FlashArray.

Note: DO NOT enter the same group name in more than one field. A group entered in several fields is locked down to the lowest of those permission levels.

Check Peer

Select the check box to validate the authenticity of the directory servers using the CA Certificate. If you enable Check Peer, you must provide a CA Certificate.

CA Certificate

Enter the certificate of the issuing certificate authority. Only one certificate can be configured at a time, so the same certificate authority should be the issuer of all directory server certificates. The certificate must be PEM formatted (base64 encoded) and must not exceed 3000 characters in total length.

  4. Additional configuration is required for TLS support. If you only want encrypted communication and have already enabled SSL on the AD server, setting the URI scheme to ldaps:// is enough. If you also want server authentication, you need the PEM certificate (base64-encoded X.509) used to verify the AD server, normally the issuing CA's certificate as described under CA Certificate above, and Check Peer must be enabled; with ldaps:// alone the session is encrypted but the array does not verify which server it is talking to. Once SSL is enabled, the entire AD bind and query session is encrypted. Complete the following steps to configure TLS support.
    1. Optional: To import the certificate, select "Check Peer." Then import the certificate by selecting "change." The Edit Certificate dialog box opens.

GUI3.png

    2. Choose each DC one by one from the drop-down menu. You can then paste the certificate data manually or click Fetch from server to retrieve it from that DC, and then click Set at the bottom of the dialog box to continue.

dasetup8.png

The following is an example of completed fields:

GUI4.png

  5. If everything looks correct, click Save. To test it, click Test. View the test results:

dasetup13.png

  • If all results come back green, the configuration is validated. If any come back red, an entry most likely needs editing to match the information in Active Directory.
  • A failed test can also mean that the array cannot reach or talk to the domain controller, or that the LDAP search from the FlashArray is being blocked inside AD. Is "Read Member Of" denied on any of the objects? If so, remove that restriction.
  • If the test fails and you believe both the Directory Service entries and Active Directory are configured correctly, open a ticket with Pure Storage Support.
  6. After a successful test, enable Directory Services.

dasetup13.png

  7. Click Save to complete the setup.

FlashArray-Side Configuration Using the Pure FlashArray's GUI: Purity Versions 5.0.x and Above.

Note: Initial configuration of Directory Services must be done as the local pureuser account.  To do this, access the Purity GUI as the local pureuser account and navigate to the Directory Service configuration section.

  1. On the System tab, click Directory Services under the Users menu in the left panel.
  2. Click on Edit. A dialog displays.

edit ds settings.png

blank config.png

  3. Fill in the fields with the information gathered from Active Directory.

Enabled

Select the check box to have the array use the directory service for user account and permission level lookups.

URI

Enter the universal resource identifier (URI).

The URI must include a URL scheme (ldap, or ldaps for LDAP over SSL), the hostname, and the domain. You can optionally specify a port.

For example, ldap://ad.company.com configures the Active Directory server with the hostname 'ad' in the domain 'company.com' while specifying the unencrypted LDAP protocol.

Note: If you define more than one DC URI here, the URL scheme and domains must match exactly. No mixing of domains is allowed, including subdomains.

Acceptable: ldap://mydc.mydomain.com,ldap://mydc2.mydomain.com,ldap://mydc3.mydomain.com

Not acceptable: ldap://mydc.mydomain.com,ldap://mydc2.subdomain.mydomain.com,ldap://mydc3.mydomain2.com

Not acceptable: ldap://mydc.mydomain.com,ldaps://mydc2.mydomain.com,ldaps://mydc3.mydomain.com

Note: The URI entry auto-fills the Base DN, which is case sensitive. Be sure to match the case used in AD.

Base DN

Enter the base distinguished name (DN) of the directory service. The Base DN is built from the domain and should consist only of domain components (DCs). For example, for ldap://ad.storage.company.com the Base DN would be DC=storage,DC=company,DC=com. If you leave the field blank, the Base DN is derived from the URI.

Note: The case must match the case used in AD.

Bind User

Enter the username (sAMAccountName) of the account used to perform directory lookups. This should be a dedicated LDAP reader account that is not tied to an actual person.

Typically the bind user is a low-privilege account in AD. Purity does not require any extra permissions for it: an ordinary, non-privileged domain user with default permissions is enough, because the array only reads user and group objects. If you restrict read access with custom permissions or ACLs in your directory, the bind user additionally needs read access to the user objects (including their memberOf attribute) and to the groups under the Group Base.

Set the password policy for the LDAP reader account so that the password never expires and cannot be changed by the account itself. If the password expires or changes, Windows users who would normally authenticate to the FlashArray lose access through Directory Services. If the password has to change, either set it back to the previous value in AD or update the Bind Password in the Directory Service configuration to match the new value.

Purity uses an LDAP bind as a heartbeat between the FlashArray and the domain controller(s). If the bind user cannot connect to the domain controller(s) for any reason, a warning alert is generated and logged.

Bind Password

Enter the password for the bind user account.

Note: If this password expires or changes, you will need to update it here.

Group Base

Enter the organizational unit (OU) path to the groups that are configured in Active Directory. Groups can be nested. In the following example, SANManagers contains the sub-organizational unit PureGroups:

OU=PureGroups,OU=SANManagers

All FlashArray configured group common names (CN) must exist in the same OU.

Note: Group Base is case sensitive and must match the case used in AD. Do not enclose the value in quotation marks.

Array Admin Group

Enter the common name (CN) of the group of administrators that are allowed to perform every FlashArray operation. Array Admin Group administrators have the same privileges as pureuser.

Storage Admin Group

Enter the common name (CN) of the group of administrators that are allowed to perform FlashArray storage operations.

Read Only Group

Enter the common name (CN) of the group of users with read-only privileges on the FlashArray.

Note: DO NOT enter the same group name in more than one field. A group entered in several fields is locked down to the lowest of those permission levels.

Check Peer

Select the check box to validate the authenticity of the directory servers using the CA Certificate. If you enable Check Peer, you must provide a CA Certificate.

CA Certificate

Enter the certificate of the issuing certificate authority. Only one certificate can be configured at a time, so the same certificate authority should be the issuer of all directory server certificates. The certificate must be PEM formatted (base64 encoded) and must not exceed 3000 characters in total length.

  4. Additional configuration is required for TLS support. If you only want encrypted communication and have already enabled SSL on the AD server, setting the URI scheme to ldaps:// is enough. If you also want server authentication, you need the PEM certificate (base64-encoded X.509) used to verify the AD server, normally the issuing CA's certificate as described under CA Certificate above, and Check Peer must be enabled; with ldaps:// alone the session is encrypted but the array does not verify which server it is talking to. Once SSL is enabled, the entire AD bind and query session is encrypted. Complete the following steps to configure TLS support.
    1. Optional: To import the certificate, select "Edit."
      import cert.png
    2. After selecting "Edit," a dialog box opens. Choose each DC one by one from the drop-down menu. You can then paste the certificate data manually or click "Fetch from server" to retrieve it from that DC, and then click "Set" at the bottom of the dialog box to continue.

select cert location.png

The following is an example of completed fields.

completed config.png

  5. If using LDAPS, select Check Peer.

enable check peer after importing cert.png

  6. If everything looks correct, click Save. To test it, click Test.

test ds.png
View the test results:
test.png

  • If all results come back green, the configuration is validated. If any come back red, an entry most likely needs editing to match the information in Active Directory.
  • A failed test can also mean that the array cannot reach or talk to the domain controller, or that the LDAP search from the FlashArray is being blocked inside AD. Is "Read Member Of" denied on any of the objects? If so, remove that restriction.
  • If the test fails and you believe both the Directory Service entries and Active Directory are configured correctly, open a ticket with Pure Storage Support.
  7. After a successful test, enable Directory Services.

enable.png

  8. Click Save to complete the setup.

FlashArray-Side Configuration Using the CLI

The CLI command pureds configures Directory Services (secure array administration with multi-user access control).

Note: These commands vary by Purity version. Use the help option, pureds -h, to view the commands valid for your version. Listing the current, still empty, configuration looks like this:

# pureds list
URI  Basedn  Binduser  Password Set  Checkpeer  Enabled
  -    -       -         False         False     False


# pureds list --groups
Read-only Group  Storage Admin Group  Array Admin Group  Group Base
     -                    -                   -             -


# pureds list --certificate
Certificate Data
-
  1. Set the URI to point to the active directory server:
# pureds setattr --uri ldaps://mydomaincontroller.mycompany.com
URI                                                    Basedn                                        Binduser  Password Set  Checkpeer  Enabled
ldaps://mydomaincontroller.mycompany.com     DC=mycompany,DC=com                                    -         False        False     False 

Note that this auto-populated the Base DN; the default is derived from the domain in the URI. You may also enter more than one URI, comma separated, up to 30. They must all use ldaps or all use ldap; mixing is not allowed. The DCs must all be members of the same domain. For example:

# pureds setattr --uri "ldaps://mydomaincontroller.mycompany.com,ldaps://mydomaincontroller2.mycompany.com,ldaps://mydomaincontroller3.mycompany.com"
  2. Set the bind credentials by providing the sAMAccountName (username) of the bind user (the LDAP reader account) and then its password:
# pureds setattr --bind-user ldapreader
URI                                                    Basedn                                        Binduser    Password Set  Checkpeer  Enabled
ldaps://mydomaincontroller.mycompany.com         DC=mycompany,DC=com                                ldapreader     False         False      False

# pureds setattr --bind-password
Enter bind password:
Retype bind password:
URI                                                    Basedn                                        Binduser    Password Set  Checkpeer  Enabled
ldaps://mydomaincontroller.mycompany.com         DC=mycompany,DC=com                                ldapreader    True          False      False
  3. Set the Group Base. You may enter just OU=PureGroups, but in this scenario there was an existing OU, SANManagers, and PureGroups was created as a sub-OU of it, so the group base is OU=PureGroups,OU=SANManagers:
# pureds setattr --group-base OU=PureGroups,OU=SANManagers
Read-only Group  Storage Admin Group  Array Admin Group  Group Base
    -                   -                  -        OU=PureGroups,OU=SANManagers
  4. Set the groups:
# pureds setattr --array-admin-group pureadmins
Read-only Group  Storage Admin Group  Array Admin Group  Group Base
      -               -                pureadmins   OU=PureGroups,OU=SANManagers

# pureds setattr --storage-admin-group pureusers
Read-only Group  Storage Admin Group  Array Admin Group  Group Base
      -          pureusers             pureadmins   OU=PureGroups,OU=SANManagers

# pureds setattr --readonly-group purereadonly
Read-only Group  Storage Admin Group  Array Admin Group  Group Base
purereadonly     pureusers             pureadmins   OU=PureGroups,OU=SANManagers 

Alternatively, you may set all three groups at once with the following command:

# pureds setattr --readonly-group purereadonly --storage-admin-group pureusers --array-admin-group pureadmins
Read-only Group  Storage Admin Group  Array Admin Group  Group Base
purereadonly     pureusers            pureadmins   OU=PureGroups,OU=SANManagers 
  5. To test the configuration, enter the following:
# pureds test
Testing from ct0:
Searching ldaps://mydomaincontroller.mycompany.com...                    PASSED
Searching for group CN=purereadonly...                                   PASSED
Searching for group CN=pureusers...                                      PASSED
Searching for group CN=pureadmins...                                     PASSED
  6. To enable the configuration, enter the following:
# pureds enable
URI                                                    Basedn                                        Binduser    Password Set  Checkpeer  Enabled
ldaps://mydomaincontroller.mycompany.com         DC=mycompany,DC=com                                ldapreader     True        False      True

You may now access the FlashArray from the CLI or GUI using a Windows Account that's a member of one of the Pure Groups in AD.

dasetup15.png

Additional Information

(TLS Support) Configuring a Certificate via CLI

After all other configuration is complete using the steps above, you can import the CA certificate (only one can be configured at a time).

  1. Enter the following command:
# pureds setattr --certificate
Please enter certificate data followed by a blank line:
-----BEGIN CERTIFICATE-----
MIIFPjCCBCagAwIBAgIQEq8c+d2S0IhBuhwpUpjrVzANBgkqhkiG9w0BAQUFADCB
gjETMBEGCgmSJomT8ixkARkWA2NvbTEbMBkGCgmSJomT8ixkARkWC3B1cmVzdG9y
YWdlMRMwEQYKCZImiZPyLGQBGRYDZGV2MRwwGgYKCZImiZPyLGQBGRYMamVua2lu
cy13MmszMRswGQYDVQQDExJqZW5raW5zLXcyazMtYWQtY2EwIBcNMTMwNjEzMDU1
NzM3WhgPMjUxMzA2MTMwNjA2MjlaMIGCMGMwEQYKCZImiZPyLGQBGRYDY29tMRsw
GQYKCZImiZPyLGQBGRYLcHVyZXN0b3JhZ2UxEzARBgoJkiaJk/IsZAEZFgNkZXYx
HDAaBgoJkiaJk/IsZAEZFgxqZW5raW5zLXcyazMxGzAZBgNVBAMTEmplbmtpbnMt
dzJrMy1hZC1jYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANWx2+/t
LuybAYk4E66J/3So73kACzb7iRrNlhgKLVklXLKMa8Q+5tLBAzGr7Q3kS/qkPRH7
HBmpqOo7CY4p/nxm6idrk1nGzmd4IpbZJQ7knIYth9fius60Bm9VswLdEiqIpWi4
yqxXpMHwI8H2o8cj+nbeZJtG64bQzWQW4t9Jvra7V/ZwxkbzmC+ueFHY1XVgpEFP
FA9bUtYnpPovaaHCIhUFQKIPeYr6G4icP9xRcW1ri7aT0kSQEh5mBVCihxtuRq/8
MMVTdx4JT16EwUYx5waWesLNwQmWxafHZ0fQZmcEXWG2HtccfGTdsDBtF0B31N67
LBStbeiZ/UY0G+MCAwEAAaOCAaowggGmMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBSFdCk9DQmH9CSiLtE8x0PvVJIVlDCCAVMGA1UdHwSC
AUowggFGMIIBQqCCAT6gggE6hoHcbGRhcDovLy9DTj1qZW5raW5zLXcyazMtYWQt
Y2EsQ049am5raW5zLXcyazMtYWQxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBT
ZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWplbmtpbnMt
dzJrMyxEQz1kZXYsREM9cHVyZXN0b3JhZ2UsREM9Y29tP2NlcnRpZmljYXRlUmV2
b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2lu
dIZZaHR0cDovL2pua2lucy13MmszLWFkMS5qZW5raW5zLXcyazMuZGV2LnB1cmVz
dG9yYWdlLmNvbS9DZXJ0RW5yb2xsL2plbmtpbnMtd1JrMy1hZC1jYS5jcmwwEAYJ
KwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAAYJz5WmZsm/nqbv06ov
NRECGAWQUGg6LkJMZYkd6cniKPnVWwyZhG62f6FtHeUergkob1/ZKRiOk4H9pKFO
y4IdRkh1zeTYWpuUwWlZ0bPwI/gY68jah42Cz/yJkfJ9FZqKQLGA6zpnEJdI6UbC
HGLbjRa05263UqWzX8Y3YWSNpYxp80jqOvG7WRwwOp1QrBCb/akXZmxlXesQQ+of
jrMCkzPokuZNRb45PTYJPxfIIog6Skj3AEe9zFOQ+FvfHUpJrWsZ+iCauWiRG0rg
m8wYNgJgyhs4WGb/1UeC/cLtDDHuLw/G5n9Fht6lS/PCvvUURNgYYQOOrNjbXi4p
/hA=
-----END CERTIFICATE-----

Alternatively, you may use the --auto-fetch switch to fetch the certificate from the Domain Controller.

# pureds setattr --certificate --auto-fetch
Attempting to automatically fetch certificate from mydomaincontroller.mycompany.com:636...
-----BEGIN CERTIFICATE-----
MIIFPjCCBCagAwIBAgIQEq8c+d2S0IhBuhwpUpjrVzANBgkqhkiG9w0BAQUFADCB
gjETMBEGCgmSJomT8ixkARkWA2NvbTEbMBkGCgmSJomT8ixkARkWC3B1cmVzdG9y
YWdlMRMwEQYKCZImiZPyLGQBGRYDZGV2MRwwGgYKCZImiZPyLGQBGRYMamVua2lu
cy13MmszMRswGQYDVQQDExJqZW5raW5zLXcyazMtYWQtY2EwIBcNMTMwNjEzMDU1
NzM3WhgPMjUxMzA2MTMwNjA2MjlaMIGCMGMwEQYKCZImiZPyLGQBGRYDY29tMRsw
GQYKCZImiZPyLGQBGRYLcHVyZXN0b3JhZ2UxEzARBgoJkiaJk/IsZAEZFgNkZXYx
HDAaBgoJkiaJk/IsZAEZFgxqZW5raW5zLXcyazMxGzAZBgNVBAMTEmplbmtpbnMt
dzJrMy1hZC1jYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANWx2+/t
LuybAYk4E66J/3So73kACzb7iRrNlhgKLVklXLKMa8Q+5tLBAzGr7Q3kS/qkPRH7
HBmpqOo7CY4p/nxm6idrk1nGzmd4IpbZJQ7knIYth9fius60Bm9VswLdEiqIpWi4
yqxXpMHwI8H2o8cj+nbeZJtG64bQzWQW4t9Jvra7V/ZwxkbzmC+ueFHY1XVgpEFP
FA9bUtYnpPovaaHCIhUFQKIPeYr6G4icP9xRcW1ri7aT0kSQEh5mBVCihxtuRq/8
MMVTdx4JT16EwUYx5waWesLNwQmWxafHZ0fQZmcEXWG2HtccfGTdsDBtF0B31N67
LBStbeiZ/UY0G+MCAwEAAaOCAaowggGmMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBSFdCk9DQmH9CSiLtE8x0PvVJIVlDCCAVMGA1UdHwSC
AUowggFGMIIBQqCCAT6gggE6hoHcbGRhcDovLy9DTj1qZW5raW5zLXcyazMtYWQt
Y2EsQ049am5raW5zLXcyazMtYWQxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBT
ZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWplbmtpbnMt
dzJrMyxEQz1kZXYsREM9cHVyZXN0b3JhZ2UsREM9Y29tP2NlcnRpZmljYXRlUmV2
b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2lu
dIZZaHR0cDovL2pua2lucy13MmszLWFkMS5qZW5raW5zLXcyazMuZGV2LnB1cmVz
dG9yYWdlLmNvbS9DZXJ0RW5yb2xsL2plbmtpbnMtd1JrMy1hZC1jYS5jcmwwEAYJ
KwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAAYJz5WmZsm/nqbv06ov
NRECGAWQUGg6LkJMZYkd6cniKPnVWwyZhG62f6FtHeUergkob1/ZKRiOk4H9pKFO
y4IdRkh1zeTYWpuUwWlZ0bPwI/gY68jah42Cz/yJkfJ9FZqKQLGA6zpnEJdI6UbC
HGLbjRa05263UqWzX8Y3YWSNpYxp80jqOvG7WRwwOp1QrBCb/akXZmxlXesQQ+of
jrMCkzPokuZNRb45PTYJPxfIIog6Skj3AEe9zFOQ+FvfHUpJrWsZ+iCauWiRG0rg
m8wYNgJgyhs4WGb/1UeC/cLtDDHuLw/G5n9Fht6lS/PCvvUURNgYYQOOrNjbXi4p
/hA=
-----END CERTIFICATE-----
  2. To turn on certificate verification (Check Peer) together with the service:
# pureds enable --checkpeer
URI                                               Basedn      Binduser    Password Set  Checkpeer  Enabled
ldaps://mydomaincontroller.mycompany.com DC=mycompany,DC=com  ldapreader    True          True       True
  3. To test the settings, including certificate enforcement:
# pureds test
Testing from ct0:
Resolving mydomaincontroller.mycompany.com...                            PASSED
Searching ldaps://mydomaincontroller.mycompany.com                ...    PASSED
Searching while enforcing configured certificate...                      PASSED
Searching for group CN=purereadonly...                                   PASSED
Searching for group CN=pureusers...                                      PASSED
Searching for group CN=pureadmins...                                     PASSED
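The PowerShell below is an added example, not part of the original page and not Pure Storage's tooling, for preparing the certificate that Check Peer needs without relying on the array's auto-fetch. It opens a TLS session to each domain controller on the LDAPS port, records the certificate chain the DC presents during the handshake, picks out the certificate of the CA that issued the DC certificate, and renders it as the PEM text the CA Certificate field (or pureds setattr --certificate) expects. It also checks the two constraints stated above, the 3000-character limit and that all DCs chain to one CA, and reports what this workstation's own trust store thinks of the DC certificate. The DC host names and the output file name are assumptions.

```powershell
# Added example, not Pure Storage's tooling. Fetches the certificate chain each
# domain controller presents on the LDAPS port and prepares the issuing CA
# certificate as PEM for the Purity "CA Certificate" field. DC names are assumptions.

function Get-LdapsChain {
    param([Parameter(Mandatory)][string]$DcHost, [int]$Port = 636)
    $state = @{ Certs = @(); PolicyErrors = $null }
    # The callback only records what the server sent. Returning $true lets the
    # handshake complete even where this workstation does not trust the CA.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        if ($chain) {
            $state.Certs = @($chain.ChainElements | ForEach-Object {
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.Certificate.RawData) })
        }
        return $true
    }.GetNewClosure()
    $tcp = [System.Net.Sockets.TcpClient]::new($DcHost, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($DcHost)
        $ssl.Dispose()
    } finally { $tcp.Dispose() }
    return $state
}

function ConvertTo-PemCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 64-character base64 lines, the same layout as the certificate examples above.
    $b64 = [Convert]::ToBase64String($Certificate.RawData)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) { $b64.Substring($i, [Math]::Min(64, $b64.Length - $i)) }
    return (@('-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----') -join "`n"
}

function Get-PureDsCaCertificate {
    param([Parameter(Mandatory)][string[]]$DcHosts, [int]$Port = 636)
    $results = foreach ($dc in $DcHosts) {
        $session = Get-LdapsChain -DcHost $dc -Port $Port
        if ($session.Certs.Count -eq 0) { Write-Warning "$dc presented no certificate"; continue }
        $leaf = $session.Certs[0]
        # Purity wants the certificate of the CA that issued the DC certificate.
        $ca = $session.Certs | Where-Object { $_.Subject -eq $leaf.Issuer } | Select-Object -First 1
        $problems = @()
        if (-not $ca) { $problems += "DC did not send its issuing CA certificate ('$($leaf.Issuer)'); export it from the CA instead" }
        $pem     = if ($ca) { ConvertTo-PemCertificate $ca } else { $null }
        $caThumb = if ($ca) { $ca.Thumbprint } else { $null }
        if ($pem -and $pem.Length -gt 3000) { $problems += "PEM is $($pem.Length) characters; the CA Certificate field accepts at most 3000" }
        if ($session.PolicyErrors -ne [System.Net.Security.SslPolicyErrors]::None) { $problems += "this workstation reports $($session.PolicyErrors) for the DC certificate" }
        [pscustomobject]@{ Dc = $dc; Subject = $leaf.Subject; Issuer = $leaf.Issuer; CaThumbprint = $caThumb; Pem = $pem; Problems = $problems }
    }
    $cas = @($results | ForEach-Object { $_.CaThumbprint } | Sort-Object -Unique)
    if ($cas.Count -gt 1) { Write-Warning "DCs chain to $($cas.Count) different CAs; only one CA certificate can be configured, so all DC certificates must come from the same CA" }
    return $results
}

$report = Get-PureDsCaCertificate -DcHosts 'mydomaincontroller.mycompany.com', 'mydomaincontroller2.mycompany.com'
$report | Format-Table Dc, Issuer, CaThumbprint, Problems -AutoSize
# The PEM in pure-ds-ca.pem is what goes into the CA Certificate field or pureds setattr --certificate.
Set-Content -Path .\pure-ds-ca.pem -Value $report[0].Pem -Encoding ascii
```

Because the callback returns $true unconditionally, this script never refuses a connection; it is a collection tool, and the Problems column is where an untrusted or mismatched certificate shows up. Treat any DC whose issuer differs from the others as a misconfiguration to fix in AD CS before enabling Check Peer, since the array will reject that DC once verification is on.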