Example of an LDAP Setup

The following example takes you through the steps to set up Lightweight Directory Access Protocol (LDAP) to work with an array. This is just an example to provide an extended workflow.

Before you can configure LDAP to connect with the array, you must import the trusted server certificate for the LDAP server to the array. This example uses an internal CA.

After the certificate has been imported, you can set up the LDAP configuration for the array.

  1. Use LDAP to connect to the Active Directory server.
    You need the host name that is used in the certificate and the domain name.
  2. Using a tool such as Administrative Tools > Certificate Authority, locate the certificate and copy it.
    1. Select the certificate and open the certificate properties.
    2. Click View Certificate.
    3. Click the Details tab and select View Certificate.
    4. The Certificate Export Wizard starts. Click Next.
    5. Select Base-64 and click Next.
    6. Browse to where you want to save the copy of the certificate and enter a file name for it.
      You can enter any name you choose.
    7. Click Finish.
      A message is displayed telling you whether your export was successful.
  3. Open the certificate in a tool such as Notepad and copy the certificate chain information.
  4. Log in to the array GUI.
    Make sure you log in with administrator privileges.
  5. Go to Administration > Security > SSL Certificate.
  6. Under Certificate Actions, select Import a Trusted Certificate.
    1. Provide a name for the certificate.
      You might want to give it the same name as the domain; however, you can give it any name you choose.
    2. Paste in the certificate chain information and click Save.
      The certificate now shows up as a trusted certificate. The LDAP server is then treated as a trusted connection when you connect the array to it.
  7. Go to Administration > Security > Directory and select LDAP from the drop-down list.
    Provide the Connection Details and the LDAP Search Details. Most of the fields are self-explanatory. Here are some details for some of the key fields.
    NOTE: The information you enter is divided into sections. In some cases, there is an Add button. These are places where you can add more information if you choose. For example, you can have up to three server URIs. The initial fields allow you to provide information for the first server URI. Selecting Add allows you to provide the details for a second URI. Selecting Add again lets you provide information for a third server URI.
    • Domain. This is the local name for the domain. You can enter any name you choose. You do not need to enter a fully qualified domain name. However, when users log in to the array, they will need to enter the value you enter here as part of their username: <username>@<domain>.
    • Server URL. This must be a valid URL and it must match the host name in the certificate. You can use either "ldap" or "ldaps". You can also provide a port number as part of the URL. For example, you might enter ldaps://wintrust.net:1234.

      You can have up to three server URIs. Use the Add button if you want to have more than one server URI.

    • Schema. Select the schema from the drop-down list. The array currently supports two schemas:
      • AD
      • OpenLDAP
    • Bind User DN. Enter the distinguished name of the account the array binds with. The user must have read and search permissions for the directory, but does not have to be an administrator. For example, if you were setting up information using the server URL above, you might enter something similar to cn=Administrator,cn=Users,dc=wintrust,dc=NET.
    • Base DN. This is the base distinguished name at which searches start. Consider carefully where you want the search to begin: searching the entire domain can take a long time.
    • User Search Base. You can supply a value here to focus the search area on users. You might enter something similar to cn=USERS. The name you enter is relative to the Base DN.

      You can have up to 10 user search base DNs. Use the Add button to provide information for additional user search bases.

    • Group Search Base. You can supply a value here to focus the search area on groups. You might enter something similar to ou=CompanyABC. The name you enter is relative to the Base DN.

      You can have up to 10 group search base DNs. Use the Add button to provide information for additional group search bases.

  8. Click the Connect button.
    The array displays the details about the LDAP directory domain you just created.
  9. In the left navigation pane, go to Users and Groups and add a group.
    You must enter the following information:
    1. The Group Name.
    2. The Role. Select it from the drop-down list. For more information, see Supported Array Roles.
    3. The Inactivity Timeout. Enter this value as minutes.
  10. Click Submit.
  11. Test the new directory domain.
    1. Log out of the array.
    2. Log back in to the array.
      Remember you need to enter <username>@<domain_name> where domain_name is the name of the LDAP domain.
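The values entered in step 7 are easy to get subtly wrong (a Server URL whose host does not match the certificate, a search base that forgets it is relative to the Base DN, a login name that is not in the <username>@<domain> form). The following Python helpers, added here as an illustration and not part of the array's own software, check those values offline the way the array is described as using them. The attribute names sAMAccountName (AD) and uid (OpenLDAP) are an assumption about the two schemas, not something the page states.

```python
"""Offline sanity checks for the LDAP values before entering them in the array GUI."""
from urllib.parse import urlsplit


def parse_server_url(url, cert_hostname):
    """Validate a Server URL: ldap/ldaps scheme, optional port, and a host name
    that matches the name in the imported trusted certificate.
    Returns (scheme, host, port); the default ports are the standard ones."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"scheme must be ldap or ldaps: {url}")
    if not parts.hostname:
        raise ValueError(f"missing host name: {url}")
    if parts.hostname.lower() != cert_hostname.lower():
        raise ValueError(f"{parts.hostname} does not match certificate name {cert_hostname}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.scheme, parts.hostname, port


def search_base(base_dn, relative):
    """User/Group Search Base values are relative to the Base DN, so
    'cn=USERS' under 'dc=wintrust,dc=NET' becomes 'cn=USERS,dc=wintrust,dc=NET'."""
    return f"{relative},{base_dn}" if relative else base_dn


def escape_filter(value):
    """RFC 4515 escaping so characters in a login name cannot alter the filter."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\0" else ch for ch in value)


def user_filter(login, schema, domain):
    """Build the user lookup filter for a '<username>@<domain>' login.
    The domain suffix is the array's local domain name and is stripped, not sent
    to the directory. Assumed attributes: sAMAccountName for AD, uid for OpenLDAP."""
    name, sep, dom = login.rpartition("@")
    if not sep or not name or dom.lower() != domain.lower():
        raise ValueError("login must be <username>@<domain> using the configured domain")
    attr = {"AD": "sAMAccountName", "OpenLDAP": "uid"}[schema]
    return f"({attr}={escape_filter(name)})"


if __name__ == "__main__":
    # Constructed values matching the example in step 7.
    print(parse_server_url("ldaps://wintrust.net:1234", "wintrust.net"))
    print(search_base("dc=wintrust,dc=NET", "cn=USERS"))
    print(user_filter("alice@wintrust", "AD", "wintrust"))
```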