The following procedures show how to enable the LDAP authentication plug-in module for a cluster that runs in secure mode. This section provides examples for OpenLDAP and for Windows Active Directory.
See the vssat.1m and the atldapconf.1m manual pages.
To enable OpenLDAP authentication for clusters that run in secure mode
Add the LDAP domain to the AT configuration using the vssat command.
The following example adds the LDAP domain, MYENTERPRISE:
# /opt/VRTSat/bin/vssat addldapdomain \
--domainname "MYENTERPRISE.symantecdomain.com" \
--server_url "ldap://my_openldap_host.symantecexample.com" \
--user_base_dn "ou=people,dc=symantecdomain,dc=myenterprise,dc=com" \
--user_attribute "cn" --user_object_class "account" \
--user_gid_attribute "gidNumber" \
--group_base_dn "ou=group,dc=symantecdomain,dc=myenterprise,dc=com" \
--group_attribute "cn" --group_object_class "posixGroup" \
--group_gid_attribute "member" \
--admin_user "cn=manager,dc=symantecdomain,dc=myenterprise,dc=com" \
--admin_user_password "password" --auth_type "FLAT"

Two points to note before you run this in production. The server URL uses ldap:// with no TLS, so the LDAP simple binds that the plug-in performs on behalf of users send their passwords across the network in cleartext; point the domain at a TLS-protected directory and confirm afterwards that vssat listldapdomains reports SSL Enabled : Yes. The --admin_user_password value is passed as a command-line argument, which leaves the bind password in the shell history and exposes it in the process list while the command runs.
Verify that you can successfully authenticate an LDAP user on the VCS nodes.
You must have a valid LDAP user ID and password to run the command. In the following example, authentication is verified for the MYENTERPRISE domain for the LDAP user, vcsadmin1.
galaxy# /opt/VRTSat/bin/vssat authenticate --domain ldap:MYENTERPRISE.symantecdomain.com --prplname vcsadmin1 --broker galaxy:2821
Enter password for vcsadmin1: ##########
authenticate
----------------------
----------------------
Authenticated User vcsadmin1
----------------------
Add the LDAP user to the main.cf file.
# haconf -makerw
# hauser -add "CN=vcsadmin1/CN=people/\
DC=symantecdomain/DC=myenterprise/\
DC=com@myenterprise.symantecdomain.com" -priv Administrator
# haconf -dump -makero
If you want to enable group-level authentication, run the following command, where ldap_group@ldap_domain is the LDAP group principal written in the same CN=.../DC=...@domain form as the user principal above:

# hauser -addpriv \
ldap_group@ldap_domain AdministratorGroup
Verify that the main.cf file has the following lines:
# cat /etc/VRTSvcs/conf/config/main.cf
...
...
cluster clus1 (
        SecureClus = 1
        Administrators = {
                "CN=vcsadmin1/CN=people/DC=symantecdomain/DC=myenterprise/DC=com@myenterprise.symantecdomain.com" }
        AdministratorGroups = {
                "CN=symantecusergroups/DC=symantecdomain/DC=myenterprise/DC=com@myenterprise.symantecdomain.com" }
        )
...
...
Set the VCS_DOMAIN and VCS_DOMAINTYPE environment variables to the LDAP domain and domain type so that the VCS commands authenticate against the LDAP domain. For example, for the Bourne shell (sh or ksh), run the following commands:

# export VCS_DOMAIN=myenterprise.symantecdomain.com
# export VCS_DOMAINTYPE=ldap
Verify that you can log on to VCS. For example:

# halogin vcsadmin1 password
# hasys -state
VCS NOTICE V-16-1-52563 VCS Login:vcsadmin1
#System    Attribute    Value
galaxy     Attribute    RUNNING
nebula     Attribute    RUNNING

Because the password is given as a command-line argument here, it is recorded in the shell history of the account you log on from; clear or disable the history on the node when you verify the login this way.
Similarly, you can use the same LDAP user credentials to log on to the VCS node using the VCS Cluster Manager (Java Console).
To enable LDAP authentication on other nodes in the cluster, perform the procedure on each of the nodes in the cluster.
To enable Windows Active Directory authentication for clusters that run in secure mode
Run the LDAP configuration tool atldapconf with the -d option. The -d option discovers the LDAP attributes of the Active Directory domain and writes them to an LDAP properties file, a prioritized attribute list (AttributeList.txt by default). The syntax is:

# /opt/VRTSat/bin/atldapconf -d -s domain_controller_name_or_ipaddress -u domain_user -g domain_group

For example:

# /opt/VRTSat/bin/atldapconf -d -s 192.168.20.32 \
-u Administrator -g "Domain Admins"
Search User provided is invalid or Authentication is required to proceed further.
Please provide authentication information for LDAP server.
Username/Common Name: symantecdomain\administrator
Password:
Attribute file created.
Run the LDAP configuration tool atldapconf with the -c option. The -c option reads the attribute list and creates a CLI file containing the vssat addldapdomain command that adds the LDAP domain. The syntax is:

# /opt/VRTSat/bin/atldapconf -c -d windows_domain_name

For example:

# /opt/VRTSat/bin/atldapconf -c -d symantecdomain.com
Attribute list file not provided, using default AttributeList.txt.
CLI file name not provided, using default CLI.txt.
CLI for addldapdomain generated.
Run the LDAP configuration tool atldapconf with the -x option. The -x option reads the CLI file (CLI.txt by default) and executes the commands in it to add the domain to the AT configuration.
# /opt/VRTSat/bin/atldapconf -x
List the LDAP domains to verify that the Windows Active Directory server integration is complete.
# /opt/VRTSat/bin/vssat listldapdomains
Domain Name : symantecdomain.com
Server URL : ldap://192.168.20.32:389
SSL Enabled : No
User Base DN : CN=people,DC=symantecdomain,DC=com
User Object Class : account
User Attribute : cn
User GID Attribute : gidNumber
Group Base DN : CN=group,DC=symantecdomain,DC=com
Group Object Class : group
Group Attribute : cn
Group GID Attribute : cn
Auth Type : FLAT
Admin User :
Admin User Password :
Search Scope : SUB
Set the VCS_DOMAIN and VCS_DOMAINTYPE environment variables to the LDAP domain and domain type so that the VCS commands authenticate against the LDAP domain. For example, for the Bourne shell (sh or ksh), run the following commands:

# export VCS_DOMAIN=symantecdomain.com
# export VCS_DOMAINTYPE=ldap
Verify that you can log on to VCS. For example:

# halogin vcsadmin1 password
# hasys -state
VCS NOTICE V-16-1-52563 VCS Login:vcsadmin1
#System    Attribute    Value
galaxy     Attribute    RUNNING
nebula     Attribute    RUNNING
Similarly, you can use the same LDAP user credentials to log on to the VCS node using the VCS Cluster Manager (Java Console).
To enable LDAP authentication on other nodes in the cluster, perform the procedure on each of the nodes in the cluster.
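Both procedures above end with a domain that the AT plug-in reaches over an unencrypted ldap:// URL (the Active Directory listing shows SSL Enabled : No). The script below is an added example, not part of the VCS documentation or of the VRTSat tools: it audits the output of vssat listldapdomains and flags any domain whose server URL is not ldaps:// or whose SSL Enabled field is not Yes, so the check can be run on every node after addldapdomain or atldapconf -x. The first listing is copied from the Active Directory step above; the second is a constructed, hypothetical hardened domain (the ldaps:// host, port 636 and field values are assumptions) showing what a passing listing looks like.

```sh
#!/bin/sh
# Added example (not from the VCS documentation or the VRTSat tools):
# audit a "vssat listldapdomains" listing for transport settings that
# expose LDAP passwords. On a live node run it as
#   /opt/VRTSat/bin/vssat listldapdomains | audit_ldap_domains
# The exit status is the number of findings; 0 means every domain passed.

# Constructed sample 1: the Active Directory listing shown in the procedure.
INSECURE_LISTING='Domain Name : symantecdomain.com
Server URL : ldap://192.168.20.32:389
SSL Enabled : No
User Base DN : CN=people,DC=symantecdomain,DC=com
User Object Class : account
User Attribute : cn
User GID Attribute : gidNumber
Group Base DN : CN=group,DC=symantecdomain,DC=com
Group Object Class : group
Group Attribute : cn
Group GID Attribute : cn
Auth Type : FLAT
Admin User :
Admin User Password :
Search Scope : SUB'

# Constructed sample 2: a hypothetical hardened domain (host, port and
# values are assumptions, not taken from the documentation).
SECURE_LISTING='Domain Name : MYENTERPRISE.symantecdomain.com
Server URL : ldaps://my_openldap_host.symantecexample.com:636
SSL Enabled : Yes
Auth Type : FLAT
Search Scope : SUB'

# Reads a listing on stdin, prints one finding per line and returns the
# number of findings. A listing may hold several domains; each
# "Domain Name" line starts a new record.
audit_ldap_domains() {
    findings=0
    domain='(unknown domain)'
    while IFS= read -r line; do
        # Split "Key : value"; the value itself may contain colons (URLs).
        key=${line%% :*}
        val=${line#*: }
        [ "$val" = "$line" ] && val=''      # "Key :" with an empty value
        case $key in
        'Domain Name')
            domain=$val ;;
        'Server URL')
            case $val in
            ldaps://*) ;;
            ldap://*)
                echo "$domain: server URL $val is unencrypted; simple binds send passwords in cleartext"
                findings=$((findings + 1)) ;;
            *)
                echo "$domain: unrecognised server URL '$val'"
                findings=$((findings + 1)) ;;
            esac ;;
        'SSL Enabled')
            if [ "$val" != 'Yes' ]; then
                echo "$domain: SSL Enabled is '$val'; expected Yes"
                findings=$((findings + 1))
            fi ;;
        esac
    done
    return "$findings"
}

# Convenience wrapper: prints only the number of findings for a listing
# passed as its single argument.
count_findings() {
    if printf '%s\n' "$1" | audit_ldap_domains >/dev/null; then
        echo 0
    else
        echo $?
    fi
}

# Demonstration on the copied Active Directory listing (two findings).
printf '%s\n' "$INSECURE_LISTING" | audit_ldap_domains || :
```

The audit deliberately treats the URL scheme and the SSL Enabled field as two separate findings: a domain that was added with an ldaps:// URL but still reports SSL Enabled : No indicates that the secure transport was not actually negotiated and needs investigating, not just a cosmetic mismatch.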