Securing Administrative Access to your HP 3PAR StoreServ
In this post I will describe how to configure authentication against Active Directory, and how to restrict the LDAP search base used to resolve users to a particular Active Directory Organisational Unit. This keeps LDAP lookups from traversing your entire AD infrastructure and, just as importantly, means only accounts that live under that OU can be resolved and log in to the array at all.
The StoreServ uses RBAC (Role-Based Access Control), which maps a user or group of users to an administrative role. It is important to know that the authorisation map 'super-map' grants every member of the AD group it names super-user privileges on the array, so membership of that group should be controlled as tightly as the local 'super' accounts.
Additional maps can be added to grant lower levels of access rights to other groups for operations performed on the StoreServ.
Note: Presently there is no way of adding additional LDAP servers for redundancy, which makes the configured server a single point of failure; hopefully this will be addressed in a future release. I would also recommend using the CLI, as some of these attributes cannot be set from the Management Console.
If the configured LDAP server has failed or its IP address has changed, you will need to log in to the StoreServ Management Console with a local account configured on the StoreServ and specify an alternative server. For that reason keep at least one local super account, and protect its password accordingly.
For the purposes of this demonstration the '3PARAdmins' AD security group has been created; the DN of this security group will be mapped to the StoreServ 'super-map' authorisation group. The user viGareth.H has been added to the AD security group.
The IP address of the StoreServ is : 172.16.20.1
The IP address of the Domain Controller is: 172.16.12.1
The FQDN name of the Domain Controller is: dc01.vikernel.com
Target Search OU = "OU=Resources,OU=ITSVD,OU=EMEA,DC=vikernel,DC=com"
Authorisation Group = "CN=3PARAdmins,OU=Security,OU=EMEA,DC=vikernel,DC=com"
Administrator = "CN=H\, viGareth,OU=Administrators,OU=Resources,OU=ITSVD,OU=EMEA,DC=vikernel,DC=com"
Note: When defining the 'kerberos-realm' it must be entered in upper case; Kerberos realm names are case-sensitive, and an AD realm is the DNS domain name in capitals. The 'ldap-server-hn' value must be the domain controller's own host name rather than an alias, because the GSSAPI bind requests a Kerberos service ticket for that exact name.
Now let's configure the StoreServ to use Active Directory to authenticate users. Binding with SASL/GSSAPI (Kerberos) rather than a simple bind means the user's password is never sent to the domain controller in the clear over the ldap:// connection.
Log in to the StoreServ via the CLI.
SSH to 172.16.20.1 (the StoreServ cluster IP).
Enter the following:
3PAR-PRD01 cli% setauthparam -f ldap-server 172.16.12.1
3PAR-PRD01 cli% setauthparam -f ldap-server-hn dc01.vikernel.com
3PAR-PRD01 cli% setauthparam -f kerberos-realm VIKERNEL.COM
3PAR-PRD01 cli% setauthparam -f binding sasl
3PAR-PRD01 cli% setauthparam -f sasl-mechanism GSSAPI
3PAR-PRD01 cli% setauthparam -f accounts-dn "OU=Resources,OU=ITSVD,OU=EMEA,DC=vikernel,DC=com"
3PAR-PRD01 cli% setauthparam -f account-obj user
3PAR-PRD01 cli% setauthparam -f account-name-attr sAMAccountName
3PAR-PRD01 cli% setauthparam -f memberof-attr memberOf
3PAR-PRD01 cli% setauthparam -f super-map "CN=3PARAdmins,OU=Security,OU=EMEA,DC=vikernel,DC=com"
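To make the effect of these parameters concrete, here is an added example (my own code, not from the original post and not HP's implementation) that models the lookup the StoreServ performs with the values above: a subtree search rooted at accounts-dn for an object of class account-obj whose account-name-attr matches the login name, followed by mapping the entry's memberOf values onto the role maps. It runs against a constructed in-memory directory. The browse-map group, the svc-backup, jane.smith and bob.jones accounts, and the rule that the most privileged matching map wins are assumptions for the demo. It shows two things the command list alone does not: a user outside accounts-dn is never found even when they are in 3PARAdmins, and a user inside it whose groups map to nothing authenticates but receives no role.

```python
"""Added example, not code from the original post or from HP: a model of the
lookup the StoreServ performs with the setauthparam values above (search base,
object class, name attribute, memberOf and the role maps), run against a
constructed in-memory directory. Role precedence and the extra accounts are
assumptions for the demo."""
import re

# Values from the post. browse-map and the group it names are hypothetical.
AUTH_PARAMS = {
    "accounts-dn": "OU=Resources,OU=ITSVD,OU=EMEA,DC=vikernel,DC=com",
    "account-obj": "user",
    "account-name-attr": "sAMAccountName",
    "memberof-attr": "memberOf",
    # Keeps the stray spaces from the post's super-map value on purpose, to
    # show that DN comparison must normalise them away.
    "super-map": "CN=3PARAdmins ,OU=Security,OU=EMEA,DC= vikernel,DC=com",
    "browse-map": "CN=3PARReadOnly,OU=Security,OU=EMEA,DC=vikernel,DC=com",
}

# Most privileged first. That the most privileged matching map wins when a
# user is in several mapped groups is an assumption of this model.
ROLE_MAPS = [("super", "super-map"), ("service", "service-map"),
             ("edit", "edit-map"), ("browse", "browse-map")]


def normalize_dn(dn):
    """Canonical form for comparing DNs: attribute types and values are
    treated case-insensitively and whitespace around separators is
    insignificant (RFC 4514). An escaped comma (\\,) inside a value is not
    a separator."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn.strip()):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(out)


def in_subtree(entry_dn, base_dn):
    """True if entry_dn is the base or below it (search scope 'sub')."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return entry == base or entry.endswith("," + base)


def ldap_escape(value):
    """RFC 4515 escaping for a value interpolated into a search filter, so a
    login name such as 'x)(cn=*' cannot change the filter's meaning."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def build_filter(params, username):
    """The filter checkpassword reports, e.g.
    (&(objectClass=user)(sAMAccountName=viGareth.H))."""
    return (f"(&(objectClass={params['account-obj']})"
            f"({params['account-name-attr']}={ldap_escape(username)}))")


def resolve(params, directory, username):
    """Return (dn, role). dn is None when no entry under accounts-dn matches
    (authentication cannot proceed); role is None when the entry is found but
    none of its groups is mapped (authenticated, not authorised)."""
    for entry in directory:
        if not in_subtree(entry["dn"], params["accounts-dn"]):
            continue
        if params["account-obj"] not in entry.get("objectClass", []):
            continue
        if entry.get(params["account-name-attr"], "").lower() != username.lower():
            continue
        groups = {normalize_dn(g) for g in entry.get(params["memberof-attr"], [])}
        for role, key in ROLE_MAPS:
            mapped = params.get(key)
            if mapped and normalize_dn(mapped) in groups:
                return entry["dn"], role
        return entry["dn"], None
    return None, None


# Constructed directory. Only the first entry is from the post.
DIRECTORY = [
    {"dn": "CN=H\\, viGareth,OU=Administrators,OU=Resources,OU=ITSVD,OU=EMEA,DC=vikernel,DC=com",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "viGareth.H",
     "memberOf": ["CN=3PARAdmins,OU=Security,OU=EMEA,DC=vikernel,DC=com"]},
    # Hypothetical: in 3PARAdmins but outside accounts-dn, so never found.
    {"dn": "CN=svc-backup,OU=ServiceAccounts,OU=EMEA,DC=vikernel,DC=com",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "svc-backup",
     "memberOf": ["CN=3PARAdmins,OU=Security,OU=EMEA,DC=vikernel,DC=com"]},
    # Hypothetical: inside accounts-dn, only in the group mapped to browse.
    {"dn": "CN=Smith\\, Jane,OU=Users,OU=Resources,OU=ITSVD,OU=EMEA,DC=vikernel,DC=com",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "jane.smith",
     "memberOf": ["CN=3PARReadOnly,OU=Security,OU=EMEA,DC=vikernel,DC=com"]},
    # Hypothetical: inside accounts-dn but in no mapped group at all.
    {"dn": "CN=Jones\\, Bob,OU=Users,OU=Resources,OU=ITSVD,OU=EMEA,DC=vikernel,DC=com",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "bob.jones",
     "memberOf": ["CN=Helpdesk,OU=Security,OU=EMEA,DC=vikernel,DC=com"]},
]

if __name__ == "__main__":
    for name in ("viGareth.H", "svc-backup", "jane.smith", "bob.jones"):
        print(name, build_filter(AUTH_PARAMS, name),
              resolve(AUTH_PARAMS, DIRECTORY, name))
```

Running it prints the resolved DN and role for each name: viGareth.H gets super, jane.smith gets browse, bob.jones is found but has no role, and svc-backup is not found at all because its entry sits outside the search base. The escaping in build_filter is what a well-behaved LDAP client does with a login name; whether the array itself escapes is not something this post shows, which is one more reason to keep the search base narrow.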
Troubleshooting:
To check that an AD user can be resolved, use the 'checkpassword <user>' 3PAR command. It is useful for troubleshooting login issues: Kerberos relies on accurate time synchronisation, and if the array's clock differs from the domain controller's by more than the KDC's permitted skew, ticket requests are refused and LDAP login fails. Here is what happens when the time between the DC and the StoreServ is not set correctly.
3PAR-PRD01 cli% checkpassword viGareth.H
password:
+ attempting authentication and authorization using system-local data
+ authentication denied: unknown username
+ attempting authentication and authorization using LDAP
+ using Kerberos configuration file:
[domain_realm]
dc01.vikernel.com = VIKERNEL.COM
[realms]
VIKERNEL.COM = {
kdc = dc01.vikernel.com
}
+ temporarily setting name-to-address mapping: dc01.vikernel.com -> 172.16.12.1
+ attempting to obtain credentials for "viGareth.H@VIKERNEL.COM"
+ Kerberos credentials denied: Clock skew too great
user viGareth.H is not authenticated or not authorized
3PAR-PRD01 cli%
How to check the time on the StoreServ array:
3PAR-PRD01 cli% showdate
Node Date
0 2013-07-01 22:52:17 BST (Europe/London)
1 2013-07-01 22:52:35 BST (Europe/London)
2 2013-07-01 22:52:33 BST (Europe/London)
3 2013-07-01 22:52:30 BST (Europe/London)
Setting the time on the StoreServ array:
The date/time argument is given in MMDDhhmmCCYY format (month, day, hours, minutes, century, year). Setting the clock by hand is a one-off fix; to keep the array in step with the domain controllers, point it at the same NTP source they use (setnet ntp).
3PAR-PRD01 cli% setdate 070115002013
Node 0 time set to 2013-07-01 15:00:00 BST
Node 1 time set to 2013-07-01 15:00:00 BST
Node 2 time set to 2013-07-01 15:00:00 BST
Node 3 time set to 2013-07-01 15:00:00 BST
3PAR-PRD01 cli%
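As an added example (my own code, not from the original post or from HP), the following checks the per-node clock readings above against a reference time before chasing Kerberos errors, and builds the argument setdate expects. The showdate text embedded in it is the post's own output; the domain controller's time is constructed for the demo, and the 5 minute tolerance is the usual Kerberos/AD default rather than a value the post states. All times are assumed to be in the single zone the array prints for every node.

```python
"""Added example, not from the original post: check each StoreServ node's
clock against a reference time (the domain controller's) before chasing
Kerberos errors, and produce the argument setdate expects. The showdate text
is the post's output; the reference time is constructed. All times are
assumed to be in the one zone the array prints for every node."""
import re
from datetime import datetime, timedelta

# Maximum clock skew a Kerberos KDC tolerates by default (5 minutes for AD).
MAX_SKEW = timedelta(minutes=5)

SHOWDATE_OUTPUT = """\
Node Date
0 2013-07-01 22:52:17 BST (Europe/London)
1 2013-07-01 22:52:35 BST (Europe/London)
2 2013-07-01 22:52:33 BST (Europe/London)
3 2013-07-01 22:52:30 BST (Europe/London)
"""

LINE_RE = re.compile(r"^(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)")


def parse_time(text):
    """'YYYY-MM-DD HH:MM:SS' -> naive datetime (zone handled by convention)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_showdate(text):
    """Map node number -> datetime from showdate output. Raises if the nodes
    do not all report the same zone abbreviation, which would make a naive
    comparison meaningless."""
    nodes, zones = {}, set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            nodes[int(m.group(1))] = parse_time(m.group(2))
            zones.add(m.group(3))
    if len(zones) > 1:
        raise ValueError(f"nodes report different zones: {sorted(zones)}")
    return nodes


def node_spread_seconds(nodes):
    """Largest difference between any two nodes' clocks, in seconds."""
    times = list(nodes.values())
    return (max(times) - min(times)).total_seconds()


def clock_report(nodes, reference):
    """Per node: signed offset from the reference in seconds and whether the
    KDC would still accept a ticket request from that node."""
    return {n: {"offset_s": (t - reference).total_seconds(),
                "within_skew": abs(t - reference) <= MAX_SKEW}
            for n, t in nodes.items()}


def setdate_arg(when):
    """Format a datetime as the MMDDhhmmCCYY string setdate takes."""
    return when.strftime("%m%d%H%M%Y")


if __name__ == "__main__":
    nodes = parse_showdate(SHOWDATE_OUTPUT)
    dc_now = parse_time("2013-07-01 15:00:00")   # constructed DC time
    print(f"node spread: {node_spread_seconds(nodes):.0f}s")
    for node, r in clock_report(nodes, dc_now).items():
        print(f"node {node}: offset {r['offset_s']:+.0f}s "
              f"{'OK' if r['within_skew'] else 'EXCEEDS KERBEROS SKEW'}")
    print("setdate", setdate_arg(dc_now))
```

With the post's readings every node is almost eight hours ahead of the reference, so all four fail the skew check, which is exactly the "Clock skew too great" result checkpassword reported; the 18 second spread between nodes is also worth noticing, since a login can be serviced by any node.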
Now let's run the checkpassword command again to confirm that the clock is set correctly.
3PAR-PRD01 cli% checkpassword viGareth.H
password:
+ attempting authentication and authorization using system-local data
+ attempting authentication and authorization using LDAP
+ using Kerberos configuration file:
[domain_realm]
dc01.vikernel.com = VIKERNEL.COM
[realms]
VIKERNEL.COM = {
kdc = dc01.vikernel.com
}
+ temporarily setting name-to-address mapping: dc01.vikernel.com -> 172.16.12.1
+ attempting to obtain credentials for "viGareth.H@VIKERNEL.COM"
+ connecting to LDAP server using URI: ldap://dc01.vikernel.com
+ binding to user "viGareth.H" with SASL mechanism GSSAPI
+ searching LDAP using: search base: OU=Resources,OU=ITSVD,OU=EMEA,DC=vikernel,DC=com
scope: sub
filter: (&(objectClass=user)(sAMAccountName=viGareth.H)) for attributes: memberOf
+ search result DN: CN=H\, viGareth,OU=Administrators,OU=Resources,OU=ITSVD,OU=EMEA,DC=vikernel,DC=com
user viGareth.H is authenticated and authorized
Reference Documents