Administrator Guide
Conguring an External Directory Service
Before users can be authenticated with an external directory service, the Data Collector must be congured to use the directory service.
Congure the Data Collector to Use a Directory Service
Congure the Data Collector to use an Active Directory or OpenLDAP directory service.
Prerequisites
• An Active Directory or OpenLDAP directory service must be deployed in your network environment.
• The directory service must meet specic conguration requirements.
– Active Directory: The directory service must be congured to use Kerberos authentication.
– OpenLDAP: The directory service must be congured to use LDAP with the StartTLS extension or LDAPS (LDAP over SSL).
• If the directory service is OpenLDAP, the SSL certicate public key le (DER or PEM encoding) for the directory server must be
exported and transferred to the server that hosts the Data Collector.
• The Data Collector must have network connectivity to the directory service.
• DNS SRV records must be correctly congured in your environment to allow the Data Collector to determine how to interact with the
directory service. If SRV records are not dened or are improperly congured, you must congure the directory service settings
manually.
• The Data Collector requires a user that has permission to query the directory service. For Active Directory, this user must also have a
User Principal Name attribute (username@example.com) on his or her entry in the directory.
• To use Kerberos authentication, you must provide the user name and password for a directory service user who has Administrator
privileges or use an existing service account.
• If a directory service is congured and you want to recongure the Data Collector to use a directory service in a dierent domain, the
directory services conguration must be disabled and applied before you continue.
• To authenticate Active Directory users that belong to domains in a dierent forest, a one-way or two-way trust must be congured
between the local forest and remote forest.
Steps
1
If a Storage Center is selected from the drop-down list, click (Home) in the left navigation pane.
2 Click Data Collector.
The Data Collector view is displayed.
3 Click the Environment tab and then select the Directory Service subtab.
4 Click Edit.
The Service Settings dialog box opens.
5 Congure LDAP settings.
a Select the Enabled checkbox.
b In the Domain eld, type the name of the domain to search.
NOTE
: If the server that hosts the Data Collector belongs to a domain, the Domain eld is automatically populated.
c In the Authentication Bind DN eld, type the Distinguished Name or User Principal Name of the user that the Data Collector
uses to connect to and search the LDAP server. The user name Administrator is not allowed.
• Example Distinguished Name: CN=Firstname Lastname,CN=users,DC=corp,DC=Company,DC=COM
• Example User Principal Name: username@example.com
d In the Authentication Bind Password eld, type the password for the auth bind Distinguished Name.
e If you modied the Domain eld, click Discover to locate the directory service for the specied domain.
6 (Optional) Manually congure the directory service settings.
a From the Type drop-down menu, select Active Directory or OpenLDAP.
b In the Directory Servers eld, type the fully qualied domain name (FQDN) of each directory server on a separate line.
224
Data Collector User Management