Guidelines for Working with Arrays and LDAP

Lightweight Directory Access Protocol (LDAP) requires that you join an array to an LDAP domain. You must map LDAP groups to the array. Users are assigned to specific LDAP groups, which can have specific array roles.

Login credentials

When you add an LDAP user to a group that is mapped to the array, that user is authorized to log into the array. The login credentials are based on the information you provide when you set up LDAP.

  • Each username must include @<domain_name>. The domain_name is the value you supplied for domain name when you configured LDAP to work with the array.
  • The password is the one you entered when you configured LDAP to work with the array.

Groups and users

LDAP supports up to 100 groups, including groups designed for LDAP internal use. It supports up to 2,000 users.

NOTE: When you add LDAP users, the GIDs and UIDs must be 1,000 or greater. This avoids clashes with system users. The values 0 through 999 are reserved for system use. If an LDAP server user has a GID or UID that is less than 1,000, the authentication fails with a message indicating that the user was not found.

You can have up to 10 user search bases or 10 group search bases or Directory Information Trees (DIT).

Supported schemas

The current LDAP implementation supports the following schemas:

  • OpenLDAP (RFC 2307)
  • Active Directory
NOTE: Custom schemas are not supported.

Supported domains

Currently the array supports only one LDAP domain. Once you set up the domain, it is considered to be in use even if it is disabled.

Disabling and disconnecting an LDAP domain

You can disable LDAP or even disconnect the LDAP domain from the array.

If you disable LDAP, the configuration is considered to be in use; however:

  • You cannot set up any other service. If you attempt to configure a new domain, that effort will fail. You must either delete the disabled domain or re-enable it before you can configure a new domain.
  • Any attempts to join a new, existing domain will fail.
  • All users associated with the domain will be disconnected from the array and no longer able to log in.

If you choose to disconnect the LDAP configuration, the connection with the array is removed completely. Users who relied on LDAP authorization are no longer able to log in to the array.

Connection options

LDAP supports the following connection options:

  • LDAP server host: host name or an IPv4 address
    NOTE: IPv6 is not supported.
  • LDAP server port: 389 for LDAP or 636 for LDAP over TLS/SSL
  • Encryption: StartTLS with port 389. TLS/SSL with port 636.
    NOTE: These are default ports. This information is in each ldap://host:port serve URI and each ldap:// = StartTLS, ldaps:// = TLS/SSL URI. You can change the port numbers in the URI.

Certificate authentication

You must import the CA certificate for the LDAP server before you attempt to connect it to the array. For example:

$ cert --import ldap1ca --trusted
Please enter certificate in PEM format followed by ^D:

For information about how the array works with certificates, see Secure Sockets Layer Certificates.

Performing searches

You can set up your LDAP implementation to perform searches for user and group information. For example, you can configure LDAP to search for a user with a specific name or all the groups that a user is a member of.

Searches are relative to the base Distinguished Name. If you do not specify a search base, LDAP searches from the base Distinguished Name. It is a good practice to limit searches to the part or parts of the directory where you know the users and groups are.

NOTE: A search immediately starts authenticating the search items. If you have a large domain, searching the base domain can take a long time. Restricting the search can increase the speed of the authentications.