Creating Active Directory Configuration via VAST Web UI


VAST Cluster Active Directory configuration includes settings pertaining to Active Directory and settings for the underlying LDAP setup.

You can create multiple Active Directory configurations. Note that VAST Cluster does not allow adding two different Active Directory configuration records that have:

  • The same domain name but different settings for multi-forest authentication and/or auto-discovery.

  • The same domain name and the same machine account name.

To create an Active Directory configuration on VAST Cluster:

  1. From the left navigation menu, select User Management and then Active Directory.

  2. Click + Create Active Directory to create a new Active Directory configuration record.

  3. In the General tab, fill in the fields to create the machine object on the Active Directory domain:

    Field

    Description

    Machine account name (required)

    Specify a name for the machine object that will be created for the cluster within Active Directory, inside the Organizational Unit (see next). For simplicity, it is recommended that you give the machine account the same name as the cluster.

    Organizational unit (required)

    The organizational unit (OU) in the Active Directory domain in which to create the machine object.

    Specify as a Distinguished Name (DN).

    For example: OU=Computers,DC=company-ad,DC=com

  4. In the General tab, set SMB access-related options: 

    Field

    Description

    SMB Allowed

    If enabled (default), VAST Cluster uses this Active Directory provider to authenticate and authorize clients accessing the cluster via the SMB storage protocol.

    If disabled, this Active Directory provider is not used for SMB client access.

    You cannot alter this setting while the cluster is joined to the Active Directory domain. To alter it for an existing Active Directory configuration, first leave the domain, then enable or disable the setting as appropriate, and then rejoin the domain.

    NTLM enabled

    If enabled (default), SMB clients accessing the cluster are allowed to use NTLM authentication to get authenticated via this Active Directory provider. 

    If disabled, NTLM authentication is prohibited, and SMB clients are expected to use Kerberos authentication, which requires an SPN to be configured for each virtual IP pool.

    Note

    NTLM authentication is not FIPS-compliant.

    You cannot alter this setting while the cluster is joined to the Active Directory domain. To alter it for an existing Active Directory configuration, first leave the domain, then enable or disable the setting as appropriate, and then rejoin the domain.

  5. If you want VAST Cluster to automatically discover domains and domain controllers, ensure that Auto discovery is enabled.

    • When Auto discovery is enabled, VAST Cluster automatically discovers and queries all domains and domain controllers in the forest of the cluster's joined domain and, if Enable trusted domains on other forests is on, in other trusted forests. For more information, see Active Directory Domain Auto-Discovery.

      If Auto discovery is enabled, you can set the following:

      Field

      Description

      Enable trusted domains on other forests

      Allows access for principals from trusted domains on other forests. 

      When enabled, VAST Cluster automatically discovers all domains in other trusted forests, in addition to domains in the forest of the cluster's joined domain. For more information, see Active Directory Multi-Forest Authentication.

      This option can be enabled only if Auto discovery is on. If you are going to disable Auto discovery, set this option to off.

      Domain name

      The fully qualified domain name (FQDN) of the Active Directory domain to join.

      Example: company-ad.com

    • When Auto discovery is disabled, VAST Cluster contacts only the domain controllers configured in the URLs field and does not process requests from users in other domains, whether in the forest of the cluster's joined domain or in other trusted forests. The LDAP URI (URLs) and search base DN (Base DN) fields must be specified manually.

      Tip

      Before disabling Auto discovery, verify that Enable trusted domains on other forests is disabled.

      If Auto discovery is disabled, complete these fields:

      Field

      Description

      Base DN

      This field is available only if Auto discovery is disabled.

      The entry in the Active Directory tree to use as a starting point for user queries. By default, this is also used as the starting point for group queries. Optionally, you can specify a different entry as the Group Base DN.

      To maximize the speed of authentication queries, start the search in the lowest branch of the tree under which all users can be found. For example, if the entire directory must be queried, the search base must specify the root of the tree. However, if the search can be restricted to a specific organizational unit (OU), queries may be faster.

      The format for base DN is a comma separated list of components. Each component is an attribute=value pair defining an object in the directory tree. The first component defines the object at the lowest part of the tree that you want to use as the starting point of the search, the next component is its container and so on up the tree, with the last component representing the top level domain.

      The following attributes can be specified:

      • cn: common name

      • ou: organizational unit

      • o: organization

      • c: country

      • dc: domain

      For example, supposing your user accounts are all located in a container called 'users' under a domain 'mydomain.local'. If you want to set the users container as the starting point for search queries, you would enter: ou=users,dc=mydomain,dc=local

      To specify the full domain as your search base, you would enter: dc=mydomain,dc=local

      URLs (required if Auto discovery is off)

      Specify one or more domain controllers in an Active Directory domain to be used for user authentication when Auto discovery is disabled. 

      The domain controllers you specify in the URLs field should all be in the same Active Directory domain which VAST Cluster joins. 

      Enter a comma-separated list of URIs of the domain controllers. The order of the list defines the priority order: the highest-priority domain controller that has a good health status is used.

      Specify the URI of each domain controller in the format <scheme>://<address>. <address> can be either a DNS name or an IP address.

      Examples:

      • ldap://company-ad.com

      • ldap://company-ad.com,ldap://company-ad2.com

      • ldap://192.0.2.0,ldap://192.0.2.1,ldap://192.0.2.2

      Port (required)

      The port to append to the URI.

      Recommended values: 389 for LDAP (with or without TLS), 636 for LDAPS.

      Note

      Setting non-recommended values may cause LDAP connectivity issues. 
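The following is an added example, not VAST's own code, showing how the URLs and Port fields described above fit together: the comma-separated list is split into URIs in priority order, each URI is checked against the <scheme>://<address> form with a DNS name or IP address, the Port value is appended, and the highest-priority healthy controller is chosen. The `healthy` map passed to pick_controller() is an assumed stand-in for the cluster's own health check.

```python
"""Parse the URLs and Port fields of an Active Directory configuration and
choose the domain controller to contact.

Added example, not VAST's own code. It implements only what the page
documents: a comma-separated list of <scheme>://<address> URIs in priority
order, the Port value appended to each URI, and selection of the
highest-priority controller with good health. The `healthy` map passed to
pick_controller() is an assumed stand-in for the cluster's health check.
"""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"ldap", "ldaps"}
RECOMMENDED_PORTS = {389, 636}            # 389 LDAP/StartTLS, 636 LDAPS
# One DNS label (RFC 1123): letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_dns_name(address: str) -> bool:
    labels = address.rstrip(".").split(".")
    return all(LABEL_RE.match(label) for label in labels)


def is_ip_address(address: str) -> bool:
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return False
    return True


def parse_urls(field: str) -> List[str]:
    """Validate the URLs field and return its URIs in priority (listed) order."""
    uris = [u.strip() for u in field.split(",") if u.strip()]
    if not uris:
        raise ValueError("URLs is required when Auto discovery is off")
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme not in ALLOWED_SCHEMES:
            raise ValueError(f"{uri}: scheme must be ldap or ldaps")
        if parts.port is not None:
            raise ValueError(f"{uri}: do not embed a port; set it in the Port field")
        host = parts.hostname or ""
        if not (is_dns_name(host) or is_ip_address(host)):
            raise ValueError(f"{uri}: address must be a DNS name or an IP address")
        if parts.path or parts.query or parts.fragment or parts.username:
            raise ValueError(f"{uri}: only <scheme>://<address> is accepted")
    return uris


def with_port(uri: str, port: int) -> str:
    """Append the Port field to a URI, the form in which the cluster connects."""
    if not 1 <= port <= 65535:
        raise ValueError(f"Port {port} is out of range")
    return f"{uri}:{port}"


def port_warning(port: int) -> Optional[str]:
    """Non-recommended ports are accepted but flagged, as the Note above says."""
    if port in RECOMMENDED_PORTS:
        return None
    return f"port {port} is not a recommended value and may cause LDAP connectivity issues"


def pick_controller(field: str, port: int, healthy: Dict[str, bool]) -> Optional[str]:
    """Return the first listed (highest-priority) controller whose health is good,
    with the port appended, or None if no listed controller is healthy."""
    for uri in parse_urls(field):
        if healthy.get(uri, False):
            return with_port(uri, port)
    return None


if __name__ == "__main__":
    # Constructed sample: the first controller is unhealthy, so the second is chosen.
    health = {"ldap://192.0.2.0": False, "ldap://192.0.2.1": True, "ldap://192.0.2.2": True}
    print(pick_controller("ldap://192.0.2.0,ldap://192.0.2.1,ldap://192.0.2.2", 389, health))
```

Ports are rejected inside the URI on purpose: the page has the port come from the separate Port field, so a stray `:389` in the URLs field would otherwise be doubled when the cluster appends its own.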

      Domain name (required)

      The fully qualified domain name (FQDN) of the Active Directory domain to join.

      Example: company-ad.com

  6. In the Attribute mappings tab:

    1. Ensure that Active Directory is selected in the Templates for advanced setting field. (This is the default setting when creating or editing an Active Directory configuration.)

      When the Active Directory template is set, the tab displays RFC2307BIS-compliant names for user and group attributes that can be used by an Active Directory provider.

    2. Verify that the attribute names match the actual names used by your Active Directory provider. If needed, edit the attribute names as appropriate by overtyping a field value.

      Tip

      To clear all fields, select Custom in the Templates for advanced setting dropdown.

    Field

    Description

    Default (RFC2307BIS)

    GID Number

    The attribute of a group entry that contains the GID number of a group.

    gidNumber

    UID

    The attribute of a user entry that contains the user name.

    sAMAccountName (common; use unless you know otherwise). Can also be uid (rare) or cn (rare).

    Group login name

    The attribute used to query Active Directory for the group login name.

    sAMAccountName (common; use unless you know otherwise). Can also be uid (rare) or cn (rare).

    UID Number

    The attribute of a user entry that contains the UID number.

    uidNumber

    Member UID

    The attribute of the group entry that contains names of group members.

    member

    Posix Account

    The object class that defines a user entry.

    user

    Posix Group

    The object class that defines a group entry.

    group

    Match User

    The attribute to use when querying a provider for a user that matches a user that was already retrieved from another provider. A user entry that contains a matching value in this attribute will be considered the same user as the user previously retrieved.

    sAMAccountName

    Username Property Name

    The attribute to use when querying a provider for a user when the query is initiated by a VMS user. 

    name

    User login name

    Applicable only with NFSv4.1 with client-enabled ID matching. This field specifies the attribute used to query Active Directory for the user login name for NFSv4.1 ID mapping. 

    On NDU, this value is set to sAMAccountName for Active Directory configurations.

    sAMAccountName

    UID member value property name

    Specifies the attribute which represents the value of the group's member property.

    sAMAccountName

    Mail property name

    The attribute to use for the user's email address.

    mail

  7. In the Encryption tab, set or modify the following settings as needed:

    Field

    Description

    Use LDAPS

    Enables or disables use of LDAPS if Auto discovery is enabled.

    When enabled, VAST Cluster connects to an alternative port (port 636 for the domain controller, port 3269 for the Global Catalog) and initiates a TLS handshake immediately afterwards.

    Secure LDAP communication using StartTLS

    Enable to use TLS (StartTLS) to secure communication between VAST Cluster and the LDAP server.

    When enabled, VAST Cluster connects to the standard port (port 389 for the domain controller, port 3268 for the Global Catalog) and performs a StartTLS operation as defined in RFC 4513.

    Upload TLS certificate

    If Use TLS is enabled, use this field to upload a certificate if you want the cluster to verify the LDAP server's TLS certificate. The remote LDAP server's TLS certificate will be verified against the certificate you provide. If the certificate you provide does not list the certificate authority (CA) of the server's certificate, the cluster will fail to establish a connection with the LDAP server.

    If you choose to leave this field blank, the VAST Cluster's TLS client will not request the LDAP server's TLS certificate and will ignore any certificate received.

    Important

    Regardless of this field's value, ensure that the LDAP server is not configured to request client certificates (TLSVerifyClient should be set to never). Otherwise, connections will fail.

  8. In the Advanced settings tab, complete the following:

    Field

    Description

    VMS Auth Provider

    When enabled, this LDAP configuration is the one that can be used for authentication of VMS users. Only one LDAP server can be used for VMS authentication. 

    Netgroup DNS operation mode

    Determines whether DNS reverse lookup is used for the translation of a client IP address to a host name:

    • Normal (default): The server queries DNS for each host name found in the netgroup entries.

    • Reverse lookup: The server compares the host name to host names in netgroup entries.

    Authentication method (required)

    The LDAP authentication method that the Active Directory domain controller uses to authenticate clients:

    • Anonymous. The Active Directory domain controller accepts queries without any authentication.

    • Simple. The Active Directory domain controller attempts to bind a specified user name to a matching Active Directory user. If the LDAP bind succeeds, VAST Cluster is allowed access to perform the query. Set also Bind DN and Bind password.

    • SASL. The LDAP server performs the Simple Authentication and Security Layer (SASL) authentication process. If the SASL bind succeeds, VAST Cluster is allowed to perform the query. If this method is specified, you have to set Bind DN and Bind password.

    Bind DN (required if Authentication method is set to Simple or SASL)

    Enter the bind DN for authenticating to the LDAP domain. You can specify any user account that has read access to the domain.

    The format is the same as described for Base DN, beginning with a cn attribute component that specifies the user object.

    For example, cn=admin,ou=users,dc=mydomain,dc=local specifies user 'admin' located in the 'users' container under the domain 'mydomain.local'.
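The Base DN field in step 5 and the Bind DN field here share one DN format, so the following added example (not VAST's own code) covers both: it splits a DN into attribute=value components from the lowest object up to the top level, accepts only the attributes the page lists (cn, ou, o, c, dc), and recovers the domain name from the dc components. Two checks are assumptions drawn from the page's descriptions rather than stated rules: a base DN must end in dc components naming the domain, and a bind DN must begin with a cn component naming the user object.

```python
"""Parse and check the Distinguished Names used by the Base DN field (step 5)
and the Bind DN field (step 8), which share the same format.

Added example, not VAST's own code. It applies the format given above:
comma-separated attribute=value components, lowest object first, and only the
attributes the page lists (cn, ou, o, c, dc). Two checks are assumptions made
from the page's descriptions: a base DN must end in dc components naming the
domain, and a bind DN must begin with a cn component naming the user object.
"""
import re
from typing import List, Tuple

Component = Tuple[str, str]
ALLOWED_ATTRS = ("cn", "ou", "o", "c", "dc")
# Split on commas that are not escaped with a backslash (RFC 4514 allows "\," inside a value).
SPLIT_RE = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> List[Component]:
    """Return (attribute, value) pairs from the lowest object up to the top level."""
    components: List[Component] = []
    for raw in SPLIT_RE.split(dn):
        raw = raw.strip()
        if "=" not in raw:
            raise ValueError(f"component {raw!r} is not attribute=value")
        attr, value = raw.split("=", 1)
        attr, value = attr.strip().lower(), value.strip()
        if attr not in ALLOWED_ATTRS:
            raise ValueError(f"attribute {attr!r} is not one of {ALLOWED_ATTRS}")
        if not value:
            raise ValueError(f"component {raw!r} has an empty value")
        components.append((attr, value))
    return components


def check_base_dn(dn: str) -> List[Component]:
    """A search base ends in the dc components that name the domain (assumption)."""
    comps = parse_dn(dn)
    if comps[-1][0] != "dc":
        raise ValueError("the last component must be a dc (domain) component")
    return comps


def check_bind_dn(dn: str) -> List[Component]:
    """A bind DN has the same shape and starts with cn=<user object>."""
    comps = check_base_dn(dn)
    if comps[0][0] != "cn":
        raise ValueError("a bind DN must begin with a cn component naming the user")
    return comps


def domain_from_dn(dn: str) -> str:
    """Recover the FQDN from the dc components: dc=mydomain,dc=local -> mydomain.local."""
    return ".".join(value for attr, value in check_base_dn(dn) if attr == "dc")


def base_dn_for_domain(fqdn: str) -> str:
    """The search base that covers an entire domain, built from its FQDN."""
    labels = [label for label in fqdn.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def narrower_than(candidate: str, domain_base: str) -> bool:
    """True if `candidate` lies under `domain_base`, i.e. it is the narrower
    (and therefore faster) search base the page recommends when possible.
    Values are compared case-insensitively, as AD treats DN values."""
    cand = [(a, v.lower()) for a, v in parse_dn(candidate)]
    dom = [(a, v.lower()) for a, v in parse_dn(domain_base)]
    return len(cand) > len(dom) and cand[-len(dom):] == dom


if __name__ == "__main__":
    # Constructed sample values from the page's own examples.
    print(domain_from_dn("OU=Computers,DC=company-ad,DC=com"))        # company-ad.com
    print(check_bind_dn("cn=admin,ou=users,dc=mydomain,dc=local"))
    print(narrower_than("ou=users,dc=mydomain,dc=local", base_dn_for_domain("mydomain.local")))
```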

    Bind password (required if Authentication method is set to Simple or SASL)

    This field appears if Simple is selected in the Authentication method field. This is the password used with the Bind DN to authenticate to the Active Directory domain controller.

    Query group mode

    Sets the mode for querying a user's auxiliary group memberships, where applicable:

    Note

    Group memberships may or may not be queried during access checks depending on the Group Membership Source setting in the View Policy.

    • Compatible (default). Groups are queried using an aggregate of the RFC2307BIS and RFC2307 compliant group membership queries (see the other options). You can use this default option unless you are using an authentication provider which is incompatible with this aggregated query mode. 

    • RFC2307BIS only. Auxiliary group memberships are queried according to the RFC2307BIS standard, in which the group has a member attribute that contains the Distinguished Name (DN) of the member user and the user has a memberOf attribute which contains the DNs of the groups to which the user belongs. This standard is used by Active Directory and may be used with other LDAP-based authorization providers with LDAP schema extensions. 

    • RFC2307 only. Auxiliary group memberships are queried according to the RFC2307 standard, in which the group object has a memberUid attribute for each user object that is a member of the group, specifying the name of the user object. This standard may be used by openLDAP, freeIPA and other LDAP-based authorization providers.

    • None. If this option is selected, auxiliary group memberships are not queried at all. If the relevant view's view policy cites the authorization provider as the group membership source and the user tries to access a file or directory within that view to which the user only has permission as a member of the owning user's group, permission will not be granted.
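To make the four Query group modes concrete, here is an added example (not VAST's own code) that resolves one user's auxiliary groups over a small constructed in-memory directory. The entries follow the Attribute mappings defaults from step 6 (object classes `user` and `group`, login attribute `sAMAccountName`, group member attribute `member`) plus the RFC2307 `memberUid` and RFC2307BIS `memberOf` attributes the options above describe; the three groups link to the user in different ways so that each mode returns a different answer, and the last function shows the access outcome the None option warns about.

```python
"""Resolve a user's auxiliary group memberships under each Query group mode.

Added example, not VAST's own code. DIRECTORY is a constructed in-memory
stand-in for an Active Directory domain; entry attributes follow the
Attribute mappings defaults (object classes `user` and `group`, group member
attribute `member`, login attribute `sAMAccountName`) plus the RFC2307
`memberUid` and RFC2307BIS `memberOf` attributes the options describe.
"""
from typing import Dict, List, Set

Entry = Dict[str, object]
USERS = "ou=users,dc=example,dc=test"
GROUPS = "ou=groups,dc=example,dc=test"

# Constructed sample data: one user and three groups that link to the user
# in different ways so that the modes give different answers.
DIRECTORY: List[Entry] = [
    {"dn": f"cn=jdoe,{USERS}", "objectClass": ["user"], "sAMAccountName": "jdoe",
     "memberOf": [f"cn=engineering,{GROUPS}", f"cn=ops,{GROUPS}"]},
    # typical AD group (RFC2307BIS link) that also carries a memberUid
    {"dn": f"cn=engineering,{GROUPS}", "objectClass": ["group"],
     "member": [f"cn=jdoe,{USERS}"], "memberUid": ["jdoe"]},
    # RFC2307BIS-only link: member on the group, memberOf on the user, no memberUid
    {"dn": f"cn=ops,{GROUPS}", "objectClass": ["group"], "member": [f"cn=jdoe,{USERS}"]},
    # RFC2307-only link: memberUid on the group, nothing on the user points back
    {"dn": f"cn=legacy-nis,{GROUPS}", "objectClass": ["group"], "memberUid": ["jdoe"]},
]

# Attribute mapping names (Attribute mappings tab defaults).
POSIX_ACCOUNT, POSIX_GROUP, UID, MEMBER = "user", "group", "sAMAccountName", "member"


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for values placed inside a search filter."""
    out = value.replace("\\", "\\5c")
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        out = out.replace(ch, code)
    return out


def find_user(directory: List[Entry], login: str) -> Entry:
    for e in directory:
        if POSIX_ACCOUNT in e["objectClass"] and e.get(UID) == login:
            return e
    raise LookupError(f"no {POSIX_ACCOUNT} entry with {UID}={login}")


def _groups(directory: List[Entry]) -> List[Entry]:
    return [e for e in directory if POSIX_GROUP in e["objectClass"]]


def rfc2307bis_groups(directory: List[Entry], user: Entry) -> Set[str]:
    """group.member holds the user's DN and user.memberOf holds group DNs; use both."""
    via_member = {g["dn"] for g in _groups(directory) if user["dn"] in g.get(MEMBER, [])}
    return via_member | set(user.get("memberOf", []))


def rfc2307_groups(directory: List[Entry], user: Entry) -> Set[str]:
    """group.memberUid holds the user's login name; the user entry has no link back."""
    return {g["dn"] for g in _groups(directory) if user[UID] in g.get("memberUid", [])}


def auxiliary_groups(directory: List[Entry], login: str, mode: str = "Compatible") -> Set[str]:
    """Group DNs the cluster would learn for `login` under the given Query group mode."""
    user = find_user(directory, login)
    if mode == "None":
        return set()
    if mode == "RFC2307BIS only":
        return rfc2307bis_groups(directory, user)
    if mode == "RFC2307 only":
        return rfc2307_groups(directory, user)
    if mode == "Compatible":          # aggregate of both query styles
        return rfc2307bis_groups(directory, user) | rfc2307_groups(directory, user)
    raise ValueError(f"unknown Query group mode {mode!r}")


def ldap_filters(login: str, user_dn: str, mode: str) -> List[str]:
    """Search filters each mode implies; handy when tracing queries in DC logs."""
    bis = f"(&(objectClass={POSIX_GROUP})({MEMBER}={ldap_escape(user_dn)}))"
    classic = f"(&(objectClass={POSIX_GROUP})(memberUid={ldap_escape(login)}))"
    return {"RFC2307BIS only": [bis], "RFC2307 only": [classic],
            "Compatible": [bis, classic], "None": []}[mode]


def group_permission_granted(directory: List[Entry], login: str, mode: str,
                             owning_group_dn: str) -> bool:
    """Access that depends only on group membership is denied whenever the mode
    (or the provider's schema) does not reveal that membership."""
    return owning_group_dn in auxiliary_groups(directory, login, mode)


if __name__ == "__main__":
    for mode in ("Compatible", "RFC2307BIS only", "RFC2307 only", "None"):
        print(mode, sorted(auxiliary_groups(DIRECTORY, "jdoe", mode)))
```

The `legacy-nis` group is the case the Compatible default exists for: an RFC2307BIS-only query never sees it, so a view policy that takes group membership from the provider would deny a user whose only permission comes through that group.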

    Group base DN

    The base DN for group queries within the joined domain. When Auto discovery is enabled, group queries outside the joined domain use base DNs that are auto-discovered.

    Select LDAP

    Lets you choose to create a new LDAP configuration for this Active Directory provider (default, recommended), or to use an existing LDAP configuration. 

    If you select an LDAP configuration from this dropdown, the settings you've made in the Active Directory dialog are overridden with those of the selected LDAP configuration.

  9. Click Create.

    The record is created and you can see it displayed. The Joined State shows Not a member because the cluster has not yet joined the Active Directory domain.

    Proceed to Joining Active Directory via VAST Web UI.
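The constraints scattered through the steps above (the two duplicate-record rules, the Auto discovery dependencies, the fields that become required when Auto discovery is off or when Simple/SASL is chosen, the single VMS Auth Provider, and the settings that cannot change while joined) are easy to check before clicking Create. The following is an added example, not VAST's own code or API: the ADConfig fields mirror the Web UI labels, and the three check functions are assumptions made for illustration; nothing here contacts a cluster or a domain controller.

```python
"""Pre-submission checks for an Active Directory configuration record, built
from the constraints stated on this page.

Added example, not VAST's own code or API: the ADConfig fields mirror the
Web UI labels, and the three check functions are assumptions for
illustration. Nothing here contacts a cluster or a domain controller.
"""
from dataclasses import dataclass
from typing import List, Optional

AUTH_METHODS = ("Anonymous", "Simple", "SASL")
RECOMMENDED_PORTS = (389, 636)


@dataclass
class ADConfig:
    machine_account_name: str
    organizational_unit: str            # DN of the OU for the machine object
    domain_name: str                    # FQDN of the domain to join
    auto_discovery: bool = True
    trusted_forests: bool = False       # "Enable trusted domains on other forests"
    urls: str = ""                      # comma-separated DC URIs (Auto discovery off)
    base_dn: str = ""                   # search base (Auto discovery off)
    port: Optional[int] = None
    authentication_method: str = "Anonymous"
    bind_dn: str = ""
    bind_password: str = ""
    smb_allowed: bool = True
    ntlm_enabled: bool = True
    vms_auth_provider: bool = False
    joined: bool = False                # Joined State; False ("Not a member") after Create


def validate(cfg: ADConfig) -> List[str]:
    """Problems with a single record; an empty list means it is complete."""
    problems = []
    for label, value in (("Machine account name", cfg.machine_account_name),
                         ("Organizational unit", cfg.organizational_unit),
                         ("Domain name", cfg.domain_name)):
        if not value.strip():
            problems.append(f"{label} is required")
    if cfg.trusted_forests and not cfg.auto_discovery:
        problems.append("Enable trusted domains on other forests requires Auto discovery")
    if not cfg.auto_discovery:
        if not cfg.urls.strip():
            problems.append("URLs is required when Auto discovery is off")
        if not cfg.base_dn.strip():
            problems.append("Base DN must be specified when Auto discovery is off")
        if cfg.port is None:
            problems.append("Port is required")
        elif cfg.port not in RECOMMENDED_PORTS:
            problems.append(f"Port {cfg.port} is not a recommended value (389 or 636)")
    if cfg.authentication_method not in AUTH_METHODS:
        problems.append(f"Authentication method must be one of {AUTH_METHODS}")
    elif cfg.authentication_method != "Anonymous":
        if not cfg.bind_dn.strip():
            problems.append("Bind DN is required for Simple or SASL")
        if not cfg.bind_password:
            problems.append("Bind password is required for Simple or SASL")
    return problems


def check_against_existing(new: ADConfig, existing: List[ADConfig]) -> List[str]:
    """The duplicate-record rules and the single VMS Auth Provider rule.
    Domain and account names are compared case-insensitively (assumption:
    DNS names and AD account names are not case-sensitive)."""
    problems = []
    for other in existing:
        if other.domain_name.lower() != new.domain_name.lower():
            continue
        if other.machine_account_name.lower() == new.machine_account_name.lower():
            problems.append(f"{new.domain_name}: a record with machine account "
                            f"{new.machine_account_name} already exists")
        if (other.auto_discovery, other.trusted_forests) != (new.auto_discovery, new.trusted_forests):
            problems.append(f"{new.domain_name}: a record with different Auto discovery "
                            "or multi-forest settings already exists")
    if new.vms_auth_provider and any(o.vms_auth_provider for o in existing):
        problems.append("another configuration is already the VMS Auth Provider")
    return problems


def check_edit(current: ADConfig, edited: ADConfig) -> List[str]:
    """SMB Allowed and NTLM enabled cannot change while the cluster is joined."""
    problems = []
    if current.joined:
        if current.smb_allowed != edited.smb_allowed:
            problems.append("leave the domain before changing SMB Allowed")
        if current.ntlm_enabled != edited.ntlm_enabled:
            problems.append("leave the domain before changing NTLM enabled")
    return problems


if __name__ == "__main__":
    ou = "OU=Computers,DC=company-ad,DC=com"       # constructed sample values
    existing = [ADConfig("vast01", ou, "company-ad.com", vms_auth_provider=True)]
    new = ADConfig("vast02", ou, "company-ad.com", auto_discovery=False,
                   urls="ldap://192.0.2.1", base_dn="dc=company-ad,dc=com", port=389,
                   authentication_method="Simple",
                   bind_dn="cn=svc-vast,ou=users,dc=company-ad,dc=com")
    for p in validate(new) + check_against_existing(new, existing):
        print("-", p)
```

Run as a script, the sample reports a missing Bind password and a clash with the existing record's Auto discovery setting for the same domain, the two mistakes the UI rules above are there to catch.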