New Contributor
chrismcnally
Posts: 3
Registered: ‎03-29-2006

LDAP AD Authentication Help

Getting AD authentication to work should be simple, but I have yet to make it work.


I need clarification on what certificate I need to install. I don't understand this at all, so if anyone can help, please do. I would think this was only for LDAPS and not just plain old LDAP.

Steps to configure LDAP:

aaaConfig --add myserver --conf ldap -d my.domain.com

    Question: should -d be the fully qualified domain, or just the lower level?

ldapcfg --maprole brocade.admin admin

     Question: does having a "." in the group name create any issues for the Brocade?

     Question: does the group have to be in the Groups OU in AD?

     Question: does the group have to be any specific type of group, e.g. global security?

aaaConfig --authspec "ldap;local" -backup

I also have AD questions about the users.

     Do users have to be in the Users OU?

     Do you absolutely have to set the CN= parameter from ADSI, or if left blank do I achieve default access?

How to log in properly?

     Once configured, what does the proper login look like? ssh chris.mcnally@myswitch or ssh DOMAIN\chris.mcnally@myswitch

Thanks for your help.

If any Brocade people see this, most LDAP implementations I have seen that were successful had a user search path and group search path that were configurable.  They also required a bind account.

Moderator
Antonio Bongiorno TechHelp24
Posts: 3,785
Registered: ‎02-23-2004

Re: LDAP AD Authentication Help

--->>> question?  should -d be the fully qualified domain, or just the lower level

full

--->>>  question?  does having a "." ....

You mean the character "."?

--->>> question?  does the group have to be in the Groups OU in AD

--->>> Do users have to be in the Users OU?

Your questions are a little confused.

TechHelp24
New Contributor
chrismcnally
Posts: 3
Registered: ‎03-29-2006

Re: LDAP AD Authentication Help

Sorry about the confusion.

I need to know if the "." character creates any issues for the Brocade in group names.

By default, users and groups created in Active Directory get placed in the Users OU and Groups OU. Since there is no option to provide search locations for users and groups, does Brocade require that user accounts be in the Users OU and groups be in the Groups OU?

Moderator
Antonio Bongiorno TechHelp24
Posts: 3,785
Registered: ‎02-23-2004

Re: LDAP AD Authentication Help

Chris,

Characters such as ", * etc. are not allowed in the group name; others are not known to me.

--->>>....does Brocade require that user accounts be in the Users OU and groups be in the Groups OU.

Yes.

About the login:

--->>> How to log in properly?
     Once configured, what does the proper log in look like?  ssh chris.mcnally@myswitch  or ssh DOMAIN\chris.mcnally@myswitch

I think in this case you need to log in with chris.mcnally@myswitch, for the simple reason that after an AD is created and the switch is a member of this AD, you only need to log in with the domain-native user name.

Another story is if you have TWO or more different domain names, for example:

a)  marketingdomain

b)  salesdomain

If the switch AD you have created is in the marketingdomain and you want to log in "from a different domain", for example salesdomain, in this case you need to log in as DOMAIN\chris.mcnally@myswitch.

TechHelp24
New Contributor
chrismcnally
Posts: 3
Registered: ‎03-29-2006

Re: LDAP AD Authentication Help

I still need to know about the certificate that is supposed to be installed. Can anyone confirm or deny that this is a requirement for non-LDAPS implementations, and provide any helpful information about where to get the certificate?

Thanks

Occasional Contributor
Trickster
Posts: 10
Registered: ‎07-20-2010

Re: LDAP AD Authentication Help

You do not need a certificate to use LDAP authentication on Brocade SAN switches. You do need a certificate to use LDAPS authentication though.

I have managed to get user authentication working using AD as the LDAP source, and the FOS 7.x Administration Guide is better (though still nowhere near good enough) in describing the steps you need to follow to get it to work.

Unfortunately I have not been able to get it to work with LDAPS, even though I have imported the Root, plus the subordinate Ash Forest and AD Server certificates to the SAN switch. It seems that these are not enough to allow the switch to authenticate over SSL.

From studying the Admin Guide, it would appear that I need to generate a public and private key, and a certificate signing request (CSR), on each switch, and for those to be transferred to the Certificate Authority (CA) so a specific switch certificate can be created. This certificate would then be transferred back to each switch and installed there. Unfortunately for me, the customer doesn't allow self-signed certificates, and has only provided us with the above certificates, which they maintain are enough. We have been able to use LDAPS with other equipment (HP servers) successfully in this manner, so we know that it is possible.

Can anyone shed any light on how to troubleshoot LDAPS authentication issues with Brocade SAN switches?

N/A
barnett
Posts: 1
Registered: ‎06-19-2012

Re: LDAP AD Authentication Help

I am having the issue after the configuration has been completed for LDAP authentication. I currently receive the error "Invalid User"; however, the group ***_***_************ was mapped to the securityadmin role, the LDAP servers have been added, and the configurations are correct. I have also activated LDAP as the primary authentication protocol and the local repository as the alternate.

With that said, when I try to log in, either in the gui or via CLI I am not able to get in. I am using all of these configurations in my other appliances and they are working fine. I have tried the following login formats:

domain\userID@switchname

domain\userID@switchIP

domain\userID

userid\FullyQualifiedDomainName

UserID

None has produced a successful authentication experience.
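To reason about the "Invalid User" result above and the earlier maprole question, here is an added example (not Brocade FOS code, but a constructed model of what a mapping like "ldapcfg --maprole brocade.admin admin" has to match against a user's AD memberOf groups). The group DNs, the second mapping entry and the case-insensitive comparison are assumptions for illustration.

```python
import re

# Role map as configured with "ldapcfg --maprole <AD group> <FOS role>".
# "brocade.admin" comes from the thread; the second entry is constructed.
ROLE_MAP = {
    "brocade.admin": "admin",
    "brocade.secadmin": "securityadmin",
}

# Characters the moderator lists as not allowed in a mapped group name
# (hypothetical check; the switch's own validation rules may differ).
FORBIDDEN = set('",*')

def rdn_values(dn):
    """Split a DN into (attribute, value) pairs, honouring RFC 4514 backslash escapes."""
    pairs = []
    for part in re.split(r'(?<!\\),', dn):      # split only on unescaped commas
        attr, _, value = part.strip().partition('=')
        value = re.sub(r'\\(.)', r'\1', value)   # unescape \, \" \\ etc.
        pairs.append((attr.strip().lower(), value))
    return pairs

def group_cn(dn):
    """Leading CN of a group DN, e.g. 'brocade.admin' from
    'CN=brocade.admin,CN=Users,DC=my,DC=domain,DC=com'; a '.' is just a character."""
    for attr, value in rdn_values(dn):
        if attr == "cn":
            return value
    return None

def valid_group_name(name):
    return bool(name) and not (FORBIDDEN & set(name))

def resolve_role(member_of):
    """FOS role for the first mapped group the user belongs to, or None
    (the case the switch reports as 'Invalid User'). Match assumed case-insensitive."""
    for dn in member_of:
        cn = group_cn(dn)
        if valid_group_name(cn) and cn.lower() in ROLE_MAP:
            return ROLE_MAP[cn.lower()]
    return None

# Constructed memberOf attribute values for two sample users.
CHRIS = [
    "CN=Domain Users,CN=Users,DC=my,DC=domain,DC=com",
    "CN=brocade.admin,CN=Users,DC=my,DC=domain,DC=com",
]
NOMATCH = [
    "CN=Domain Users,CN=Users,DC=my,DC=domain,DC=com",
    r"CN=san\, admins,OU=Groups,DC=my,DC=domain,DC=com",  # never mapped with --maprole
]
```

Comparing the CN the switch would extract from memberOf with the exact name given to --maprole is the first thing to check when every login format fails with "Invalid User".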
