Best practices
• Create a unique group in the CMC for the Active Directory association. Use a name and
description that signifies the Active Directory association. See “Adding administrative groups”
(page 78).
• Create a separate SAN/iQ ‘administrator’ group in Active Directory.
• Create a unique user in Active Directory to use as the Bind user for the management group
to allow for communication between storage and Active Directory. This user configuration
helps to ensure clarity and ease of management.
NOTE: HP recommends using local SAN/iQ user credentials for any client applications that use
cached credentials, such as the Application Aware Snapshot Manager, the Recovery Manager,
the CLI, or VSS. If the first Active Directory server in the list is unreachable, or offline, the CMC
does not show an error or warning. However, operations such as logging in, changing
configurations, and so on, will experience a delay.
Changing Active Directory user passwords
After changing an Active Directory password for a user who has permission to log in to a
management group, that change will take up to 5 minutes or longer to take effect across multiple
Domain Controllers, depending upon the Active Directory configuration. During that period, the
user still can log in to the management group using the old password.
Changing Active Directory user permissions
If you change permissions in the Active Directory group for an Active Directory user, that user must
log out of the management group or close the CMC for the change to take effect.
Configuring external authentication
Use the Active Directory credentials to configure external authentication and then associate the
external authentication group with a local SAN/iQ group.
1. Log in to the management group, and select the Administration category.
2. Click Administration Tasks and select Configure External Authentication.
3. Enter the Bind User Name and Bind Password.
4. Enter one or more Active Directory server IP addresses or server names.
The port numbers default to standard ports: 389 for unsecured servers and 636 for secure
servers.
5. If you are using secure servers, select These are secure Active Directory servers (LDAPS).
6. Click Find Base DN.
7. Optional: Add one or more User Context entries.
8. Click Validate Active Directory to ensure the configuration is correct.
9. Click Save to finish.
Associating the Active Directory group with the SAN/iQ group
1. Select the Administration category of the desired management group.
2. Select the group to associate to the external group, click Administration Tasks and select Edit
Group.
3. Ensure the group permissions are set correctly and that the group contains the desired users.
4. To associate the Active Directory group, do one of the following:
• Enter the name in the Associate an External Group box and click OK.
• To search by a user:
80 Managing authentication
To Next Page
Loading...
