Add/Edit Directory configuration details

Screen component

Description

Directory

The display name of the directory service used in the HPE OneView login page. This name indicates the enterprise directory that it is associated with.

NOTE:
  • When users authenticate using their directory account name (for example, with Active Directory the value of the sAMAccountName field) instead of their email address, Hewlett Packard Enterprise recommends that the display name match the domain component of the directory.
  • HPE OneView prepends the username with the directory display name.
    Example:

    For a directory domain corp.example.com, a display name of corp allows the users to log in using only their directory account name. A user specifying a login name of admin gets authenticated to the directory as corp\admin.

  • If an Active Directory is set up to use a pre-Windows 2000 domain name, the administrator must ensure, when setting up the directory in HPE OneView, that the directory name matches the pre-Windows 2000 domain name. If required, the administrator can then also set the pre-Windows 2000 directory domain as the default for users to log in to HPE OneView.
    Example:

    If the Active Directory domain is example.com and the pre-Windows 2000 domain name is myDomain, setting the display name to myDomain allows users to log in using only their directory account name. A user specifying a login name of admin gets authenticated to the directory as myDomain\admin.

Data type:

Uppercase and lowercase alphanumeric characters and special characters.

Directory type

The type of authentication directory service, OpenLDAP or Active Directory (default).

Base DN

The top-level distinguished name for the authentication directory. For both Microsoft Active Directory and OpenLDAP, the Base DN is based on the DNS name of the directory domain.

Example:

An Active Directory domain with a name corp.example.com has a Base DN of DC=corp, DC=example, DC=com, where DC is a domain component that is used to represent the constituent parts of the directory’s domain name.

Data type:

Uppercase and lowercase alphanumeric characters and special characters.

Directory Binding

Displays the following two options for binding to the directory service:

  • Service Account
  • User Account (Default)

Service Account: The service account option specifies the user name and password of an account that has been created in the directory beforehand.

In some directory environments, ordinary directory users are not permitted to query certain parts of the directory tree, so a service account is required. Consult your directory administrator for more information.

NOTE:
  • Use the service account option when two-factor authentication is enabled in HPE OneView.
  • Ensure that the service account has read access to the directory tree so that HPE OneView can use this account when performing searches across the directory on behalf of HPE OneView users. For example, during login when HPE OneView queries the directory to determine the groups that the user is a member of, the service account is used to perform that query.

User Account (Default): The user account option prompts for the directory credentials of the user each time they are required, for example, when you initially define a directory service in HPE OneView or when you add roles for directory groups.

NOTE:

The directory credentials of the user are never saved persistently by HPE OneView.

User naming attribute

(OpenLDAP only and does not appear when Service Account is selected)

Either UID or CN, as needed. Specifies whether the OpenLDAP server is configured to search for the distinguished name of a user, using UID=<username> or CN=<username> (where CN is common name). Consult your OpenLDAP administrator to determine which convention is in use for your directory.

Organizational unit (OU)

(OpenLDAP only)

Specifies the root of the directory tree from which HPE OneView searches for the LDAP groups that the user is a member of.

HPE OneView uses OUs to determine where to search for users and groups. When a user authenticates with a directory, HPE OneView needs the OU to determine the directory group membership of that user so that it can assign the proper HPE OneView permissions.

Example:

OU=Engineering

OpenLDAP allows the configuration of multiple user and group OUs.

All the OUs in which the user accounts reside must be explicitly configured, but groups are searched in the subtree.

For example, consider a configuration in which the user accounts are present under:

  • ou=people and
  • ou=admins,ou=people

and groups are present under:

  • ou=groups and
  • ou=IT-groups,ou=groups

To explicitly configure different user and group OUs, the OU entries in this screen must be specified in the following format:

  • OU 1: ou=people
  • OU 2: ou=admins,ou=people
  • OU 3: ou=groups
  • OU 4: ou=IT-groups,ou=groups

To perform a subtree search for all the groups under ou=groups, the OU entries in this screen must be specified in the following format:

  • OU 1: ou=people
  • OU 2: ou=admins,ou=people
  • OU 3: ou=groups

Add

(OpenLDAP only)

Generates an additional Organizational unit field.
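The OU scoping rules described above (user OUs listed explicitly, groups found in the subtree), modelled as an added example that is not HPE OneView's own code; the base DN, the sample OU list and the one-level-for-users versus subtree-for-groups behaviour are assumptions made for illustration:

```python
"""Model of how the OU entries on this screen scope OpenLDAP searches.

Constructed example for this page, not HPE OneView's own code. It assumes
that user lookups match only entries directly beneath a configured OU
(which is why every user OU must be listed explicitly) while group lookups
descend into the whole subtree under each configured OU.
"""
from typing import List

# Constructed sample: the base DN and the OU list from the page's example layout.
BASE_DN = "dc=example,dc=com"
SAMPLE_OUS = ["ou=people", "ou=admins,ou=people", "ou=groups"]


def rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (the sample DNs contain no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def _configured_bases(ous: List[str], base_dn: str) -> List[List[str]]:
    # Each OU entry on the screen is relative to the base DN, so anchor it there.
    return [rdns(f"{ou},{base_dn}") for ou in ous]


def user_is_found(user_dn: str, ous: List[str], base_dn: str = BASE_DN) -> bool:
    """A user entry is found only if its parent is exactly one of the configured OUs."""
    return rdns(user_dn)[1:] in _configured_bases(ous, base_dn)


def group_is_found(group_dn: str, ous: List[str], base_dn: str = BASE_DN) -> bool:
    """A group entry is found anywhere in the subtree below a configured OU."""
    parent = rdns(group_dn)[1:]
    return any(parent[-len(base):] == base for base in _configured_bases(ous, base_dn))


def unreachable_users(user_dns: List[str], ous: List[str], base_dn: str = BASE_DN) -> List[str]:
    """Users that this OU list would never locate (a common cause of failed logins)."""
    return [dn for dn in user_dns if not user_is_found(dn, ous, base_dn)]


if __name__ == "__main__":
    users = ["uid=alice,ou=people," + BASE_DN,
             "uid=bob,ou=admins,ou=people," + BASE_DN,
             "uid=carol,ou=contractors,ou=people," + BASE_DN]  # ou=contractors is not listed
    print("unreachable users:", unreachable_users(users, SAMPLE_OUS))
    print("nested group found:", group_is_found("cn=helpdesk,ou=IT-groups,ou=groups," + BASE_DN, SAMPLE_OUS))
```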

User name

and

Password

The credentials of the authentication directory service account that enable the appliance to log in to the directory server and validate the connection.

NOTE:

The user name and password are not saved on the appliance when the directory binding type is User Account. In this case, when prompted, enter the credentials of the authentication directory service account.

For Microsoft Active Directory users, specify a user name in any one of the following formats:

  • as an email address ( userPrincipalName field of the Active Directory) or
  • as a domain account user name (sAMAccountName field of the Active Directory)

where,

  • the @ character implies User-Principal-Name, usually the email address login of the Active Directory user.

  • the \ character implies a domain\username login, domain being the domain account user name of the Active Directory user (for example, corp\username).

If the preceding user name formats do not authenticate successfully, the following user name format is used:

  • directory\login. For example, if the directory name is configured as mycorp and the user account is Neil, then the login attempted would be mycorp\Neil.
    NOTE:

    Directory names are not case-sensitive.

If the Active Directory server configured in HPE OneView has a user lock-out policy (for example, one that locks the account after n successive failed login attempts), Hewlett Packard Enterprise recommends that users log in to HPE OneView with the UPN or the down-level logon name. The most common UPN form is username@domain.com, and the down-level logon name is domain\username. If neither the UPN nor the down-level logon name is used (that is, only the username is entered), HPE OneView internally tries different logon formats, as described in About directory service authentication. This may result in the user being locked out of the GUI after a single failed login attempt (wrong password).
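The display-name rules from the Directory field and the user name formats and lock-out caveat above, modelled as an added example that is not HPE OneView's own code; DirectoryConfig, the derived base DN and the two-attempt sequence assumed for a bare account name are illustrative assumptions:

```python
"""Model of the directory display name and login-name handling on this screen.

Constructed example, not HPE OneView's own code. It assumes the three login
forms the page lists (UPN with '@', down-level name with '\\', or a bare
account name qualified as directory\\login); the number and order of bind
attempts for a bare name is an assumption used only to illustrate the
lock-out caveat, not a description of what the appliance actually does.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DirectoryConfig:
    display_name: str       # the Directory field on this screen
    dns_domain: str         # e.g. corp.example.com
    netbios_name: str = ""  # pre-Windows 2000 domain name, if one is in use


def base_dn(dns_domain: str) -> str:
    """Base DN derived from the DNS domain, as in the page's corp.example.com example."""
    return ",".join(f"DC={label}" for label in dns_domain.split("."))


def display_name_warnings(cfg: DirectoryConfig) -> List[str]:
    """Apply the page's recommendations for the display name (names are not case-sensitive)."""
    warnings = []
    if cfg.netbios_name:
        if cfg.display_name.lower() != cfg.netbios_name.lower():
            warnings.append("display name must match the pre-Windows 2000 domain name")
    elif cfg.display_name.lower() != cfg.dns_domain.split(".")[0].lower():
        warnings.append("display name should match the domain component of the directory")
    return warnings


def bind_candidates(login: str, cfg: DirectoryConfig) -> List[str]:
    """Identities a login is tried as: UPN and down-level names as given; a bare
    name is assumed to be tried as given and then as directory\\login."""
    if "@" in login or "\\" in login:
        return [login]
    return [login, f"{cfg.display_name}\\{login}"]


def lockout_risk(login: str, cfg: DirectoryConfig, lockout_threshold: int) -> bool:
    """True when one wrong password yields enough failed binds to trip the policy."""
    return len(bind_candidates(login, cfg)) >= lockout_threshold


if __name__ == "__main__":
    corp = DirectoryConfig("corp", "corp.example.com")
    print(base_dn(corp.dns_domain), display_name_warnings(corp))
    for login in ("admin", "corp\\admin", "admin@corp.example.com"):
        print(login, bind_candidates(login, corp), "lockout risk:", lockout_risk(login, corp, 2))
```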

Directory servers

Specifies the names (or IP addresses) and ports of the servers that host the authentication directory service.

NOTE:

To ensure high availability, typically a directory domain contains multiple directory servers. HPE OneView allows multiple directory servers to be configured. When you configure multiple directory servers, HPE OneView attempts to reach each one of the directory servers in the specified order until it can authenticate the user. For example, a Microsoft Active Directory environment typically has multiple domain controllers.

For the best availability, work with your Active Directory administrator to determine which domain controllers must be added to HPE OneView.

For more information, see the Add Directory Server screen.

See also

Add an authentication directory service