Connecting to Your LDAP Server via VAST Web UI

From the left navigation menu, select User Management and then LDAP.
Click + Create LDAP to create an LDAP configuration or, to modify an existing configuration, right-click an existing configuration and select Edit.

In the General tab, enter details of your LDAP server:

Field	Description
Base DN	The entry in the LDAP directory tree to use as a starting point for user queries. By default, this is also used as the starting point for group queries. Optionally, you can specify a different entry as the Group Base DN To maximize the speed of authentication queries, start the search in the lowest branch of the tree under which all users can be found. For example, if the entire directory must be queried, the search base must specify the root of the tree. However, if the search can be restricted to a specific organizational unit (OU), queries may be faster. The format for base DN is a comma separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component defines the object at the lowest part of the tree that you want to use as the starting point of the search, the next component is its container and so on up the tree, with the last component representing the top level domain. The following attributes can be specified: cn: common name ou: organizational unit o: organization c: country dc: domain For example, supposing your user accounts are all located in a container called 'users' under a domain 'mydomain.local'. If you want to set the users container as the starting point for search queries, you would enter: `ou=users,dc=mydomain,dc=local` To specify the full domain as your search base, you would enter: `dc=mydomain,dc=local`
URLs (required)	Enter a comma-separated list of URIs of LDAP servers (domain controllers in the Active Directory joined domain). The order of listing defines the priority order. The URI with highest priority that has a good health status is used. Specify each URI in the format `<scheme>://<address>`. `<address>` can be either a DNS name or an IP address. Examples: `ldap://company-ad.com` `ldaps://company-ad.com` `ldap://company-ad.com,ldap://company-ad2.com` `ldap://192.0.2.0,ldap://192.0.2.1,ldap://192.0.2.2`
Port (required)	The port of the remote LDAP server. Recommended values: `389` for LDAP (with or without TLS), `636` for LDAPS. Note Setting non-recommended values may cause LDAP connectivity issues.
Domain name	The fully qualified domain name (FQDN) of the domain to join. Example: company-ad.com
Bind DN (required if Authentication method is set to Simple or SASL)	If multi-forest authentication is enabled and/or SASL authentication method is used, specify the bind DN in one of the following formats:Active Directory Overview `username@domain` `DOMAIN\username` Format is as described for Base DN beginning with a cn attribute component specifying the user object.
Bind password (required if Authentication method is set to Simple or SASL)	The password used with the Bind DN to authenticate to the LDAP server.

In the Attribute mapping tab, verify that the default attribute names match the actual names used by your LDAP provider. If needed, select Customize and edit the names:

Field	Description	Default (RFC2307)
GID Number	The attribute of a group entry that contains the GID number of a group.	`gidNumber`
UID	The attribute of a user entry that contains the user name.	`uid`
Group login name	The attribute used to query the provider for the group login name. For most environments, it is recommended to use the default value of `cn`.	`cn`
UID Number	The attribute of a user entry that contains the UID number.	`uidNumber`
Member UID	The attribute of the group entry that contains names of group members.	`memberUID`
Posix Account	The object class that defines a user entry.	`posixAccount`
Posix Group	The object class that defines a group entry.	`posixGroup`
Match User	The attribute to use when querying a provider for a user that matches a user that was already retrieved from another provider. A user entry that contains a matching value in this attribute will be considered the same user as the user previously retrieved.	`uid`
Username Property Name	The attribute to use when querying a provider for a user when the query is initiated by a VMS user.	`cn`
User login name	Not applicable for LDAP.	`uid`
UID member value property name	Specifies the attribute which represents the value of the group's `member` property.	`uid`
Mail property name	The attribute to use for the user's email address.	`mail`

In the Encryption tab, set or modify the following settings as needed:

Field	Description
Use Encryption	Determines whether to use encryption to secure communication between VAST Clusterand the LDAP server. Choose between: None. No encryption. StartTLS. VAST Cluster connects to the standard port (port 389 for the domain controller, port 3268 for the Global Catalog) and performs a StartTLS operation as defined in RFC 4513. LDAPs. VAST Cluster connects to port 636 for the domain controller or port 3269 for the global catalog and initiates a TLS handshake immediately afterwards.
Upload TLS certificate	If Use Encryption is set to LDAPS or StartTLS, use this field to upload a certificate if you want the cluster to verify the LDAP server's TLS certificate. The remote LDAP server's TLS certificate will be verified against the certificate you provide. If the certificate you provide does not list the certificate authority (CA) of the server's certificate, the cluster will fail to establish a connection with the LDAP server. If you choose to leave this field blank, the VAST Cluster's TLS client will not request the LDAP server's TLS certificate and will ignore any certificate received. Important Regardless of this field's value, ensure that the LDAP server is not configured to request client certificates (`TLSVerifyClient` should be set to `never`). Otherwise, connections will fail.

