Guidelines for Working with Arrays and LDAP

Lightweight Directory Access Protocol (LDAP) requires that you join an array to an LDAP domain. You must map LDAP groups to the array. Users are assigned to specific LDAP groups, which can have specific array roles.

Login credentials

When you add an LDAP user to a group that is mapped to the array, that user is authorized to log into the array. The login credentials are based on the information you provide when you set up LDAP.

  • Each username must include @<domain_name>, where domain_name is the value you supplied for the domain name when you configured LDAP to work with the array.
  • The password is the one you entered when you configured LDAP to work with the array.

Groups and users

LDAP supports up to 100 groups, including groups designed for LDAP internal use. It supports up to 2,000 users.

NOTE: When you add LDAP users, the GIDs and UIDs must be 1,000 or greater. This avoids clashes with system users. The values 0 through 999 are reserved for system use. If an LDAP server user has a GID or UID that is less than 1,000, the authentication fails with a message indicating that the user was not found.

You can have up to 10 user search bases or 10 group search bases, also called Directory Information Trees (DITs).

Supported schemas

The current LDAP implementation supports the following schemas:

  • OpenLDAP (RFC 2307)
  • Active Directory

NOTE: Custom schemas are not supported.

Supported domains

Currently the array supports only one LDAP domain. Once you set up the domain, it is considered to be in use even if it is disabled.

Disabling and disconnecting an LDAP domain

You can disable LDAP or even disconnect the LDAP domain from the array.

If you disable LDAP, the configuration is considered to be in use; however:

  • You cannot set up any other service. If you attempt to configure a new domain, that effort will fail. You must either delete the disabled domain or re-enable it before you can configure a new domain.
  • Any attempt to join a new or existing domain will fail.
  • All users associated with the domain will be disconnected from the array and no longer able to log in.

If you choose to disconnect the LDAP configuration, the connection with the array is removed completely. Users who relied on LDAP authorization are no longer able to log in to the array.

Connection options

LDAP supports the following connection options:

  • LDAP server host: host name or an IPv4 address
    NOTE: IPv6 is not supported.
  • LDAP server port: 389 for LDAP or 636 for LDAP over TLS/SSL
  • Encryption: StartTLS with port 389. TLS/SSL with port 636.
    NOTE: These are the default ports. The server URI carries both the scheme and the port, in the form ldap://host:port, where ldap:// means StartTLS and ldaps:// means TLS/SSL. You can change the port numbers in the URI.

Certificate authentication

You must import the CA certificate for the LDAP server before you attempt to connect it to the array. For example:

$ cert --import ldap1ca --trusted
Please enter certificate in PEM format followed by ^D:
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----

For information about how the array works with certificates, see Secure Sockets Layer Certificates.

Performing searches

You can set up your LDAP implementation to perform searches for user and group information. For example, you can configure LDAP to search for a user with a specific name or all the groups that a user is a member of.

Searches are relative to the base Distinguished Name. If you do not specify a search base, LDAP searches from the base Distinguished Name. It is a good practice to limit searches to the part or parts of the directory where you know the users and groups are.

NOTE: A search immediately starts authenticating the search items. If you have a large domain, searching the base domain can take a long time. Restricting the search can increase the speed of the authentications.
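The rules above for the server URI (ldap:// with StartTLS, ldaps:// with TLS/SSL, IPv4 or host name only), for the UID/GID floor of 1,000, and for the limit of 10 search bases can all be checked before the array is joined to the domain. The following validator is an added example, not part of this guide or of the array's own tooling; uidNumber and gidNumber are the RFC 2307 posixAccount attributes, and the host-name syntax rule is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Limits and defaults stated in the guidelines above
RESERVED_ID_MAX = 999                        # UIDs/GIDs 0..999 are reserved for system use
MAX_SEARCH_BASES = 10                        # up to 10 user search bases or 10 group search bases
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # ldap:// = StartTLS, ldaps:// = TLS/SSL
# Host-name syntax (assumed): dot-separated labels of letters, digits and hyphens
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def _check_host(host):
    """Accept a host name or an IPv4 literal; reject IPv6, which the array does not support."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                       # not an IP literal, so it must be a valid host name
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"invalid host name: {host!r}")
        return
    if addr.version == 6:
        raise ValueError("IPv6 hosts are not supported")

def parse_server_uri(uri):
    """Split an ldap:// or ldaps:// URI into (host, port, encryption).
    The scheme picks the encryption mode and default port; an explicit :port overrides it."""
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    _check_host(parts.hostname or "")        # an empty host fails the host-name check
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return parts.hostname, port, "TLS/SSL" if parts.scheme == "ldaps" else "StartTLS"

def check_posix_ids(entry):
    """List why an RFC 2307 entry (dict of attributes) fails the UID/GID rule; [] means OK."""
    problems = []
    for attr in ("uidNumber", "gidNumber"):
        value = entry.get(attr)
        if value is None:
            problems.append(f"{attr} is missing")
        elif int(value) <= RESERVED_ID_MAX:
            problems.append(f"{attr}={value} is in the reserved range 0-{RESERVED_ID_MAX}")
    return problems

def check_search_bases(bases):
    """Drop duplicate search bases and enforce the limit of MAX_SEARCH_BASES per kind."""
    unique = list(dict.fromkeys(b.strip() for b in bases))
    if len(unique) > MAX_SEARCH_BASES:
        raise ValueError(f"{len(unique)} search bases given, at most {MAX_SEARCH_BASES} allowed")
    return unique
```

Run check_posix_ids over the posixAccount entries you intend to map before enabling the domain; an account such as a service user with uidNumber 500 would otherwise fail with the "user not found" message described above.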