Legacy HDS Forums

Implementing HCS ver. 7.3 Authentication and Authorization Integration with LDAP Active Directory ver. 3.0 TLS / Secure Communication

Discussion created by Legacy HDS Forums on Apr 1, 2013
Latest reply on May 2, 2014 by Michael Ratner

Originally posted by: alexander

Hope this can help those who need LDAP Active Directory integration with TLS / Secure communication to be implemented on HCS. Be aware that all real names were substituted by appropriate common name aliases. The text below was edited in Word, so there could be some end-of-line breaks in command syntax. I apologize in advance if I unintentionally missed any steps, or somehow mistyped something - I did my best.

0. The built-in system account cannot be used with LDAP, only local.
1. Create a binding account on the AD server which will be used by HCS for reading AD directories when appropriate HCS users require their authentication and authorization.
dsquery user -samid hds_bind
"CN=hds_bind,OU=Generic_IDs,OU=Users,OU=Company,DC=company_domain,DC=com"
2. Create three groups on the AD server. They will be used to authorize HCS users’ rights.
dsquery group -name *HCS*
"CN=HCS_Admin_Group,OU=Managed_Groups,OU=Groups,OU=Company,DC=company_domain,DC=com"
"CN=HCS_Modify_Group,OU=Managed_Groups,OU=Groups,OU=Company,DC=company_domain,DC=com"
"CN=HCS_View_Group,OU=Managed_Groups,OU=Groups,OU=Company,DC=company_domain,DC=com"
3. All existing AD accounts which are going to be used in appropriate roles on HCS (for example, storage admins will be part of HCS_Admin_Group above) need to be assigned to the appropriate newly created HCS-related groups on AD.
4. Export a security certificate from the AD server. The certificate must show the same value in its CN as the host name value in the “exauth.properties” file (see below).
5. Before you start using your Domain accounts to log in to HCS, make sure none of them exist on the HCS internal user list.
6. Log in to the HCS server and run cmd to get a CLI interface. Run the command which registers the binding account specified above:
D:\Program Files (x86)\HiCommand\Base\bin>hcmdsldapuser /set /dn "CN=hds_bind,OU=Generic_IDs,OU=Users,OU=Company,DC=company_domain,DC=com" /pass hds_bind_password /name AD_SERVER.company_domain.com
KAPM05250-I Registration of the information-search user has finished.
7. Edit the “exauth.properties” file in D:\Program Files (x86)\HiCommand\Base\conf:
auth.server.type=ldap
auth.server.name=AD_SERVER.company_domain.com
auth.group.mapping=true
auth.ldap.AD_SERVER.company_domain.com.protocol=tls
auth.ldap.AD_SERVER.company_domain.com.host=AD_SERVER.company_domain.com
auth.ldap.AD_SERVER.company_domain.com.port=389
auth.ldap.AD_SERVER.company_domain.com.timeout=15
auth.ldap.AD_SERVER.company_domain.com.attr=sAMAccountName
auth.ldap.AD_SERVER.company_domain.com.basedn=dc=company_domain,dc=com
auth.ldap.AD_SERVER.company_domain.com.retry.interval=1
auth.ldap.AD_SERVER.company_domain.com.retry.times=20
auth.ldap.AD_SERVER.company_domain.com.domain.name=company_domain.com
auth.ldap.AD_SERVER.company_domain.com.dns_lookup=true
8. Import the AD certificate into HCS. The keystore “ldapcacert” (which is just a file, see below) does not exist at the moment this command runs.
D:\Program Files (x86)\HiCommand\Base\bin>hcmdskeytool -import -alias AD_SERVER -file .\AD_SERVER.cer -keystore "D:\Program Files (x86)\HiCommand\Base\conf\sec\ldapcacerts"
Enter keystore password:  passphrase
Owner: CN=AD_SERVER.company_domain.com, O=Company, L=City, ST=State, C=Country_code
Issuer: ISSUER_DETAILS
Serial number: SN_NUMBER
Valid from: DATES_FROM-TO
Certificate fingerprints:
         MD5:  Sequence_1
         SHA1: Sequence_2
Trust this certificate? [no]:  y
Certificate was added to keystore
9. Recycle HCS services:
D:\Program Files (x86)\HiCommand\Base\bin>hcmdssrv /stop
D:\Program Files (x86)\HiCommand\Base\bin>hcmdssrv /start
10. Verify communications between HCS and the AD server by issuing the following command (AD_registered_user is one of the storage admins’ accounts, AD_registered_user_password is AD_registered_user’s password):
D:\Program Files (x86)\HiCommand\Base\bin>hcmdscheckauth /user AD_registered_user /pass AD_registered_user_password
KAPM15003-I The configuration check of Phase1 will now start.
type : ldap
server : AD_SERVER.company_domain.com
KAPM15227-I Group linkage is enabled.
KAPM15004-I The result of the configuration check of Phase1 was normal.
KAPM15003-I The configuration check of Phase2 will now start.
KAPM15006-I The configuration of the server AD_SERVER.company_domain.com will now be checked.
KAPM15007-I The result of the configuration check of the server AD_SERVER.company_domain.com was normal.
KAPM15004-I The result of the configuration check of Phase2 was normal.
KAPM15228-W The external authentication group was not linked to because an authentication user was found on the DBMS.
KAPM15003-I The configuration check of Phase3 will now start.
KAPM15010-I The connection to the server AD_SERVER.company_domain.com will now be checked. (host = AD_SERVER.company_domain.com, port = 389, protocol = tls)
KAPM15011-I The server AD_SERVER.company_domain.com can be connected to normally.
KAPM15004-I The result of the configuration check of Phase3 was normal.
KAPM15245-I A connection was successfully established. (server name = AD_SERVER.company_domain.com)
11. Go to the HCS GUI, Administration tab, and open the “Users and permissions” view. The “Groups” folder must be expandable. Expand it, find the AD server name, click on it and invoke the “Add groups” function / button. In the wizard window, paste the CN name of the first AD group created above:
CN=HCS_Admin_Group,OU=Managed_Groups,OU=Groups,OU=Company,DC=company_domain,DC=com
Before clicking the OK button, verify that this group is confirmed by AD by clicking on the “Check DN” button. Register all the remaining groups in this manner.
12. After all three groups are registered, activate the first one by clicking on it and edit its permissions with the “Change Permissions” button. The Admin group will get all the rights, Modify all except Admin, and finally View will have only View rights.
13. Go to the Administration tab in HCS, open the User groups view, and click on HCS_Admin_Group. Then add the required resources (default is “All resources”) to this group, setting up the appropriate role during this assignment (in this case Admin). Set all three groups in this manner. Keep in mind that roles are different for each group.
14. Log in to STNM2 and set up all appropriate rights for the newly created groups there too.
15. Test login.
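As an added illustration (not part of alexander's post and not an HCS tool): a small Python checker for the consistency rules the steps above depend on, namely auth.server.type=ldap, an auth.ldap.&lt;server&gt;.* block for the configured server, protocol=tls so the bind password does not cross the wire in clear text, and the step 4 rule that the certificate CN equals the configured host, plus a filter that pulls -W/-E codes out of hcmdscheckauth output. The exauth.properties and hcmdscheckauth samples are constructed from the post's own values; the checks are derived from the post, not from HCS documentation.

```python
import re

# Constructed sample mirroring the exauth.properties keys from the post.
SAMPLE_EXAUTH = """\
auth.server.type=ldap
auth.server.name=AD_SERVER.company_domain.com
auth.group.mapping=true
auth.ldap.AD_SERVER.company_domain.com.protocol=tls
auth.ldap.AD_SERVER.company_domain.com.host=AD_SERVER.company_domain.com
auth.ldap.AD_SERVER.company_domain.com.port=389
auth.ldap.AD_SERVER.company_domain.com.attr=sAMAccountName
auth.ldap.AD_SERVER.company_domain.com.basedn=dc=company_domain,dc=com
"""

# Constructed sample of hcmdscheckauth output (message codes as shown in the post).
SAMPLE_CHECKAUTH = """\
KAPM15004-I The result of the configuration check of Phase2 was normal.
KAPM15228-W The external authentication group was not linked to because an authentication user was found on the DBMS.
KAPM15245-I A connection was successfully established. (server name = AD_SERVER.company_domain.com)
"""


def parse_properties(text):
    """Java-style key=value file; split on the first '=' only (basedn contains more)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_exauth(props, cert_cn):
    """Return a list of findings; an empty list means the config is consistent.
    Rules are taken from the post's steps, not from HCS documentation (assumption)."""
    findings = []
    server = props.get("auth.server.name", "")
    prefix = f"auth.ldap.{server}."
    ldap = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
    if props.get("auth.server.type") != "ldap":
        findings.append("auth.server.type must be ldap")
    if not ldap:
        findings.append(f"no {prefix}* keys for the configured auth.server.name")
    if ldap.get("protocol") != "tls":
        findings.append("protocol is not tls: bind credentials would be sent in clear text")
    if cert_cn.lower() != ldap.get("host", "").lower():
        findings.append(f"certificate CN {cert_cn!r} does not match host {ldap.get('host')!r} (step 4)")
    return findings


def checkauth_problems(output):
    """KAPM message codes ending in -W or -E from hcmdscheckauth output."""
    return re.findall(r"\b(KAPM\d{5}-[WE])\b", output)
```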