Field

Description

Use Encryption

Determines whether to use encryption to secure communication between VAST Clusterand the LDAP server. Choose between:

None. No encryption.
StartTLS. VAST Cluster connects to the standard port (port 389 for the domain controller, port 3268 for the Global Catalog) and performs a StartTLS operation as defined in RFC 4513.
LDAPs. VAST Cluster connects to port 636 for the domain controller or port 3269 for the global catalog and initiates a TLS handshake immediately afterwards.

Upload TLS certificate

If Use Encryption is set to LDAPS or StartTLS, use this field to upload a certificate if you want the cluster to verify the LDAP server's TLS certificate. The remote LDAP server's TLS certificate will be verified against the certificate you provide. If the certificate you provide does not list the certificate authority (CA) of the server's certificate, the cluster will fail to establish a connection with the LDAP server.

If you choose to leave this field blank, the VAST Cluster's TLS client will not request the LDAP server's TLS certificate and will ignore any certificate received.

Important
Regardless of this field's value, ensure that the LDAP server is not configured to request client certificates (TLSVerifyClient should be set to never). Otherwise, connections will fail.

In the Advanced settings tab, set or modify these settings as necessary:

Field	Description
Cluster Admin Groups	Specify names of groups on the provider to grant cluster admin manager access to VMS to group members. Users in these groups can log into VMS. To grant permissions to these users, add the group name to roles. By default, they are assigned a read-only role.
VMS auth provider	When enabled, this LDAP configuration is the one that is used for VMS authentication.
Netgroup DNS operation mode	Determines whether DNS reverse lookup is used for the translation of a client IP address to a host name: Normal (default): The server queries DNS for each host name found in the netgroup entries. Reverse lookup: The server compares the host name to host names in netgroup entries.
Authentication method (required)	The authentication method the LDAP server uses to authenticate VAST Cluster as a client querying the LDAP database. When multi-forest authentication is enabled, VAST Cluster uses SASL for the LDAP bind to domain controllers in other trusted forests, and this setting is only honored for the LDAP bind to domain controllers in the forest of the cluster's joined domain. Active Directory Overview Set the method according to how the LDAP server is configured to authenticate clients: Anonymous. The LDAP server accepts queries without any authentication. Simple. The LDAP server attempts to bind a specified user name to a matching LDAP user. If the LDAP bind succeeds, VAST Cluster is allowed access to perform the query. If this method is selected, you have to set Bind DN and Bind password. SASL. The LDAP server performs the Simple Authentication and Security Layer (SASL) authentication process. If the SASL bind succeeds, VAST Cluster is allowed to perform the query. If this method is specified, you have to set Bind DN and Bind password, with the bind DN in the `username@domain` or `DOMAIN\username` format.
Query group mode	Sets the mode for querying a users' auxiliary group memberships, where applicable: Note Group memberships may or may not be queried during access checks depending on the Group Membership Source setting in the view policy. Compatible (default). Groups are queried using an aggregate of the RFC2307BIS and RFC2307 compliant group membership queries (see the other options). You can use this default option unless you are using an authentication provider which is incompatible with this aggregated query mode. RFC2307BIS only. Auxiliary group memberships are queried according to the RFC2307BIS standard, in which the group has a member attribute that contains the Distinguished Name (DN) of the member user and the user has a memberOf attribute which contains the DNs of the groups to which the user belongs. This standard is used by Active Directory and may be used with other LDAP-based authorization providers with LDAP schema extensions. RFC2307 only. Auxiliary group memberships are queried according to the RFC2307 standard, in which the group object has a memberUid attribute for each user object that is a member of the group, specifying the name of the user object. This standard may be used by openLDAP, freeIPA and other LDAP-based authorization providers. None. If this option is selected, auxiliary group memberships are not queried at all. In the event that the relevant view's view policy cites the authorization provider as the group membership source and the user tries to access a file or directory within that view to which the user only has permission as a member of a the owning user's group, permission will not be granted.
Filters	Optionally, specify a search filter string to be to be appended to the search base DN in all user queries that VAST Cluster makes to this provider. Entries that do not match the filter string are filtered out from the query results.
Group base DN	The base DN for group queries within the joined domain. When Auto discovery is enabled, group queries outside the joined domain use base DNs that are auto-discovered.
Netgroup Base DN	The Netgroup Base DN for LDAP searches, if it is different from the Base DN. Netgroup searches are directed to this base DN, if it is specified, instead of to the Base DN (specified in General tab).
Periodic health check type	Determine the type of periodic health check that VAST Cluster performs for an Active Directory provider configured for the cluster: Ping check (default): Ping the provider. This option creates less overhead and reduces impact on the provider. Bind check: Bind to the provider.

Click Create or Update.
The LDAP client configuration is created/updated. For a new configuration, the State will initially indicate Not Connected, and then change to Connected.