Fibre Channel (SAN)

New Contributor
Posts: 4
Registered: ‎09-04-2017

AD user integration with Brocade DCX

Dear community

I have a problem I hope you can help me solve.

In our SAN environment we have 6 director switches. Until now we haven't used AD integration for users, but we want to establish this now. The problem is that some of the switches were partitioned earlier, and that causes a problem when trying to log on to a specific context when already logged onto the base. I have used these commands so far:

aaaconfig --add <ipaddress> -conf ldap -p 389 -d <domain.name> -t 3
aaaconfig --authspec "ldap;local"
ldapcfg --maprole "Domain.group" admin

So now our domain group is mapped to the role admin. When I logged on to the partitioned switch and want to change to context 30, I get the error: VF Permission for fid 30 is denied.

Output from userconfig --show:

Account name: gun0014
Description: Remote Account
Enabled: Yes
Password Last Change Date: Unknown (UTC)
Password Expiration Date: Not Applicable (UTC)
Locked: No
Home LF Role: admin
Role-LF List: admin: 128
No chassis permission
Home LF: 128
DCX_ID128_BASE:FID128:gun0014>

I guess it's because the Role-LF List for admin is 128 and not 1-128. Isn't there any simple command with which I can make the role "admin", which is associated with the AD group, access 1-128? I'm sure this would solve the problem. I'm not interested in converting the switch into only being a base switch again.

The switch is a DCX running FOS v7.4.1e.

I really hope someone can help.

Best Regards

Sebastian

Brocade Moderator
Posts: 383
Registered: ‎03-29-2011

Re: AD user integration with Brocade DCX

Hi Sebastian,

You are right, the user needs to have FID 30 in the LF list. In 7.4.1e, you only have two choices:

1. Update the adminDescription attribute of the user in AD to something like

 

    HomeLF=30;LFRoleList=admin:1-128;ChassisRole=admin

2. Add a new attribute brcdAdVfData as Unicode String to AD, and for the user set the value as in (1).

 

With 7.4.2 and onwards you have the mapattr option in the ldapcfg command:

"The ldapCfg command supports a new option --mapattr to assign a list of vendor specific attributes. This enhances the LDAP configuration support for Brocade vendor specific attributes, such as chassis role, home logical fabric (LF), and LF list to be assigned per LDAP server group."

 

So, you can use a command like:

ldapCfg -mapattr "Domain.group" -l "admin:1-128" -h 30 -c admin

If this provided you with a solution to this issue, please mark it with the button at the bottom "Accept as solution".


Any and all information provided by me is not reviewed, approved or endorsed by Brocade and is provided solely as a convenience for Brocade customers. All systems and all networks are different and unique. If you have a service affecting network problem, please open a TAC service request for service through Brocade, or through your OEM equipment provider. If this provided you with a solution to this issue, please mark it with the button at the bottom "Accept as solution"
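The AD attribute value in this reply (HomeLF=30;LFRoleList=admin:1-128;ChassisRole=admin) and the "Role-LF List: admin: 128" line in the first post's userconfig --show output use the same <role>:<FID list> shape, and the whole problem in the thread is whether FID 30 falls inside that list. The following Python is an added example, not Brocade's code and not written by either poster: it parses both forms, validates the FID ranges, and shows why "admin: 128" is denied for FID 30 while "admin:1-128" is accepted. It assumes the format exactly as shown in the thread (fields separated by semicolons, one role per LFRoleList, FIDs and ranges separated by commas, valid FIDs 1-128); the function names are mine, and the sample userconfig output is copied from the first post.

```python
import re

# Logical-fabric IDs the thread works with; assumed here to be the valid range.
FID_MIN, FID_MAX = 1, 128

# Sample input: the `userconfig --show` output from the first post of the thread.
USERCONFIG_SHOW = """\
Account name: gun0014
Description: Remote Account
Enabled: Yes
Password Last Change Date: Unknown (UTC)
Password Expiration Date: Not Applicable (UTC)
Locked: No
Home LF Role: admin
Role-LF List: admin: 128
No chassis permission
Home LF: 128
"""

# One entry of a FID list: a single FID ("30") or an inclusive range ("1-128").
_FID_ENTRY = re.compile(r"\s*(\d+)(?:\s*-\s*(\d+))?\s*")


def parse_fid_list(spec):
    """Expand '1-128' or '30,128' into a set of ints, rejecting anything outside 1-128."""
    fids = set()
    for part in spec.split(","):
        m = _FID_ENTRY.fullmatch(part)
        if not m:
            raise ValueError(f"malformed FID entry: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not FID_MIN <= lo <= hi <= FID_MAX:
            raise ValueError(f"FID entry outside {FID_MIN}-{FID_MAX}: {part!r}")
        fids.update(range(lo, hi + 1))
    return fids


def parse_role_fids(spec):
    """'admin:1-128' -> ('admin', {1, ..., 128}); also accepts 'admin: 128' as userconfig prints it."""
    role, sep, fid_spec = spec.partition(":")
    if not sep or not role.strip():
        raise ValueError(f"expected <role>:<FID list>, got {spec!r}")
    return role.strip(), parse_fid_list(fid_spec)


def parse_vf_attribute(value):
    """Parse an AD value such as 'HomeLF=30;LFRoleList=admin:1-128;ChassisRole=admin'."""
    fields = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        key, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {item!r}")
        fields[key.strip()] = val.strip()
    role, fids = parse_role_fids(fields["LFRoleList"])
    home_lf = int(fields["HomeLF"])
    # A home LF the account cannot enter leaves the login with nowhere to land, so reject it.
    if home_lf not in fids:
        raise ValueError(f"HomeLF {home_lf} is not covered by LFRoleList {fields['LFRoleList']!r}")
    return {"home_lf": home_lf, "lf_role": role, "lf_fids": fids,
            "chassis_role": fields.get("ChassisRole")}


def role_fids_from_userconfig(output):
    """Extract and parse the 'Role-LF List' line from `userconfig --show` text."""
    for line in output.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip() == "Role-LF List":
            return parse_role_fids(val)
    raise ValueError("no 'Role-LF List' line found")


def vf_permission(fid, role_fids):
    """Return the role the account holds in logical fabric `fid`, or None if access is denied."""
    role, fids = role_fids
    return role if fid in fids else None


if __name__ == "__main__":
    current = role_fids_from_userconfig(USERCONFIG_SHOW)
    print("current mapping:", current[0], sorted(current[1]))
    print("FID 30 with current mapping:", vf_permission(30, current))  # None -> denied
    fixed = parse_vf_attribute("HomeLF=30;LFRoleList=admin:1-128;ChassisRole=admin")
    print("FID 30 with fixed mapping:", vf_permission(30, (fixed["lf_role"], fixed["lf_fids"])))  # admin
```

Running it reproduces the thread's situation: the current mapping covers only FID 128, so FID 30 comes back as denied, while the attribute value from the reply covers 1-128 and grants admin in FID 30. The range check in parse_fid_list is there so that a typo such as "1-129" in the AD attribute is caught before it is pushed to the directory.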
New Contributor
Posts: 4
Registered: ‎09-04-2017

Re: AD user integration with Brocade DCX

Hi Martin

Thanks a lot for your reply.

It was exactly this command I was seeking: "ldapCfg -mapattr "Domain.group" -l "admin:1-128" -h 30 -c admin"

We are on our way to update the core switches and I will use this command just after this upgrade.

 

But...

We already have a minor switch, model 2498-F48, running FOS v8.0.1b (so I just tried to see what was possible).

On this switch I tried to write this command: "ldapcfg --help"

but the output was:

AKUT-HE_SW201A:FID128:admin> ldapcfg --help
Usage: ldapcfg
--help:         display this screen
--show:         display all the mapped entries
--maprole <LDAP rolename> <switch rolename>:
                creates a new mapping of ldap role with switch role
--unmaprole <LDAP rolename>:
                delete an existing mapping of ldap role
AKUT-HE_SW201A:FID128:admin>

Does this mean that I haven't got the option to do -mapattr on this kind of switch?

I actually thought it was possible here because of your input about the FOS version :-)

Brocade Moderator
Posts: 383
Registered: ‎03-29-2011

Re: AD user integration with Brocade DCX

Hi Sebastian,

It is 7.4.2 (RN), 8.1.0 (RN), but I have not seen it in 8.0.x yet (last release is 8.0.2c).

Kind regards




New Contributor
Posts: 4
Registered: ‎09-04-2017

Re: AD user integration with Brocade DCX

Okay, I'm just a little confused now.

If it is in 7.4.2 (RN), shouldn't it apply to all the following FOS versions then?
Or does Brocade work on different tracks in FOS 7.x.x and 8.x.x?

 

Thanks for your fast replies.

Best regards

Sebastian

Brocade Moderator
Posts: 383
Registered: ‎03-29-2011

Re: AD user integration with Brocade DCX

Hi Sebastian,

I expected it to be in 8.0.2x something, but as far as I have seen it is only in the 7.4.2 (maintenance) release, which was released in April 2017, and in 8.1.0 (March 2017). I would have expected it to be in any 8.0.x released after April/March, which leaves 8.0.2c in fact. I will be pinging the Product Manager to see whether it can be included in any future 8.0.2x release or not. It is not enough to look at the release number; you also have to look at the dates when the features were introduced.




New Contributor
Posts: 4
Registered: ‎09-04-2017

Re: AD user integration with Brocade DCX

Hi Martin

Thanks a lot. Is it possible to be contacted when you have talked to a product manager?

I really would like to know more about this and which FOS versions I can expect it to be a part of. We have quite a big environment and it seems to me that this little attribute would be quite an easy way to fix this for us.

 

I appreciate your help

Best regards

Sebastian
