About directory service authentication

You can configure HPE OneView to use an external enterprise directory service for user authentication. HPE OneView supports the following enterprise directory services:
  • Active Directory

  • OpenLDAP

When you use a directory service, directory users are granted HPE OneView permissions using their group membership in the directory. After defining a directory service, use the User and Groups screen to define permissions for directory groups.

Directory groups are assigned one or more HPE OneView permissions. A directory user is assigned the HPE OneView permissions that represent the union of the permissions for all the directory groups that the user is a member of. Only after permissions are defined for directory groups, directory users are authenticated into the appliance.

Any user in the group can log into the appliance using the following steps:

  1. Select the enterprise directory service in the login page.

  2. Enter a user name. The format for the user name depends on the Directory type. Consult your HPE OneView administrator and directory administrator for the proper user name format. Valid formats include:
    • Email address. For example: jane@example.com.

    • The common name of the user (CN attribute in the directory). For example: jane or example\jane, where example.com is the directory domain.
      NOTE:

      A best practice is to set the HPE OneView display name for the directory service to match the leading component of the directory's fully qualified domain name (for example, example for the example.com directory).

  3. Enter the password.

Enterprise directory user in the appliance

There is no explicit user created in the appliance corresponding to the directory user. However, when a directory user is logged into the appliance, the user is identified by the user name preceded by the enterprise directory name.

In the Session control, the user is identified by their name preceded by the authentication directory service. For example:

CorpDir\pat

IMPORTANT:

Unlike local users, if a user is deleted from an authentication directory, their active sessions remain active until that user logs out. Similarly, if the user's group membership is modified in the authentication directory, that change is not reflected in the user's currently active session.

If there is a change in the group-to-role assignment (including a deletion) for an authentication directory group while a user from that group is logged in, their current active session is not affected until they log out. Local user sessions are ended when such modifications are made.

Directory server

When a directory is configured on the appliance, you can specify one or more directory servers that can be accessed for the directory service. If more than one directory server is added for a directory, they are assumed to be redundant servers for high availability or disaster tolerance. If one directory server is not reachable, the other configured servers are accessed for authenticating the user.
NOTE:
  • If you use a cluster for your directory server configuration, the cluster hostname can be specified as the directory server. Hewlett Packard Enterprise recommends using a cluster for your directory server configuration instead of configuring replicated directory servers in the appliance.

  • Directory search operations can be time consuming, depending on your directory configuration and network latency, which increases login time. When using Active Directory with many domains, configure a global catalog for your directory server for optimal login performance.

Binding to the directory server

The appliance must bind to the directory server for performing search and authentication operations. You can choose to bind using any one of the following options:
  • Service Account: A directory service account that has read-access permission to your directory server can be configured in the appliance. The service account takes user name and password as inputs. HPE OneView stores the credentials you provide for future use. The Service Account option is mandatory when two-factor authentication is enabled in HPE OneView.

  • User Account: The user account uses the credentials supplied by the user while connecting HPE OneView to the directory service. The user account helps in querying the directory during the authentication process. User Account is the default option for directory binding. The user credentials for the directory service are not stored in HPE OneView.

User login formats used for authentication

To support user login with only the user name specified, the following formats are tried to authenticate with the directory service:

If the user name contains neither an @ character (which denotes an email address) nor a \ character (which denotes the domain\user name format), logins are attempted in the following order:

  1. The user name is treated as the name, and directory-name gets prepended as directory-name\user-name, for example: example\jane.

  2. The user name is treated as a UID.

  3. The user name is treated as Common Name (CN).

NOTE: If the Active Directory server configured in HPE OneView has a user lock-out policy (defined, for example, as n successive failed login attempts), Hewlett Packard Enterprise recommends that you use the email or the domain\user name format to log into HPE OneView. If neither the email nor the domain\user name format is used (that is, just the user name is used), HPE OneView internally tries the different login formats described previously, and each attempt counts as a failed bind against the directory. This may result in the user being locked out of the GUI after a single failed login attempt (wrong password). To minimize login attempts, configure the directory display name to be the same as the first component of the directory's fully qualified domain name. For example, assign the HPE OneView name example to the directory example.com.

Trusting the directory server

Hewlett Packard Enterprise recommends that you use CA-signed certificates on your directory servers. The entire certificate chain (including the CA root and any intermediate certificates) for the directory certificate must be placed in the HPE OneView trust store before configuring the directory service. This ensures that the appliance automatically trusts the directory server when it is configured on the appliance.

After adding an enterprise directory service and server

You can:
  • Designate it as the default directory service to be used at login time.

  • Optionally, disable local logins so that only users whose accounts are authenticated by the directory service can log in. Local accounts are prevented from logging in.

Considerations for configuring a Microsoft Active Directory service

  • For the strongest security, Hewlett Packard Enterprise recommends that your directory server is configured to use only TLS 1.2 or later protocols.

  • The following table maps each LDAP property to the corresponding Active Directory attribute:

    LDAP property        Active Directory attribute
    cn                   Common-Name
    uid                  UID
    userPrincipalName    User-Principal-Name
    sAMAccountName       SAM-Account-Name

  • If a user object is created in the Active Directory Users and Computers Microsoft Management Console, the names default as follows.

    Specify the following components of the user name, displayed here with the corresponding attribute:

    User name component    Attribute
    First Name             givenName
    Initials               initial
    Last Name              sn

    The field labeled Full Name defaults to the following format. This string is assigned to the cn attribute (Common Name):

    givenName initial. sn

    In the New Object – user dialog box, you are also required to specify a User logon name. User logon name, in combination with the DNS domain name, becomes the userPrincipalName. The userPrincipalName is an alternative name that the user can use for logging in. It is in the form:

    LogonName@DNSDomain

    For example:

    joeuser@example.com

  • Finally, as you enter the User logon name, the first 20 characters are automatically filled in the pre-Windows 2000 logon name field, which becomes the sAMAccountName attribute.

  • CN-logins for built-in Active Directory user accounts, like Administrator, are not accepted. Other login formats are acceptable if their respective attributes (sAMAccountName, userPrincipalName, and UID) are set properly.
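The following is an added example, not HPE OneView code or an HPE-supplied tool. It uses a constructed in-memory stand-in for an Active Directory domain (example.com, display name example, one user) to make two points from this page concrete: how the default cn, userPrincipalName and sAMAccountName values are derived from the New Object – user dialog inputs, and how a bare user name fans out into the directory-name\user, UID and CN bind attempts described under "User login formats used for authentication", so that one wrong password can exhaust a lock-out policy. The lock-out threshold of 2, the sample password, and the assumption that uid is populated with the logon name are all constructed for the example; the class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class AdUser:
    """One constructed directory account; attribute defaults follow the
    Active Directory Users and Computers behaviour described on this page."""
    given_name: str
    initial: str
    sn: str
    logon_name: str
    dns_domain: str
    password: str           # constructed sample only; a real directory never exposes this
    failed_binds: int = 0
    locked: bool = False

    @property
    def cn(self) -> str:
        """Full Name default from the New Object - user dialog: 'First I. Last'."""
        return f"{self.given_name} {self.initial}. {self.sn}"

    @property
    def user_principal_name(self) -> str:
        """User logon name combined with the DNS domain name."""
        return f"{self.logon_name}@{self.dns_domain}"

    @property
    def sam_account_name(self) -> str:
        """pre-Windows 2000 logon name: the first 20 characters of the logon name."""
        return self.logon_name[:20]

    @property
    def uid(self) -> str:
        # Assumption for this example: uid is populated with the logon name.
        return self.logon_name


@dataclass
class FakeDirectory:
    """In-memory stand-in for an LDAP/AD server with a simple lock-out policy."""
    netbios_name: str        # leading component of the DNS domain, e.g. "example"
    lockout_threshold: int   # failed binds against one account before it locks
    users: list

    def _find(self, attribute: str, value: str):
        return next((u for u in self.users
                     if getattr(u, attribute).lower() == value.lower()), None)

    def bind(self, attribute: str, value: str, password: str) -> str:
        """Simulated simple bind: returns 'ok', 'bad_password', 'locked' or 'no_such_user'.
        Only a wrong password against an existing account counts toward lock-out."""
        if attribute == "domain":                      # domain\user form
            domain, _, name = value.partition("\\")
            if domain.lower() != self.netbios_name.lower():
                return "no_such_user"
            attribute, value = "sam_account_name", name
        user = self._find(attribute, value)
        if user is None:
            return "no_such_user"
        if user.locked:
            return "locked"
        if user.password != password:
            user.failed_binds += 1
            user.locked = user.failed_binds >= self.lockout_threshold
            return "bad_password"
        return "ok"


def login_candidates(user_name: str, display_name: str) -> list:
    """The (attribute, value) bind attempts the appliance makes, in order."""
    if "@" in user_name:
        return [("user_principal_name", user_name)]
    if "\\" in user_name:
        return [("domain", user_name)]
    # Bare user name: the directory display name is prepended first, then UID, then CN.
    return [("domain", f"{display_name}\\{user_name}"), ("uid", user_name), ("cn", user_name)]


def appliance_login(directory: FakeDirectory, display_name: str, user_name: str, password: str):
    """Try each candidate format in turn; returns (success, number_of_bind_attempts)."""
    attempts = 0
    for attribute, value in login_candidates(user_name, display_name):
        attempts += 1
        if directory.bind(attribute, value, password) == "ok":
            return True, attempts
    return False, attempts


def example_directory(lockout_threshold: int = 2) -> FakeDirectory:
    """Constructed sample domain example.com with one user; threshold deliberately low."""
    jane = AdUser("Jane", "Q", "Doe", "jane", "example.com", "correct-horse")
    return FakeDirectory("example", lockout_threshold, [jane])


if __name__ == "__main__":
    d = example_directory()
    print(appliance_login(d, "example", "jane@example.com", "wrong"))  # one failed bind, not locked
    d = example_directory()
    print(appliance_login(d, "example", "jane", "wrong"), d.users[0].locked)  # locked after one wrong password
    d = example_directory()
    print(appliance_login(d, "CorpDir", "jane", "correct-horse"))  # display-name mismatch costs an extra attempt
```

Running the block shows the practical consequence of the NOTE above: the email (UPN) form produces exactly one bind, whereas the bare name produces three, two of which fail against the same account when the password is wrong. It also shows why the display name should match the domain's first component: with a mismatched display name (CorpDir for example.com) the first candidate never matches and a correct login only succeeds on the second attempt.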
