Add an authentication directory service

You can use an external authentication directory service (also called an enterprise directory or authentication login domain) to authenticate users logging in to the appliance instead of maintaining individual local login accounts.

Two types of directory services are supported—Microsoft Active Directory and OpenLDAP.

Prerequisites
  • Minimum required privileges: Infrastructure administrator.
  • The authentication directory service must be configured with certificates to support secure LDAP communications (LDAPS).
  • DNS must be configured on the HPE OneView appliance before you supply the DNS fully qualified domain name for directory servers.
  • The forward and reverse lookups of the names and IP addresses must be working properly in DNS.
  • Any CA-root certificates used by any of the directory servers must be added to HPE OneView trust store before performing an add directory task.

    NOTE:
    • For better security, most directory servers use CA signed certificates as opposed to self-signed certificates.

    • Consult with your Active Directory or OpenLDAP administrator, or public key infrastructure (PKI) administrator to obtain your CA-root public certificate.

    • Use Settings > Security > Manage Certificates to import the CA-root certificate into HPE OneView trust store. Enter each unique CA-root in the HPE OneView trust store if the individual directory servers making up the domain have certificates from different CA-roots.

Procedure
  1. From the main menu, select Settings.
  2. Either click the Edit icon in the Security panel or select Actions > Edit.
  3. On the Edit Security screen, under Directories, click Add Directory.
  4. Enter the data requested on the screen. See Add/Edit Directory screen details.
  5. Click Add directory server.
    IMPORTANT:

    The decision whether to search the Global Catalog or the domain is based on the scope of the search:

    • When the scope of a search is the domain or an organizational unit, use the SSL port. The default is 636.

    • When the scope of a search is the forest, use the SSL Global Catalog port. The default is 3269.

  6. Enter the data requested on the screen. See Add Directory Server screen details.
    NOTE:

    For Open LDAP:

    • Use the Add button to add Organizational unit fields as needed.

    • To delete an Organizational unit field and its entry, click the corresponding icon..

  7. Click Add to add the server and return to the Add Directory screen.
    NOTE:

    If you want to enter the certificate manually, use the Add a certificate option.

  8. Click Add to add the authentication directory service or click Add+ to add more directory services.
    NOTE:

    The appliance fetches the server certificate chain and trusts it. If the root CA is found missing in the chain, then it prompts you to trust the root CA certificate using the Manage certificates screen.

  9. After adding the authentication directory service:
    1. Verify the configuration: on the Security screen under Directories.
    2. Validate the directory server configuration..

Recommended next step: Add a group with directory-based authentication.