New Contributor
Posts: 4
Registered: ‎11-03-2011

Fabric OS LDAP Configuration with 2008 AD

Hi All,

I've been trying to get LDAP configured on a Fabric OS 6.4.1a. I've made some progress by following the documentation but it's not quite working as I'd expect. This is a Windows 2008 R2 Domain; the Brocade is using virtual fabrics (FIDs 128, 10 & 20).

What I’ve done so far:

-----------------------------------------------------------------

Import certificate on 2008 R2 Domain Controller (for secure LDAP)

Extend Schema with ‘brcdAdVfData’ attribute and assign this to the ‘user’ class. 

Add the FID values of the virtual fabrics to the 'brcdAdVfData' attribute on the relevant user account (colon separated) (e.g. 10:20:128)

Used ‘Adsiedit’ on the DC to configure the ‘adminDescription’ on CN=Users to HomeLF=10;LFRoleList=admin128,10,20;ChassisRole=admin.

Used the following commands to configure LDAP from the FOS CLI:

    aaaconfig --add <DC IP Address> -conf ldap -p 389 -d <Domain Name> -t 3

    aaaconfig --authspec "ldap;local" -backup

    ldapcfg --maprole <LDAP rolename> admin


Logon to Fabric OS CLI with name@FQDN - login appears to work.

-----------------------------------------------------------------

The result is that I can login with my AD account from the CLI, but NOT from the GUI (I've tried the 'hafailover' command but it didn't fix the issue). Also, when I do log on to the CLI with my AD account, I have no admin permissions (e.g. if I issue an 'ldapcfg --show' command it returns "Invalid Chassis Role, Set Chassis context returns -1").

I can’t figure out how to get the admin permissions and chassis admin role working, and GUI login for the AD account. Any advice appreciated.

Super Contributor
Posts: 635
Registered: ‎04-12-2010

Re: Fabric OS LDAP Configuration with 2008 AD

I assume that you run into a bug of the FOS code which does not allow you to login to webtools. The official defect number is: "Defect ID: DEFECT000288021"   

Try to install FOS 6.4.1b or higher to fix this issue.

If you are happy with this please rate the thread.

I hope this helps,

Andreas

New Contributor
Posts: 4
Registered: ‎11-03-2011

Re: Fabric OS LDAP Configuration with 2008 AD

Thanks Andreas. I updated the firmware to v6.4.2b and it's fixed part of my problem in that I can now login to the GUI with my AD account. I'm still not getting the correct permissions from my AD account, though; I can only manage the 'base' virtual fabric (128).

Super Contributor
Posts: 635
Registered: ‎04-12-2010

Re: Fabric OS LDAP Configuration with 2008 AD

Check with userconfig --show which access rights you have got.

This will help you to find the correct settings.

Please have a look in the Admin Guide. You have to do a role mapping on the SAN switch with ldapcfg.

I have not implemented AD yet, so far I can only talk about RADIUS.

There is a section in the admin guide "Adding an Admin Domain or Virtual Fabric list" which shows you how to implement the VF with LDAP.

Regards,

Andreas

New Contributor
Posts: 4
Registered: ‎11-03-2011

Re: Fabric OS LDAP Configuration with 2008 AD

Userconfig shows that my AD account has admin role on the base virtual fabric (128), but no chassis permissions. It also doesn't list any permissions for my other virtual fabrics (10 and 20). I've used the info from the admin guide ( HomeLF=10;LFRoleList=admin:128,10,20;ChassisRole=admin ) to configure this in AD but these settings don't seem to be getting applied.

New Contributor
Posts: 4
Registered: ‎11-03-2011

Re: Fabric OS LDAP Configuration with 2008 AD

Just got it working, had to add the 'HomeLF=10;LFRoleList=admin:128,10,20;ChassisRole=admin' to the brcdAdVfData AD attribute. Thanks for all the help.
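Since the thread turns on the exact string placed in the AD attribute, here is an added checker (example code, not from the thread and not Brocade's) that parses a HomeLF/LFRoleList/ChassisRole string and reports format problems before it is written to brcdAdVfData. The grammar is assumed from the admin-guide line quoted in the thread (one role group, plain FID list, no ranges); KNOWN_ROLES is an assumed allowlist to extend for your FOS release. Running it over the three strings that appear in the thread shows what each one grants.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example: a format checker for the Fabric OS Virtual Fabric access string
# that the thread stores in the brcdAdVfData (or adminDescription) AD attribute.
# Grammar assumed from the admin-guide snippet quoted in the thread:
#   HomeLF=<fid>;LFRoleList=<role>:<fid>,<fid>,...;ChassisRole=<role>
# Anything beyond that (FID ranges, several role groups) is not handled here.

FID_MIN, FID_MAX = 1, 128            # Virtual Fabric IDs Fabric OS allows
KNOWN_ROLES = {"admin", "user"}      # assumed allowlist; extend for your FOS release


@dataclass
class VfAccess:
    home_lf: Optional[int] = None
    lf_roles: dict = field(default_factory=dict)   # FID -> role name
    chassis_role: Optional[str] = None
    problems: list = field(default_factory=list)   # human-readable findings

    def ok(self):
        return not self.problems


def _fid(text, where, problems):
    """Convert one FID token to int, recording a problem instead of raising."""
    if not text.isdigit():
        problems.append(f"{where}: FID '{text}' is not a number")
        return None
    fid = int(text)
    if not FID_MIN <= fid <= FID_MAX:
        problems.append(f"{where}: FID {fid} outside {FID_MIN}-{FID_MAX}")
        return None
    return fid


def parse_vf_access(value):
    """Parse the attribute string and collect every format problem found."""
    out = VfAccess()
    p = out.problems
    fields = {}
    for part in value.strip().strip(";").split(";"):
        key, sep, val = part.partition("=")
        if not sep:
            p.append(f"'{part}' is not of the form key=value")
            continue
        fields[key.strip()] = val.strip()
    for key in ("HomeLF", "LFRoleList", "ChassisRole"):
        if key not in fields:
            p.append(f"missing {key}")
    if "HomeLF" in fields:
        out.home_lf = _fid(fields["HomeLF"], "HomeLF", p)
    if "ChassisRole" in fields:
        out.chassis_role = fields["ChassisRole"]
        if out.chassis_role not in KNOWN_ROLES:
            p.append(f"ChassisRole '{out.chassis_role}' is not a known role")
    if "LFRoleList" in fields:
        role, sep, fid_list = fields["LFRoleList"].partition(":")
        if not sep:
            # e.g. "admin128,10,20": the role and the FID list have run together
            p.append(f"LFRoleList '{fields['LFRoleList']}' has no ':' between role and FID list")
        else:
            if role not in KNOWN_ROLES:
                p.append(f"LFRoleList role '{role}' is not a known role")
            for tok in fid_list.split(","):
                fid = _fid(tok.strip(), "LFRoleList", p)
                if fid is not None:
                    out.lf_roles[fid] = role
    if out.home_lf is not None and out.lf_roles and out.home_lf not in out.lf_roles:
        p.append(f"HomeLF {out.home_lf} is not in LFRoleList")
    return out


def missing_fids(value, wanted):
    """FIDs from `wanted` on which the string grants no role (empty list = full coverage)."""
    return sorted(set(wanted) - set(parse_vf_access(value).lf_roles))


if __name__ == "__main__":
    # The three attribute values seen in the thread, checked against FIDs 10, 20 and 128.
    for s in ("10:20:128",
              "HomeLF=10;LFRoleList=admin128,10,20;ChassisRole=admin",
              "HomeLF=10;LFRoleList=admin:128,10,20;ChassisRole=admin"):
        r = parse_vf_access(s)
        print(s, "->", "OK" if r.ok() else r.problems, "missing:", missing_fids(s, [10, 20, 128]))
```

The checker only tells you whether the string is well-formed under the assumed grammar and which FIDs it covers; whether the switch reads it from brcdAdVfData or adminDescription is a separate question, which the thread answers by putting the full string into brcdAdVfData.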

Contributor
Posts: 26
Registered: ‎04-11-2010

Re: Fabric OS LDAP Configuration with 2008 AD

Hello Callum,

I read the Brocade admin guide and found:

Add the user's Administrative Domains or Virtual Fabrics to the CN_list by either editing the adminDescription value or adding the brcdAdVfData attribute to the existing Active Directory schema.

As far as I understand, you are running FOS6.4.2 and win2008 AD. Where do you see the advantages/benefit of using the brcdAdVfData attribute instead of editing adminDescription? I am trying to understand if usage of the brcdAdVfData attribute depends on the FOS version in use or on the AD version in use. The old FOS6.4.0 admin guide only talks about editing the adminDescription.

Thanks for explanation


Occasional Contributor
Posts: 6
Registered: ‎11-20-2012

Re: Fabric OS LDAP Configuration with 2008 AD

How did you add the brcdAdVfData attribute to your AD group? Can you please explain?
