Directory Services Setup and Configuration
Directory Services provides secure FlashArray administration through role-based, multi-user access control.
Support
Our Directory Services implementation is supported for the following:
- Windows Active Directory
- OpenLDAP (Purity 4.7.0+ required)
Note: OpenLDAP 389DS is supported only on Purity v.5.2.0 and greater.
Role-Based Access Control
- Directory Services provides Role-Based Access Control (RBAC) through integration with Windows Active Directory, using the groups defined in AD to restrict access to the FlashArray.
- Designated Windows users may log into the Pure Array using their Windows domain credentials.
- Access is granted when a user in the Windows Domain is made a member of one of four Pure Groups which you will create in AD. To the FlashArray, each Group has its own level of access: Array Admin Access, Storage Admin Access, Ops Admin Access, and Read-only Access. (For more detailed information, please visit RBAC Command Access List - Role Based Access Controls KB).
Security
- There are no shared logins. With Directory Services, a user will use their own Windows Credentials to log into the FlashArray.
- You can limit access. Activity and level of activity can be controlled remotely by assigning Windows User accounts as members to Pure Groups in Active Directory.
- Access can be granted to or revoked from users remotely from within Active Directory.
- There is support for SSL and TLS (ldaps://) to encrypt passwords.
Audit Trail
Audit trails are provided by the user. They track logins and activity.
Prerequisites
Requirements
- The FlashArray must be of a Purity version that supports Directory Services (3.2.0+).
- The FlashArray must be able to see the Windows domain controller(s).
Constraints
- "Security Groups" must be used with your Directory Services configuration.
Note: "There are two types of groups in Active Directory: distribution groups and security groups. You can use distribution groups to create e-mail distribution lists and security groups to assign permissions to shared resources." (For more information, see this TechNet article on Group Types.)
- Groups must have a common name (CN). Don't use an OU as a group. OUs don't set memberOf attributes, which are used to restrict FlashArray access.
- Making someone's group their "Primary Group" in AD will also remove the memberOf attribute. Therefore the feature will not work if the configured group in Directory Services is a user's Primary Group. (This is not default and can usually be ignored).
- All designated Pure Groups must exist within the same OU.
- sAMAccountNames must not be a local Linux user of the Pure FlashArray. These include:
['root', 'daemon', 'bin', 'sys', 'sync', 'games', 'man', 'lp', 'mail', 'news', 'uucp', 'proxy', 'www-data', 'backup', 'list', 'irc', 'gnats', 'nobody', 'libuuid', 'syslog', 'mysql', 'messagebus', 'avahi', 'postfix', 'sshd', 'snmp', 'ntp', 'os76', 'pureuser', 'pureeng', 'pureadmin']
- All Windows Domain Controller "URIs" (addresses) that you specify in the config must be in the same domain, and be either parent or child domain, not both. Purity currently supports only a single domain, though up to 30 domain controllers can be defined.
- All Domain Controller URIs must either be ldaps or ldap, no mixing is supported.
- Bind User account and all intended AD login users must all be under the same exact domain as the domain specified for the BaseDN and URI (see below).
- The Bind User must not have “Read Member Of” denied.
- User must NOT be a member of the standard "Protected Users Security Group" (see https://docs.microsoft.com/en-us/win...security-group).
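The constraints above, together with the field rules given in the configuration table later on this page, are easy to get wrong when typed into the GUI or the CLI. The following is an added example (not Pure Storage code, and not part of this page's walkthrough) that checks a planned configuration against them before anything is entered on the array: one URL scheme and one domain across all DC URIs, at most 30 DCs, a Base DN built from DC= components that matches the domain in the URI, a Group Base entered without quotation marks, sAMAccountNames that do not collide with the local array accounts listed above, and a single PEM CA certificate of at most 3000 characters when Check Peer is on. The configuration dict layout and the sample login names are assumptions made for the example.

```python
"""Preflight checks for a planned FlashArray Directory Services configuration.

Added example, not Pure Storage code: it encodes the constraints stated on
this page so a configuration can be validated before it is entered. The
config dict layout and the sample login names are assumptions for the example.
"""
from urllib.parse import urlsplit

MAX_URIS = 30
MAX_CERT_CHARS = 3000
PEM_BEGIN = '-----BEGIN CERTIFICATE-----'
PEM_END = '-----END CERTIFICATE-----'

# Local accounts on the array (the list given on this page); a sAMAccountName
# that logs in through Directory Services must not be one of these.
LOCAL_ARRAY_USERS = {
    'root', 'daemon', 'bin', 'sys', 'sync', 'games', 'man', 'lp', 'mail',
    'news', 'uucp', 'proxy', 'www-data', 'backup', 'list', 'irc', 'gnats',
    'nobody', 'libuuid', 'syslog', 'mysql', 'messagebus', 'avahi', 'postfix',
    'sshd', 'snmp', 'ntp', 'os76', 'pureuser', 'pureeng', 'pureadmin',
}


def uri_domain(uri):
    """Domain part of a DC URI: everything after the first hostname label."""
    host = urlsplit(uri).hostname or ''
    labels = host.split('.')
    return '.'.join(labels[1:]) if len(labels) > 1 else ''


def base_dn_from_uri(uri):
    """Derive the Base DN the way the page describes:
    ldap://ad.storage.company.com -> DC=storage,DC=company,DC=com"""
    domain = uri_domain(uri)
    if not domain:
        raise ValueError(f'{uri!r} has no domain part to derive a Base DN from')
    return ','.join(f'DC={label}' for label in domain.split('.'))


def check_uris(uris):
    """Problems with the DC URI list: scheme, count, and same-domain rules."""
    problems = []
    if not uris:
        return ['at least one DC URI is required']
    if len(uris) > MAX_URIS:
        problems.append(f'{len(uris)} URIs given, maximum is {MAX_URIS}')
    schemes, domains = set(), set()
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme not in ('ldap', 'ldaps') or not parts.hostname:
            problems.append(f'{uri!r}: expected ldap://host.domain or ldaps://host.domain')
            continue
        schemes.add(parts.scheme)
        domains.add(uri_domain(uri).lower())
    if len(schemes) > 1:
        problems.append('all URIs must use the same scheme (no mixing of ldap:// and ldaps://)')
    if len(domains) > 1:
        problems.append('all DCs must be in the same domain (subdomains count as different): '
                        + ', '.join(sorted(domains)))
    return problems


def check_base_dn(base_dn, uris):
    """Blank is fine (Purity derives it); otherwise only DC= components, matching the URI.
    A leading CN= component is tolerated for the FreeIPA layout described on this page."""
    if not base_dn:
        return []
    problems = []
    rdns = [r.strip() for r in base_dn.split(',')]
    if any(not r.startswith(('DC=', 'CN=')) for r in rdns):
        problems.append(f'Base DN {base_dn!r} must consist only of DC= components')
    dc_part = ','.join(r for r in rdns if r.startswith('DC='))
    expected = base_dn_from_uri(uris[0]) if uris and uri_domain(uris[0]) else ''
    if expected and dc_part.lower() != expected.lower():
        problems.append(f'Base DN {base_dn!r} does not match the domain in the URI ({expected!r})')
    return problems


def check_group_base(group_base):
    """Group Base is an OU path (CN= for FreeIPA) entered without quotation marks."""
    if not group_base:
        return ['Group Base is required']
    problems = []
    if '"' in group_base or "'" in group_base:
        problems.append('Group Base must be entered without quotation marks')
    for rdn in group_base.strip('"\'').split(','):
        if not rdn.strip().startswith(('OU=', 'CN=')):
            problems.append(f'Group Base component {rdn.strip()!r} is not an OU= or CN= entry')
    return problems


def check_login_names(names):
    """sAMAccountNames (bind user and login users) must not shadow a local array account."""
    return [f'{n!r} collides with a local array account' for n in names
            if n.lower() in LOCAL_ARRAY_USERS]


def check_ca_certificate(pem, check_peer):
    """Check Peer needs exactly one PEM certificate, at most 3000 characters."""
    if not pem:
        return ['Check Peer is enabled but no CA certificate was supplied'] if check_peer else []
    problems = []
    text = pem.strip()
    if not (text.startswith(PEM_BEGIN) and text.endswith(PEM_END)):
        problems.append('CA certificate must be PEM formatted, including the BEGIN/END lines')
    if text.count(PEM_BEGIN) != 1:
        problems.append('only one CA certificate can be configured; one issuer must cover all DCs')
    if len(text) > MAX_CERT_CHARS:
        problems.append(f'certificate is {len(text)} characters, limit is {MAX_CERT_CHARS}')
    return problems


def preflight(config):
    """Run every check; an empty list means the documented constraints are met."""
    uris = [u.strip() for u in config.get('uri', '').split(',') if u.strip()]
    problems = check_uris(uris)
    problems += check_base_dn(config.get('base_dn', ''), uris)
    problems += check_group_base(config.get('group_base', ''))
    problems += check_login_names([config.get('bind_user', '')] + list(config.get('login_users', [])))
    problems += check_ca_certificate(config.get('ca_certificate', ''), config.get('check_peer', False))
    return problems


# Constructed sample: the values used in this page's walkthrough plus two made-up logins.
SAMPLE_CONFIG = {
    'uri': 'ldaps://windows1.testdrive.local',
    'base_dn': 'DC=testdrive,DC=local',
    'group_base': 'OU=PureGroups,OU=SANManagers',
    'bind_user': 'purebinduser',
    'login_users': ['jsmith', 'adoe'],
    'check_peer': False,
    'ca_certificate': '',
}

# Constructed sample that breaks several rules at once (mixed scheme, subdomain,
# quoted Group Base, bind user named after a local account, Check Peer without a cert).
BROKEN_CONFIG = {
    'uri': 'ldap://mydc.mydomain.com,ldaps://mydc2.subdomain.mydomain.com',
    'base_dn': '',
    'group_base': '"OU=PureGroups,OU=SANManagers"',
    'bind_user': 'pureadmin',
    'login_users': [],
    'check_peer': True,
    'ca_certificate': '',
}

if __name__ == '__main__':
    for label, cfg in (('sample', SAMPLE_CONFIG), ('broken', BROKEN_CONFIG)):
        problems = preflight(cfg)
        print(f'{label}: {"OK" if not problems else str(len(problems)) + " problem(s)"}')
        for p in problems:
            print('  -', p)
```

Running the script prints no problems for the walkthrough values and five for the broken configuration. Comparisons of domains and Base DN components are case-insensitive here because the script cannot know the case AD uses; the array-side rule that Base DN and Group Base must match AD's case still applies once the values are entered.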
Setup and Configuration
Defining or Creating the Organizational Unit (OU) and Pure Groups in Windows Active Directory
Before configuring Directory Services on the FlashArray side, certain objects need to be created in Active Directory.
- In Active Directory, create or define an Organizational Unit (OU). You may use an existing OU. If you decide to create a new OU, it can be named virtually anything. After creating the OU, you may gather the address by using dsquery, as in the following example:
```
C:\Users\Administrator>dsquery ou -name *pure*
"OU=PureGroups,OU=SANManagers,DC=testdrive,DC=local"
```
From that output, you need only note OU=PureGroups,OU=SANManagers, which is the value for the Group Base field in the Directory Services configuration. The following shows what the structure in AD may look like:
- In Active Directory, create the Pure Groups. You'll now need to populate the OU with Pure Groups. It's wise to use a descriptive name for the groups; they can be named virtually anything. The example below uses the following: pureadmin, purestorage, pureops, and purereadonly. These groups must exist within the OU created or defined above, in Step 1. Later, in the configuration on the array side, you'll define these groups, so make note of them.
- In Active Directory, define users as members of the Pure Groups. This can be accomplished by adding individual users or by adding existing groups as members of the Pure Groups. When an existing group is added to a Pure Group, its members automatically inherit the permissions of the parent group.
Note: Do not make a user a member of more than one Pure Group. If you do, the user's permissions on the FlashArray will be restricted to the lowest group.
The following images show the addition of users to a Security Group and the addition of a group to a Pure Group:
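The membership rules in the steps above (the group must sit at exactly CN=<group>,<Group Base>,<Base DN>, an OU is not a group, the Group Base is case sensitive, nested groups pass their membership through, and a user in more than one Pure Group is held to the lowest role) can be checked on paper before a login is attempted. The following is an added example, not Purity's own lookup code, that resolves the role a user would receive from a set of memberOf values. The directory entries are constructed sample data in the page's testdrive.local layout, and the role-to-group mapping is the one used in this page's walkthrough.

```python
"""Resolve the FlashArray role a directory user would receive from its groups.

Added example, not Purity's lookup code. It applies the rules stated on this
page: a Pure Group counts only when its DN is exactly
CN=<group>,<Group Base>,<Base DN> (so an OU or a group in another OU does not
match, and the Group Base case must match AD), groups nested inside a Pure
Group pass their membership through, and a user in several Pure Groups is
restricted to the lowest role. All directory entries below are constructed.
"""

# Lowest to highest; a user in several Pure Groups is held to the lowest.
ROLE_ORDER = ['readonly', 'ops_admin', 'storage_admin', 'array_admin']

# The pureds role setattr mapping from this page's walkthrough.
ROLE_GROUPS = {
    'readonly': 'purereadonly',
    'ops_admin': 'pureops',
    'storage_admin': 'purestorage',
    'array_admin': 'pureadmin',
}

BASE_DN = 'DC=testdrive,DC=local'
GROUP_BASE = 'OU=PureGroups,OU=SANManagers'

# Constructed sample directory: object DN -> its memberOf values.
DIRECTORY = {
    'CN=alice,CN=Users,DC=testdrive,DC=local': [
        'CN=pureadmin,OU=PureGroups,OU=SANManagers,DC=testdrive,DC=local',
        'CN=Domain Users,CN=Users,DC=testdrive,DC=local'],
    # bob was put in two Pure Groups: the page says the lowest wins.
    'CN=bob,CN=Users,DC=testdrive,DC=local': [
        'CN=pureadmin,OU=PureGroups,OU=SANManagers,DC=testdrive,DC=local',
        'CN=purereadonly,OU=PureGroups,OU=SANManagers,DC=testdrive,DC=local'],
    # carol is only in StorageTeam, and StorageTeam was added to purestorage.
    'CN=carol,CN=Users,DC=testdrive,DC=local': [
        'CN=StorageTeam,OU=Teams,DC=testdrive,DC=local'],
    'CN=StorageTeam,OU=Teams,DC=testdrive,DC=local': [
        'CN=purestorage,OU=PureGroups,OU=SANManagers,DC=testdrive,DC=local'],
    # dave's pureops group lives outside the configured Group Base.
    'CN=dave,CN=Users,DC=testdrive,DC=local': [
        'CN=pureops,OU=Other,DC=testdrive,DC=local'],
    # erin's group is under an OU whose case differs from the configured Group Base.
    'CN=erin,CN=Users,DC=testdrive,DC=local': [
        'CN=purestorage,OU=puregroups,OU=SANManagers,DC=testdrive,DC=local'],
}


def normalize_dn(dn):
    """Strip whitespace around RDNs; case is deliberately left untouched."""
    return ','.join(part.strip() for part in dn.split(','))


def expected_group_dn(group, group_base=GROUP_BASE, base_dn=BASE_DN):
    """The only DN under which Purity will find a configured Pure Group."""
    return f'CN={group},{group_base},{base_dn}'


def all_groups(dn, directory=DIRECTORY, seen=None):
    """Direct memberOf values plus those inherited through nested groups."""
    seen = set() if seen is None else seen
    for group in directory.get(normalize_dn(dn), []):
        g = normalize_dn(group)
        if g not in seen:
            seen.add(g)
            all_groups(g, directory, seen)
    return seen


def matched_roles(user_dn, directory=DIRECTORY, role_groups=ROLE_GROUPS,
                  group_base=GROUP_BASE, base_dn=BASE_DN):
    """Roles whose configured group DN appears (exactly) among the user's groups."""
    groups = all_groups(user_dn, directory)
    return [role for role, group in role_groups.items()
            if expected_group_dn(group, group_base, base_dn) in groups]


def effective_role(user_dn, **kwargs):
    """Role the login would get, or None when no Pure Group matched (login denied)."""
    roles = matched_roles(user_dn, **kwargs)
    return min(roles, key=ROLE_ORDER.index) if roles else None


if __name__ == '__main__':
    for user in ('alice', 'bob', 'carol', 'dave', 'erin'):
        dn = f'CN={user},CN=Users,DC=testdrive,DC=local'
        print(f'{user:6} -> {effective_role(dn)}')
```

Running the script shows alice as array_admin, bob held down to readonly, carol reaching storage_admin through the nested StorageTeam group, and dave and erin receiving no role at all; passing group_base='OU=puregroups,OU=SANManagers' for erin makes her match, which is the case-sensitivity pitfall the page warns about.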
Defining or Creating the Bind User in Windows Active Directory
The next step before configuring Directory Services on the FlashArray is to create a User that is used to perform directory lookups, not tied to any actual user.
Typically speaking, the bind user will be a low-level account in AD, not tied to any actual person. Purity does not require any extra permissions for the Bind user; a non-privileged account with the default user permissions will meet our requirements. However, if you use permissions/ACLs within your provider, then the Bind user will require elevated permissions.
The password policy for the LDAP reader account should be set to never expire, and change should not be allowed. If the password were to expire or change, Windows users who would normally be able to authenticate with the FlashArray will lose access to the FlashArray using Directory Services. If the password were to change for the LDAP Reader account, the password would need to be set back to the way it was in AD, or updated in the Directory Service configuration to match the new password in AD.
The following images show how a User called purebinduser was created, as an example:
FlashArray-Side Configuration Using the FlashArray GUI: Purity Versions 5.3.x and Above
Note: Initial configuration of Directory Services must be done as the local pureuser account. To do this, access the Purity GUI as the local pureuser account and navigate to the Directory Service configuration section.
- From the Settings tab, click the Access tab, and then, in the Directory Service section, click Roles to configure the Security Groups described in the previous sections of this document.
- Enter the name of each Group and its corresponding Group Base against the role it is assigned on the FlashArray. In our example, the group pureadmin is given the array_admin role, the group purestorage is given the storage_admin role, the group pureops is given the ops_admin role, and finally the group purereadonly is given the readonly role. Save the information when completed.
- Next, click on Configuration to proceed with the Directory Service configuration. Ensure that Array Management is highlighted on the right.
- Fill in the blanks with the information gathered from Active Directory.
Field | Input |
---|---|
Enabled | Select the check box to leverage the directory service to perform user account and permission level searches. |
URIs | Enter the universal resource identifier (URI). The URI must include a URL scheme (ldap, or ldaps for LDAP over SSL), the hostname, and the domain. You can optionally specify a port. For example, ldap://ad.company.com configures the Active Directory server with the hostname 'ad' in the domain 'company.com' while specifying the unencrypted LDAP protocol. Note: If you define more than one DC URI here, the URL scheme and domains must match exactly. No mixing of domains is allowed, including subdomains. Acceptable: ldap://mydc.mydomain.com,ldap://mydc2.mydomain.com,ldap://mydc3.mydomain.com Not acceptable: ldap://mydc.mydomain.com,ldap://mydc2.subdomain.mydomain.com,ldap://mydc3.mydomain2.com Not acceptable: ldap://mydc.mydomain.com,ldaps://mydc2.mydomain.com,ldaps://mydc3.mydomain.com |
Base DN | Enter the base distinguished name (DN) of the directory service. The Base DN is built from the domain and should consist only of domain components (DCs). For example, for ldap://ad.storage.company.com, the Base DN would be "DC=storage,DC=company,DC=com". If you leave the field blank, the Base DN will be derived from the URI. Note: The case must match the case used in AD. |
Bind User | Enter the username for the account that is used to perform directory lookups. This should be your LDAP reader account, which is not tied to any actual user. Typically speaking, the bind user will be a low-level account in AD, not tied to any actual person. Purity does not require any extra permissions for the Bind user; a non-privileged account with the default user permissions will meet our requirements. However, if you use permissions/ACLs within your provider, then the Bind user will require elevated permissions. The password policy for the LDAP reader account should be set to never expire, and change should not be allowed. If the password were to expire or change, Windows users who would normally be able to authenticate with the FlashArray will lose access to the FlashArray using Directory Services. If the password for the LDAP reader account changes, it would need to be set back to its previous value in AD, or updated in the Directory Service configuration to match the new password in AD. Purity uses LDAP to heartbeat between the FlashArray and the Domain Controller(s). If the LDAP (bind user) account cannot connect to the Domain Controller(s) for any reason, a Warning Alert will be generated and logged. |
Bind Password | Enter the password for the bind user account. Note: If this password expires or changes, you will need to update it here. |
User Login Attribute | Enter the logon name attribute used in your directory domain. The logon name must be 20 or fewer characters and be unique among all security principal objects within the domain. It defaults to sAMAccountName for Active Directory, or uid for other directory services. |
User Object Class | Enter the object class used in your directory domain that defines the accounts. It defaults to User for AD, posixAccount or shadowAccount for OpenLDAP, posixAccount for POSIX-compliant servers, or person for all others. |
Check Peer | Select the check box to validate the authenticity of the directory servers using the CA Certificate. If you enable Check Peer, you must provide a CA Certificate. |
The following is an example of completed fields:
When using LDAPS:
- Press Save.
- Additional information and configuration is required for TLS support. If you want encrypted communication and have already enabled SSL on the AD server, setting the URI scheme to ldaps:// is adequate. However, if you also want server authentication, you need the PEM certificate of the AD server (base64-encoded X.509). Once SSL is enabled, the entire AD bind and query session is encrypted. Complete the following steps to configure TLS support. Only one certificate can be configured at a time, so the same certificate authority should be the issuer of all directory server certificates. The certificate should be PEM formatted (base64 encoded) and should not exceed 3000 characters in total length.
- Optional: To import the certificate, select "Edit".
- After selecting "Edit", a dialog box opens. Choose each DC one by one from the drop-down menu; you may then enter the certificate manually, or click "Fetch certificate from" to auto-fetch it, and then select "Save" at the bottom of the dialog box to continue.
- If everything looks correct, click Test.
View the test results:
- If all results return with green boxes, then the configuration is validated. If any boxes return red, an entry most likely needs editing to reflect accurately the information from Active Directory.
- Failed test results can also mean that the FlashArray cannot reach or talk to the Domain Controller, or that the LDAP search from the FlashArray is being blocked from traversing AD. Is "Read Member Of" denied on any of the objects? If so, remove that restriction.
- If you run a test, and it fails, and you believe all entries in Directory Service are configured correctly, and Active Directory is configured correctly, please open a Support ticket with Pure Storage Support.
- After a completed successful test result, you may enable Directory Services.
- Click Save to complete the setup.
FlashArray-Side Configuration Using the CLI
The CLI command pureds is used to configure Secure Array Administration with Multi-User Access Control.
Note: These commands vary depending on Purity version. Use the help menu (pureds -h) to view your valid commands, as in the following examples:
```
pureuser@flasharray1> pureds list
Name        URI  Base DN  Bind User  Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
data        -    -        -          -              False       False    -                     -
management  -    -        -          -              False       False    -                     -
pureuser@flasharray1>
pureuser@flasharray1> pureds setattr --help
usage: pureds setattr [-h] [--uri URI] [--base-dn BASE_DN] [--bind-user BIND_USER]
                      [--bind-password] [--readonly-group READONLY_GROUP]
                      [--storage-admin-group STORAGE_ADMIN_GROUP]
                      [--array-admin-group ARRAY_ADMIN_GROUP]
                      [--group-base GROUP_BASE] [--ca-certificate] [--trust]
                      [--auto-fetch] [--user-login-attribute USER_LOGIN_ATTRIBUTE]
                      [--user-object-class USER_OBJECT_CLASS]
                      [SERVICE-NAME]

positional arguments:
  SERVICE-NAME          service name, only one service name at a time. (Ex: management or data)

optional arguments:
  -h, --help            show this help message and exit
  --uri URI             comma separated directory server URIs (Ex: ldaps://ad.company.com)
  --base-dn BASE_DN     base DN of directory service (Ex: DC=company,DC=com)
  --bind-user BIND_USER
                        sAMAccountName to use for doing lookups in Active Directory (Ex: ldapreader).
                        Full Distinguished Name of the bind user for doing lookups in OpenLDAP
                        (Ex: "cn=ldapreader,dc=company,dc=com")
  --bind-password       use prompt to set password of bind-user account
  --readonly-group READONLY_GROUP
                        (deprecated) use "pureds role setattr"
  --storage-admin-group STORAGE_ADMIN_GROUP
                        (deprecated) use "pureds role setattr"
  --array-admin-group ARRAY_ADMIN_GROUP
                        (deprecated) use "pureds role setattr"
  --group-base GROUP_BASE
                        (deprecated) use "pureds role setattr"
  --ca-certificate      use prompt to enter PEM format CA certificate (including
                        "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines)
  --trust               skip certificate chain trust verification
  --auto-fetch          download and confirm the server certificate. Use with --ca-certificate.
  --user-login-attribute USER_LOGIN_ATTRIBUTE
                        User login attribute in your LDAP structure. Typically, the attribute
                        field that holds the user's unique login name. Defaults to sAMAccountName
                        for Active Directory, or uid for other directory services.
  --user-object-class USER_OBJECT_CLASS
                        Value of the object class used for the LDAP user. Defaults to User for AD,
                        posixAccount or shadowAccount for OpenLDAP, or person for all others.
pureuser@flasharray1> pureds role setattr --help
usage: pureds role setattr [-h] [--group GROUP] [--group-base GROUP_BASE] ROLE ...

positional arguments:
  ROLE                  role name (readonly, ops_admin, storage_admin, or array_admin)

optional arguments:
  -h, --help            show this help message and exit
  --group GROUP         CN of the group
  --group-base GROUP_BASE
                        OU path to configured groups
pureuser@flasharray1>
```
- Set the role for the Groups created previously in your Active Directory Domain.
```
pureuser@flasharray1> pureds role setattr readonly --group purereadonly --group-base OU=PureGroups,OU=SANManagers
Name      Group         Group Base
readonly  purereadonly  OU=PureGroups,OU=SANManagers
pureuser@flasharray1> pureds role setattr ops_admin --group pureops --group-base OU=PureGroups,OU=SANManagers
Name       Group    Group Base
ops_admin  pureops  OU=PureGroups,OU=SANManagers
pureuser@flasharray1> pureds role setattr storage_admin --group purestorage --group-base OU=PureGroups,OU=SANManagers
Name           Group        Group Base
storage_admin  purestorage  OU=PureGroups,OU=SANManagers
pureuser@flasharray1> pureds role setattr array_admin --group pureadmin --group-base OU=PureGroups,OU=SANManagers
Name         Group      Group Base
array_admin  pureadmin  OU=PureGroups,OU=SANManagers
```
- Set the URI to point to the active directory server:
```
pureuser@flasharray1> pureds setattr --uri ldaps://windows1.testdrive.local
Name        URI                               Base DN                Bind User  Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
management  ldaps://windows1.testdrive.local  DC=testdrive,DC=local  -          -              False       False    -
```
Note that this auto-populated the BaseDN. The default is derived from the domain in the URI. You may also enter more than one URI. Up to 30 can be entered, comma separated. They must all use ldaps or ldap. The DCs must be members of the same domain. For example:
```
pureuser@flasharray1> pureds setattr --uri "ldaps://mydomaincontroller.mycompany.com,ldaps://mydomaincontroller2.mycompany.com,ldaps://mydomaincontroller3.mycompany.com"
```
- Set the bind credentials by adding the sAMAccountName (username) of the bind user (aka the LDAP reader account) and the bind user's password:
```
pureuser@flasharray1> pureds setattr --bind-user purebinduser
Name        URI                               Base DN                Bind User     Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
management  ldaps://windows1.testdrive.local  DC=testdrive,DC=local  purebinduser  -              False       False    -                     -
pureuser@flasharray1> pureds setattr --bind-password
Enter bind password:
Retype bind password:
Name        URI                               Base DN                Bind User     Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
management  ldaps://windows1.testdrive.local  DC=testdrive,DC=local  purebinduser  ****           False       False    -                     -
pureuser@flasharray1> pureds setattr --user-login-attribute sAMAccountName --user-object-class User
Name        URI                               Base DN                Bind User     Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
management  ldaps://windows1.testdrive.local  DC=testdrive,DC=local  purebinduser  ****           False       False    sAMAccountName        User
```
- Set the attribute for Group Base. You may enter just "OU=PureGroups" as the group, but in this scenario, there was an existing OU which became a sub OU. Our group-base is now "OU=PureGroups,OU=SANManagers"
```
pureuser@flasharray1> pureds setattr --base-dn DC=testdrive,DC=local
Name        URI                               Base DN                Bind User  Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
management  ldaps://windows1.testdrive.local  DC=testdrive,DC=local  -          -              False       False    -                     -
```
- To test the configuration, enter the following:
```
pureuser@flasharray1> pureds test
Output
Feature Status: Disabled
Testing from ct0:
Resolving windows1.testdrive.local... PASSED
Searching ldaps://windows1.testdrive.local... PASSED
Searching for group CN=purereadonly... PASSED
Searching for group CN=pureops... PASSED
Searching for group CN=purestorage... PASSED
Searching for group CN=pureadmin... PASSED
pureuser@flasharray1>
```
- Once the test results are successful, you can proceed to enable the configuration:
```
pureuser@flasharray1> pureds enable
URI                               Base DN                Bind User     Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
ldaps://windows1.testdrive.local  DC=testdrive,DC=local  purebinduser  ****           False       True     sAMAccountName        User
pureuser@flasharray1>
```
You may now access the FlashArray from the CLI or GUI using a Windows Account that's a member of one of the Pure Groups in AD.
(TLS Support) Configuring a Certificate via CLI
After all other configuration is completed using the steps above, you can import the certificate(s).
- Enter the following command:
```
pureuser@flasharray1> pureds setattr --ca-certificate
Please enter certificate data followed by Enter and then Ctrl-D:
-----BEGIN CERTIFICATE-----
MIIGJzCCBQ+gAwIBAgITSgAAAAM9/gMAIA7I1QAAAAAAAzANBgkqhkiG9w0BAQsF
ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgl0ZXN0
ZHJpdmUxHjAcBgNVBAMTFXRlc3Rkcml2ZS1XSU5ET1dTMS1DQTAeFw0yMzAzMjMx
MTAyMDVaFw0yNDAzMjIxMTAyMDVaMAAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDh0IUSIRPJKgmFgdQYBXHxVQRrelyjwRmt3hxjfXRyuHZIhQB01oiY
j1QR+swaC5/ugudaZEDDD+dyS70A0vTEW1ti+43B0IaHXV3VwWoxm+/8OS/5H2dx
VVpvvdoRe3SiZinlby4Mex6DotdTSYBP3sJYs1oQl5hrIMBKW85K/+Ib/aDZBlBc
WmVMxd3g/E+2tIfDXlczYjLmGHCGmUpiNV5rFqKGa1ejeC6QfZc+z3CXR/O/Fx7r
HOOHGpUvr11Ioek4woFjufUc0YPtQv/LKCKYHjRDoZe9kIv6qS90Pa7q48IS3IkH
QO/dXW+uNrjArMdsVCi3jK0Fxm4z0iA5AgMBAAGjggNGMIIDQjA8BgkrBgEEAYI3
FQcELzAtBiUrBgEEAYI3FQiCwNwyhYquXIOVhS+Fkb9u0NYrOIfYqyqHmO8tAgFk
AgECMDIGA1UdJQQrMCkGBysGAQUCAwUGCisGAQQBgjcUAgIGCCsGAQUFBwMBBggr
BgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAJBgcrBgEF
AgMFMAwGCisGAQQBgjcUAgIwCgYIKwYBBQUHAwEwCgYIKwYBBQUHAwIwHQYDVR0O
BBYEFDNQJAAIjBnmWjayUeOLqw6Dqd83MB8GA1UdIwQYMBaAFAI8koMfDWrE9MQF
WWg37XxWONZ8MIHYBgNVHR8EgdAwgc0wgcqggceggcSGgcFsZGFwOi8vL0NOPXRl
c3Rkcml2ZS1XSU5ET1dTMS1DQSxDTj1XaW5kb3dzMSxDTj1DRFAsQ049UHVibGlj
JTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixE
Qz10ZXN0ZHJpdmUsREM9bG9jYWw/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9i
YXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHLBggrBgEFBQcB
AQSBvjCBuzCBuAYIKwYBBQUHMAKGgatsZGFwOi8vL0NOPXRlc3Rkcml2ZS1XSU5E
T1dTMS1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vy
dmljZXMsQ049Q29uZmlndXJhdGlvbixEQz10ZXN0ZHJpdmUsREM9bG9jYWw/Y0FD
ZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3Jp
dHkwQgYDVR0RAQH/BDgwNoIYV2luZG93czEudGVzdGRyaXZlLmxvY2Fsgg90ZXN0
ZHJpdmUubG9jYWyCCVRFU1REUklWRTBPBgkrBgEEAYI3GQIEQjBAoD4GCisGAQQB
gjcZAgGgMAQuUy0xLTUtMjEtMzgyNDc0MTk2Ny00MjEzODY5Nzk1LTM1ODY4NDk0
MzMtMTAwMDANBgkqhkiG9w0BAQsFAAOCAQEAFF9L6fzOKUOs97UXDh5ZH3TAwoR4
ZVohK9+lsdkwfLx34HM67rv1TZKyCn61z1N3CJ+yqt+ZoOhfri4nqEECcC/2FdgW
r8bZLU+sciPyG9fWVwS5JRveuS069vpDhqL111d3fOl/LQ1PW7vebFv+VY2YykSv
nWs2leJShdJF4V9izMGroyTOlm2NhB+s6AR48kTHf7fabAAHwJO8wFpQ17EiqLhJ
KJEFjPvyzGzdoe6NcCydXGeHQFeFpHnrmX/Z2l3LWQQBSlsGC7Z+bEIC8M2fp0Og
kOlB4hFhRhWaAD0/1U1X8+7F1WtgPn3wyraDCapD7ScgGMRw9a6O3A8rbA==
-----END CERTIFICATE-----
CA Certificate Data
-----BEGIN CERTIFICATE-----
MIIGJzCCBQ+gAwIBAgITSgAAAAM9/gMAIA7I1QAAAAAAAzANBgkqhkiG9w0BAQsF
ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgl0ZXN0
ZHJpdmUxHjAcBgNVBAMTFXRlc3Rkcml2ZS1XSU5ET1dTMS1DQTAeFw0yMzAzMjMx
MTAyMDVaFw0yNDAzMjIxMTAyMDVaMAAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDh0IUSIRPJKgmFgdQYBXHxVQRrelyjwRmt3hxjfXRyuHZIhQB01oiY
j1QR+swaC5/ugudaZEDDD+dyS70A0vTEW1ti+43B0IaHXV3VwWoxm+/8OS/5H2dx
VVpvvdoRe3SiZinlby4Mex6DotdTSYBP3sJYs1oQl5hrIMBKW85K/+Ib/aDZBlBc
WmVMxd3g/E+2tIfDXlczYjLmGHCGmUpiNV5rFqKGa1ejeC6QfZc+z3CXR/O/Fx7r
HOOHGpUvr11Ioek4woFjufUc0YPtQv/LKCKYHjRDoZe9kIv6qS90Pa7q48IS3IkH
QO/dXW+uNrjArMdsVCi3jK0Fxm4z0iA5AgMBAAGjggNGMIIDQjA8BgkrBgEEAYI3
FQcELzAtBiUrBgEEAYI3FQiCwNwyhYquXIOVhS+Fkb9u0NYrOIfYqyqHmO8tAgFk
AgECMDIGA1UdJQQrMCkGBysGAQUCAwUGCisGAQQBgjcUAgIGCCsGAQUFBwMBBggr
BgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAJBgcrBgEF
AgMFMAwGCisGAQQBgjcUAgIwCgYIKwYBBQUHAwEwCgYIKwYBBQUHAwIwHQYDVR0O
BBYEFDNQJAAIjBnmWjayUeOLqw6Dqd83MB8GA1UdIwQYMBaAFAI8koMfDWrE9MQF
WWg37XxWONZ8MIHYBgNVHR8EgdAwgc0wgcqggceggcSGgcFsZGFwOi8vL0NOPXRl
c3Rkcml2ZS1XSU5ET1dTMS1DQSxDTj1XaW5kb3dzMSxDTj1DRFAsQ049UHVibGlj
JTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixE
Qz10ZXN0ZHJpdmUsREM9bG9jYWw/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9i
YXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHLBggrBgEFBQcB
AQSBvjCBuzCBuAYIKwYBBQUHMAKGgatsZGFwOi8vL0NOPXRlc3Rkcml2ZS1XSU5E
T1dTMS1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vy
dmljZXMsQ049Q29uZmlndXJhdGlvbixEQz10ZXN0ZHJpdmUsREM9bG9jYWw/Y0FD
ZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3Jp
dHkwQgYDVR0RAQH/BDgwNoIYV2luZG93czEudGVzdGRyaXZlLmxvY2Fsgg90ZXN0
ZHJpdmUubG9jYWyCCVRFU1REUklWRTBPBgkrBgEEAYI3GQIEQjBAoD4GCisGAQQB
gjcZAgGgMAQuUy0xLTUtMjEtMzgyNDc0MTk2Ny00MjEzODY5Nzk1LTM1ODY4NDk0
MzMtMTAwMDANBgkqhkiG9w0BAQsFAAOCAQEAFF9L6fzOKUOs97UXDh5ZH3TAwoR4
ZVohK9+lsdkwfLx34HM67rv1TZKyCn61z1N3CJ+yqt+ZoOhfri4nqEECcC/2FdgW
r8bZLU+sciPyG9fWVwS5JRveuS069vpDhqL111d3fOl/LQ1PW7vebFv+VY2YykSv
nWs2leJShdJF4V9izMGroyTOlm2NhB+s6AR48kTHf7fabAAHwJO8wFpQ17EiqLhJ
KJEFjPvyzGzdoe6NcCydXGeHQFeFpHnrmX/Z2l3LWQQBSlsGC7Z+bEIC8M2fp0Og
kOlB4hFhRhWaAD0/1U1X8+7F1WtgPn3wyraDCapD7ScgGMRw9a6O3A8rbA==
-----END CERTIFICATE-----
pureuser@flasharray1>
```
Alternatively, you may use the --auto-fetch switch to fetch the certificate from the Domain Controller.
```
pureuser@flasharray1> pureds setattr --ca-certificate --auto-fetch
Attempting to automatically fetch certificate from windows1.testdrive.local:636...
-----BEGIN CERTIFICATE-----
MIIGJzCCBQ+gAwIBAgITSgAAAAM9/gMAIA7I1QAAAAAAAzANBgkqhkiG9w0BAQsF
ADBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFgl0ZXN0
ZHJpdmUxHjAcBgNVBAMTFXRlc3Rkcml2ZS1XSU5ET1dTMS1DQTAeFw0yMzAzMjMx
MTAyMDVaFw0yNDAzMjIxMTAyMDVaMAAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDh0IUSIRPJKgmFgdQYBXHxVQRrelyjwRmt3hxjfXRyuHZIhQB01oiY
j1QR+swaC5/ugudaZEDDD+dyS70A0vTEW1ti+43B0IaHXV3VwWoxm+/8OS/5H2dx
VVpvvdoRe3SiZinlby4Mex6DotdTSYBP3sJYs1oQl5hrIMBKW85K/+Ib/aDZBlBc
WmVMxd3g/E+2tIfDXlczYjLmGHCGmUpiNV5rFqKGa1ejeC6QfZc+z3CXR/O/Fx7r
HOOHGpUvr11Ioek4woFjufUc0YPtQv/LKCKYHjRDoZe9kIv6qS90Pa7q48IS3IkH
QO/dXW+uNrjArMdsVCi3jK0Fxm4z0iA5AgMBAAGjggNGMIIDQjA8BgkrBgEEAYI3
FQcELzAtBiUrBgEEAYI3FQiCwNwyhYquXIOVhS+Fkb9u0NYrOIfYqyqHmO8tAgFk
AgECMDIGA1UdJQQrMCkGBysGAQUCAwUGCisGAQQBgjcUAgIGCCsGAQUFBwMBBggr
BgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAJBgcrBgEF
AgMFMAwGCisGAQQBgjcUAgIwCgYIKwYBBQUHAwEwCgYIKwYBBQUHAwIwHQYDVR0O
BBYEFDNQJAAIjBnmWjayUeOLqw6Dqd83MB8GA1UdIwQYMBaAFAI8koMfDWrE9MQF
WWg37XxWONZ8MIHYBgNVHR8EgdAwgc0wgcqggceggcSGgcFsZGFwOi8vL0NOPXRl
c3Rkcml2ZS1XSU5ET1dTMS1DQSxDTj1XaW5kb3dzMSxDTj1DRFAsQ049UHVibGlj
JTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixE
Qz10ZXN0ZHJpdmUsREM9bG9jYWw/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9i
YXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHLBggrBgEFBQcB
AQSBvjCBuzCBuAYIKwYBBQUHMAKGgatsZGFwOi8vL0NOPXRlc3Rkcml2ZS1XSU5E
T1dTMS1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vy
dmljZXMsQ049Q29uZmlndXJhdGlvbixEQz10ZXN0ZHJpdmUsREM9bG9jYWw/Y0FD
ZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3Jp
dHkwQgYDVR0RAQH/BDgwNoIYV2luZG93czEudGVzdGRyaXZlLmxvY2Fsgg90ZXN0
ZHJpdmUubG9jYWyCCVRFU1REUklWRTBPBgkrBgEEAYI3GQIEQjBAoD4GCisGAQQB
gjcZAgGgMAQuUy0xLTUtMjEtMzgyNDc0MTk2Ny00MjEzODY5Nzk1LTM1ODY4NDk0
MzMtMTAwMDANBgkqhkiG9w0BAQsFAAOCAQEAFF9L6fzOKUOs97UXDh5ZH3TAwoR4
ZVohK9+lsdkwfLx34HM67rv1TZKyCn61z1N3CJ+yqt+ZoOhfri4nqEECcC/2FdgW
r8bZLU+sciPyG9fWVwS5JRveuS069vpDhqL111d3fOl/LQ1PW7vebFv+VY2YykSv
nWs2leJShdJF4V9izMGroyTOlm2NhB+s6AR48kTHf7fabAAHwJO8wFpQ17EiqLhJ
KJEFjPvyzGzdoe6NcCydXGeHQFeFpHnrmX/Z2l3LWQQBSlsGC7Z+bEIC8M2fp0Og
kOlB4hFhRhWaAD0/1U1X8+7F1WtgPn3wyraDCapD7ScgGMRw9a6O3A8rbA==
-----END CERTIFICATE-----
pureuser@flasharray1>
```
- To enable the certificate:
```
pureuser@flasharray1> pureds enable --checkpeer
URI                               Base DN                Bind User     Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
ldaps://windows1.testdrive.local  DC=testdrive,DC=local  purebinduser  ****           False       True     sAMAccountName        User
pureuser@flasharray1>
```
- To test the settings:
```
pureuser@flasharray1> pureds test
Output
Feature Status: Disabled
Testing from ct0:
Resolving windows1.testdrive.local... PASSED
Searching ldaps://windows1.testdrive.local... PASSED
Searching for group CN=purereadonly... PASSED
Searching for group CN=pureops... PASSED
Searching for group CN=purestorage... PASSED
Searching for group CN=pureadmin... PASSED
pureuser@flasharray1>
```
Additional Information
Integration with FreeIPA
FreeIPA has some notable differences in its implementation on the FlashArray.
Base DN
In order for the FlashArray to accept CN= in the Base DN, you may need to upgrade Purity to the latest version. The Base DN should look something like this:
CN=accounts,DC=dev,DC=company,DC=com
Group Base
The Group Base should look something like this, since FreeIPA doesn't support OUs:
CN=groups
So for example:
```
> pureds list
Name        URI                          Base DN                               Bind User                                                       Bind Password  Check Peer  Enabled  User Login Attribute  User Object Class
management  ldap://ipa1.dev.company.com  CN=accounts,DC=dev,DC=company,DC=com  UID=ldap_checker,CN=users,CN=accounts,DC=dev,DC=company,DC=com  ****           False       True     uid                   posixAccount
            ldap://ipa2.dev.company.com
> pureds list --groups
Read-only Group  Storage Admin Group  Array Admin Group  Group Base
purereadonly     purestorageadmin     pureadmins         CN=groups
```
Users should not be members of more than one security group, or the login will fail.
You can test what permissions the FlashArray will find with "pureadmin list username --force". The --force requires the FlashArray to bypass cached permissions (permissions are stored for a user for 30 minutes) and query the domain controller again.
Integration with LDAP Server, Using Data Service
To integrate FlashArray with a LDAP server using the data service, you can use the following commands:
```
> pureds setattr data --base-dn dc=mydomain,dc=com --bind-user cn=admin,dc=mydomain,dc=com --uri ldap://192.168.20.2 --bind-password
> pureds enable data
```
FlashArray-Side Configuration Using the Pure FlashArray's GUI: Purity Versions Between 5.0.x and 5.2.x.
Note: Initial configuration of Directory Services must be done as the local pureuser account. To do this, access the Purity GUI as the local pureuser account and navigate to the Directory Service configuration section.
- From the System tab, click Directory Services in the Users menu in the left panel.
- Click on Edit. A dialog displays.
- Fill in the blanks with the information gathered from Active Directory.
Field | Input |
---|---|
Enabled | Select the check box to leverage the directory service to perform user account and permission level searches. |
URI | Enter the universal resource identifier (URI). The URI must include a URL scheme (ldap, or ldaps for LDAP over SSL), the hostname, and the domain. You can optionally specify a port. For example, ldap://ad.company.com configures the Active Directory server with the hostname 'ad' in the domain 'company.com' while specifying the unencrypted LDAP protocol. Note: If you define more than one DC URI here, the URL scheme and domains must match exactly. No mixing of domains is allowed, including subdomains. Acceptable: ldap://mydc.mydomain.com,ldap://mydc2.mydomain.com,ldap://mydc3.mydomain.com Not acceptable: ldap://mydc.mydomain.com,ldap://mydc2.subdomain.mydomain.com,ldap://mydc3.mydomain2.com Not acceptable: ldap://mydc.mydomain.com,ldaps://mydc2.mydomain.com,ldaps://mydc3.mydomain.com |
Base DN | Enter the base distinguished name (DN) of the directory service. The Base DN is built from the domain and should consist only of domain components (DCs). For example, for ldap://ad.storage.company.com, the Base DN would be "DC=storage,DC=company,DC=com". If you leave the field blank, the Base DN will be derived from the URI. Note: The case must match the case used in AD. |
Bind User | Enter the username for the account that is used to perform directory lookups. This should be your LDAP reader account, which is not tied to any actual user. Typically speaking, the bind user will be a low-level account in AD, not tied to any actual person. Purity does not require any extra permissions for the Bind user; a non-privileged account with the default user permissions will meet our requirements. However, if you use permissions/ACLs within your provider, then the Bind user will require elevated permissions. The password policy for the LDAP reader account should be set to never expire, and change should not be allowed. If the password were to expire or change, Windows users who would normally be able to authenticate with the FlashArray will lose access to the FlashArray using Directory Services. If the password for the LDAP reader account changes, it would need to be set back to its previous value in AD, or updated in the Directory Service configuration to match the new password in AD. Purity uses LDAP to heartbeat between the FlashArray and the Domain Controller(s). If the LDAP (bind user) account cannot connect to the Domain Controller(s) for any reason, a Warning Alert will be generated and logged. |
Bind Password | Enter the password for the bind user account. Note: If this password expires or changes, you will need to update it here. |
Group Base | Enter the organizational unit (OU) path to the groups that are configured in Active Directory. Groups can be nested. In the following example, SANManagers contains the sub-organizational unit PureGroups: OU=PureGroups,OU=SANManagers All FlashArray configured group common names (CN) must exist in the same OU. Note: Group Base is case sensitive and must match the case used in AD. When entering the groups, don't use quotation marks. |
Array Admin Group | Enter the common name (CN) of the group of administrators that are allowed to perform every FlashArray operation. Array Admin Group administrators have the same privileges as pureuser. |
Storage Admin Group | Enter the common name (CN) of the group of administrators that are allowed to perform FlashArray storage operations. |
Read Only Group | Enter the common name (CN) of the group of users with read-only privileges on the FlashArray. Note: DO NOT enter the same group name in more than one field. The permissions for the group will be locked down to the lowest level permissions. |
Check Peer | Select the check box to validate the authenticity of the directory servers using the CA Certificate. If you enable Check Peer, you must provide a CA Certificate. |
CA Certificate | Enter the certificate of the issuing certificate authority. Only one certificate can be configured at a time, so the same certificate authority should be the issuer of all directory server certificates. The certificate should be PEM formatted (base64 encoded) and should not exceed 3000 characters in total length. |
- Additional configuration is required for TLS support. If you only want encrypted communication and SSL is already enabled on the AD server, setting the URI scheme to ldaps:// is sufficient. If you also want server authentication, so that the array verifies it is talking to a genuine domain controller rather than any host that presents a certificate, you need the PEM-formatted (base64-encoded X.509) certificate of the CA that issued the domain controllers' certificates. Once SSL is enabled, the entire AD bind and query session, including the bind password, is encrypted. Complete the following steps to configure TLS support.
- Optional: To import the certificate, select "Edit."
- After selecting "Edit," a dialog box opens. Choose each DC one by one from the drop-down menu, then either paste the certificate manually or click "Fetch from server" to retrieve it from that server, and select "Set" at the bottom of the dialog box to continue. Note that "Fetch from server" trusts whatever certificate the server presents at that moment, so compare its fingerprint with the one your CA administrator gives you before selecting "Set."
The following is an example of completed fields.
- If using LDAPS, click Check Peer.
- If everything looks correct, click Save. To test it, click Test.
View the test results:
- If all results return with green boxes, the configuration is validated. If any boxes return red, an entry most likely needs editing to match the information in Active Directory exactly (including case).
- A failed test can also mean the FlashArray cannot reach or talk to the Domain Controller, or that its LDAP search is being blocked within AD. Check whether "Read Member Of" is denied on any of the user or group objects involved; the bind user needs to read the memberOf attribute. If it is denied, remove that restriction.
- If the test fails and you believe all entries in Directory Service and the Active Directory configuration are correct, open a Support ticket with Pure Storage Support.
- After a completed successful test result, you may enable Directory Services.
- Click Save to complete the setup.
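The field rules above (and the identical field table for Purity 4.10.x and prior later on this page) are easy to get wrong in ways the GUI only reports as a red box after you click Test. The following is an added example, not Pure Storage code: it checks a proposed set of field values against the rules stated in the table before they are entered on the array. The configuration class, its field names, and the two warnings about plain ldap:// and a disabled Check Peer are this example's own choices, not behaviour of Purity.

```python
"""Pre-flight checks for FlashArray Directory Services field values.

Added example (not Pure Storage code). It encodes the constraints in the
field table: URI scheme/domain consistency, a Base DN built only from DCs
and derived from the URI when blank, Group Base as an OU path, no group CN
reused across roles, quotation marks absent from group names, and a PEM
CA certificate of at most 3000 characters when Check Peer is enabled.
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
MAX_PEM_CHARS = 3000  # limit stated in the CA Certificate field description


@dataclass
class DirectoryServiceConfig:
    """Field values as they would be typed into the dialog (names are this example's)."""
    uris: List[str]            # one or more DC URIs, e.g. ldaps://dc1.company.com
    base_dn: str = ""          # blank means "derive from the URI"
    group_base: str = ""       # OU path, innermost OU first
    array_admin_group: str = ""
    storage_admin_group: str = ""
    read_only_group: str = ""
    check_peer: bool = False
    ca_certificate: str = ""


def domain_of(uri: str) -> str:
    """Domain part of the URI host: 'ad.company.com' -> 'company.com'."""
    host = urlsplit(uri).hostname or ""
    return host.split(".", 1)[1] if "." in host else ""


def base_dn_from_uri(uri: str) -> str:
    """Base DN the array derives when the field is left blank: one DC= per label."""
    return ",".join(f"DC={label}" for label in domain_of(uri).split(".") if label)


def _rdn_types(dn: str) -> List[str]:
    """Attribute types of a comma-separated DN, e.g. 'OU=a,DC=b' -> ['OU', 'DC']."""
    return [part.split("=", 1)[0].strip() for part in dn.split(",") if part.strip()]


def validate(cfg: DirectoryServiceConfig) -> List[str]:
    """Return a list of problems; an empty list means every check passed."""
    problems: List[str] = []

    if not cfg.uris:
        return ["URI: at least one directory server URI is required"]
    schemes = {urlsplit(u).scheme for u in cfg.uris}
    if not schemes <= {"ldap", "ldaps"}:
        problems.append("URI: scheme must be ldap or ldaps")
    if len(schemes) > 1:
        problems.append("URI: all URIs must use the same scheme (no mixing ldap:// and ldaps://)")
    domains = {domain_of(u) for u in cfg.uris}
    if len(domains) > 1 or "" in domains:
        problems.append("URI: every URI must name a host in the same domain (subdomains count as different)")
    if schemes == {"ldap"}:
        problems.append("URI: ldap:// sends the bind password unencrypted; prefer ldaps://")

    base_dn = cfg.base_dn or base_dn_from_uri(cfg.uris[0])
    if any(t != "DC" for t in _rdn_types(base_dn)):
        problems.append("Base DN: must consist only of DC= components, e.g. DC=company,DC=com")
    if cfg.base_dn and cfg.base_dn.lower() != base_dn_from_uri(cfg.uris[0]).lower():
        problems.append("Base DN: does not match the domain named in the URI")

    if any(t != "OU" for t in _rdn_types(cfg.group_base)):
        problems.append("Group Base: must be an OU path such as OU=PureGroups,OU=SANManagers")

    groups = {
        "Array Admin Group": cfg.array_admin_group,
        "Storage Admin Group": cfg.storage_admin_group,
        "Read Only Group": cfg.read_only_group,
    }
    seen: Dict[str, str] = {}
    for name, cn in groups.items():
        if '"' in cn or "'" in cn:
            problems.append(f"{name}: do not enclose the group name in quotation marks")
        if cn and cn in seen:
            problems.append(f"{name}: '{cn}' is already used for {seen[cn]}; "
                            "a reused group only gets the lowest of its permissions")
        elif cn:
            seen[cn] = name

    if cfg.check_peer:
        pem = cfg.ca_certificate.strip()
        if not pem:
            problems.append("CA Certificate: required when Check Peer is enabled")
        elif not (pem.startswith(PEM_BEGIN) and pem.endswith(PEM_END)):
            problems.append("CA Certificate: must be PEM formatted (BEGIN/END CERTIFICATE lines)")
        elif len(pem) > MAX_PEM_CHARS:
            problems.append(f"CA Certificate: exceeds {MAX_PEM_CHARS} characters")
    elif schemes == {"ldaps"}:
        problems.append("Check Peer: disabled, so ldaps:// encrypts but does not authenticate the domain controller")
    return problems
```

Run `validate()` on the values you intend to enter; anything it reports would otherwise surface only as a red box, a cleartext bind on the wire, or an unauthenticated TLS session.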
FlashArray-Side Configuration Using the Pure FlashArray's GUI: Purity Versions 4.10.x and Prior
Initial configuration of Directory Services must be done from the local pureuser account. To do this, access the Purity GUI as the local pureuser account and then navigate to the Directory Service configuration page as follows:
- From the System tab, click Directory Services in the Configuration menu in the left panel.
- Click on Edit. A dialog displays.
- Fill in the fields of the dialog with the information gathered from Active Directory.
Use the following descriptions to fill in the fields of the Directory Service dialog.
Field | Input |
---|---|
Enabled | Select the check box to use the directory service for user account and permission level lookups. |
URI | Enter the uniform resource identifier (URI). The URI must include a URL scheme (ldap, or ldaps for LDAP over SSL/TLS), the hostname, and the domain; a port is optional. For example, ldap://ad.company.com configures the Active Directory server with the hostname 'ad' in the domain 'company.com' using the unencrypted LDAP protocol. Note: If you define more than one DC URI here, the URL scheme and the domain must match exactly across all of them. No mixing of domains is allowed, including subdomains. Acceptable: ldap://mydc.mydomain.com,ldap://mydc2.mydomain.com,ldap://mydc3.mydomain.com Not acceptable (mixed domains): ldap://mydc.mydomain.com,ldap://mydc2.subdomain.mydomain.com,ldap://mydc3.mydomain2.com Not acceptable (mixed schemes): ldap://mydc.mydomain.com,ldaps://mydc2.mydomain.com,ldaps://mydc3.mydomain.com |
Base DN | Enter the base distinguished name (DN) of the directory service. The Base DN is built from the domain and should consist only of domain components (DCs). For example, for ldap://ad.storage.company.com the Base DN is DC=storage,DC=company,DC=com. If you leave the field blank, the Base DN is derived from the URI. Note: The case must match the case used in AD. |
Bind User | Enter the username of the account used to perform directory lookups. This should be a dedicated LDAP reader (service) account that is not tied to any actual person. Purity requires no extra permissions for the bind user; an unprivileged account with the default Domain Users membership is sufficient. If you restrict read access with permissions or ACLs in your directory, the bind user must be granted enough rights to read the users and groups involved. Set the LDAP reader account's password policy to never expire, and do not allow the password to be changed. If the password expires or changes, Windows users who would normally authenticate to the FlashArray through Directory Services lose access until the password is either set back to its previous value in AD or updated in the Directory Service configuration to match the new value. Purity uses LDAP to heartbeat between the FlashArray and the Domain Controller(s); if the bind user cannot connect to the Domain Controller(s) for any reason, a Warning alert is generated and logged. |
Bind Password | Enter the password for the bind user account. Note: If this password expires or changes in AD, you must update it here as well. |
Group Base | Enter the organizational unit (OU) path to the groups configured in Active Directory. OUs can be nested; in the following example, the OU SANManagers contains the sub-OU PureGroups: OU=PureGroups,OU=SANManagers All group common names (CN) configured on the FlashArray must exist in this same OU. Note: Group Base is case sensitive and must match the case used in AD. Do not enclose the value in quotation marks. |
Array Admin Group | Enter the common name (CN) of the group whose members are allowed to perform every FlashArray operation. Members of the Array Admin Group have the same privileges as pureuser. |
Storage Admin Group | Enter the common name (CN) of the group whose members are allowed to perform FlashArray storage operations. |
Read Only Group | Enter the common name (CN) of the group whose members have read-only privileges on the FlashArray. Note: DO NOT enter the same group name in more than one field. If you do, the group is granted only the lowest level of the permissions assigned to it. |
Check Peer | Select the check box to validate the authenticity of the directory servers against the CA Certificate. If you enable Check Peer, you must provide a CA Certificate. Without Check Peer, ldaps:// encrypts the session but the array cannot verify which server it is talking to. |
CA Certificate | Enter the certificate of the issuing certificate authority. Only one certificate can be configured at a time, so the same certificate authority must have issued all directory server certificates. The certificate must be PEM formatted (base64 encoded) and must not exceed 3000 characters in total length. |
- Additional configuration is required for TLS support. If you only want encrypted communication and SSL is already enabled on the AD server, setting the URI scheme to ldaps:// is sufficient. If you also want server authentication, so that the array verifies it is talking to a genuine domain controller rather than any host that presents a certificate, you need the PEM-formatted (base64-encoded X.509) certificate of the CA that issued the domain controllers' certificates. Once SSL is enabled, the entire AD bind and query session, including the bind password, is encrypted. Complete the following steps to configure TLS support.
- Optional: To import the certificate, select "Check Peer." Then import the certificates by selecting "change." The Edit Certificate dialog box opens.
- Choose each DC one by one from the drop-down menu, then either paste the certificate manually or click "Fetch from server" to retrieve it from that server, and select "Set" at the bottom of the dialog box to continue. Note that "Fetch from server" trusts whatever certificate the server presents at that moment, so compare its fingerprint with the one your CA administrator gives you before selecting "Set."
The following is an example of completed fields:
- If everything looks correct, click Save. To test it, click Test. View the test results:
- If all results return with green boxes, the configuration is validated. If any boxes return red, an entry most likely needs editing to match the information in Active Directory exactly (including case).
- A failed test can also mean the FlashArray cannot reach or talk to the Domain Controller, or that its LDAP search is being blocked within AD. Check whether "Read Member Of" is denied on any of the user or group objects involved; the bind user needs to read the memberOf attribute. If it is denied, remove that restriction.
- If the test fails and you believe all entries in Directory Service and the Active Directory configuration are correct, open a Support ticket with Pure Storage Support.
- After a completed successful test result, you may enable Directory Services.
- Click Save to complete the setup.
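When the Test step above (in either GUI version) returns a red box, the quickest way to tell a reachability problem from a permissions or naming problem is to issue the same kind of lookups from an admin workstation with ldapsearch, bound as the bind user, and then apply the group-to-role mapping by hand. The following is an added example, not Pure Storage code, and not the query Purity itself issues (this page does not document that): the filters, the one-level search scope under the Group Base, and the rule that a user in several distinct Pure groups receives the highest of them are assumptions of this example; the bind DN and the memberOf values are constructed. The case-sensitive matching of Group Base and CN, and the "reused group gets its lowest permission" rule, follow the field notes above.

```python
"""Reproduce the lookups behind the Directory Services Test by hand.

Added example, not Pure Storage code. Assumptions: the user lookup is by
sAMAccountName, the group lookup is a one-level search under the Group Base,
and a user who belongs to several distinct Pure groups gets the highest of
them. All configuration values and memberOf entries below are constructed.
"""
import shlex
from typing import Dict, List, Optional

# FlashArray roles, highest privilege first (the page's Array Admin,
# Storage Admin and Read Only groups).
ROLE_ORDER = ["array_admin", "storage_admin", "read_only"]

# Constructed configuration matching the field table on this page.
BASE_DN = "DC=company,DC=com"
GROUP_BASE = "OU=PureGroups,OU=SANManagers"
BIND_USER = "CN=svc-pure-ldap,CN=Users,DC=company,DC=com"  # constructed bind DN
ROLE_GROUPS = {
    "array_admin": "PureArrayAdmins",
    "storage_admin": "PureStorageAdmins",
    "read_only": "PureReadOnly",
}

# Constructed memberOf values as returned for one user. Domain Users lies
# outside the Group Base and the lower-case CN must not match (case sensitive).
SAMPLE_MEMBER_OF = [
    "CN=PureStorageAdmins,OU=PureGroups,OU=SANManagers,DC=company,DC=com",
    "CN=Domain Users,CN=Users,DC=company,DC=com",
    "CN=purereadonly,OU=PureGroups,OU=SANManagers,DC=company,DC=com",
]


def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a user- or group-supplied value cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def user_lookup_command(uri: str, bind_user: str, base_dn: str, sam_account_name: str) -> str:
    """ldapsearch line fetching a user's memberOf with a simple bind (-x; -W prompts for the password)."""
    filt = f"(&(objectClass=user)(sAMAccountName={escape_filter(sam_account_name)}))"
    args = ["ldapsearch", "-LLL", "-x", "-H", uri, "-D", bind_user, "-W",
            "-b", base_dn, "-s", "sub", filt, "memberOf"]
    return " ".join(shlex.quote(a) for a in args)


def group_lookup_command(uri: str, bind_user: str, group_base: str, base_dn: str, cn: str) -> str:
    """ldapsearch line confirming a Pure group CN exists directly under the Group Base."""
    filt = f"(&(objectClass=group)(cn={escape_filter(cn)}))"
    args = ["ldapsearch", "-LLL", "-x", "-H", uri, "-D", bind_user, "-W",
            "-b", f"{group_base},{base_dn}", "-s", "one", filt, "member"]
    return " ".join(shlex.quote(a) for a in args)


def role_of_cn(cn: str, role_groups: Dict[str, str]) -> Optional[str]:
    """Role granted by one group CN; a CN entered in several fields yields only the lowest."""
    roles = [r for r in ROLE_ORDER if role_groups.get(r) == cn]
    return roles[-1] if roles else None


def resolve_role(member_of: List[str], group_base: str, base_dn: str,
                 role_groups: Dict[str, str]) -> Optional[str]:
    """Effective FlashArray role for a user's memberOf list, or None for no access.

    Group Base and CN are compared case-sensitively, as the field notes
    require. memberOf lists direct memberships only, so membership inherited
    through another group is not visible here. Highest-of-distinct-groups
    is this example's assumption.
    """
    suffix = f",{group_base},{base_dn}"
    cns = [dn[len("CN="):-len(suffix)] for dn in member_of
           if dn.startswith("CN=") and dn.endswith(suffix)]
    roles = [r for r in (role_of_cn(cn, role_groups) for cn in cns) if r]
    return min(roles, key=ROLE_ORDER.index) if roles else None


if __name__ == "__main__":
    uri = "ldaps://dc1.company.com"
    print(user_lookup_command(uri, BIND_USER, BASE_DN, "jdoe"))
    for cn in ROLE_GROUPS.values():
        print(group_lookup_command(uri, BIND_USER, GROUP_BASE, BASE_DN, cn))
    print("effective role:", resolve_role(SAMPLE_MEMBER_OF, GROUP_BASE, BASE_DN, ROLE_GROUPS))
```

If the user lookup binds but returns no memberOf values while the group lookups succeed, the bind user is missing "Read Member Of" on the user objects; if the bind itself fails, the problem is reachability or the bind password rather than the group configuration.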