Fibre Channel (SAN)

Occasional Contributor
Posts: 5
Registered: ‎10-30-2009

Synchronize passwords across switches in same fabric.

Hi Everyone,

There may be an answer to this question already, but I am having issues searching the forums.  ALL of my searches either come up blank, or will only show me people matches.

Anyway, I have 3 switches in the same fabric (all at Firmware v6.3.1a).  I set up a few user accounts on switch1.  I used the command 'distribute -p PWD -d *' to distribute the local user database to the other 2 switches.  I then connected to the other 2 switches and ran the following command to accept the database from the master:  'fddcfg --localaccept PWD'  This successfully pulled the user accounts from switch1 to the other 2 switches.  My issue now is, when I change a password on a user account on Switch1, I would like it to synchronize the passwords on switch2 and switch3 so that they are all the same, but they are not doing that.  Is there another command that I need to run on the switches to auto-synchronize them?

Thanks in advance for any help!

-Jeff

External Moderator
Posts: 4,973
Registered: ‎02-23-2004

Re: Synchronize passwords across switches in same fabric.

jeff,

Are the values in fddcfg set to accept?

Try fddcfg --showall to list.

TechHelp24
Occasional Contributor
Posts: 5
Registered: ‎10-30-2009

Re: Synchronize passwords across switches in same fabric.

Yes,

Here is the output of that command:

fddcfg --showall

Local Switch Configuration for all Databases:-
DATABASE  -  Accept/Reject
---------------------------------
SCC          -     accept
DCC          -     accept
PWD         -     accept
FCS          -     accept
AUTH        -     accept
IPFILTER   -     accept

Fabric Wide Consistency Policy:- ""

I set them all to accept with 'fddcfg --localaccept PWD'.  All of the user accounts propagated correctly, but when I change a password to a user account on the master switch, the other switches do not receive the updated password so they are out of sync.

Thanks!

-Jeff

Occasional Contributor
Posts: 5
Registered: ‎10-30-2009

Re: Synchronize passwords across switches in same fabric.

Does anyone have any more input on this?  Is it the "Fabric Wide Consistency policy" that I need to be worried about?  I am pretty stuck, so if anyone has any tips, or can point me in the general direction, it would be much appreciated.

Thanks!

-Jeff

New Contributor
Posts: 5
Registered: ‎10-18-2004

Re: Synchronize passwords across switches in same fabric.

The PWD policy can't be automatically distributed.  Try using the distribute command on switch1:

distribute -p "PWD" -d "*"

I believe the only ones that can be automatically distributed are SCC, DCC, and FCS.
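A check that fits the exchange above, as an added example that is not from the thread or from Brocade: it parses saved `fddcfg --showall` output from each switch and reports why a PWD database pushed with `distribute` would not land there, which matters because an old password stays valid on any switch that missed the update. The switch names and the `switch3` sample are constructed; the `switch2` text is the output posted earlier in the thread.

```python
import re

ROW = re.compile(r"^([A-Z]+)\s+-\s+(accept|reject)$", re.IGNORECASE)
POLICY = re.compile(r'^Fabric Wide Consistency Policy:-\s*"(.*)"$')

def parse_showall(text):
    """Parse `fddcfg --showall` text into ({database: setting}, policy)."""
    settings, policy = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        row, pol = ROW.match(line), POLICY.match(line)
        if row:  # the header and dashed separator lines do not match ROW
            settings[row.group(1).upper()] = row.group(2).lower()
        elif pol:
            policy = pol.group(1)
    return settings, policy

def audit(outputs):
    """Map each switch name to the issues found in its showall output."""
    report = {}
    for switch, text in outputs.items():
        settings, policy = parse_showall(text)
        issues = []
        if settings.get("PWD") != "accept":
            state = settings.get("PWD", "missing")
            issues.append("PWD=%s: switch rejects a distributed PWD database" % state)
        if not policy:
            issues.append("no fabric-wide consistency policy")
        report[switch] = issues
    return report

# Output as posted in the thread, assigned here to a hypothetical switch2.
SWITCH2 = """Local Switch Configuration for all Databases:-
DATABASE  -  Accept/Reject
---------------------------------
SCC          -     accept
DCC          -     accept
PWD         -     accept
FCS          -     accept
AUTH        -     accept
IPFILTER   -     accept

Fabric Wide Consistency Policy:- ""
"""
# Constructed variant: the same output with PWD set to reject.
SWITCH3 = re.sub(r"(PWD\s+-\s+)accept", r"\1reject", SWITCH2)

if __name__ == "__main__":
    for switch, issues in audit({"switch2": SWITCH2, "switch3": SWITCH3}).items():
        print(switch, issues or "ok")
```
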

Occasional Contributor
Posts: 5
Registered: ‎10-30-2009

Re: Synchronize passwords across switches in same fabric.

Rats!!  That was the answer I expected, but not hoped for.  My biggest issue is that it's great that I don't have to create each user account on each switch (though it is quick to do from a command prompt), but I am not going to know when user Joe.Schmoe changes his password on one switch to run the fddcfg command on all of the different switches.  I will have to tell them that they will need to change the password on all the switches manually, I was just hoping for a more elegant way (Brocade, if you are reading this, can you PLEASE add this to the next code revision?  Seems like the distribute command is useless without the ability to auto-push password changes!!)

Thanks for the response!

-Jeff

Super Contributor
Posts: 260
Registered: ‎04-09-2008

Re: Synchronize passwords across switches in same fabric.

Integrate Brocade switch password management with Active Directory.

If you have a set policy on AD for a 30 day password change, then that's applicable for your SAN as well.

The problem is AD works only with switches having 6.x+ code, so old switches cannot be included.

The other way is to have a privileged user management product work with SAN switches; these can change passwords automatically. But there is not a single software available in the market which does this out of the box for Brocade switches, so you'll have to talk to a PIM vendor and ask for customization.

Occasional Contributor
Posts: 5
Registered: ‎10-30-2009

Re: Synchronize passwords across switches in same fabric.

For Active Directory Integration, I would need to purchase a Radius Server, correct?  We are on FOS v6.3.1a.  We only have 5 switches in the fabric so I can't justify purchasing a Radius Server, so I was hoping to be able to do it with the distribute command, or other commands built into the switches.

Thanks!

-Jeff

Super Contributor
Posts: 260
Registered: ‎04-09-2008

Re: Synchronize passwords across switches in same fabric.

If you have an existing AD setup, you can configure your Brocade switches to authenticate via AD. RADIUS is altogether a different concept, and there is openradius which is free.

Configure AD on a test switch before you try it on production, as there are cases where users have locked their switches. In most cases the users haven't read the user manual properly and understood the consequences.

http://community.brocade.com/home/thread/2638;jsessionid=366A70A0EDC246750B06DE4FC333851C?start=15&tstart=0

Read the admin guide for your FOS version, I'm sure it has a section explaining AD integration. You can even create AD groups to match standard Brocade groups, like fabric admin, admin, user etc.

Hope this helps.

Regards,

Biju Krishnan

TechHelp24

Email: bkrishnan@techhelp24.com

Site: www.techhelp24.com


