3.5.13 Managing XSCF User Accounts Using Active Directory

The Active Directory settings configure the XSCF as an Active Directory client. They cover the Active Directory server, loading of a server certificate, group names, user privileges, user domains, logging, DNS locator queries, and so on. The XSCF user information itself is managed on the Active Directory server.
The available characters for a user account name for XSCF login are lowercase alphabetic characters, numbers, the hyphen (-), the underscore (_), and the period (.). The name is a combination of up to 31 characters. Uppercase alphabetic characters cannot be used. The first character of the name must be a lowercase alphabetic character.
Even though you can log in using a user account name not fitting the above description, your commands may not work normally. For this reason, use the above-described user account name.
Note - This section does not describe the configuration and management of the Active Directory server. An administrator who is familiar with the Active Directory server should design the Active Directory server.
Note - For the XCP firmware version that supports Active Directory, see the latest Product Notes for your server.
Table 3-14 lists terms related to the Active Directory settings.
Table 3-14  Terms Related to Active Directory
| Term | Description |
|---|---|
| Active Directory | Active Directory is a distributed directory service developed by Microsoft Corporation and available in Windows operating systems. Like the LDAP directory service, it is used for user authentication. |
| User domain | The authentication domain used to authenticate a user. |
| DNS locator query | The query used to ask a DNS server which Active Directory server to use for user authentication. |
The Active Directory provides both user certificate authentication and authorization of a user access level to network resources. The Active Directory uses the authentication to identify specific users before they access the system resources, and to grant specific access privileges to users in order to control their rights to access network resources.

User privileges are either configured on the XSCF or obtained from a server in a network domain based on each user's group membership. A user can belong to more than one group. User domain is the authentication domain used to authenticate a user. The Active Directory authenticates users in the order in which the user domains are configured.

Once authenticated, user privileges can be determined in the following ways:
  1. In the simplest case, user privileges are determined by the Active Directory settings on the XSCF. There is a defaultrole parameter for the Active Directory. If the defaultrole parameter is configured or set, all users that are authenticated via the Active Directory are assigned the user privileges set in the parameter. Users that are set on the Active Directory server require only a password regardless of their group membership.
  2. If the defaultrole parameter is not configured or set, a user privilege is obtained from the Active Directory server based on the user's group membership. On the XSCF, the group parameter must correspond to the group name of an Active Directory server. Each group has a user privilege that is configured on the XSCF and is associated with the group. Once a user is authenticated, the user's group membership is used to determine the user privilege.
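The following Python is an added example, not part of the Fujitsu manual and not XSCF code: it models the login-name rule, the user-domain order, and the two privilege-resolution cases described above so the behaviour can be checked against sample group memberships. The data structures, the case-insensitive comparison of group DNs, and the union of privileges for a user in several groups are assumptions.

```python
import re
from dataclasses import dataclass, field

# Privilege sets the page says are fixed for the built-in group kinds.
ADMIN_ROLES = ("platadm", "useradm", "auditadm")
OPERATOR_ROLES = ("platop", "auditop")

# Login-name rule from the page: a lowercase letter first, then up to 30 more
# lowercase letters, digits, hyphens, underscores or periods (31 in total).
_NAME_RE = re.compile(r"[a-z][a-z0-9._-]{0,30}")


def valid_xscf_name(name: str) -> bool:
    """True if the name fits the XSCF account-name rule."""
    return _NAME_RE.fullmatch(name) is not None


@dataclass
class AdConfig:
    """Hypothetical in-memory mirror of what setad stores (XSCF keeps this internally)."""
    userdomains: list = field(default_factory=list)      # tried in configured order
    defaultrole: tuple = ()                              # empty = not configured
    admin_groups: list = field(default_factory=list)     # group DNs
    operator_groups: list = field(default_factory=list)  # group DNs
    custom_groups: dict = field(default_factory=dict)    # group DN -> roles tuple


def _norm(dn: str) -> str:
    # Assumption: group DNs are matched case-insensitively, as LDAP DNs compare.
    return dn.strip().lower()


def normalize_userdomain(domain: str) -> str:
    """showad shows a domain set as '@example.com' as '<USERNAME>@example.com';
    mirror that so both spellings behave alike."""
    return "<USERNAME>" + domain if domain.startswith("@") else domain


def login_candidates(login: str, cfg: AdConfig) -> list:
    """Principals to authenticate, in order: a domain typed at the login prompt
    (user@domain) is used only for that login; otherwise every configured user
    domain is tried in order with <USERNAME> filled in."""
    if "@" in login:
        return [login]
    return [normalize_userdomain(d).replace("<USERNAME>", login) for d in cfg.userdomains]


def resolve_roles(member_of: list, cfg: AdConfig) -> tuple:
    """Privileges for an authenticated user: a configured defaultrole applies to
    everyone; otherwise group membership decides, with administrator and operator
    privileges fixed and custom groups carrying their configured roles."""
    if cfg.defaultrole:
        return tuple(cfg.defaultrole)
    admin = {_norm(g) for g in cfg.admin_groups}
    oper = {_norm(g) for g in cfg.operator_groups}
    custom = {_norm(g): tuple(r) for g, r in cfg.custom_groups.items()}
    roles = []
    for g in map(_norm, member_of):
        if g in admin:
            roles.extend(ADMIN_ROLES)
        elif g in oper:
            roles.extend(OPERATOR_ROLES)
        elif g in custom:
            roles.extend(custom[g])
    # Assumption: a user in several matching groups gets the union of their
    # privileges; duplicates are dropped while keeping first-seen order.
    return tuple(dict.fromkeys(roles))


# Constructed configuration using the group and domain names shown on this page.
EXAMPLE_CFG = AdConfig(
    userdomains=["@davidc.example.aCompany.com",
                 "CN=<USERNAME>,CN=Users,DC=davidc,DC=example,DC=aCompany,DC=com"],
    admin_groups=["CN=SpSuperAdmin,OU=Groups,DC=davidc,DC=example,DC=aCompany,DC=com"],
    operator_groups=["CN=OpGroup1,OU=SCFTEST,DC=aplle,DC=local"],
    custom_groups={"CN=CtmGroup1,OU=SCFTEST,DC=aplle,DC=local": ("platadm", "platop")},
)
```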
Active Directory setting items and shell commands to be used
Table 3-15 lists the setting items and the corresponding shell commands.
Table 3-15  Active Directory Related Setting Items and Commands to be Used
| Setting Item | Function Description | Shell Command | Remarks |
|---|---|---|---|
| Active Directory status display | Displays the current status of the Active Directory, such as enable/disable of the Active Directory and DNS locator mode. | showad | |
| Active Directory usage enable/disable | Specifies whether to enable or disable the use of the Active Directory server for managing authentication and user privileges. | setad | It is disabled by default. |
| Active Directory server display | Displays the configuration of the primary Active Directory server or up to five alternate Active Directory servers. | showad | A port number "0" indicates that the default port for the Active Directory is used. |
| Active Directory server/port | Specifies IP addresses and port numbers of the primary and up to five alternate Active Directory servers. Either IP addresses or host names can be specified. To specify host names for the Active Directory servers, the server names must be resolvable by the DNS server. | setad | When a port number is not specified, the default port is used. |
| Server certificate load/delete | Loads or deletes the certificates of the primary and up to five alternate servers. | setad | The strictcertmode must be in the disabled state for a certificate to be removed. |
| DNS locator mode enable/disable | Enables or disables the DNS locator mode. | setad | It is disabled by default. |
| DNS locator query display | Displays the configuration of up to five DNS locator queries. | showad | |
| DNS locator query | Configures the DNS locator query. The DNS locator query is used to query a DNS server to determine an Active Directory server to use for user authentication. | setad | DNS and DNS locator mode must be enabled for the DNS locator query to work. |
| Expanded search mode enable/disable | Enables or disables the expanded search mode. The expanded search mode is only enabled when addressing a specific environment where the user account is not in the UserPrincipalName (UPN) format. | setad | It is disabled by default. |
| strictcertmode enable/disable | Enables or disables the strictcertmode. If the strictcertmode is enabled, the certificate of a server must have already been uploaded to the XSCF so that the certificate signatures can be validated when the server certificate is presented. | setad | It is disabled by default. |
| Server certificate display | Displays the certificate information for the primary and up to five alternate servers, and the entire contents of the certificate. | showad | |
| User domain display | Displays user domains. | showad | |
| User domain | Configures up to five user domains. Specify a user domain in the UPN format, where a user name and domain name are connected using the "@" symbol, or in the Distinguished Name (DN) format, which is defined as "uid = user name, ou = organization unit, and dc = domain name." | setad | If a user domain is directly specified using the UPN form at the login prompt, such as "login: ima.admin@dc01.example.com", the user domain is used only for this login. |
| defaultrole display | Displays the defaultrole setting. | showad | |
| defaultrole | Specifies the user privileges assigned to all users that are authenticated via Active Directory. | setad | |
| Group display | Displays the configuration of administrator groups, operator groups, and custom groups. | showad | |
| Administrator group | Assigns group names for up to five administrator groups. The administrator group has platadm, useradm, and auditadm privileges. These privileges cannot be changed. | setad | |
| Operator group | Assigns group names for up to five operator groups. The operator group has platop and auditop privileges. These privileges cannot be changed. | setad | |
| Custom group | Assigns group names and user privileges for up to five groups. | setad | |
| Timeout | Configures the transaction timeout in seconds. You can specify a numeric value from 1 to 20. | setad | The default value is 4 seconds. If a specified timeout is too short for the configuration, the login process or retrieval of the user privilege setting could fail. |
| Log enable/disable | Enables or disables the logging of Active Directory authentication and authorization diagnosis messages. | setad | This log is cleared when the XSCF is rebooted. |
| Log display | Displays Active Directory authentication and authorization diagnosis messages. | showad | |
| Log clear | Clears the logs of Active Directory authentication and authorization diagnosis messages. | setad | |
| Default | Resets the Active Directory settings to their factory defaults. | setad | |
Before configuring the Active Directory settings
Note the following before configuring the Active Directory settings.
  1. Confirm that the XCP version that supports Active Directory is used. For the XCP that supports Active Directory, see the latest Product Notes.
  2. The useradm user privilege is required for the Active Directory settings.
  3. If the XSCF is configured to use LDAP, Active Directory, or LDAP over SSL for user account data, then the user account name and user identifier (if specified) must not already be in use in the XSCF, LDAP, Active Directory, or LDAP over SSL.
  4. To use a host name for an Active Directory server, DNS settings need to be configured properly before setting Active Directory.
  5. In Active Directory, the system account called proxyuser is used. Verify that no user account with that name already exists. If a user account with the name proxyuser exists, then delete the account with the deleteuser command. After deleting the account, reboot the XSCF before using Active Directory.
  6. If Active Directory is enabled and you try to log in via telnet, inquiries to the second and subsequent alternate servers may time out, causing the login to fail.
  7. If the value set by the timeout operand is small, the user privilege may not be assigned to you when you log in to the XSCF. In this case, increase the timeout setting value and try again.
  8. If you are an Active Directory user, you cannot upload a user public key to the XSCF. Active Directory users can log in by connecting to the XSCF via SSH using password authentication.
Enabling or disabling the use of an Active Directory Server
  1. Execute the showad command to display the usage of the Active Directory server.
XSCF> showad
dnslocatormode: disabled
expsearchmode: disabled
state: disabled
strictcertmode: disabled
timeout: 4
logdetail: none
  2. Execute the setad command to enable/disable the use of the Active Directory server.
    In the following example, the use of the Active Directory server is enabled.
XSCF> setad enable
    In the following example, the use of the Active Directory server is disabled.
XSCF> setad disable
  3. Execute the showad command, and check whether Active Directory is enabled or disabled.
    In the following example, the Active Directory is enabled.
XSCF> showad
dnslocatormode: disabled
expsearchmode: disabled
state: enabled
strictcertmode: disabled
timeout: 4
logdetail: none
Setting Active Directory servers and port numbers
  1. Execute the showad command to display the Active Directory server settings.
XSCF> showad server
Primary Server
address: (none)
port: 0
XSCF> showad server -i
Alternate Server 1
address: (none)
port: 0
Alternate Server 2
address: (none)
port: 0
Alternate Server 3
address: (none)
port: 0
Alternate Server 4
address: (none)
port: 0
Alternate Server 5
address: (none)
port: 0
  2. Execute the setad command to set Active Directory servers.
    In the following example, the primary server and port number are specified.
XSCF> setad server 10.24.159.150:8080
    In the following example, alternate servers are specified.
XSCF> setad server -i 1 10.24.159.151
  3. Execute the showad command, and confirm the Active Directory server settings.
XSCF> showad server
Primary Server
address: 10.24.159.150
port: 8080
XSCF> showad server -i
Alternate Server 1
address: 10.24.159.151
port: 0
Alternate Server 2
address: (none)
port: 0
Alternate Server 3
address: (none)
port: 0
Alternate Server 4
address: (none)
port: 0
Alternate Server 5
address: (none)
port: 0
Loading/Deleting the Server Certificate
  1. Execute the showad command to display the server certificate information.
XSCF> showad cert
Primary Server:
certstatus = certificate not present
issuer = (none)
serial number = (none)
subject = (none)
valid from = (none)
valid until = (none)
version = (none)

XSCF> showad cert -i
Alternate Server 1:
certstatus = certificate not present
issuer = (none)
serial number = (none)
subject = (none)
valid from = (none)
valid until = (none)
version = (none)

Alternate Server 2:
... <snip>

Alternate Server 5:
certstatus = certificate not present
issuer = (none)
serial number = (none)
subject = (none)
valid from = (none)
valid until = (none)
version = (none)
  2. Execute the setad command to load the server certificate to the XSCF.
    In the following example, the server certificate of the primary server is loaded using the user name and password.
XSCF> setad loadcert -u yoshi http://domain_2/UID_2333/testcert
Warning: About to load certificate for Primary Server.
Continue? [y|n]: y
Password:
    In the following example, the content of the certificate is copied and pasted on the screen, and the certificate for alternate server 1 is loaded from the console. After pressing the [Enter] key, press the [Ctrl] and [D] keys to complete loading.
XSCF> setad loadcert console
Warning: About to load certificate for Alternate Server 1:
Continue? [y|n]: y
Please enter the certificate:
-----BEGIN CERTIFICATE-----

MIIETjCCAzagAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJVUzET
MBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU2FuIERpZWdvMRkwFwYDVQQK
ExBTdW4gTWljcm9zeXN0ZW1zMRUwEwYDVQQLEwxTeXN0ZW0gR3JvdXAxEjAQBgNV
...
-----END CERTIFICATE-----

[Enter]
[Ctrl]+[D]
  3. Execute the showad command, and confirm that the server certificate has been loaded.
XSCF> showad cert
Primary Server:
certstatus = certificate present
issuer = DC = local, DC = xscf, CN = apl
serial number = 55:1f:ff:c4:73:f7:5a:b9:4e:16:3c:fc:e5:66:5e:5a
subject = DC = local, DC = xscf, CN = apl
valid from = Mar 9 11:46:21 2010 GMT
valid until = Mar 9 11:46:21 2015 GMT
version = 3 (0x02)

XSCF> showad cert -i 1
Alternate Server 1:
certstatus = certificate present
issuer = DC = local, DC = aplle, CN = aplle.local
serial number = 0b:1d:43:39:ee:4b:38:ab:46:47:de:0a:b4:a9:ea:04
subject = DC = local, DC = aplle, CN = aplle.local
valid from = Aug 25 02:38:15 2009 GMT
valid until = Aug 25 02:44:48 2014 GMT
version = 3 (0x02)
  4. Execute the setad command to delete the primary server certificate.
XSCF> setad rmcert
Warning: About to delete certificate for Primary Server.
Continue? [y|n]: y
  5. Execute the showad command, and confirm that the server certificate has been deleted.
XSCF> showad cert
Primary Server:
certstatus = certificate not present
issuer = (none)
serial number = (none)
subject = (none)
valid from = (none)
valid until = (none)
version = (none)
Note - The strictcertmode must be in the disabled state for a certificate to be removed.
Enabling/disabling the DNS locator mode
  1. Execute the showad command to display whether the DNS locator mode is enabled or disabled.
XSCF> showad
dnslocatormode: disabled
expsearchmode: disabled
state: enabled
strictcertmode: disabled
timeout: 4
logdetail: none
  2. Execute the setad command to enable/disable the DNS locator mode.
    In the following example, the DNS locator mode is enabled.
XSCF> setad dnslocatormode enable
    In the following example, the DNS locator mode is disabled.
XSCF> setad dnslocatormode disable
  3. Execute the showad command, and confirm that the DNS locator mode is enabled/disabled.
    In the following example, the DNS locator mode is enabled.
XSCF> showad
dnslocatormode: enabled
expsearchmode: disabled
state: enabled
strictcertmode: disabled
timeout: 4
logdetail: none
Configuring the DNS locator query
Note - Before setting the DNS locator query, enable the DNS locator mode.
  1. Execute the showad command to display the configuration of the DNS locator query.
XSCF> showad dnslocatorquery -i 1
service 1: (none)
XSCF> showad dnslocatorquery -i 2
service 2: (none)
  2. Execute the setad command to configure the DNS locator query.
XSCF> setad dnslocatorquery -i 1 '_ldap._tcp.gc._msdcs..'
  3. Execute the showad command, and confirm the DNS locator query.
XSCF> showad dnslocatorquery -i 1
service 1: _ldap._tcp.gc._msdcs..
Note - DNS and the DNS locator mode must be enabled for the DNS locator query to work.
Enabling/disabling the expanded search mode
  1. Execute the showad command to display whether the expanded search mode is enabled or disabled.
XSCF> showad
dnslocatormode: enabled
expsearchmode: disabled
state: enabled
strictcertmode: disabled
timeout: 4
logdetail: none
  2. Execute the setad command to enable/disable the expanded search mode.
    In the following example, the expanded search mode is enabled.
XSCF> setad expsearchmode enable
    In the following example, the expanded search mode is disabled.
XSCF> setad expsearchmode disable
  3. Execute the showad command, and confirm that the expanded search mode is enabled/disabled.
    In the following example, the expanded search mode is enabled.
XSCF> showad
dnslocatormode: enabled
expsearchmode: enabled
state: enabled
strictcertmode: disabled
timeout: 4
logdetail: none
Enabling/Disabling the strictcertmode
  1. Execute the showad command to display whether the strictcertmode is enabled or disabled.
XSCF> showad
dnslocatormode: enabled
expsearchmode: enabled
state: enabled
strictcertmode: disabled
timeout: 4
logdetail: none
  2. Execute the setad command to enable/disable the strictcertmode.
    In the following example, the strictcertmode is enabled.
XSCF> setad strictcertmode enable
    In the following example, the strictcertmode is disabled.
XSCF> setad strictcertmode disable
  3. Execute the showad command, and confirm that the strictcertmode is enabled/disabled.
    In the following example, the strictcertmode is enabled.
XSCF> showad
dnslocatormode: enabled
expsearchmode: enabled
state: enabled
strictcertmode: enabled
timeout: 4
logdetail: none
Note - To enable the strictcertmode, the server certificate must have already been loaded to the XSCF.
Setting a User Domain
  1. Execute the showad command to display user domains.
XSCF> showad userdomain
domain 1: (none)
domain 2: (none)
domain 3: (none)
domain 4: (none)
domain 5: (none)
  2. Execute the setad command to set user domains.
    In the following example, user domain 1 is set.
XSCF> setad userdomain -i 1 '@davidc.example.aCompany.com'
    In the following example, user domain 2 is set.
XSCF> setad userdomain -i 2 'CN=<USERNAME>,CN=Users,DC=davidc,DC=example,DC=aCompany,DC=com'
  3. Execute the showad command, and confirm the user domains.
XSCF> showad userdomain
domain 1: <USERNAME>@davidc.example.aCompany.com
domain 2: CN=<USERNAME>,CN=Users,DC=davidc,DC=example,DC=aCompany,DC=com
domain 3: (none)
domain 4: (none)
domain 5: (none)
Note - If a user domain is directly specified at the login prompt, such as "login: ima.admin@dc01.example.com", the user domain is used only for this login.
Setting the Default Privilege
  1. Execute the showad command to display the default privilege.
XSCF> showad defaultrole
Default role: (none)
  2. Execute the setad command to set a default privilege.
XSCF> setad defaultrole platadm platop
  3. Execute the showad command, and confirm the default privilege.
XSCF> showad defaultrole
Default role: platadm platop
Setting Group Names and Privileges
  1. Execute the showad command to display group names.
    The following example shows administrator groups.
XSCF> showad group administrator
Administrator Group 1
name: (none)
Administrator Group 2
name: (none)
Administrator Group 3
name: (none)
Administrator Group 4
name: (none)
Administrator Group 5
name: (none)
    The following example shows operator groups.
XSCF> showad group operator
Operator Group 1
name: (none)
Operator Group 2
name: (none)
Operator Group 3
name: (none)
Operator Group 4
name: (none)
Operator Group 5
name: (none)
    The following example shows custom groups.
XSCF> showad group custom
Custom Group 1
name: (none)
roles: (none)
Custom Group 2
name: (none)
roles: (none)
Custom Group 3
name: (none)
roles: (none)
Custom Group 4
name: (none)
roles: (none)
Custom Group 5
name: (none)
roles: (none)
  2. Execute the setad command to set the group names and privileges.
    In the following example, administrator group 1 is set.
XSCF> setad group administrator -i 1 name CN=SpSuperAdmin,OU=Groups,DC=davidc,DC=example,DC=aCompany,DC=com
    In the following example, operator group 1 is set.
XSCF> setad group operator -i 1 name CN=OpGroup1,OU=SCFTEST,DC=aplle,DC=local
    In the following example, custom group 1 is set.
XSCF> setad group custom -i 1 name CN=CtmGroup1,OU=SCFTEST,DC=aplle,DC=local
    In the following example, the privileges of custom group 1 are set.
XSCF> setad group custom -i 1 roles platadm,platop
  3. Execute the showad command, and confirm the group names and privileges.
    In the following example, the administrator groups are confirmed.
XSCF> showad group administrator
Administrator Group 1
name: CN=<USERNAME>,CN=SpSuperAdmin,OU=Groups,DC=davidc,DC=example,DC=aCompany,DC=com
Administrator Group 2
name: (none)
Administrator Group 3
name: (none)
Administrator Group 4
name: (none)
Administrator Group 5
name: (none)
    In the following example, the operator groups are confirmed.
XSCF> showad group operator
Operator Group 1
name: CN=OpGroup1,OU=SCFTEST,DC=aplle,DC=local
Operator Group 2
name: (none)
Operator Group 3
name: (none)
Operator Group 4
name: (none)
Operator Group 5
name: (none)
    In the following example, the custom groups are confirmed.
XSCF> showad group custom
Custom Group 1
name: CN=CtmGroup1,OU=SCFTEST,DC=aplle,DC=local
roles: platadm platop
Custom Group 2
name: (none)
roles: (none)
Custom Group 3
name: (none)
roles: (none)
Custom Group 4
name: (none)
roles: (none)
Custom Group 5
name: (none)
roles: (none)
Note - The administrator group has platadm, useradm, and auditadm privileges, and the operator group has platop and auditop privileges. Neither set of privileges can be changed.
Setting a Timeout
  1. Execute the showad command to display the timeout time.
XSCF> showad
dnslocatormode: enabled
expsearchmode: enabled
state: enabled
strictcertmode: enabled
timeout: 4
logdetail: none
  2. Execute the setad command to set the timeout.
    In the following example, 10 seconds are set as the timeout time.
XSCF> setad timeout 10
  3. Execute the showad command, and confirm the timeout time.
XSCF> showad
dnslocatormode: enabled
expsearchmode: enabled
state: enabled
strictcertmode: enabled
timeout: 10
logdetail: none
Enabling/disabling the logs of Active Directory authentication and authorization diagnosis messages
  1. Execute the showad command to display the log detail level.
XSCF> showad
dnslocatormode: enabled
expsearchmode: enabled
state: enabled
strictcertmode: enabled
timeout: 10
logdetail: none
  2. Execute the setad command to set the log detail level.
    In the following example, the log is enabled and the log detail level is set to trace.
XSCF> setad logdetail trace
    In the following example, the log is disabled.
XSCF> setad logdetail none
  3. Execute the showad command, and confirm the log detail level.
    In the following example, the log detail level is set to trace.
XSCF> showad
dnslocatormode: enabled
expsearchmode: enabled
state: enabled
strictcertmode: enabled
timeout: 10
logdetail: trace
Displaying the Log of Diagnosis Messages and Clearing the Log File
  1. Execute the showad command to display the log detail level.
XSCF> showad
dnslocatormode: enabled
expsearchmode: enabled
state: enabled
strictcertmode: enabled
timeout: 10
logdetail: trace
  2. Execute the showad command to display the diagnosis messages.
    In the following example, diagnosis messages are displayed in real time.
XSCF> showad log -f
Mon Nov 16 14:47:53 2009 (ActDir): module loaded, OPL
Mon Nov 16 14:47:53 2009 (ActDir): --error-- authentication status:
auth-ERROR
Mon Nov 16 14:48:18 2009 (ActDir): module loaded, OPL
:
  3. Execute the setad command to clear the log file of diagnosis messages.
XSCF> setad log clear
Warning: About to clear log file.
Continue? [y|n]: y
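Because the diagnosis log is cleared on every XSCF reboot, an operator who wants to keep or alert on authentication failures has to capture 'showad log' output elsewhere. The following Python is an added example (not from the manual) that parses the line format shown above, joining a message that spills onto a continuation line such as "auth-ERROR", and picks out the entries marked --error--. The sample is constructed from the page's own output lines.

```python
import re
from datetime import datetime

# Line shape shown on the page for 'showad log': a ctime-style timestamp, the
# module in parentheses, a colon, then the message. A message can continue on
# a following line that carries no timestamp; a lone ':' marks truncation.
_LINE_RE = re.compile(
    r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \((\w+)\): (.*)$")

# Constructed sample, taken from the page's 'showad log -f' output.
SAMPLE_LOG = """\
Mon Nov 16 14:47:53 2009 (ActDir): module loaded, OPL
Mon Nov 16 14:47:53 2009 (ActDir): --error-- authentication status:
auth-ERROR
Mon Nov 16 14:48:18 2009 (ActDir): module loaded, OPL
:
"""


def parse_ad_log(text: str) -> list:
    """Return one dict per log record: time, module, error flag, message."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ":":
            continue
        m = _LINE_RE.match(line)
        if m:
            ts, module, msg = m.groups()
            records.append({
                "time": datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"),
                "module": module,
                "error": msg.startswith("--error--"),
                "message": msg.replace("--error--", "", 1).strip(),
            })
        elif records:
            # No timestamp: this is the rest of the previous record's message.
            records[-1]["message"] = (records[-1]["message"] + " " + line).strip()
    return records


def auth_errors(records: list) -> list:
    """Records flagged --error-- by the XSCF, e.g. failed authentications."""
    return [r for r in records if r["error"]]
```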
Resetting the Active Directory Settings to Their Defaults
  1. Execute the showad command to display the setting status of the Active Directory.
XSCF> showad
dnslocatormode: enabled
expsearchmode: enabled
state: enabled
strictcertmode: enabled
timeout: 10
logdetail: trace
  2. Execute the setad command to reset the Active Directory settings to their defaults.
XSCF> setad default -y
Warning: About to reset settings to default.
Continue? [y|n]: y
  3. Execute the showad command, and confirm that the Active Directory settings are reset to their defaults.
XSCF> showad
dnslocatormode: disabled
expsearchmode: disabled
state: disabled
strictcertmode: disabled
timeout: 4
logdetail: none
Logging In With the Active Directory User Account
After completing the settings, confirm that you can log in with an Active Directory user account.