Microsoft Active Directory and LDAP
The array allows you to use either Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP) to provide external authentication server support for managing and authenticating users and groups. When a user logs in to an array, the service authenticates the user based on information in a centralized domain and assigns the appropriate array role to the user. This role specifies which tasks the user can perform.
Using an external authentication server provides:
- Simplified administration. All the users and their permissions are stored in a single location. You can manage the users and set security policies, such as password strength and expiration time, from one location.
- Enhanced security. When you change user settings, you do it in one place, not on multiple arrays. For example, if you delete a user, you perform this action in one place.
Active Directory and LDAP can share a centralized domain that stores information about authorized users, groups, and hardware objects when you select the schema AD during setup.
NOTE: If you configure LDAP using the schema OpenLDAP, there is no connection between Active Directory and LDAP.
The array requires that you only run one service at a time. While you cannot run both Active Directory and LDAP simultaneously, you can easily switch between the services.
IMPORTANT: To switch from Active Directory to LDAP, use the GUI Leave Domain option or the CLI userauth --leave command option. To switch from LDAP, use the GUI Disconnect option or the CLI userauth --delete option. These options remove the current service and its domain authentication. As a result, users who are logged in to the array using that service will no longer be able to perform tasks on the array. Any new operations will result in an error. If the users are not part of the domain you are switching to, they may not be able to log in. Local account access is permitted even if the array has stopped running an external server authentication process.
For more information about these services, see