VAST Cluster Active Directory configuration includes settings pertaining to Active Directory and settings for the underlying LDAP setup.
You can create multiple Active Directory configurations. Note that VAST Cluster does not allow adding two different Active Directory configuration records that have:
The same domain name but different settings for multi-forest authentication.
The same domain name and the same machine account name.
To create an Active Directory configuration on VAST Cluster:
From the left navigation menu, select User Management and then VAST Providers.
Click Add New Provider and then select Active Directory to create a new Active Directory configuration record.
In the General tab, fill in the fields to create the machine account on the Active Directory domain:
Domain name (required)
The fully qualified domain name (FQDN) of the Active Directory domain to join.
Example: company-ad.com
Machine account name (required)
Specify a name for the machine object that will be created for the cluster within Active Directory, inside the Organizational Unit (see next). For simplicity, it is recommended that you give the machine account the same name as the cluster.
Organizational unit (required)
The organizational unit (OU) in the Active Directory domain in which to create the machine object.
Specify as a Distinguished Name (DN).
For example: OU=Computers,DC=company-ad,DC=com
Port (required)
The port to append to the URI.
Recommended values:
389 for LDAP (with or without TLS), 636 for LDAPS.
Note
Setting non-recommended values may cause LDAP connectivity issues.
Bind DN (required if Authentication method is set to Simple or SASL)
Enter the bind DN for authenticating to the LDAP domain. You can specify any user account that has read access to the domain.
The format is as described for Search base: a DN that begins with a cn attribute component identifying the user object.
For example, cn=admin,ou=users,dc=mydomain,dc=local specifies the user 'admin' located in the 'users' container under the domain 'mydomain.local'.
Bind password (required if Authentication method is set to Simple or SASL)
This field appears if Simple is selected in the Authentication method field under Advanced Settings. It is the password used together with the Bind DN to authenticate to the Active Directory domain controller.
In the Attribute mapping tab, verify that the default attribute names match the actual names used by your Active Directory provider. If needed, select Customize and edit the names. Each field is listed below with its description and its default value (RFC2307BIS):
GID Number
The attribute of a group entry that contains the GID number of a group.
Default (RFC2307BIS): gidNumber
UID
The attribute of a user entry that contains the user name.
Default (RFC2307BIS): sAMAccountName (common, use unless you know otherwise). Can also be uid (rare) or cn (rare).
Group login name
The attribute used to query Active Directory for the group login name.
Default (RFC2307BIS): sAMAccountName (common, use unless you know otherwise). Can also be uid (rare) or cn (rare).
Mail
The attribute to use for the user's email address.
Default (RFC2307BIS): mail
UID number
The attribute of a user entry that contains the UID number.
Default (RFC2307BIS): uidNumber
Member UID
The attribute of the group entry that contains the names of group members.
Default (RFC2307BIS): member
POSIX account
The object class that defines a user entry.
Default (RFC2307BIS): user
POSIX group
The object class that defines a group entry.
Default (RFC2307BIS): group
Match user
The attribute to use when querying a provider for a user that matches a user already retrieved from another provider. A user entry whose value in this attribute matches is considered the same user as the one previously retrieved.
Default (RFC2307BIS): sAMAccountName
Username
The attribute to use when querying a provider for a user when the query is initiated by a VMS user.
Default (RFC2307BIS): name
User login name
Applicable only with NFSv4 with client-enabled ID matching. This field specifies the attribute used to query Active Directory for the user login name for NFSv4 ID mapping.
On NDU, this value is set to sAMAccountname for Active Directory configurations.
Default (RFC2307BIS): sAMAccountName
UID member value
Specifies the attribute that represents the value of the group's member property.
Default (RFC2307BIS): sAMAccountName
ABAC read only
Sets the ABAC attribute value that grants read-only access to a view tagged with this ABAC attribute.
Default (RFC2307BIS): ro
ABAC read-write
Sets the ABAC attribute value that grants read/write access to a view tagged with this ABAC attribute.
Default (RFC2307BIS): rw
In the Encryption tab, set or modify the following settings as needed:
None, StartTLS and LDAPS
Determines whether to use encryption to secure communication between VAST Cluster and the LDAP server. Choose between:
None. No encryption.
StartTLS. VAST Cluster connects to the standard port (port 389 for the domain controller, port 3268 for the Global Catalog) and performs a StartTLS operation as defined in RFC 4513.
LDAPS. VAST Cluster connects to port 636 for the domain controller or port 3269 for the global catalog and initiates a TLS handshake immediately afterwards.
Upload TLS certificate
If you selected StartTLS, use this field to upload a certificate if you want the cluster to verify the LDAP server's TLS certificate. The remote LDAP server's TLS certificate will be verified against the certificate you provide. If the certificate you provide does not list the certificate authority (CA) of the server's certificate, the cluster will fail to establish a connection with the LDAP server.
If you leave this field blank, the cluster's TLS client does not request the LDAP server's TLS certificate and ignores any certificate received: the connection is encrypted, but the server's identity is not verified.
Important
Regardless of this field's value, ensure that the LDAP server is not configured to request client certificates (TLSVerifyClient should be set to never). Otherwise, connections will fail.
In the Password Renewal tab, optionally toggle Enable password renewal on to have the cluster's machine account password renewed at a set interval.
If you enable password renewal, complete the following fields:
Number of days for password renewal
Enter the interval for password renewal as a number of days.
Define when the password update should happen
Enter the time of day, in the UTC time zone, at which the password should be renewed, in the format HH:mm, where HH is the hour and mm is the minutes.
In the Advanced tab, complete the fields:
Enable trusted domains on other forests
Allows access for principals from trusted domains on other forests.
When enabled, VAST Cluster automatically discovers all domains in other trusted forests, in addition to domains in the forest of the cluster's joined domain. For more information, see Active Directory Overview.
Cluster admin groups
Specify the names of groups on the provider whose members are granted cluster admin access to VMS. Users in these groups can log into VMS. To grant permissions to these users, add the group name to roles. By default, they are assigned a read-only role.
NTLM enabled
If enabled (default), SMB clients accessing the cluster are allowed to use NTLM authentication to get authenticated via this Active Directory provider.
If disabled, NTLM authentication is prohibited, and SMB clients are expected to use Kerberos authentication, which requires an SPN to be configured for each virtual IP pool.
Note
NTLM authentication is not FIPS-compliant.
You cannot alter this setting while the cluster is joined to the Active Directory domain. To alter it for an existing Active Directory configuration, first leave the domain, then enable or disable the setting as appropriate, and then rejoin the domain.
VMS authentication provider
When enabled, this LDAP configuration is the one that can be used for authentication of VMS users. Only one LDAP server can be used for VMS authentication.
Netgroup DNS operation mode
Determines whether DNS reverse lookup is used for the translation of a client IP address to a host name:
Normal (default): The server queries DNS for each host name found in the netgroup entries.
Reverse lookup: The server compares the host name to host names in netgroup entries.
Authentication method (required)
The LDAP authentication method that the Active Directory domain controller uses to authenticate clients:
Anonymous. The Active Directory domain controller accepts queries without any authentication.
Simple. The Active Directory domain controller attempts to bind the specified user name to a matching Active Directory user. If the LDAP bind succeeds, VAST Cluster is allowed to perform the query. Also set Bind DN and Bind password.
SASL. The LDAP server performs the Simple Authentication and Security Layer (SASL) authentication process. If the SASL bind succeeds, VAST Cluster is allowed to perform the query. If this method is specified, you have to set Bind DN and Bind password.
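The following pre-flight check gathers the constraints this page states for a provider record (duplicate-record rules, recommended ports, bind credentials for Simple/SASL, the blank TLS certificate case, NTLM disabled) into one function. It is an added example, not VAST code or API: the cfg dictionary keys are my own modelling of the form fields, and the clear-text bind warning is a general LDAP fact rather than something the page states.

```python
# Pre-flight checks for an Active Directory provider record, following the
# constraints stated on this page. The cfg keys are my own modelling of the
# form fields, not a VAST API.
RECOMMENDED_PORTS = {"None": 389, "StartTLS": 389, "LDAPS": 636}


def validate_provider(cfg, existing=()):
    """Return a list of (severity, message); an empty list means no findings."""
    findings = []
    # Two records may not share a domain with different multi-forest settings,
    # or share both the domain name and the machine account name.
    for other in existing:
        if other["domain"].lower() != cfg["domain"].lower():
            continue
        if other["multi_forest"] != cfg["multi_forest"]:
            findings.append(("error", "same domain, different multi-forest setting"))
        if other["machine_account"].lower() == cfg["machine_account"].lower():
            findings.append(("error", "same domain and machine account name"))
    # 389 is recommended for LDAP/StartTLS, 636 for LDAPS; other values may
    # cause LDAP connectivity issues.
    want = RECOMMENDED_PORTS[cfg["encryption"]]
    if cfg["port"] != want:
        findings.append(("warning", f"port {cfg['port']} is not the recommended "
                                    f"{want} for {cfg['encryption']}"))
    # Simple and SASL binds need a Bind DN and a Bind password.
    if cfg["auth_method"] in ("Simple", "SASL"):
        if not (cfg.get("bind_dn") and cfg.get("bind_password")):
            findings.append(("error", f"{cfg['auth_method']} requires Bind DN and "
                                      "Bind password"))
        # General LDAP fact, not stated on the page: a Simple bind sends the
        # password in clear unless the connection is encrypted.
        if cfg["auth_method"] == "Simple" and cfg["encryption"] == "None":
            findings.append(("warning", "Simple bind without encryption exposes "
                                        "the bind password on the wire"))
    # With no uploaded certificate the cluster ignores the server certificate,
    # so the connection is encrypted but the server is not authenticated.
    # (The page documents the upload field for StartTLS; applying the same
    # check to LDAPS is my assumption.)
    if cfg["encryption"] != "None" and not cfg.get("tls_ca_cert"):
        findings.append(("warning", "no TLS certificate uploaded: the LDAP "
                                    "server's certificate is not verified"))
    # NTLM disabled means Kerberos only, which needs an SPN per virtual IP pool.
    if not cfg["ntlm_enabled"] and not cfg.get("spn_per_vip_pool"):
        findings.append(("warning", "NTLM disabled: configure an SPN for each "
                                    "virtual IP pool so SMB clients can use Kerberos"))
    return findings
```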
Query group mode
Sets the mode for querying a user's auxiliary group memberships, where applicable:
Note
Group memberships may or may not be queried during access checks depending on the Group Membership Source setting in the View Policy.
Compatible (default). Groups are queried using an aggregate of the RFC2307BIS and RFC2307 compliant group membership queries (see the other options). You can use this default option unless you are using an authentication provider which is incompatible with this aggregated query mode.
RFC2307BIS only. Auxiliary group memberships are queried according to the RFC2307BIS standard, in which the group has a member attribute that contains the Distinguished Name (DN) of the member user and the user has a memberOf attribute which contains the DNs of the groups to which the user belongs. This standard is used by Active Directory and may be used with other LDAP-based authorization providers with LDAP schema extensions.
RFC2307 only. Auxiliary group memberships are queried according to the RFC2307 standard, in which the group object has a memberUid attribute for each user object that is a member of the group, specifying the name of the user object. This standard may be used by openLDAP, freeIPA and other LDAP-based authorization providers.
None. If this option is selected, auxiliary group memberships are not queried at all. If the relevant view's view policy names the authorization provider as the group membership source and the user tries to access a file or directory within that view to which the user has permission only as a member of the owning group, permission will not be granted.
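To make the four query group modes concrete, the following added example (not VAST code) resolves one user's auxiliary groups against a constructed in-memory directory that uses the page's default attribute names: member/memberOf for the RFC2307BIS style and memberUid for the RFC2307 style. It also shows the consequence described for mode None, where access that depends only on group membership is refused.

```python
# Resolving a user's auxiliary groups under each Query group mode. The
# directory below is a constructed stand-in for LDAP search results.
USERS = {
    "cn=alice,ou=users,dc=company-ad,dc=com": {"sAMAccountName": "alice"},
}
GROUPS = {
    # RFC2307BIS-style: member holds the user's DN (Active Directory)
    "cn=devs,ou=groups,dc=company-ad,dc=com": {
        "gidNumber": 5001, "member": ["cn=alice,ou=users,dc=company-ad,dc=com"]},
    # RFC2307-style: memberUid holds the user's login name (openLDAP, freeIPA)
    "cn=ops,ou=groups,dc=company-ad,dc=com": {
        "gidNumber": 5002, "memberUid": ["alice"]},
    # A group alice does not belong to under either schema
    "cn=audit,ou=groups,dc=company-ad,dc=com": {
        "gidNumber": 5003, "member": [], "memberUid": []},
}


def groups_rfc2307bis(user_dn):
    """Group entries whose member attribute lists the user's DN."""
    return {dn for dn, g in GROUPS.items() if user_dn in g.get("member", [])}


def groups_rfc2307(login):
    """Group entries whose memberUid attribute lists the user's login name."""
    return {dn for dn, g in GROUPS.items() if login in g.get("memberUid", [])}


def auxiliary_gids(user_dn, mode="Compatible"):
    """GIDs of the user's auxiliary groups as the given Query group mode returns them."""
    login = USERS[user_dn]["sAMAccountName"]
    if mode == "None":
        dns = set()                      # memberships are never queried
    elif mode == "RFC2307BIS only":
        dns = groups_rfc2307bis(user_dn)
    elif mode == "RFC2307 only":
        dns = groups_rfc2307(login)
    elif mode == "Compatible":           # aggregate of both query styles
        dns = groups_rfc2307bis(user_dn) | groups_rfc2307(login)
    else:
        raise ValueError(f"unknown Query group mode: {mode}")
    return sorted(GROUPS[dn]["gidNumber"] for dn in dns)


def group_access_allowed(user_dn, file_gid, mode):
    """Access that depends only on group membership: always denied under mode None."""
    return file_gid in auxiliary_gids(user_dn, mode)
```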
Filters
Optionally, specify a search filter string to be appended to the search base DN in all user queries that VAST Cluster makes to this provider. Entries that do not match the filter string are filtered out of the query results.
POSIX attributes source
Determines the domains from which VAST Cluster queries POSIX attributes. Options include:
Joined domain. The domain which the cluster has joined.
All domains in the joined forest. All domains in the Active Directory forest of the joined domain and, if multi-forest authentication is enabled, from other trusted forests.
Specific domains. One or more domains specified in Domains with posix attributes.
Global catalog. All domains included in the Active Directory global catalog of the cluster's joined domain forest. When this option is chosen, the global catalog must be configured with POSIX attributes.
Domains with POSIX attributes
If you set POSIX attributes source to Specific domains, use this option to list the specific domains. The listed domains can be in the forest of the cluster's joined domain, and also in other trusted forests which have a two-way trust with the cluster's forest.
Periodic health check type
Determines the type of periodic health check that VAST Cluster performs for an Active Directory provider configured for the cluster:
Ping check (default): Ping the provider. This option creates less overhead and reduces impact on the provider.
Bind check: Bind to the provider.
Click Create.
The record is created and you can see it displayed. The Joined State shows Not a member because the cluster has not yet joined the Active Directory domain.