HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)

Fabric OS 6.1.1 administrator guide 79
LDAP in FIPS mode, see "Configuring advanced security features" on page 107. The following are
restrictions when using LDAP:
• Fabric OS 6.1.x and later does not support changing a password through Active Directory.
• There is no automatic migration of newly created users from the local switch database to Active Directory.
This is a manual process, explained later.
• LDAP authentication applies to the local switch only, not to the entire fabric.
Roles for users can be added through the Microsoft Management Console. Groups created in Active
Directory must correspond directly to the RBAC user roles on the switch. Role assignments can be achieved
by including the user in the respective group. A user can be assigned to multiple groups, such as Switch Admin
and Security Admin. For LDAP servers, you can use the ldapCfg --maprole <ldap_role_name> <switch_role>
command to map an LDAP server role to one of the default roles available on a switch. For more
information on RBAC roles, see "Role-Based Access Control (RBAC)" on page 58.
NOTE: All instructions involving Microsoft's Active Directory can be obtained from www.microsoft.com.
Confer with your network administrator prior to configuration for any special
needs your network environment may have.
To set up LDAP:
1. Install a Certificate Authority (CA) certificate on the Windows Active Directory server for LDAP.
Follow Microsoft’s instructions for generating and installing CA certificates on a Windows server.
2. Create a user in Microsoft Active Directory server.
For instructions on how to create a user, see Microsoft documentation to create a user in your Active
Directory.
3. Create a group whose name is the switch's role name, so that the Active Directory group's name is the
same as the switch's role name.
or
Use the ldapCfg --maprole <ldap_role_name> <switch_role> command to map an LDAP
server role to one of the default roles available on the switch.
4. Associate the user with the group by adding the user to the group.
For instructions on how to add a user to a group, see Microsoft documentation for your Active
Directory.
5. Add the user’s Administrative Domains to the CN_list by editing the adminDescription value.
This will map the admin domains to the user name. Multiple admin domains can be added as a string
value separated by the underscore character ( _ ).
To create a user:
To create a user in Active Directory, see www.microsoft.com or Microsoft documentation. There are no
special attributes to set.
To create a group:
To create a group in Active Directory, see www.microsoft.com or Microsoft documentation. There are no
special attributes to set.
To assign the group (role) to the user:
To assign the user to a group in Active Directory, see www.microsoft.com or Microsoft documentation.
You will need to verify that the user has the following attributes:
• The memberOf field contains the login role (Root, Admin, SwitchAdmin, User, etc.) that the user
must use to log in to the switch, or
• If you use a user-defined group, the ldapCfg --maprole <ldap_role_name> <switch_role> command
has been used to map that LDAP server role to one of the default roles available on the switch.
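The Active Directory side of steps 2 through 5 above, scripted with the RSAT ActiveDirectory PowerShell module. This is an added example, not from the HP/Brocade guide: the OU, domain, user name, the SwitchAdmin group name and the Admin Domain string are assumptions chosen to illustrate the procedure, and the ldapCfg line is shown only as a comment because it is typed on the switch, not on the Windows server.

```powershell
# Added example (not part of the Fabric OS guide). Requires the RSAT
# ActiveDirectory module on a domain-joined Windows host with rights to
# create users and groups in the target OU.
Import-Module ActiveDirectory

$ou        = 'OU=SAN,DC=example,DC=com'   # assumed OU
$userName  = 'san-ops'                      # assumed switch user name
$roleGroup = 'SwitchAdmin'                  # must match the switch RBAC role name exactly
$adList    = 'AD1_AD2'                      # assumed Admin Domain list, underscore-separated

# Step 2: create the user. The guide requires no special attributes here.
New-ADUser -Name $userName -SamAccountName $userName -Path $ou `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') -Enabled $true

# Step 3: a group named after the switch role. If an existing group with a
# different name is used instead, map it on the switch with
#   ldapcfg --maprole <ldap_role_name> <switch_role>
if (-not (Get-ADGroup -Filter "Name -eq '$roleGroup'")) {
    New-ADGroup -Name $roleGroup -GroupScope Global -Path $ou
}

# Step 4: role assignment on the switch is simply group membership in AD.
Add-ADGroupMember -Identity $roleGroup -Members $userName

# Step 5: Admin Domains travel in the adminDescription attribute.
Set-ADUser -Identity $userName -Replace @{ adminDescription = $adList }

# Verification: confirm memberOf and adminDescription before trying a switch login.
$u = Get-ADUser -Identity $userName -Properties memberOf, adminDescription
'Groups:'
$u.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
'adminDescription: ' + $u.adminDescription
```

Because the switch derives the user's role from the name of the AD group, whoever can change membership of a group named Admin or SwitchAdmin can grant that switch role; restrict write access to those groups as carefully as you restrict the switch's own admin password.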