I should be ashamed of myself just posting this, but confession is the first step of healing (or something like that), right? For years, I put off configuring Active Directory LDAP integration for authentication on our storage arrays. Perhaps at the beginning, it was due to complexity and overload, but more recently, it just wasn’t that important to me. We’ve had strong, complex passwords in place on the built-in accounts, so the real “risk” was accountability–who performed an action under that login. So while I begrudge any positive sentiment toward auditors, I’ll throw some props to them for the motivational boost to eliminate these shared access methods.
The funny thing is that most of what follows in this 3-part series was pretty easy. Parts 1 & 2 took a whopping hour or two. Shame on me. So if you’re reading this and have any of these arrays, take the plunge and raise your security posture with an easy afternoon project.
Let’s give this boulder some downhill momentum with the easiest of the three arrays. It only makes sense that Pure takes the cake on this since the rest of what they do is equally simple–initial setup, vCenter Plug-in, volume provisioning, etc.
Pure actually pushes its customers to set up external authentication by restricting the local user database to the “pureuser” account with which all arrays ship. Thus, every admin of Pure knows this default launching point.
- Create a basic domain user account in Active Directory for the bind user
- Create a security group for the array admins
- Add users/groups to the array admins group
- Note the Distinguished Name (DN) where the array admins group resides
- Log in to the Pure Storage array > System > Configuration > Directory Service
- Click “Edit” and configure directory service integration
- Click “Save” and then “Test”
Really short list for PowerShell folks: Tweak & run the script at http://www.purepowershellguy.com/?p=5851
Step 1: Create the “Bind User” for authenticating to AD/LDAP
This step has nothing exceptionally special about it. A plain domain user is all the array needs: it binds with this account only to look up users and their group membership, which any authenticated account can read by default, so give it no group memberships beyond Domain Users and never reuse a human or privileged account for it. Whether you use one such account for all LDAP bind configurations (multiple arrays, vendors, etc.) or one per device or type is a matter of preference. For us, I decided to dedicate an account per array.
So go ahead and create that user (e.g. “puread”), give it a long random password, and store that password in your password vault; you will enter it on the array in Step 6.
Step 2: Create a security group to represent array admins
Create a security group such as “Pure Storage Array Admins”.
Step 3: Add users/groups who will be Pure admins to the group from Step 2
Depending on your organization, these users may be dedicated storage admins, domain admins, or those who previously had access to the shared “pureuser” account. You can nest both users and groups inside the group designated as the “Array Admin Group”.
Add the appropriate Active Directory users and/or groups to the security group from Step 2 and proceed.
Step 4: Note the Distinguished Name (DN) of the folder/OU of the group created in Step 2
The easiest way to pull this information is to enable “Advanced Features” in Active Directory Users & Computers. From the top menu, click View > Advanced Features. Your window will refresh and a lot of previously hidden system folders and objects will appear. You’ll also gain a few extra tabs when viewing AD object properties.
Now, navigate to the location of the group from Step 2. For us, we keep an OU called “Security Groups” for organizational purposes (we like to maintain a tidy shop). Right-click on the OU or folder and click “Properties”. Then select the last tab titled “Attribute Editor”. In the list of attributes, find and select “distinguishedName”. Then click “View”.
Copy the crazy-long value that begins with “OU=…” or “CN=…” and ends with “DC=…”. Put it somewhere handy for Step 6. Its tail, the DC= components (for domain.com that is “DC=domain,DC=com”), becomes the “Base DN”; whatever precedes that tail, for example “OU=Security Groups”, becomes the “Group Base”.
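The Active Directory side of Steps 1 through 4 as one PowerShell run. This is an added example, not code from the original post, from Pure, or from the PowerShell script linked above; it assumes the RSAT ActiveDirectory module, rights to create objects in the OUs it names, and that the OU names, member names and bind account name are placeholders to adapt.

```powershell
# Added example (not from the original post or from Pure): PowerShell for Steps 1-4.
# Assumes the RSAT ActiveDirectory module, that the OUs below already exist, that you
# run it with rights to create objects there, and that every name is a placeholder.
Import-Module ActiveDirectory

$baseDn     = (Get-ADDomain).DistinguishedName   # e.g. DC=domain,DC=com -> the array's "Base DN"
$svcOu      = "OU=Service Accounts,$baseDn"      # assumed OU for service/bind accounts
$groupOu    = "OU=Security Groups,$baseDn"       # assumed OU for the admin group (Step 4's "Group Base")
$bindUser   = 'puread'
$adminGroup = 'Pure Storage Array Admins'

# Step 1: a plain domain user is all the bind account needs. The array only binds with
# it to look up accounts and group membership, which Domain Users can read by default,
# so do not add it to any other group. Generate a long random password and put it in
# your vault. If your policy expires service-account passwords, the array's Bind
# Password must be changed on the same schedule or every admin login starts failing.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$bindPassword = [Convert]::ToBase64String($bytes)   # 44 chars, mixed character classes
New-ADUser -Name $bindUser -SamAccountName $bindUser -Path $svcOu `
    -AccountPassword (ConvertTo-SecureString $bindPassword -AsPlainText -Force) `
    -Enabled $true -CannotChangePassword $true `
    -Description 'LDAP bind account for the Pure Storage array (no interactive use)'

# Step 2: the security group the array maps to its Array Admin role.
New-ADGroup -Name $adminGroup -GroupScope Global -GroupCategory Security -Path $groupOu

# Step 3: the people (and/or groups) who used to share "pureuser" (assumed members).
Add-ADGroupMember -Identity $adminGroup -Members @('alice', 'bob', 'Storage Team')

# Step 4: derive the two values the array wants from the group's DN, e.g.
#   CN=Pure Storage Array Admins,OU=Security Groups,DC=domain,DC=com
#   Base DN    = the DC= tail (the domain root)
#   Group Base = what sits between the group's own CN= RDN and the Base DN
$groupDn   = (Get-ADGroup -Identity $adminGroup).DistinguishedName
$parentDn  = $groupDn.Substring($groupDn.IndexOf(',') + 1)   # drop the CN= RDN (escaped commas in names not handled)
$groupBase = $parentDn.Substring(0, $parentDn.Length - $baseDn.Length).TrimEnd(',')

[pscustomobject]@{
    'Base DN'           = $baseDn
    'Group Base'        = $groupBase    # '' would mean the group sits directly at the Base DN
    'Array Admin Group' = $adminGroup
    'Bind User'         = $bindUser
}
```

The object printed at the end is exactly the set of strings you type into the array in Step 6; the password never appears on screen, so copy it from the vault rather than from the console.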
Step 5: Log in to Pure and go to “Directory Service” configuration
Log in as “pureuser”. Go to “SYSTEM” at the top. On the left, click “Configuration” to expand the options. Then select “Directory Service”.
Step 6: Configure and enable Directory Service integration
- Enabled: Check the box, unless you aren’t ready to go live with integration
- URI: Fill in the LDAP servers in the URI field. You can enter multiple servers with LDAP or LDAPS as long as you separate them by a comma (no spaces). Prefer ldaps:// so that the bind credentials and every admin’s login password are protected in transit. For two servers (placeholder host names), it should look something like this: “ldaps://dc1.domain.com,ldaps://dc2.domain.com”
- Base DN: The simplest way is to use the root of your AD domain. Pure needs to be able to find the Bind User and the Groups/Group Base under this DN. If your domain is “domain.com”, then your Base DN will be “DC=domain,DC=com”.
- Bind User: From Step 1, just the account name, with no domain prefix or DN; e.g. “puread”
- Bind Password: For the Bind User
- Group Base: From Step 4, the part of the DN to the left of the Base DN, without the trailing comma; e.g. “OU=Security Groups”
- Array Admin Group: From Step 2; i.e. “Pure Storage Array Admins”
- Storage Admin Group: (optional) Same idea as the array admin group, but for admins who should only perform storage operations such as volume provisioning and not change array configuration
- Read Only Group: (optional) Similar to the steps above, but for read-only access; I see this potentially for dashboard or NOC monitoring
- Check Peer: (optional, works together with CA Certificate) Leave unchecked for the first test. Unchecked means the array accepts whatever certificate the LDAP server presents, so it cannot tell a real domain controller from something impersonating one; once the test passes, import your CA certificate and check this box for production
- CA Certificate: (optional, works together with Check Peer) Leave unconfigured unless you are enforcing server certificate authenticity; when you do, supply the certificate of the CA that issued your domain controllers’ LDAPS certificates
Your fields should look something like this:
Finally, click “Save”.
After saving, click “Test” and after a few short moments, you should see “LDAP Test Results” with lots of green squares. If it fails to resolve, search, or connect, check your Bind User credentials and your Base DN and Group Base: Group Base, a comma, and then Base DN must together equal the DN of the OU that holds your Array Admin, Storage Admin and Read Only groups.
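A preflight that mirrors what the array’s “Test” button does, so that a wrong Base DN, Group Base or bind credential can be isolated from a workstation before (or after) touching the array: connect, simple bind as the bind user, then search for the Array Admin group under Group Base + Base DN. This is an added example, not code from the original post or from Pure; it uses the .NET System.DirectoryServices.Protocols classes, and the server name, the UPN of the bind user, and the group and OU names are placeholders.

```powershell
# Added example (not from the original post or from Pure): reproduce the array's
# Directory Service "Test" from a Windows workstation. Every name is a placeholder.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping for a value embedded in a search filter; backslash first,
    # so the escapes it produces are not escaped again.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Test-PureLdapConfig {
    param(
        [Parameter(Mandatory)] [string] $Server,               # one host from the URI field
        [int] $Port = 636,                                     # 636 for ldaps://, 389 for ldap://
        [Parameter(Mandatory)] [string] $BaseDn,               # e.g. DC=domain,DC=com
        [string] $GroupBase = '',                              # e.g. OU=Security Groups
        [Parameter(Mandatory)] [string] $GroupName,            # e.g. Pure Storage Array Admins
        [Parameter(Mandatory)] [pscredential] $BindCredential, # user name as UPN, e.g. puread@domain.com
        [switch] $SkipCertificateCheck                         # what "Check Peer" unchecked amounts to
    )
    $r = [ordered]@{ Connect = $false; Bind = $false; Search = $false
                     GroupDn = $null; Members = @(); Error = $null }

    $id   = New-Object -TypeName System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, $Port
    $auth = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, like the array
    $conn = New-Object -TypeName System.DirectoryServices.Protocols.LdapConnection `
                -ArgumentList $id, $BindCredential.GetNetworkCredential(), $auth
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = [TimeSpan]::FromSeconds(10)
    if ($Port -eq 636) {
        $conn.SessionOptions.SecureSocketLayer = $true
        if ($SkipCertificateCheck) {   # accept any certificate: diagnostics only
            $conn.SessionOptions.VerifyServerCertificate = { param($c, $cert) $true }
        }
    }   # port 389 with a simple bind sends the password in clear text; use it only to prove reachability

    try {
        $conn.Bind()                 # TCP/TLS connect and the simple bind both happen here
        $r.Connect = $true; $r.Bind = $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # 81 = server down (DNS, firewall, TLS); 49 = invalid credentials;
        # 8 = strongerAuthRequired (the DC requires signing: use ldaps://)
        $stage = if ($_.Exception.ErrorCode -eq 81) { 'connect' } else { 'bind' }
        $r.Connect = ($stage -eq 'bind')
        $r.Error = "$stage failed: $($_.Exception.Message) (LDAP code $($_.Exception.ErrorCode))"
        return [pscustomobject]$r
    }

    # The array looks for the group under Group Base + Base DN, so search exactly there.
    $searchBase = if ($GroupBase) { "$GroupBase,$BaseDn" } else { $BaseDn }
    $filter = "(&(objectClass=group)(cn=$(ConvertTo-LdapFilterValue $GroupName)))"
    $scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req    = New-Object -TypeName System.DirectoryServices.Protocols.SearchRequest `
                  -ArgumentList $searchBase, $filter, $scope, 'member'
    try {
        $resp = $conn.SendRequest($req)
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # typically noSuchObject: "$GroupBase,$BaseDn" does not name an existing container
        $r.Error = "search failed under ${searchBase}: $($_.Exception.Message)"
        return [pscustomobject]$r
    }
    if ($resp.Entries.Count -ne 1) {
        $r.Error = "search found $($resp.Entries.Count) groups named '$GroupName' under $searchBase"
        return [pscustomobject]$r
    }
    $entry = $resp.Entries[0]
    $r.Search  = $true
    $r.GroupDn = $entry.DistinguishedName
    if ($entry.Attributes.Contains('member')) {   # direct members only; nested groups appear as DNs
        $r.Members = $entry.Attributes['member'].GetValues([string])
    }
    [pscustomobject]$r
}

# Usage (prompts for the bind password so it never lands in shell history):
$cred = Get-Credential -UserName 'puread@domain.com' -Message 'Bind password'
Test-PureLdapConfig -Server 'dc1.domain.com' -BaseDn 'DC=domain,DC=com' `
    -GroupBase 'OU=Security Groups' -GroupName 'Pure Storage Array Admins' -BindCredential $cred
```

Feed it the exact strings you typed into the array. Connect false points at DNS, firewall or TLS between you and the URI hosts; Bind false at the bind user or its password; Search false with a noSuchObject message at a Group Base that does not sit directly under the Base DN; and an empty Members list at Step 3 having been skipped.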
When everything is green, log out of the Pure GUI and log back in with your own Active Directory credentials (an account that is a member of the “Pure Storage Array Admins” group) to start your new path of externally-authenticated life. Do not retire “pureuser”; keep its password in your password vault as the break-glass login for when the directory servers are unreachable, and treat every use of it from now on as a documented exception.
Up Next: Part 2 – LDAP Integration with EMC XtremIO