Administrator Guide
Authenticating Users with an External Directory Service
The Data Collector can be configured to authenticate Storage Manager users with an Active Directory or OpenLDAP directory
service. If Kerberos authentication is also configured, users can log in with the Client automatically using their Windows session
credentials.
Storage Manager access can be granted to directory service users and groups that belong to the domain to which the Data
Collector is joined. For Active Directory, access can also be granted to users and groups that belong to domains in the same forest,
as well as domains that belong to forests for which one-way or two-way trusts are configured.
Configuring an External Directory Service
Before users can be authenticated with an external directory service, the Data Collector must be configured to use the directory
service.
Configure the Data Collector to Use a Directory Service
Use the Data Collector Manager to configure the Data Collector to use an Active Directory or OpenLDAP directory service.
Prerequisites
• An Active Directory or OpenLDAP directory service must be deployed in your network environment.
• The directory service must meet specific configuration requirements.
– Active Directory: The directory service must be configured to use Kerberos authentication.
– OpenLDAP: The directory service must be configured to use LDAP with the StartTLS extension or LDAPS (LDAP over
SSL).
• If the directory service is OpenLDAP, the SSL certificate public key file (DER or PEM encoding) for the directory server must be
exported and transferred to the server that hosts the Data Collector.
• The Data Collector must have network connectivity to the directory service.
• DNS SRV records must be correctly configured in your environment to allow the Data Collector to determine how to interact
with the directory service. If SRV records are not defined or are improperly configured, you must configure the directory service
settings manually.
• The Data Collector requires a user that has permission to query the directory service. For Active Directory, this user must also
have a User Principal Name attribute (username@example.com) on his or her entry in the directory.
• To use Kerberos authentication, you must provide the user name and password for a directory service user who has
Administrator privileges or use an existing service account.
• If a directory service is configured and you want to reconfigure the Data Collector to use a directory service in a different
domain, the directory services configuration must be disabled and applied before you continue.
• To authenticate Active Directory users that belong to domains in a different forest, a one-way or two-way trust must be
configured between the local forest and remote forest.
Steps
1. Expand the Dell Storage Manager menu, and then click Data Collector.
2. Click the Server tab, then click the Directory Service subtab.
3. Click Edit. The Server Agent dialog box opens.
4. Configure LDAP settings.
a. Select the Enable Directory Services check box.
b. In the Domain field, type the name of the domain to search.
NOTE: If the server that hosts the Data Collector belongs to a domain, the Domain field is automatically
populated.
c. In the Authentication Bind DN field, type the Distinguished Name or User Principal Name of the user that the Data
Collector uses to connect to and search the LDAP server. The user name Administrator is not allowed.
• Example Distinguished Name: CN=Firstname Lastname,CN=users,DC=corp,DC=Company,DC=COM
• Example User Principal Name: username@example.com
d. In the Authentication Bind Password field, type the password for the auth bind Distinguished Name.
148
Storage Manager User Management