This topic lists the procedures required to configure Active Directory
for use with SAN File System.
Prerequisites
You must complete the steps in Installing Active Directory before
completing this procedure.
Context
The following objects must be configured in the domain that is
used by SAN File System:
- A user for the SAN File System Administrative agent to access the contents
of the Active Directory instance. In the following example, this user is called
LDAP_Admin.
- A Global Security Group representing the SAN File System Administrator
role. In the following example, this group is called SANFS_Admins.
- A Global Security Group representing the Operator role (optional).
- A Global Security Group representing the Backup role (optional).
- A Global Security Group representing the Monitor role (optional).
- One or more users who are authorized in the Administrator role.
- Optionally, one or more users who are authorized in the Operator role.
- Optionally, one or more users who are authorized in the Backup role.
- Optionally, one or more users who are authorized in the Monitor role.
Steps
- Add these elements using the Active Directory Users and Computers
interface.
- Open the Active Directory Users and Computers interface by clicking . The Active Directory Users and Computers interface
has two panels. The left panel shows the object types as a tree, and the right panel shows
the existing objects of the type highlighted in the left panel.
- In the left panel, click + next to the sanfsdom.net domain to
expand it and show its types.
- Click Users type to show the users that exist within
the domain.
- Add the LDAP_Admin user
- With the Users type highlighted (selected) in the left
panel in the Active Directory Users and Computers interface, select .
- Enter LDAP_Admin in the First name and User
logon name fields, and click Next. SAN File System uses the User
logon name in its LDAP traversal of Active Directory.
- Select the Password never expires option and enter the
password. Do not select the Disable account or User must change
password options. The Administrative agent automatically uses
this user and password combination to access Active Directory, so future password
changes must be made within Active Directory and the tank.properties file
at the same time. (Note that the Administrative agent must be restarted any
time a tank.properties value is changed as described in 5.)
- Click Next, then Finish. The
newly created user appears in the object list.
- Add the SAN File System administration group. There
are four SAN File System administration groups, corresponding to the SAN File
System administration roles: Administrator, Backup, Operator, and Monitor.
- With the Users type highlighted in the Active Directory
Users and Computers interface, click .
- Fill in the group name. It should be a Global Security
group.
- Click OK.
- Modify the newly created group to specify its Description property. In the example configurations, the Description property is used by
the Administrative agent in searching Active Directory, so it must be the
verbatim string corresponding to the SAN File System role, in this case "Administrator" with
no trailing spaces.
- Click OK.
- Repeat the steps in this section to create the groups for each
of the other three SAN File System roles (Operator, Backup, and Monitor),
in each case modifying the Description property to match the SAN File System
role exactly. The other three roles are not necessary to enable
basic SAN File System administration. If used, they provide restricted levels
of capability within the SAN File System GUI and CLI.
- Create users authorized to manage SAN File System. To
create an authorized user, you must first create the user, and then specify
that it is a member of one of the SAN File System administration groups created
in the previous section.
- To create a user, follow the same steps described in "Adding
the LDAP_Admin user", substituting the user logon name that you want to
use into the First name and User logon name fields. The password
that you specify is the password that must be given to tanktool and the
SAN File System console for authentication. If you use the tankpasswd command
to specify an administrator password on the SAN File System cluster, that password
must be changed to match the password specified for the authorized user
in Active Directory.
- After creating the new users, you can create membership in one
of the four SAN File System administration groups using one of the following
methods:
- Double-click the group in the Active Directory Users and Computers interface,
select the Members tab in the group properties panel, select the user that
you want to authorize, and click Add.
- Double-click the user, select the Member-Of tab in the user properties
panel, select the group in which you want to include the user, and click Add.
Then click OK.
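The same objects can be created and checked from a script instead of the Users and Computers interface. The following is an added example, not part of the SAN File System documentation; it assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host, and every name other than LDAP_Admin, SANFS_Admins and sanfsdom.net is constructed for illustration.

```powershell
# Added example (not from the SAN File System documentation). Assumes the
# ActiveDirectory module is installed; group and user names other than
# LDAP_Admin / SANFS_Admins / sanfsdom.net are constructed placeholders.
Import-Module ActiveDirectory

$domain = 'sanfsdom.net'
# Prompt for both passwords rather than embedding them in the script.
$ldapPwd  = Read-Host -AsSecureString 'Password for LDAP_Admin'
$adminPwd = Read-Host -AsSecureString 'Password for the first SAN FS administrator'

# 1. The lookup account the Administrative agent binds with. The procedure
#    requires "Password never expires" and no forced change at next logon;
#    the same password must also be kept in tank.properties.
New-ADUser -Name 'LDAP_Admin' -GivenName 'LDAP_Admin' -SamAccountName 'LDAP_Admin' `
    -UserPrincipalName "LDAP_Admin@$domain" -AccountPassword $ldapPwd `
    -Enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false

# 2. One Global Security group per role. The agent locates a role's group
#    through the Description attribute, so it must be the exact role string.
$roleGroups = @{
    'Administrator' = 'SANFS_Admins'      # name used in the procedure
    'Operator'      = 'SANFS_Operators'   # constructed names for the
    'Backup'        = 'SANFS_Backup'      #   three optional roles
    'Monitor'       = 'SANFS_Monitors'
}
foreach ($role in $roleGroups.Keys) {
    New-ADGroup -Name $roleGroups[$role] -SamAccountName $roleGroups[$role] `
        -GroupScope Global -GroupCategory Security -Description $role
}

# 3. A user authorized in the Administrator role (constructed name), made a
#    member of the Administrator group.
New-ADUser -Name 'sanfsadmin1' -GivenName 'sanfsadmin1' -SamAccountName 'sanfsadmin1' `
    -UserPrincipalName "sanfsadmin1@$domain" -AccountPassword $adminPwd -Enabled $true
Add-ADGroupMember -Identity 'SANFS_Admins' -Members 'sanfsadmin1'

# 4. Check what the agent will see: exactly one group whose Description is
#    each role string, with no surrounding whitespace (a trailing space
#    breaks the match described in the procedure).
$groups = Get-ADGroup -Filter 'Description -like "*"' -Properties Description
foreach ($role in $roleGroups.Keys) {
    $hits = @($groups | Where-Object { $_.Description.Trim() -eq $role })
    if ($hits.Count -ne 1) { Write-Warning "Role '$role': $($hits.Count) groups match" }
    foreach ($g in $hits) {
        if ($g.Description -ne $role) {
            Write-Warning "Group $($g.Name): Description '$($g.Description)' is not exactly '$role'"
        }
    }
}
```

Run the check in step 4 again after any later edit to the groups, since the agent's role lookup depends on the Description values staying verbatim.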
Postrequisites
Continue with Configuring SAN File System to use Active Directory.