Configuring Active Directory

This topic lists the procedures required to configure Active Directory for use with SAN File System.

Prerequisites

You must complete the steps in Installing Active Directory before completing this procedure.

Context

The following objects must be configured by the domain that is used by SAN File System:

Steps

  1. Add these elements using the Active Directory Users and Computers interface.
    1. Open the Active Directory Users and Computers interface by clicking Start > Programs > Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers interface has two panels. The left panel shows the tree of types, and the right panel shows the existing objects of the type highlighted in the left panel.
    2. In the left panel, click + next to the sanfsdom.net domain to expand it and show its types.
    3. Click the Users type to show the users that exist within the domain.
  2. Add the LDAP_Admin user
    1. With the Users type highlighted (selected) in the left panel in the Active Directory Users and Computers interface, select Action > New > User.
    2. Add the LDAP_Admin user, and fill in the First name and User logon name and click Next. SAN File System uses the User logon name in its LDAP traversal of Active Directory.
    3. Select the Password never expires option and enter the password. Do not select the Disable account or User must change password options. The Administrative agent automatically uses this user and password combination to access Active Directory, so future password changes must be made within Active Directory and the tank.properties file at the same time. (Note that the Administrative agent must be restarted any time a tank.properties value is changed as described in 5.)
    4. Click Next, then Finish. The newly created user appears in the object list.
  3. Add the SAN File System administration group. There are four SAN File System Administration groups, corresponding to the SAN File System administration roles: Administrator, Backup, Operator, and Monitor.
    1. With the Users type highlighted in the Active Directory Users and Computers interface, click Action > New > Group.
    2. Fill in the group name. It should be a Global Security group.
    3. Click OK.
    4. Modify the newly created group to specify its Description property. In the example configurations, the Description property is used by the Administrative agent in searching Active Directory, so it must be the verbatim string corresponding to the SAN File System role, in this case "Administrator" with no trailing spaces.
    5. Click OK.
    6. Repeat the steps in this section to create the groups for each of the other three SAN File System roles (Operator, Backup, and Monitor), in each case modifying the Description property to match the SAN File System role exactly. The other three roles are not necessary to enable basic SAN File System administration. If used, they provide restricted levels of capability within the SAN File System GUI and CLI.
  4. Create users authorized to manage SAN File System. To create an authorized user, you must first create the user, and then specify that it is a member of one of the SAN File System administration groups created in the previous section.
    1. To create a user, follow the same steps described in "Adding the LDAP_Admin user", substituting the user login name that you want to use into the First name and User logon name fields. The password that you specify is the password that must be given to tanktool and the SAN File System console for authentication. If you use the tankpasswd command to specify an administrator password on the SAN File System cluster, it needs to be changed to match the password specified for the authorized user in Active Directory.
    2. After creating the new users, you can create membership in one of the four SAN File System administration groups using one of the following methods:
      • Double-click the group in the Active Directory Users and Computers interface, select the Members tab in the group properties panel, select the user that you want to authorize, and click Add.
      • Double-click the user, select the Member-Of tab in the user properties panel, select the group in which you want to include the user, and click Add. Then click OK.
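
The settings made in the steps above can be verified from an LDAP export of the domain. The following is an added example, not part of the original IBM documentation: it audits the LDAP_Admin account flags and the role groups' Description and group type. The attribute names (userAccountControl, pwdLastSet, groupType, description) are standard Active Directory attributes; the group names and sample entries are constructed, and the check assumes a strict, case-sensitive reading of "verbatim".

```python
# Added example: audit exported Active Directory entries against the
# requirements in the steps above. All sample entries are constructed.

ROLES = ("Administrator", "Backup", "Operator", "Monitor")

# userAccountControl bits and groupType value as defined by Active Directory
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
GROUP_GLOBAL_SECURITY = -2147483646  # 0x80000002 as a signed 32-bit integer


def audit_bind_user(entry):
    """Check the account the Administrative agent binds with (LDAP_Admin)."""
    problems = []
    uac = int(entry["userAccountControl"])
    if uac & UAC_ACCOUNTDISABLE:
        problems.append("account is disabled")
    if not uac & UAC_DONT_EXPIRE_PASSWORD:
        problems.append("'Password never expires' is not set")
    if int(entry["pwdLastSet"]) == 0:  # 0 means change at next logon
        problems.append("'User must change password' is set")
    return problems


def audit_role_groups(groups):
    """Map each role to its group; report Description or type mismatches."""
    found, problems = {}, []
    for g in groups:
        desc = g.get("description", "")
        if desc in ROLES:  # assumption: match must be exact, case included
            if int(g["groupType"]) != GROUP_GLOBAL_SECURITY:
                problems.append(f"{g['cn']}: not a Global Security group")
            found[desc] = g["cn"]
        elif desc.strip().lower() in (r.lower() for r in ROLES):
            problems.append(f"{g['cn']}: Description {desc!r} is not verbatim")
    if "Administrator" not in found:  # the only role needed for basic admin
        problems.append("no group with Description 'Administrator'")
    return found, problems


# Constructed sample data (hypothetical group names, not from the page)
SAMPLE_USER = {"sAMAccountName": "LDAP_Admin",
               "userAccountControl": "66048", "pwdLastSet": "127500000000000000"}
SAMPLE_GROUPS = [
    {"cn": "SANFS_Admins", "description": "Administrator", "groupType": "-2147483646"},
    {"cn": "SANFS_Monitors", "description": "Monitor ", "groupType": "-2147483646"},
    {"cn": "SANFS_Operators", "description": "Operator", "groupType": "-2147483644"},
]
```
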

Postrequisites

Continue with Configuring SAN File System to use Active Directory.

(C) Copyright IBM Corporation 2003, 2004. All Rights Reserved.
IBM TotalStorage SAN File System v2.2