The following procedure shows how to enable the plug-in module for LDAP authentication. This section provides examples for OpenLDAP and Windows Active Directory LDAP distributions.
See the vssat.1m and the atldapconf.1m manual pages.
To enable OpenLDAP authentication for clusters that run in secure mode
The following example adds the LDAP domain, MYENTERPRISE:
# /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/vssat addldapdomain \
--domainname "MYENTERPRISE.symantecdomain.com" \
--server_url "ldap://my_openldap_host.symantecexample.com" \
--user_base_dn "ou=people,dc=symantecdomain,dc=myenterprise,dc=com" \
--user_attribute "cn" --user_object_class "account" \
--user_gid_attribute "gidNumber" \
--group_base_dn "ou=group,dc=symantecdomain,dc=myenterprise,dc=com" \
--group_attribute "cn" --group_object_class "posixGroup" \
--group_gid_attribute "member" \
--admin_user "cn=manager,dc=symantecdomain,dc=myenterprise,dc=com" \
--admin_user_password "password" --auth_type "FLAT"
You must have a valid LDAP user ID and password to run the command. In the following example, authentication is verified for the MYENTERPRISE domain for the LDAP user, vcsadmin1.
galaxy# /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/vssat authenticate \
--domain ldap:MYENTERPRISE.symantecdomain.com --prplname vcsadmin1 \
--broker galaxy:14149
Enter password for vcsadmin1: ##########
authenticate
----------------------
----------------------
Authenticated User vcsadmin1
----------------------
# haconf -makerw
# hauser -add "CN=vcsadmin1/CN=people/\
DC=symantecdomain/DC=myenterprise/\
DC=com@myenterprise.symantecdomain.com" -priv Administrator
# haconf -dump -makero
If you want to enable group-level authentication, you must run the following command:
# hauser -addpriv \
ldap_group@ldap_domain AdministratorGroup
# cat /etc/VRTSvcs/conf/config/main.cf
...
...
cluster clus1 (
    SecureClus = 1
    Administrators = {
        "CN=vcsadmin1/CN=people/DC=symantecdomain/DC=myenterprise/
        DC=com@myenterprise.symantecdomain.com" }
    AdministratorGroups = {
        "CN=symantecusergroups/DC=symantecdomain/DC=myenterprise/
        DC=com@myenterprise.symantecdomain.com" }
    )
...
...
Set the VCS_DOMAIN and VCS_DOMAINTYPE environment variables as follows:
VCS_DOMAIN=myenterprise.symantecdomain.com
VCS_DOMAINTYPE=ldap
# export VCS_DOMAIN=myenterprise.symantecdomain.com
# export VCS_DOMAINTYPE=ldap
# halogin vcsadmin1 password
# hasys -state
VCS NOTICE V-16-1-52563 VCS Login:vcsadmin1
#System    Attribute    Value
galaxy     Attribute    RUNNING
nebula     Attribute    RUNNING
Similarly, you can use the same LDAP user credentials to log on to the SFCFSHA node using the VCS Cluster Manager (Java Console).
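Once the LDAP user and group have been added, the cluster block in main.cf is the record of who holds Administrator privilege, so it is worth auditing after every change. The following script is an added example and is not part of the SFCFSHA documentation or the VCS product: it parses the "cluster NAME ( ... )" block, checks that SecureClus is 1 (the procedure applies to clusters in secure mode), and verifies that every Administrators and AdministratorGroups entry is qualified with the expected LDAP domain and carries no stray whitespace. The sample main.cf text is constructed from the fragment shown above, and the parsing rules are assumptions about the main.cf syntax rather than a complete grammar.

```python
"""Audit the LDAP principals in a VCS main.cf cluster block.

Added example, not part of the SFCFSHA documentation or the VCS product.
SAMPLE_MAIN_CF is constructed from the fragment shown in the procedure;
the parser assumes a "cluster NAME ( ... )" block containing scalar
"Attr = value" lines and brace lists "Attr = { "a", "b" }".
"""
import re

SAMPLE_MAIN_CF = """\
cluster clus1 (
    SecureClus = 1
    Administrators = {
        "CN=vcsadmin1/CN=people/DC=symantecdomain/DC=myenterprise/DC=com@myenterprise.symantecdomain.com" }
    AdministratorGroups = {
        "CN=symantecusergroups/DC=symantecdomain/DC=myenterprise/DC=com@myenterprise.symantecdomain.com" }
    )
"""


def parse_cluster_block(text):
    """Return (cluster_name, attrs) for the first cluster block in text.

    Scalar attributes map to a string; brace lists map to the list of
    quoted strings inside the braces.
    """
    block = re.search(r"cluster\s+(\S+)\s*\((.*?)^\s*\)", text, re.S | re.M)
    if not block:
        raise ValueError("no cluster block found")
    name, body = block.group(1), block.group(2)
    attrs = {}
    # Scalars: a line of the form  Attr = value  (no braces or quotes).
    for m in re.finditer(r'^\s*(\w+)\s*=\s*([^\s{}"]+)\s*$', body, re.M):
        attrs[m.group(1)] = m.group(2)
    # Lists: Attr = { "x", "y" }, possibly spanning several lines.
    for m in re.finditer(r"^\s*(\w+)\s*=\s*\{(.*?)\}", body, re.S | re.M):
        attrs[m.group(1)] = re.findall(r'"([^"]*)"', m.group(2))
    return name, attrs


def audit_ldap_admins(text, ldap_domain):
    """Return a list of human-readable findings; empty means no issue found."""
    _, attrs = parse_cluster_block(text)
    findings = []
    if attrs.get("SecureClus") != "1":
        findings.append("SecureClus is not 1; LDAP principals require secure mode")
    admins = attrs.get("Administrators", [])
    groups = attrs.get("AdministratorGroups", [])
    if not admins and not groups:
        findings.append("no Administrators or AdministratorGroups configured")
    suffix = "@" + ldap_domain.lower()
    for principal in admins + groups:
        if principal != principal.strip():
            findings.append(f"principal {principal!r} has leading/trailing whitespace")
        if not principal.strip().lower().endswith(suffix):
            findings.append(f"principal {principal!r} is not qualified with {suffix}")
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_admins(SAMPLE_MAIN_CF, "myenterprise.symantecdomain.com") or ["OK"]:
        print(finding)
```

A trailing space inside a quoted principal, such as the one that can creep in when a long DN is wrapped, changes the name VCS compares against and silently breaks the grant; the whitespace check catches exactly that case.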
To enable Windows Active Directory authentication for clusters that run in secure mode
# /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/atldapconf -d \
-s domain_controller_name_or_ipaddress \
-u domain_user -g domain_group
For example:
# /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/atldapconf \
-d -s 192.168.20.32 -u Administrator -g "Domain Admins"
Search User provided is invalid or Authentication is required to proceed further.
Please provide authentication information for LDAP server.
Username/Common Name: symantecdomain\administrator
Password:
Attribute file created.
# /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/atldapconf \
-c -d windows_domain_name
For example:
# /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/atldapconf \
-c -d symantecdomain.com
Attribute list file not provided, using default AttributeList.txt.
CLI file name not provided, using default CLI.txt.
CLI for addldapdomain generated.
# /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/atldapconf -x
# /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/vssat listldapdomains
Domain Name :          symantecdomain.com
Server URL :           ldap://192.168.20.32:389
SSL Enabled :          No
User Base DN :         CN=people,DC=symantecdomain,DC=com
User Object Class :    account
User Attribute :       cn
User GID Attribute :   gidNumber
Group Base DN :        CN=group,DC=symantecdomain,DC=com
Group Object Class :   group
Group Attribute :      cn
Group GID Attribute :  cn
Auth Type :            FLAT
Admin User :
Admin User Password :
Search Scope :         SUB
Set the VCS_DOMAIN and VCS_DOMAINTYPE environment variables as follows:
VCS_DOMAIN=symantecdomain.com
VCS_DOMAINTYPE=ldap
# export VCS_DOMAIN=symantecdomain.com
# export VCS_DOMAINTYPE=ldap
# halogin vcsadmin1 password
# hasys -state
VCS NOTICE V-16-1-52563 VCS Login:vcsadmin1
#System    Attribute    Value
galaxy     Attribute    RUNNING
nebula     Attribute    RUNNING
Similarly, you can use the same LDAP user credentials to log on to the SFCFSHA node using the VCS Cluster Manager (Java Console).
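The listldapdomains output above is the place to confirm how the authentication broker actually reaches the directory: in the example the server URL is plain ldap:// on port 389, SSL Enabled is No, and no Admin User is recorded. The following script is an added example, not part of the SFCFSHA documentation or the vssat tool: it parses that output (one dict per domain, so multi-domain listings work too) and reports the settings a reviewer would want changed before a production cutover. The sample output is constructed from the Active Directory example above; the bind account name used in the hardened variant is a placeholder, and which settings count as weak is this script's own opinion rather than product guidance.

```python
"""Parse `vssat listldapdomains` output and flag weak transport/bind settings.

Added example, not part of the SFCFSHA documentation or the vssat tool.
SAMPLE_OUTPUT is constructed from the Active Directory example shown in
the procedure; the field names are the ones that example prints.
"""
from urllib.parse import urlparse

SAMPLE_OUTPUT = """\
Domain Name : symantecdomain.com
Server URL : ldap://192.168.20.32:389
SSL Enabled : No
User Base DN : CN=people,DC=symantecdomain,DC=com
User Object Class : account
User Attribute : cn
User GID Attribute : gidNumber
Group Base DN : CN=group,DC=symantecdomain,DC=com
Group Object Class : group
Group Attribute : cn
Group GID Attribute : cn
Auth Type : FLAT
Admin User :
Admin User Password :
Search Scope : SUB
"""


def parse_listldapdomains(text):
    """Return a list of domains, each a dict mapping field name to value.

    A new domain starts at every 'Domain Name' line. Values are split on
    the first colon only, so URLs containing ':' survive intact; fields
    printed with no value (like 'Admin User :') become ''.
    """
    domains, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Domain Name":
            current = {}
            domains.append(current)
        if current is not None:
            current[key] = value
    return domains


def audit_domain(domain):
    """Return findings for one parsed domain; empty means nothing flagged."""
    findings = []
    url = urlparse(domain.get("Server URL", ""))
    ssl_enabled = domain.get("SSL Enabled", "").lower() == "yes"
    if url.scheme == "ldap" and not ssl_enabled:
        findings.append(
            f"{domain.get('Domain Name')}: ldap:// with SSL disabled, bind "
            "password and directory queries cross the network in the clear"
        )
    if not domain.get("Admin User"):
        findings.append(
            f"{domain.get('Domain Name')}: no Admin User recorded, directory "
            "searches do not use a dedicated, auditable bind account"
        )
    return findings


def audit_output(text):
    """Parse the full output and concatenate the findings for every domain."""
    return [f for d in parse_listldapdomains(text) for f in audit_domain(d)]


if __name__ == "__main__":
    for finding in audit_output(SAMPLE_OUTPUT) or ["OK"]:
        print(finding)
```

Run it against the real output (for example, `vssat listldapdomains | python3 audit_ldap.py` with a `sys.stdin.read()` in place of SAMPLE_OUTPUT) after each addldapdomain or atldapconf -x run, so a domain that was imported with the defaults does not go unnoticed.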