Enabling LDAP authentication for clusters that run in secure mode

The following procedure shows how to enable the plug-in module for LDAP authentication. This section provides examples for OpenLDAP and Windows Active Directory LDAP distributions.

Before you enable the LDAP authentication, complete the following steps:

See the vssat.1m and the atldapconf.1m manual pages.

To enable OpenLDAP authentication for clusters that run in secure mode

  1. Add the LDAP domain to the AT configuration using the vssat command.

    The following example adds the LDAP domain, MYENTERPRISE:

    # /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/vssat addldapdomain \
    --domainname "MYENTERPRISE.symantecdomain.com" \
    --server_url "ldap://my_openldap_host.symantecexample.com" \
    --user_base_dn "ou=people,dc=symantecdomain,dc=myenterprise,dc=com" \
    --user_attribute "cn" --user_object_class "account" \
    --user_gid_attribute "gidNumber" \
    --group_base_dn "ou=group,dc=symantecdomain,dc=myenterprise,dc=com" \
    --group_attribute "cn" --group_object_class "posixGroup" \
    --group_gid_attribute "member" \
    --admin_user "cn=manager,dc=symantecdomain,dc=myenterprise,dc=com" \
    --admin_user_password "password" --auth_type "FLAT"
  2. Verify that you can successfully authenticate an LDAP user on the SFCFSHA nodes.

    You must have a valid LDAP user ID and password to run the command. In the following example, authentication is verified for the MYENTERPRISE domain for the LDAP user, vcsadmin1.

    galaxy# /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/vssat authenticate \
    --domain ldap:MYENTERPRISE.symantecdomain.com \
    --prplname vcsadmin1 --broker galaxy:14149
    
    Enter password for vcsadmin1: ##########
    
    authenticate
    ----------------------
    ----------------------
    
    Authenticated User vcsadmin1
    ----------------------
  3. Add the LDAP user to the main.cf file.
    # haconf makerw
    # hauser -add "CN=vcsadmin1/CN=people/\
    DC=symantecdomain/DC=myenterprise/\
    DC=com@myenterprise.symantecdomain.com" -priv Administrator
    # haconf -dump -makero

    If you want to enable group-level authentication, you must run the following command:

    # hauser -addpriv \
    ldap_group@ldap_domain AdministratorGroup
  4. Verify that the main.cf file has the following lines:
    # cat /etc/VRTSvcs/conf/config/main.cf
    ...
    ...
    cluster clus1 (
      SecureClus = 1
      Administrators = {
        "CN=vcsadmin1/CN=people/DC=symantecdomain/DC=myenterprise/DC=com@myenterprise.symantecdomain.com" }
      AdministratorGroups = {
        "CN=symantecusergroups/DC=symantecdomain/DC=myenterprise/DC=com@myenterprise.symantecdomain.com" }
      )
    ...
    ...
  5. Set the VCS_DOMAIN and VCS_DOMAINTYPE environment variables as follows:

    • VCS_DOMAIN=myenterprise.symantecdomain.com

    • VCS_DOMAINTYPE=ldap

    For example, for the Bourne Shell (sh) or the Korn shell (ksh), run the following commands:
    # export VCS_DOMAIN=myenterprise.symantecdomain.com
    # export VCS_DOMAINTYPE=ldap
  6. Verify that you can log on to VCS. For example:
    # halogin vcsadmin1 password
    # hasys -state
    VCS NOTICE V-16-1-52563 VCS Login:vcsadmin1
    #System    Attribute    Value
    galaxy     Attribute  RUNNING
    nebula     Attribute  RUNNING

    Similarly, you can use the same LDAP user credentials to log on to the SFCFSHA node using the VCS Cluster Manager (Java Console).

  7. To enable LDAP authentication on other nodes in the cluster, perform the procedure on each of the nodes in the cluster.

To enable Windows Active Directory authentication for clusters that run in secure mode

  1. Run the LDAP configuration tool atldapconf using the -d option. The -d option discovers and retrieves an LDAP properties file, which is a prioritized attribute list.
    # /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/atldapconf -d \
    -s domain_controller_name_or_ipaddress \
    -u domain_user -g domain_group

    For example:

    # /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/atldapconf \
    -d -s 192.168.20.32 -u Administrator -g "Domain Admins"
    Search User provided is invalid or Authentication is required to 
    proceed further.
    Please provide authentication information for LDAP server.
    
    Username/Common Name: symantecdomain\administrator
    Password: 
    
    Attribute file created.
  2. Run the LDAP configuration tool atldapconf using the -c option. The -c option creates a CLI file to add the LDAP domain.
    # /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/atldapconf \
    -c -d windows_domain_name

    For example:

    # /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/atldapconf \
    -c -d symantecdomain.com
    Attribute list file not provided, using default AttributeList.txt.
    CLI file name not provided, using default CLI.txt.
    
    CLI for addldapdomain generated.
  3. Run the LDAP configuration tool atldapconf using the -x option. The -x option reads the CLI file and executes the commands to add a domain to the AT.
    # /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/atldapconf -x
  4. List the LDAP domains to verify that the Windows Active Directory server integration is complete.
    # /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/vssat listldapdomains
    
    Domain Name :         symantecdomain.com
    Server URL :          ldap://192.168.20.32:389
    SSL Enabled :         No
    User Base DN :        CN=people,DC=symantecdomain,DC=com
    User Object Class :   account
    User Attribute :      cn
    User GID Attribute :  gidNumber
    Group Base DN :       CN=group,DC=symantecdomain,DC=com
    Group Object Class :  group
    Group Attribute :     cn
    Group GID Attribute : cn
    Auth Type :           FLAT
    Admin User :  
    Admin User Password :
    Search Scope :        SUB
    
  5. Set the VCS_DOMAIN and VCS_DOMAINTYPE environment variables as follows:

    • VCS_DOMAIN=symantecdomain.com

    • VCS_DOMAINTYPE=ldap

    For example, for the Bourne Shell (sh) or the Korn shell (ksh), run the following commands:
    # export VCS_DOMAIN=symantecdomain.com
    # export VCS_DOMAINTYPE=ldap
  6. Verify that you can log on to VCS. For example:
    # halogin vcsadmin1 password
    # hasys -state
    VCS NOTICE V-16-1-52563 VCS Login:vcsadmin1
    #System    Attribute    Value
    galaxy     Attribute  RUNNING
    nebula     Attribute  RUNNING

    Similarly, you can use the same LDAP user credentials to log on to the SFCFSHA node using the VCS Cluster Manager (Java Console).

  7. To enable LDAP authentication on other nodes in the cluster, perform the procedure on each of the nodes in the cluster.
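Both procedures above register the domain with an ldap:// server URL, and the listing in step 4 of the Active Directory procedure reports "SSL Enabled : No", so the admin bind and every user authentication travel in cleartext. The following check is an added example, not part of the SFCFSHA guide: it parses the listldapdomains output shown in step 4 (values copied from the page; the label-based parsing is an assumption derived from that output) and flags any domain that binds without SSL/TLS, so it can be run before continuing to step 5.

```shell
#!/bin/sh
# Added example, not from the SFCFSHA guide: audit "vssat listldapdomains"
# output (step 4 of the Active Directory procedure) and flag any domain
# whose bind traffic would be sent in cleartext, i.e. an ldap:// server
# URL combined with "SSL Enabled : No". The listing below is constructed
# from the values shown on the page; only labels the page prints are parsed.

SAMPLE_LISTING='Domain Name :         symantecdomain.com
Server URL :          ldap://192.168.20.32:389
SSL Enabled :         No
User Base DN :        CN=people,DC=symantecdomain,DC=com
Auth Type :           FLAT
Search Scope :        SUB'

# audit_ldap_listing: reads a listing on stdin (one or more domain blocks,
# each starting at a "Domain Name :" line), prints one WARN line per
# cleartext domain and returns 1 if any finding was raised, else 0.
audit_ldap_listing() {
  awk '
    # strip "Label :" and surrounding blanks from a listing line
    function value(line) { sub(/^[^:]*:[ \t]*/, "", line); sub(/[ \t]*$/, "", line); return line }
    function report() {
      if (name != "" && url ~ /^ldap:\/\// && ssl == "No") {
        printf "WARN %s: %s binds without SSL/TLS\n", name, url
        findings++
      }
    }
    /^Domain Name[ \t]*:/ { report(); name = value($0); url = ""; ssl = "" }
    /^Server URL[ \t]*:/  { url = value($0) }
    /^SSL Enabled[ \t]*:/ { ssl = value($0) }
    END { report(); exit (findings > 0) ? 1 : 0 }
  '
}

if printf '%s\n' "$SAMPLE_LISTING" | audit_ldap_listing; then
  echo "no cleartext LDAP domains"
else
  echo "fix the flagged domain(s) (ldaps:// URL or SSL enabled) before step 5"
fi
```

On a live node, replace the constructed listing with the real output: /opt/VRTSvcs/bin/vcsauth/vcsauthserver/bin/vssat listldapdomains | audit_ldap_listing.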