Administrator Guide
Authenticating Users with an External Directory Service
The Data Collector can be configured to authenticate Storage Manager users with an Active Directory or OpenLDAP directory service. If
Kerberos authentication is also configured, users can log in with the Client automatically using their Windows session credentials.
Storage Manager access can be granted to directory service users and groups that belong to the domain to which the Data Collector is
joined. For Active Directory, access can also be granted to users and groups that belong to domains in the same forest, as well as domains
that belong to forests for which one-way or two-way trusts are configured.
Configuring an External Directory Service
Before users can be authenticated with an external directory service, the Data Collector must be configured to use the directory service.
Configure the Data Collector to Use a Directory Service
Configure the Data Collector to use an Active Directory or OpenLDAP directory service.
Prerequisites
• An Active Directory or OpenLDAP directory service must be deployed in your network environment.
• The directory service must meet specific configuration requirements.
– Active Directory: The directory service must be configured to use Kerberos authentication.
– OpenLDAP: The directory service must be configured to use LDAP with the StartTLS extension or LDAPS (LDAP over SSL).
• If the directory service is OpenLDAP, the SSL certificate public key file (DER or PEM encoding) for the directory server must be
exported and transferred to the server that hosts the Data Collector.
• The Data Collector must have network connectivity to the directory service.
• DNS SRV records must be correctly configured in your environment to allow the Data Collector to determine how to interact with the
directory service. If SRV records are not defined or are improperly configured, you must configure the directory service settings
manually.
• The Data Collector requires a user that has permission to query the directory service. For Active Directory, this user must also have a
User Principal Name attribute (username@example.com) on his or her entry in the directory.
• To use Kerberos authentication, you must provide the user name and password for a directory service user who has Administrator
privileges or use an existing service account.
• If a directory service is configured and you want to reconfigure the Data Collector to use a directory service in a different domain, the
directory services configuration must be disabled and applied before you continue.
• To authenticate Active Directory users that belong to domains in a different forest, a one-way or two-way trust must be configured
between the local forest and remote forest.
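The OpenLDAP prerequisite above has the directory server's certificate exported as DER or PEM and transferred to the Data Collector host. The following Python code is an added example, not part of the product or this guide: it checks that the transferred file holds exactly one certificate and no private key, and that its SHA-256 fingerprint matches the exported copy whichever encoding each side used. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of a single certificate given PEM or DER input."""
    # Only the public certificate should leave the directory server.
    if b"PRIVATE KEY-----" in data:
        raise ValueError("file contains a private key; export the certificate only")
    if data.lstrip().startswith(PEM_HEADER.encode()):
        text = data.decode("ascii")
        if text.count(PEM_HEADER) != 1:
            raise ValueError("expected exactly one certificate, found a bundle")
        return ssl.PEM_cert_to_DER_cert(text)
    if data[:1] == b"\x30":  # DER certificates begin with an ASN.1 SEQUENCE tag
        return data
    raise ValueError("not a PEM or DER encoded certificate")


def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER form, so PEM and DER copies compare equal."""
    return hashlib.sha256(to_der(data)).hexdigest()


def same_certificate(exported: bytes, transferred: bytes) -> bool:
    """True when both files carry the same certificate, in either encoding."""
    return fingerprint(exported) == fingerprint(transferred)


# Constructed placeholder bytes shaped like a DER SEQUENCE; not a real certificate.
SAMPLE_DER = b"\x30\x0a" + bytes(range(10))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    print("exported   :", fingerprint(SAMPLE_DER))
    print("transferred:", fingerprint(SAMPLE_PEM))
    print("match      :", same_certificate(SAMPLE_DER, SAMPLE_PEM))
    # A copy damaged in transit (last byte changed) must not match.
    damaged = SAMPLE_DER[:-1] + b"\xff"
    print("damaged    :", same_certificate(SAMPLE_DER, damaged))
```

In practice, read both files with `open(path, "rb").read()` and compare the fingerprint computed on the directory server with the one computed on the Data Collector host.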
Steps
1 Connect to the Data Collector.
a Open a web browser.
b Type the address of the Data Collector in the web browser using the following format:
https://data_collector_host_name_or_IP_address:3033/
c Press Enter.
The Storage Manager login page is displayed.
d Type the user name and password of a Data Collector user with Administrator privileges in the User Name and Password field.
e Click Log In.
2 If a Storage Center is selected from the drop-down list, click (Home) in the left navigation pane.
3 Click Data Collector.
Storage Manager User Management