Initial configuration of Directory Services must be done from the local pureuser account. To do this, access the Purity GUI as the local pureuser account and then navigate to the Directory Service configuration page as follows:
- Click from the System tab, click Directory Services from the Configuration menu in the left panel.
- Click on Edit. A dialog displays.
- Fill in the fields of the dialog with the information gathered from Active Directory.
Use the following descriptions to fill in the fields in the Directory Service fields above.
|
Field |
Input |
|---|---|
|
Enabled |
Select the check box to leverage the directory service to perform user account and permission level searches. |
|
URI |
Enter the universal resource identifier (URI). The URI must include a URL scheme (ldap, or ldaps for LDAP over SSL), the hostname, and the domain. You can optionally specify a port. For example, ldap://ad.company.com configures the Active Directory server with the hostname 'ad' in the domain 'company.com' while specifying the unencrypted LDAP protocol. Note: If you define more than one DC URI here, the URL scheme and domains must match exactly. No mixing of domains is allowed, including subdomains. Acceptable: ldap://mydc.mydomain.com,ldap://mydc2.mydomain.com,ldap://mydc3.mydomain.com Not acceptable: ldap://mydc.mydomain.com,ldap://mydc2.subdomain.mydomain.com,ldap://mydc3.mydomain2.com Not acceptable: ldap://mydc.mydomain.com,ldaps://mydc2.mydomain.com,ldaps://mydc3.mydomain.com Note: The URI entry autofills the Base DN which is case sensitive. Please be sure to match the case used in AD. |
|
Base DN |
Enter the base distinguished name (DN) of the directory service. The Base DN is built from the domain and should consist only of domain components (DCs). For example, for ldap://ad.storage.company.com, the Base DN would be: “DC=storage,DC=company,DC=com” If you leave the field blank, the Base DN will be derived from the URI. Note: The case must match the case used in AD. |
|
Bind User |
Enter the username for the account that is used to perform directory lookups, this should be your LDAP reader account that is not tied to any actual user. Typically speaking, the bind user will be low-level account in AD, and not tied to any actual user. Purity does not require any extra permissions for the Bind user and a non-privileged account with the default users will do for our requirements. However, if you use permissions/ACL's within your provider then the Bind user will require elevated permissions. The password policy for the LDAP reader account should be set to never expire, and change should not be allowed. If the password were to expire or change, Windows users who would normally be able to authenticate with the FlashArray will lose access to the FlashArray using Directory Services. If the password were to change for the LDAP Reader account, the password would need to be set back to the way it was in AD, or updated in the Directory Service configuration to match the new password in AD. Purity uses ldap to heartbeat between the FlashArray and the Domain Controller(s). If the ldap (bind user) account cannot connect to the Domain Controller(s) for any reason, a Warning Alert will be generated and logged. |
|
Bind Password |
Enter the password for the bind user account. Note: If this password expires or changes, you will need to update it here. |
|
Group Base |
Enter the organizational unit (OU) path to the groups that are configured in Active Directory. Groups can be nested. In the following example, SANManagers contains the sub-organizational unit PureGroups: OU=PureGroups,OU=SANManagers All FlashArray configured group common names (CN) must exist in the same OU. Note: Group Base is case sensitive and must match the case used in AD. When entering the groups, don't use quotations. |
|
Array Admin Group |
Enter the common name (CN) of the group of administrators that are allowed to perform every FlashArray operation. Array Admin Group administrators have the same privileges as pureuser. |
|
Storage Admin Group |
Enter the common name (CN) of the group of administrators that are allowed to perform FlashArray storage operations. |
|
Read Only Group |
Enter the common name (CN) of the group of users with read-only privileges on the FlashArray. Note: DO NOT enter the same group name in more than one field. The permissions for the group will be locked down to the lowest level permissions. |
|
Check Peer |
Select the check box to validate the authenticity of the directory servers using the CA Certificate (TLS will be used to secure the connection). When using ldap:// in the URI, this box has no effect. |
|
CA Certificate |
Enter the certificate of the issuing certificate authority. Only one certificate can be configured at a time, so the same certificate authority should be the issuer of all directory server certificates. The certificate should be PEM formatted (base64 encoded) and should not exceed 3000 characters in total length. |